MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad64a6eaa5d2494a4161158792e7cde3fb7d9a7bd36f06cc0de271192582f439. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 4

SHA256 hash: ad64a6eaa5d2494a4161158792e7cde3fb7d9a7bd36f06cc0de271192582f439
SHA3-384 hash: 23dd0bfff9be2c4a0ec6a47596be0669e22da74599f64e683a85cbcd106b852e657a4bc67b35e096609bb9dfa1655720
SHA1 hash: b7279cbe6ee65e099dd295dff3e2d462d0afdc86
MD5 hash: 5e30e25782ecca5f036ec2d2736ba9c5
humanhash: washington-utah-bakerloo-victor
File name: Faktur Bangun Nusa Mandiri.exe
Signature: Loki
File size: 225'280 bytes
First seen: 2020-04-21 12:12:16 UTC
Last seen: 2020-04-21 12:59:01 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: bddeac6a8687f75cb2bb8f2f1d99d3a9 (1 x Loki)
ssdeep: 1536:G+yKuU/NZ9hiMKxJRh8lpw+saO8/jeYmYB2roeesBdhGdgbljMkviOvK4uxCANe2:yKuUNZAjulNrt/NMd5XG+akFvKpx
Threatray: 2'153 similar samples on MalwareBazaar
TLSH: 402406416DB89523C70846316EF6E7B9C3487DD0E9E5CA4F20913B2EAF3378614A652F
Reporter: abuse_ch
Tags: COVID-19 exe Loki


abuse_ch
COVID-19 themed malspam distributing Loki:

HELO: merbabu.indosol.net
Sending IP: 202.51.253.120
From: Unipower <petrusd@datanet.co.id>
Subject: PT.UNIPOWER PRATAMA - INVOICE 098/I/IV/20- PO.9100326941
Attachment: Faktur Bangun Nusa Mandiri.gz (contains "Faktur Bangun Nusa Mandiri.exe")

Loki C2:
http://cmeducationhub.com/wwp/Panel/fre.php

Intelligence

File Origin
# of uploads: 2
# of downloads: 95
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.Androm
Status: Malicious
First seen: 2020-04-21 01:40:24 UTC
File Type: PE (Exe)
Extracted files: 6
AV detection: 25 of 31 (80.65%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  Loki
    Executable exe ad64a6eaa5d2494a4161158792e7cde3fb7d9a7bd36f06cc0de271192582f439 (this sample)

Delivery method: Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                  Title                                                     Severity
CHECK_AUTHENTICODE  Missing Authenticode                                      high
CHECK_NX            Missing Non-Executable Memory Protection                  critical
CHECK_PIE           Missing Position-Independent Executable (PIE) Protection  high

Reviews
ID      Capabilities                  Evidence
VB_API  Legacy Visual Basic API used  MSVBVM60.DLL::__vbaObjSetAddref
                                      MSVBVM60.DLL::EVENT_SINK_AddRef