MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2716ac6169dc9ab6107117a9f88e4e30b1dd8cf7563f26cfec15ed3ee0fd2e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: b2716ac6169dc9ab6107117a9f88e4e30b1dd8cf7563f26cfec15ed3ee0fd2e0
SHA3-384 hash: db21a2d218ab83d8d1f71710a264f5a0205b377dc858800deb306ce73423012308748b768f77d2556b5f6ab5ba1b5bca
SHA1 hash: 2c3a07752cb73e1b0bd80f2b6554f0ec4bed2ba8
MD5 hash: 03b1061e0a0cdf717e60708f1051d156
humanhash: massachusetts-butter-michigan-idaho
File name: Pago Factura.xls
Signature: Loki
File size: 163'840 bytes
First seen: 2020-06-30 17:35:59 UTC
Last seen: 2020-06-30 18:48:48 UTC
File type: Excel file xls
MIME type: application/vnd.ms-excel
ssdeep: 3072:pCxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAxObOATXjNALPsDnKS27Xd6hotbFFRFq:AxEtjPOtioVjDGUU1qfDlavx+W2QnAto
TLSH: 77F3BF917281D8DADA5847344CE6C7E62723FC545F6A87CB3248F32F2E7678099C3686
Reporter: @abuse_ch
Tags: Loki xls


Twitter: @abuse_ch
Malspam distributing Loki:

HELO: 3grobotics.com.mx
Sending IP: 162.245.96.42
From: Juan <sgarcia@ferremayoreo.com.mx>
Subject: PAGO
Attachment: Pago Factura.xls

Loki payload URL:
https://protestlabsmovings.es/domry/LIjJHBNFy.exe

Loki C2s:
http://46.21.147.175/FtgPlac/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Intelligence


Mail intelligence
Trap location: Global
Impact: Low
# of uploads: 2
# of downloads: 37
Origin country: FR

ClamAV: TwinWave.EvilDoc.URLDownloaderSuperStar.20200510.UNOFFICIAL

CERT.PL MWDB
Detection: n/a
Link: https://mwdb.cert.pl/sample/b2716ac6169dc9ab6107117a9f88e4e30b1dd8cf7563f26cfec15ed3ee0fd2e0/

ReversingLabs
Status: Malicious
Threat name: Document-Word.Downloader.Sload
First seen: 2020-06-30 15:04:20 UTC
AV detection: 16 of 31 (51.61%)
Threat level: 2/5

Spamhaus Hash Blocklist: Suspicious file

Hatching Triage
Score: 10/10
Malware Family: lokibot
Link: https://tria.ge/reports/200630-knpevy6mk2/
Tags: evasion spyware trojan stealer family:lokibot
Config extraction:
http://46.21.147.175/FtgPlac/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

VirusTotal: 36.07%

Yara Signatures


Rule name: SharedStrings
Author: Katie Kleemola
Description: Internal names found in LURK0/CCTV0 samples

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: Loki, Excel file xls b2716ac6169dc9ab6107117a9f88e4e30b1dd8cf7563f26cfec15ed3ee0fd2e0 (this sample)
Delivery method: Distributed via e-mail attachment
