MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc5abecfb3e5dc45ac5ad4b9273cd06e2b7d0ea834f67ca209d6999f5b054bef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 3


Intelligence 3 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bc5abecfb3e5dc45ac5ad4b9273cd06e2b7d0ea834f67ca209d6999f5b054bef
SHA3-384 hash: ac4e02e5b222b05dca27ee1fc16e978f349226445cc06e22fb1f6817ca1422d765fda815efc906326589ed6371203364
SHA1 hash: 45c4a5df97da40d130aadb766ad8b13aa02bb5ed
MD5 hash: e7b4a9426d543a14b835724c340dcd20
humanhash: hamper-emma-vermont-cat
File name:SOA.exe
Download: download sample
Signature Loki
Create hunting rule
File size:1'068'880 bytes
First seen:2020-04-30 07:34:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a24a74b77f2ddfb630cb5a5f088e710c (1 x Loki)
ssdeep 6144:PHxJDy1T4Mr4jiO59/K/gCMUxxqwy8rvS6YrXlXH6Xj:ZFy1MM4jiEi/gI1FrK6Yw
Threatray 1'949 similar samples on MalwareBazaar
TLSH 52359D22D7A37854FE4DC7F150A222B0BA64CD516A61282E207F7D1B9B777C47B83D88
Reporter jarumlus
Tags:Loki

Code Signing Certificate

Organisation:COMODO SHA-1 Time Stamping Signer
Issuer:UTN-USERFirst-Object
Algorithm:sha1WithRSAEncryption
Valid from:Dec 31 00:00:00 2015 GMT
Valid to:Jul 9 18:40:36 2019 GMT
Serial number: 1688F039255E638E69143907E6330B
Intelligence: 6 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: DF5AA7FAC68D7B0ABF52C404CB0587BE2670D4BD8A289691043F5BE17FC65373
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Trojan.VBGeneric-6950530-0
Create hunting rule

Win.Dropper.Razy-6951714-0
Create hunting rule

Win.Trojan.Razy-6952680-0
Create hunting rule

Win.Trojan.Razy-6952681-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2019-04-18 17:51:18 UTC
File Type:
PE (Exe)
Extracted files:
24
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
guloader
Create hunting rule
Similar samples:
1db568f6ff72a35878d8772fa11e25a64d2b38447580fba8bdbee9c1b946a621
Loki
3056e351e7f9636a77d54c0e149e510a5e357484d2fb0b4659cb7b590e9b75b5
Loki
53edc68ef8a890aac3c8f6fe8c72e1a8cf5057c600a3f85d12b99b59b05e47be
Loki
5e29b5586d17960eaf88a95098dae48bc58ac10cfdc5f9a086a49b30c5ea72ff
Loki
68e57f90365021feb3737c6b743a12ac1e4697cb0fba2a3414a961eeb7486d95
Loki
7200e0900aae53fbd40a961458d2fbdf60a715cf4880b9a6397ea007ccf20f17
Loki
8682df8104337b21a5ec19279b4f7c51a199e53dbb77b5d5a73ea8eeda545ba0
Loki
894b997a3f219f7fe03842ecdba7de1f5f2d9c67ce8eaaa4e6b287969ac8931c
Loki
9bcf29ef3bbb1003db97934e2412dfb77fc1d289797a9b4eab2af243bbc8987f
Loki
fe36f8b161c6e9f38fba4be32eb2b67846c9c93de9f48028762f79e5ee2b6169
Loki
+ 1'939 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_lokipws_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
VB_APILegacy Visual Basic API usedMSVBVM60.DLL::__vbaSetSystemError
MSVBVM60.DLL::__vbaObjSetAddref
MSVBVM60.DLL::EVENT_SINK_AddRef
MSVBVM60.DLL::__vbaErrorOverflow

Comments