MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c03f737cb9dc57529e3536275c757f76137b7407bd1ca4fd2f1c7f3029491c13. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c03f737cb9dc57529e3536275c757f76137b7407bd1ca4fd2f1c7f3029491c13
SHA3-384 hash: fd957ca8c8de53a786079ae659cdc02f1fdf0538c5e00bf40e999cbce7848f8072d9322d8d966c7e21386845ccb1e17a
SHA1 hash: 4fd57a4d45cc27ef71b9e2047f4b1ff90633e5f6
MD5 hash: 6cce0842305006492e552ecfabcbb1d3
humanhash: mockingbird-nevada-twenty-beer
File name:spl394573.exe
Download: download sample
Signature Loki
Create hunting rule
File size:827'662 bytes
First seen:2021-03-03 07:32:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 130312efe8892496180179ce46d20b79 (7 x NetWire, 2 x DarkComet, 2 x ModiLoader)
ssdeep 24576:3TQuKl+kqnKCy/LOmRoaQjpBylVwkfsrTQ2cT:1wZoaQ1Ilqkfsr0FT
TLSH D005126132E1C031E57354349DB8D762FE78F8385931E64FBB800B6E5F21A93CA2A756
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: leonardo.aserv.co.za
Sending IP: 154.0.166.107
From: Jbossom Sales <joesales683206@gmail.com>
Subject: NEW ORDER
Attachment: spl394573.zip (contains "spl394573.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
spl394573.exe
Verdict:
Suspicious activity
Analysis date:
2021-03-03 08:17:32 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d733ec76-408b-43e1-9705-698c2c3beb3d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/121262/
Detection(s):
SecuriteInfo.com.PUA.Tool.BtcMine.1618.231.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/625753
Signature
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Detected unpacking (creates a PE file in dynamic memory)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c03f737cb9dc57529e3536275c757f76137b7407bd1ca4fd2f1c7f3029491c13/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-03-03 07:33:10 UTC
AV detection:
20 of 47 (42.55%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ya7xg7fz3rlvfhrvgytvy5l7oyjxw5ahxuokj7jpdr7takkjdqjq._file
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/210303-n21n1zca32/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Lokibot
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
http://hipjunks.tk/champs/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
703f3e5a57ba4cea28b8f1d58717466fb14d2a4d340af910cb4ae662dcdfc1b2
MD5 hash:
90b5c63be5b3ddb71786da42c676107c
SHA1 hash:
268984950c70ceda46d11f9e1818c1bf9543b68f
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/66fcccb9-4d7b-4e05-a1b0-dcbd7bf4b2cd/
SH256 hash:
7ef92780ea8011e9190dca538a5f2d32a087c5d66c66ef2bd86710bfe0ff584f
MD5 hash:
fd28a4ef607d14626f9e703cc4086c76
SHA1 hash:
e4624cc1861fef6d690e8fec9f7fcd5972286b93
Link:
https://www.unpac.me/results/66fcccb9-4d7b-4e05-a1b0-dcbd7bf4b2cd/
SH256 hash:
3e8342e50ecf22e1e047a8fa428e227051b9bbc3979a779ca23bd4f37cd9a91b
MD5 hash:
7711c05d17b7b40769e40ccc42a7b92a
SHA1 hash:
94e93a9c76d4fc1b7b163a187123c2232ad263b0
Link:
https://www.unpac.me/results/66fcccb9-4d7b-4e05-a1b0-dcbd7bf4b2cd/
SH256 hash:
63984244ed54e2f02de95ad5c1b2e02f2c008a63c0a71a31beceae9567de2362
MD5 hash:
61b2f585280a114529cf69127b9959cc
SHA1 hash:
fcff87a45f4e14a9ec7cac50ac01c41281bbdfd4
Link:
https://www.unpac.me/results/66fcccb9-4d7b-4e05-a1b0-dcbd7bf4b2cd/
SH256 hash:
c03f737cb9dc57529e3536275c757f76137b7407bd1ca4fd2f1c7f3029491c13
MD5 hash:
6cce0842305006492e552ecfabcbb1d3
SHA1 hash:
4fd57a4d45cc27ef71b9e2047f4b1ff90633e5f6
Link:
https://www.unpac.me/results/66fcccb9-4d7b-4e05-a1b0-dcbd7bf4b2cd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c03f737cb9dc57529e3536275c757f76137b7407bd1ca4fd2f1c7f3029491c13

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

zip dbdef5a7ecfe21b330a3bf96f7e37a09235ee8939829857d71d7de801fa668db

Loki

Executable exe c03f737cb9dc57529e3536275c757f76137b7407bd1ca4fd2f1c7f3029491c13

(this sample)

  
Dropped by
MD5 095fae005896dd05cdd026e84d36cd68
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/121262/
  
Dropped by
SHA256 dbdef5a7ecfe21b330a3bf96f7e37a09235ee8939829857d71d7de801fa668db

Comments