MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1a7770be72ce3fdee62b8af207e63e32cdfd6cb7a29fc7b9761fc1fb8bf678e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: c1a7770be72ce3fdee62b8af207e63e32cdfd6cb7a29fc7b9761fc1fb8bf678e
SHA3-384 hash: 43f0685b31d5dfd51b44a94183b25d4b763cd558f3703c82d186364a6d2a9db8f46a2e319ef2e7542e64ff73dc4d3090
SHA1 hash: a808177004e18b1059d9721ba8249073b4833496
MD5 hash: a157d3c44279f7d4cdf79fea9dd3d8a9
humanhash: south-finch-edward-xray
File name: crypted_pdf.exe
Signature: Loki
File size: 609'792 bytes
First seen: 2020-06-30 13:31:52 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 24f26e153c9b6068c0a4770547eb6d9e
ssdeep: 12288:QCbpcLhilrm7G8oclWEAroCo3DQmTsiz6efjV87NolRyJ:XuLhi80Jro7nn5JlEJ
TLSH: ABD49F22E7A0443FF172363D9D2BD6BC5926BE51392C59472BE4DC4C6F39381392A287
Reporter: @abuse_ch
Tags: exe, Loki
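Before spending any analysis time on a downloaded copy of this sample, confirm that the bytes on disk are the ones this entry describes. The script below is an added example, not part of MalwareBazaar or of this entry: it recomputes the four digests listed above (MD5, SHA1, SHA256, SHA3-384) with the Python standard library and compares them, together with the listed file size, against the entry. The hash and size constants are copied from this page; the file path on the command line and the script name are assumptions. imphash, ssdeep and TLSH need third-party libraries and are left out.

```python
import hashlib
import sys

# Digests and size copied from this MalwareBazaar entry. They are the ground
# truth for "is the file on my disk actually this sample?"
ENTRY_HASHES = {
    "md5": "a157d3c44279f7d4cdf79fea9dd3d8a9",
    "sha1": "a808177004e18b1059d9721ba8249073b4833496",
    "sha256": "c1a7770be72ce3fdee62b8af207e63e32cdfd6cb7a29fc7b9761fc1fb8bf678e",
    "sha3_384": ("43f0685b31d5dfd51b44a94183b25d4b763cd558f3703c82d186364a6d2a9db8"
                 "f46a2e319ef2e7542e64ff73dc4d3090"),
}
ENTRY_SIZE = 609792  # bytes, as listed under "File size"


def digests(data: bytes) -> dict:
    """Compute every digest the entry lists, keyed by hashlib algorithm name."""
    return {name: hashlib.new(name, data).hexdigest() for name in ENTRY_HASHES}


def check_sample(data: bytes, expected: dict = ENTRY_HASHES,
                 expected_size: int = ENTRY_SIZE):
    """Compare a file's bytes against the entry.

    Returns (ok, mismatches); mismatches names each digest that differs, plus
    "size" if the length differs. Checking all four digests and the size means
    a truncated download or a different build of the same family fails loudly
    instead of being analysed under the wrong name.
    """
    got = digests(data)
    mismatches = [name for name in expected if got[name] != expected[name]]
    if len(data) != expected_size:
        mismatches.append("size")
    return (not mismatches), mismatches


def check_file(path: str):
    """Read a file (e.g. the unpacked crypted_pdf.exe) and verify it."""
    with open(path, "rb") as fh:
        return check_sample(fh.read())


if __name__ == "__main__":
    # Assumed usage: python verify_sample.py /path/to/crypted_pdf.exe
    ok, bad = check_file(sys.argv[1])
    print("match" if ok else "MISMATCH: " + ", ".join(bad))
    sys.exit(0 if ok else 1)
```

Run it against the extracted executable, not the archive it arrived in: the hashes on this page describe crypted_pdf.exe itself, and a non-zero exit is the signal to stop and re-fetch rather than proceed.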


Twitter
@abuse_ch
Malspam distributing Loki:

HELO: metheksis.gr
Sending IP: 5.9.14.91
From: NATIONAL UNIVERSITY OF SINGAPORE <office@nus.edu.sg>
Subject: Request For Price quotation (NATIONAL UNIVERSITY OF SINGAPORE) NUS894/BU463
Attachment: Request For Price quotation 30-6-2020_pdf.rar (contains "crypted_pdf.exe")

Intelligence


Mail intelligence
Trap location: Global
Impact: Low
# of uploads: 1
# of downloads: 37
Origin country: US
CAPE Sandbox Detection: n/a
Link: https://www.capesandbox.com/analysis/17226/

ClamAV:
SecuriteInfo.com.Win32.Herz.B.23927.UNOFFICIAL
PUA.Win.Adware.Slugin-6803969-0
PUA.Win.Adware.Slugin-6840354-0
SecuriteInfo.com.Variant.Zusy.307895.13627.19246.UNOFFICIAL

CERT.PL MWDB Detection: lokibot
Link: https://mwdb.cert.pl/sample/c1a7770be72ce3fdee62b8af207e63e32cdfd6cb7a29fc7b9761fc1fb8bf678e/

ReversingLabs Status: Malicious
Threat name: Win32.Trojan.Injector
First seen: 2020-06-30 03:22:48 UTC
AV detection: 25 of 31 (80.65%)
Threat level: 5/5

Spamhaus Hash Blocklist: Malicious file

Hatching Triage Score: 10/10
Malware Family: lokibot
Link: https://tria.ge/reports/200630-npgf5aq92j/
Tags: spyware, trojan, stealer, family:lokibot
Config extraction (C2 URLs):
http://195.69.140.147/.op/cr.php/SczbkxCQZQyVr
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

VirusTotal results: 54.17%
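The most directly actionable part of this entry is the config extraction: five C2 URLs that a compromised host would contact. The script below is an added example, not code from MalwareBazaar, Hatching Triage or this entry: it turns those URLs (copied from the page) into host and endpoint indicators and runs them over proxy log lines. The log format ("timestamp client method url status") and the sample lines are constructed for the example and are not real traffic. A hit on the exact host and path is reported as high confidence; a hit on the host alone (a different path on 195.69.140.147, for instance) is reported as medium, because an IP or domain can host more than one thing.

```python
from urllib.parse import urlsplit

# C2 URLs exactly as listed under "Config extraction" on this entry.
LOKIBOT_C2 = [
    "http://195.69.140.147/.op/cr.php/SczbkxCQZQyVr",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# Constructed proxy log lines for the example (not real traffic):
# "<timestamp> <client ip> <method> <url> <status>"
SAMPLE_LOG = [
    "2020-06-30T13:40:01Z 10.0.0.15 POST http://kbfvzoboss.bid/alien/fre.php 404",
    "2020-06-30T13:40:03Z 10.0.0.15 POST http://alphastand.trade/alien/fre.php 200",
    "2020-06-30T13:41:10Z 10.0.0.22 GET http://www.example.com/index.html 200",
    "2020-06-30T13:42:00Z 10.0.0.15 GET http://195.69.140.147/other/path 200",
    "malformed line",
]


def c2_indicators(urls=LOKIBOT_C2):
    """Split the C2 URLs into a host set and a (host, path) endpoint set."""
    hosts, endpoints = set(), set()
    for url in urls:
        parts = urlsplit(url)
        host = parts.hostname.lower()
        hosts.add(host)
        endpoints.add((host, parts.path))
    return hosts, endpoints


def parse_proxy_line(line):
    """Parse one constructed log line; return None for lines that do not fit."""
    fields = line.split()
    if len(fields) < 5:
        return None
    ts, src, method, url, status = fields[:5]
    parts = urlsplit(url)
    if not parts.hostname:
        return None
    return {"ts": ts, "src": src, "method": method,
            "host": parts.hostname.lower(), "path": parts.path, "status": status}


def match_c2(lines, urls=LOKIBOT_C2):
    """Return (client, host, path, confidence) for every line touching a C2."""
    hosts, endpoints = c2_indicators(urls)
    hits = []
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        if (rec["host"], rec["path"]) in endpoints:
            confidence = "high"      # exact endpoint from the extracted config
        elif rec["host"] in hosts:
            confidence = "medium"    # same host, different path: triage it
        else:
            continue
        hits.append((rec["src"], rec["host"], rec["path"], confidence))
    return hits


if __name__ == "__main__":
    for src, host, path, confidence in match_c2(SAMPLE_LOG):
        print(f"{confidence:6} {src} -> {host}{path}")
```

Two caveats when reusing these indicators. A 404 from the C2 (as in the first sample line) is still a hit: the client already ran the stealer and tried to beacon, whether or not the panel answered. And the indicators are dated 2020-06-30; domains get re-registered and IPs get reassigned, so a host-only match on old indicators deserves a look at the full URL and timing before it is escalated.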

Yara Signatures


Rule name: Lokibot
Author: JPCERT/CC Incident Response Group
Description: detect Lokibot in memory
Reference: internal research

Rule name: win_lokipws_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: with_sqlite
Author: Julian J. Gonzalez <info@seguridadparatodos.es>
Description: Rule to detect the presence of SQLite data in raw image
Reference: http://www.st2labs.com

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Campaign: Malspam
Signature: Loki
Sample: Executable exe c1a7770be72ce3fdee62b8af207e63e32cdfd6cb7a29fc7b9761fc1fb8bf678e (this sample)

Delivery method: Distributed via e-mail attachment

Comments