MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c349617e2fbc16a5c1eefdb82f0749e6108943c6ce8090499b8a88dae34f9759. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 4


SHA256 hash: c349617e2fbc16a5c1eefdb82f0749e6108943c6ce8090499b8a88dae34f9759
SHA3-384 hash: 8519c87c15a9f1dd43c4f597485b2c28dca5eec3b95b14ad1ed4a8bd03718115fbf1d63b4b742dcbcd04192ef3774fcb
SHA1 hash: b32cf21a029ce77335f9e6f53f8b31d38c8918bf
MD5 hash: d12447b0293211f8bb76aecfb6bf5802
humanhash: quebec-victor-minnesota-carolina
File name: serthcryt.exe
Signature: Loki
File size: 1'182'720 bytes
First seen: 2020-06-22 07:54:56 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep: 24576:XAHnh+eWsN3skA4RV1Hom2KXMmHaVDfg5:Kh+ZkldoPK8YaVDe
Threatray: 2'206 similar samples on MalwareBazaar
TLSH: 9745392273D1C325FE5651F2DA59A17476787C2313338C5F2A84F9A9AFB01A2732E217
Reporter: abuse_ch
Tags: exe Loki

abuse_ch
Malspam distributing Loki:

HELO: qproxy5-pub.mail.unifiedlayer.com
Sending IP: 69.89.21.30
From: Ricardo Sousa <RicardoSousa45@gmail.com>
Subject: RE: FATURA SC-192 // CONSELHOS DE PAGAMENTO //
Attachment: file scan 0007332.zip (contains "serthcryt.exe")

Loki payload URL:
https://paste.ee/r/epWSs

Loki C2:
http://sethr.dynamic-dns.net/sethr/logs/fre.php

Intelligence

File Origin
# of uploads: 1
# of downloads: 90
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.Povertel
Status: Malicious
First seen: 2020-06-22 03:39:17 UTC
AV detection: 27 of 48 (56.25%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: n/a

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Drops file in System32 directory
Blacklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

MD5 2e46cd7bedc5a88b08635e977fdacf1b (Loki)
  dropped
Executable exe c349617e2fbc16a5c1eefdb82f0749e6108943c6ce8090499b8a88dae34f9759 (this sample)

Dropped by: MD5 2e46cd7bedc5a88b08635e977fdacf1b
Delivery method: Distributed via e-mail attachment

Comments