MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5c0c1dc1b82ded99f843bdce1ab3d44bff352bcdd6c934afe80577474738a43. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Loki


Vendor detections: 6



SHA256 hash: c5c0c1dc1b82ded99f843bdce1ab3d44bff352bcdd6c934afe80577474738a43
SHA3-384 hash: 7d362a805a905461fa9522a7e4e6887ee6804c419b34eef33015402add8bda3a1ca5355c71490fc532aeb06734c73a0b
SHA1 hash: c0179168d031e16598c785dad2df098ea5cf0eee
MD5 hash: e499c6056afc8e822c936888061c0b4c
humanhash: massachusetts-south-skylark-moon
File name: RFQ file_pdf.gz
Signature: Loki
File size: 220'720 bytes
First seen: 2021-07-30 15:17:17 UTC
Last seen: Never
File type: gz
MIME type: application/gzip
ssdeep: 6144:d0JNlOJU3mruy38ltBWDlxYqYK6qBo2xNA:6JcN38rwDlx96qBRxO
TLSH: T19A2423893453C2609E53261E0B5AF225B8766F6B3ED5BFB601C804489713C9FDA376CB
Reporter: cocaman
Tags: gz Loki


cocaman
Malicious email (T1566.001)
From: "Madiha Rasheed<madha@technogroupllc.com>" (likely spoofed)
Received: "from sg.sgalavitz.com (sg.sgalavitz.com [45.14.9.100]) "
Date: "30 Jul 2021 16:50:46 +0200"
Subject: "Request for quotation"
Attachment: "RFQ file_pdf.gz"

Intelligence


File Origin
# of uploads: 1
# of downloads: 127
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: MALICIOUS
Threat name: Win32.Spyware.Noon
Status: Malicious
First seen: 2021-07-30 08:47:41 UTC
File Type: Binary (Archive)
Extracted files: 3
AV detection: 18 of 28 (64.29%)
Threat level: 2/5

Result
Malware family: lokibot
Score: 10/10
Tags: family:lokibot spyware stealer suricata trojan
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Lokibot
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam -> Loki -> gz c5c0c1dc1b82ded99f843bdce1ab3d44bff352bcdd6c934afe80577474738a43 (this sample)

Delivery method: Distributed via e-mail attachment
Dropping: Loki
