MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc5c0b1d0293246d55558f0b1e4ab8cfe76187d3cf50a26f78bbb52e92955b1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 6

SHA256 hash: cc5c0b1d0293246d55558f0b1e4ab8cfe76187d3cf50a26f78bbb52e92955b1d
SHA3-384 hash: 78d7c624e0c0ece2e3d992ad42165534a840d8bf6a90bf66205b1963524acccddf509e48e5a2927d9751c28e0f82752a
SHA1 hash: dba2a069af4d7bb5930341776d40d8bd5c589d66
MD5 hash: fe5904e80e448b2dbdc2fdd66c1119c3
humanhash: hot-oregon-magnesium-bluebird
File name: OUR- REF GVFZC08062001.xlsx
Signature: Loki
File size: 699'392 bytes
First seen: 2020-08-06 07:03:33 UTC
Last seen: Never
File type: Excel file xlsx
MIME type: application/encrypted
ssdeep: 12288:Pc4BPZTAtgDnV52OdPf6TyeTa0ct0YncjdvvP25JIen7UkkrfZRKBKQ5HX:PcixTA4nV0WPfWymaltMdvvPEJIenQkt
TLSH: 58E423A979D49FAFFF6E183C09388068A81EFE498D64F892653931461C31BFB31C9553
Reporter: abuse_ch
Tags: Loki xlsx


abuse_ch
Malspam distributing Loki:

HELO: mail.fb-joy.com
Sending IP: 49.4.15.132
From: root@fb-joy.com
Reply-To: covestone@yahoo.com
Subject: Urgent Inquiry
Attachment: OUR- REF GVFZC08062001.xlsx

Loki payload URL:
http://meganmall.ga/~zadmin/cwd/9ap.exe

Loki C2s:
http://modevin.ga/~zadmin/lmark/ap0s/mode.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Intelligence

File Origin
# of uploads: 1
# of downloads: 60
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
DNS request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Creating a file
Creating a file in the %AppData% subdirectories
Launching cmd.exe command interpreter
Reading critical registry keys
Launching a service
Changing a file
Replacing files
Deleting a recently created file
Enabling the 'hidden' option for recently created files
Launching a file downloaded from the Internet
Unauthorized injection to a system process
Stealing user critical data
Connection attempt to an infection source
Sending an HTTP GET request to an infection source by exploiting the app vulnerability
Creating a process from a recently created file
Sending an HTTP POST request to an infection source
Result
Threat name: Unknown
Detection: clean
Classification: n/a
Score: 2 / 100
Behaviour
Behavior Graph: n/a
Threat name: Document-Office.Downloader.EncDoc
Status: Malicious
First seen: 2020-08-06 02:58:16 UTC
AV detection: 15 of 27 (55.56%)
Threat level: 3/5
Result
Malware family: lokibot
Score: 10/10
Tags: spyware trojan stealer family:lokibot
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious behavior: AddClipboardFormatListener
Launches Equation Editor
Modifies registry class
Suspicious use of SetWindowsHookEx
NSIS installer
Uses the VBS compiler for execution
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Blacklisted process makes network request
Lokibot
Malware Config
C2 Extraction:
http://modevin.ga/~zadmin/lmark/ap0s/mode.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SharedStrings
Author: Katie Kleemola
Description: Internal names found in LURK0/CCTV0 samples

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Loki
Excel file xlsx cc5c0b1d0293246d55558f0b1e4ab8cfe76187d3cf50a26f78bbb52e92955b1d (this sample)

Delivery method: Distributed via e-mail attachment

Comments