MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3707dcf5c34bd9d4b45341568bfc7ef57f65987c6edf5f6a17bcca455490f73. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d3707dcf5c34bd9d4b45341568bfc7ef57f65987c6edf5f6a17bcca455490f73
SHA3-384 hash: 5c5bac9fa21c3a4df6d6755d15df336726ad051605094cdf22ab8cadb588b560057f533030215739a2efe7830728192b
SHA1 hash: 75b647686ae012a0198e05eb1b2c9e59568e431e
MD5 hash: 2926117f59ceb261c19e6c80a5951d91
humanhash: happy-spaghetti-grey-spring
File name:QUOTAION#323456.tar
Download: download sample
Signature Loki
Create hunting rule
File size:736'974 bytes
First seen:2021-08-20 05:44:22 UTC
Last seen:Never
File type: tar
MIME type:application/x-rar
ssdeep 12288:loO1SiBn1KDEyH57/gxQuy4C/gCfXVnlTjl4nD2uDIv16tOBjjpQb28:l9Syn1RyH5EY/gC/VnlTjl4D2dvYtajU
TLSH T18EF423DF2B431C11AE8C1E13DBB9F21145A90DAD6A540DDAD2FEF64B66C31A478F80C9
Reporter cocaman
Tags:Loki tar


Avatar
cocaman
Malicious email (T1566.001)
From: "Fahed Ben Ahmed <Fahed.BenAhmed@eppm.com.tn>" (likely spoofed)
Received: "from eppm.com.tn (unknown [77.247.110.181]) "
Date: "20 Aug 2021 04:37:30 +0200"
Subject: "[External Email] Re: Ref#RFQ018 Piping Works # SFEC"
Attachment: "QUOTAION#323456.tar"

Intelligence

File Origin
# of uploads :
1
# of downloads :
142
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d3707dcf5c34bd9d4b45341568bfc7ef57f65987c6edf5f6a17bcca455490f73/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-08-20 05:45:05 UTC
File Type:
Binary (Archive)
Extracted files:
80
AV detection:
5 of 46 (10.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2nyh3t24gs6z2s2fgqkwrp6h55l7mwmhy3w7l5vbppgkivkjb5zq._file
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer suricata trojan
Link:
https://tria.ge/reports/210820-a6tent95te/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Lokibot
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://185.227.139.5/sxisodifntose.php/M6blptnVd3Wd9
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/d3707dcf5c34bd9d4b45341568bfc7ef57f65987c6edf5f6a17bcca455490f73

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

tar d3707dcf5c34bd9d4b45341568bfc7ef57f65987c6edf5f6a17bcca455490f73

(this sample)

Loki

Executable exe 2b8ac768796de30803bc5bb6f116d39d0ee7843715b66b875d0942029d14e172

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 2b8ac768796de30803bc5bb6f116d39d0ee7843715b66b875d0942029d14e172
  
Dropping
Loki

Comments