MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8b2ffd30fe5984a39973b92b91efea09d90e39c99bd5b2327205463678e20a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	d8b2ffd30fe5984a39973b92b91efea09d90e39c99bd5b2327205463678e20a6
SHA3-384 hash:	e690d67373e037cf7d24932104421ad7b4d2dd9b77142c48ba7c1f6fc32040d6c269b2e803b1165b79d21b351fd84777
SHA1 hash:	5c9f5ea0ced61e7a1f43f6fc0002696e26eb259d
MD5 hash:	f37f52241606b4c298230df272008575
humanhash:	low-zebra-cup-hotel
File name:	mrholyaa.exe
Download:	download sample
File size:	765'952 bytes
First seen:	2020-04-30 07:33:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7d89d31912ae1a5bf308a3300d67ba03
ssdeep	12288:c10342KD6N2wwdb2GuLq6AP8EcZTnRwR4Nv828i43iyR3:CAOeN2wWyBFAPspnRw2RE3io
Threatray	381 similar samples on MalwareBazaar
TLSH	E0F47D23A2E14837DD731A38DD3BD7E49926BE113E24A9472BE51C4C9F393813929397
Reporter	jarumlus

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Trojan.Agent-7382633-0

Win.Malware.Ehhw-7414166-0

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Gathering data

Threat name:

Win32.Trojan.Lokibot

Status:

Malicious

First seen:

2019-11-11 13:39:51 UTC

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Verdict:

malicious

65a59e303768c300ddda71f068996d02af3f154dc48f72c958ec5da2a1260f9c

6d833bd671f179c8dfdf89aac0bc77cd7bb49f82a98cbf5d8122a9d47fa98e9f

7ab75859697472c8bda10b6cb7e7ffa7c8f5ce5eae3e7c67a565ffad2c6de83b

8948e4e0f392197b1c1436e5f7a2a7bc326c849b6129d8cf287a6d6a03cd642e

b14306aa1789a4d6b9bfa4f8c9392033ef0fc70e584addad632135f7f832dec1

c366104c944aee48c742218be05de134d13fd7bde6024b1c0f4c1d843b2288f8

e0e1906cf3bdce3052f97a950aef614488f566a4d587428d64d0c848f97a7a4f

ee90eed51dae78e750028e905b9f3dd61af7407bf82b19c666e9549b6e982a62

f86974cc3a2a1d06dcc4effe66d6e27380dd4e4e4fe254a1b88a3ea3c7e681c4

+ 371 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryExA kernel32.dll::LoadLibraryA kernel32.dll::GetDriveTypeA kernel32.dll::GetVolumeInformationA kernel32.dll::GetSystemInfo kernel32.dll::GetStartupInfoA
WIN_BASE_EXEC_API	Can Execute other programs	kernel32.dll::WinExec
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateFileA kernel32.dll::GetFileAttributesA kernel32.dll::FindFirstFileA kernel32.dll::GetTempPathA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA
WIN_USER_API	Performs GUI Actions	user32.dll::ActivateKeyboardLayout user32.dll::CreateMenu user32.dll::FindWindowA user32.dll::PeekMessageA user32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample