MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df1338550b2b7474d6143c26fd6ef7feeb25bdb5931b268df83a031f1856a8f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 5

SHA256 hash: df1338550b2b7474d6143c26fd6ef7feeb25bdb5931b268df83a031f1856a8f7
SHA3-384 hash: 8951fb797695f336ff2e012d6f3583446c4ffd9bb97293388569af75b5eadf34315c241ceb3c695f4f521c0933e207fe
SHA1 hash: 7bfbe7fe09031371d31a28ab78040d11fd298425
MD5 hash: 5fdb6a8df8f0487eba25dc42c187719d
humanhash: maine-fanta-uncle-south
File name: Arshehkar Co November Order Request 778988647TGTT (2).scr
Signature Loki
File size: 1'042'112 bytes
First seen: 2020-11-05 15:43:37 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 4200abc8996b175d017a27c24840eda2 (5 x ModiLoader, 1 x Loki)
ssdeep 12288:IuQSAIeXjs8BQPtd+TuaCzhnycIZTtkOxy2QSTgvRwoaQtkljsWF/sWF9sT:nRMj/BQPSTuVByrthxpQSMpwoh8I
Threatray 210 similar samples on MalwareBazaar
TLSH A4259EA2A680D432D09215B94D5BD7FC783EBEE02D24580B77D4DE0C6F3A782B53925B
Reporter abuse_ch
Tags: Loki scr


abuse_ch
Loki C2:
http://www.zi-chem.co/Panel/five/fre.php
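The entry above gives two kinds of IOC a defender can act on immediately: the sample's file hashes (the catalogued .scr, which the sandbox results further down identify as a ModiLoader/DBatLoader stage) and the Loki C2 URL reported by abuse_ch. The following Python is an added example, not MalwareBazaar's or the reporter's code: it takes only the hashes and C2 URL from this entry, then matches them against a Squid-style proxy log and a list of file-hash events that are constructed here for illustration, and checks a downloaded blob against the listed hashes. The log format, host names and event dictionaries are assumptions for the example. Matching is graded: the full URL is an exact hit, the C2 host on any path is a host hit, and any other name under zi-chem.co is a weaker domain hit that should be reviewed rather than blocked blindly.

```python
import hashlib
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# IOCs taken from the MalwareBazaar entry above. Nothing else in this
# file comes from the entry.
SAMPLE_HASHES = {
    "sha256": "df1338550b2b7474d6143c26fd6ef7feeb25bdb5931b268df83a031f1856a8f7",
    "sha1": "7bfbe7fe09031371d31a28ab78040d11fd298425",
    "md5": "5fdb6a8df8f0487eba25dc42c187719d",
}
C2_URL = "http://www.zi-chem.co/Panel/five/fre.php"

_c2 = urlsplit(C2_URL)
C2_HOST = _c2.hostname                    # 'www.zi-chem.co' (urlsplit lower-cases it)
C2_PATH = _c2.path                        # '/Panel/five/fre.php'
C2_PARENT = C2_HOST.split(".", 1)[1]      # 'zi-chem.co'


def classify_url(url: str) -> Optional[str]:
    """Return 'exact', 'host', 'domain' or None for a URL seen in telemetry."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return None
    if host == C2_HOST and parts.path == C2_PATH:
        return "exact"
    if host == C2_HOST:
        return "host"
    if host == C2_PARENT or host.endswith("." + C2_PARENT):
        return "domain"
    return None


def scan_proxy_log(lines: List[str]) -> List[Dict]:
    """Squid native format (assumed): ts elapsed client code/status bytes method url ..."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue                       # malformed or truncated line, skip it
        verdict = classify_url(fields[6])
        if verdict:
            hits.append({"client": fields[2], "method": fields[5],
                         "url": fields[6], "match": verdict})
    return hits


def scan_file_events(events: List[Dict]) -> List[Dict]:
    """events: dicts with 'host', 'path' and any of 'sha256'/'sha1'/'md5' (hex)."""
    hits = []
    for ev in events:
        for algo, expected in SAMPLE_HASHES.items():
            if ev.get(algo, "").lower() == expected:
                hits.append({"host": ev["host"], "path": ev["path"], "algo": algo})
                break                      # one hit per event is enough
    return hits


def verify_download(data: bytes) -> Dict[str, bool]:
    """Compare a downloaded blob against the entry's hashes; all must agree."""
    computed = {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }
    return {algo: computed[algo] == SAMPLE_HASHES[algo] for algo in SAMPLE_HASHES}


# Constructed sample telemetry for the example (not real logs).
PROXY_LOG = [
    "1604590000.123 312 10.0.0.17 TCP_MISS/200 518 POST http://www.zi-chem.co/Panel/five/fre.php - HIER_DIRECT/203.0.113.5 text/html",
    "1604590001.456 88 10.0.0.17 TCP_MISS/200 4120 GET http://www.zi-chem.co/ - HIER_DIRECT/203.0.113.5 text/html",
    "1604590002.789 40 10.0.0.23 TCP_MISS/200 2200 GET http://example.org/index.html - HIER_DIRECT/198.51.100.9 text/html",
    "1604590003.000 50 10.0.0.31 TCP_MISS/200 900 GET http://mail.zi-chem.co/login - HIER_DIRECT/203.0.113.6 text/html",
]
FILE_EVENTS = [
    {"host": "WS-017",
     "path": r"C:\Users\a\Downloads\Arshehkar Co November Order Request 778988647TGTT (2).scr",
     "sha256": "df1338550b2b7474d6143c26fd6ef7feeb25bdb5931b268df83a031f1856a8f7"},
    {"host": "WS-023", "path": r"C:\Windows\System32\notepad.exe", "sha256": "0" * 64},
]

if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print("network:", hit)
    for hit in scan_file_events(FILE_EVENTS):
        print("file:", hit)
    print("download verified:", verify_download(b"not the real sample"))
```

The POST to /Panel/five/fre.php from 10.0.0.17 is the exact C2 match; the same client's GET of the site root is a host match; the mail.zi-chem.co line is only a domain match, which is why the three grades are kept separate instead of being collapsed into one block rule. verify_download returns a per-algorithm result so that a partial mismatch (a stale MD5 in a ticket, say) is visible rather than hidden behind a single boolean.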

Intelligence

File Origin
# of uploads: 1
# of downloads: 57
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Suspicious
Maliciousness:
Behaviour:
Creating a window
DNS request
Connection attempt
Sending a TCP request to an infection source
Threat name: Win32.Trojan.Delf
Status: Malicious
First seen: 2020-11-05 10:20:17 UTC
AV detection: 24 of 28 (85.71%)
Threat level: 5/5
Result
Malware family: modiloader
Score: 10/10
Tags: family:modiloader persistence trojan upx
Behaviour:
Modifies registry key
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
UPX packed file
ModiLoader First Stage
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SHA256 hash: 0a70c2f1d70aa0ebf46163c63acb5a7b3d3ca169a018017bdc19e642a6d24506
MD5 hash: b4564fdf1e9aeeb933b045ce40b058fd
SHA1 hash: 437ee744b0ef530851a751f57c38b0a42363e3fc
SHA256 hash: df1338550b2b7474d6143c26fd6ef7feeb25bdb5931b268df83a031f1856a8f7
MD5 hash: 5fdb6a8df8f0487eba25dc42c187719d
SHA1 hash: 7bfbe7fe09031371d31a28ab78040d11fd298425
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: ach_AgentTesla_20200929
Author: abuse.ch
Description: Detects AgentTesla PE

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name: win_agent_tesla_v1
Author: Johannes Bader @viql
Description: detects Agent Tesla

Rule name: win_bit_rat_w0
Author: KrabsOnSecurity
Description: String-based rule for detecting BitRAT malware payload
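Of the four YARA matches, three are family rules for families other than the ones this entry names (AgentTesla and BitRAT), which is the usual noise when string rules are run over a packed Delphi loader; the one match that lines up with the sandbox output is suspicious_packer_section, the name-based rule that corresponds to the "UPX packed file" behaviour above. To show what that rule is keying on, here is an added Python example (not the rule itself and not MalwareBazaar code) that parses the PE section table directly and reports packer-style section names, plus one layout heuristic the name list alone misses: a section with no data on disk but a large writable and executable region in memory, which is how UPX's UPX0 section is laid out. The packer name list is an illustrative subset I assembled for this example, and the two PE images it runs on are constructed header-only files, not the real sample.

```python
import struct
from typing import Dict, List

# Section names used by common packers. Illustrative subset assembled for this
# example; it is not the YARA rule's own list.
PACKER_SECTION_NAMES = {
    "UPX0", "UPX1", "UPX2",        # UPX
    ".aspack", ".adata",           # ASPack
    ".vmp0", ".vmp1",              # VMProtect
    ".themida",                    # Themida
    ".petite",                     # Petite
    ".MPRESS1", ".MPRESS2",        # MPRESS
    "pec1", "pec2",                # PECompact
    ".nsp0", ".nsp1",              # NsPack
}

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER = "<8sIIIIIIHHI"      # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(data: bytes) -> List[Dict]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (nsect,) = struct.unpack_from("<H", data, coff + 2)       # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)   # SizeOfOptionalHeader
    table = coff + 20 + opt_size                              # COFF header is 20 bytes
    sections = []
    for i in range(nsect):
        off = table + 40 * i
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        name, vsize, _va, rawsize, _rawptr, _, _, _, _, chars = \
            struct.unpack_from(SECTION_HEADER, data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "virtual_size": vsize,
            "raw_size": rawsize,
            "characteristics": chars,
        })
    return sections


def packer_indicators(data: bytes) -> List[str]:
    """Name-based check (what the YARA rule does) plus a layout heuristic."""
    findings = []
    wx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    for s in parse_sections(data):
        if s["name"] in PACKER_SECTION_NAMES:
            findings.append(f"packer section name {s['name']!r}")
        # UPX0-style section: nothing on disk, a large W+X region once mapped.
        if s["raw_size"] == 0 and s["virtual_size"] > 0 and (s["characteristics"] & wx) == wx:
            findings.append(
                f"section {s['name']!r} has no raw data but {s['virtual_size']:#x} W+X bytes in memory")
    return findings


def build_minimal_pe(sections) -> bytes:
    """Constructed test input: a header-only PE32 (no code), enough for the parser."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytes(0xE0)                                         # PE32 optional header, zeroed
    table = b"".join(
        struct.pack(SECTION_HEADER, name.encode("ascii"), vsize, 0, rawsize, 0, 0, 0, 0, 0, chars)
        for name, vsize, rawsize, chars in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + opt + table


# Constructed section layouts (not taken from the real sample).
UPX_LIKE = build_minimal_pe([
    ("UPX0", 0x30000, 0, 0xE0000080),        # uninitialised, RWX: unpack target
    ("UPX1", 0x10000, 0xF000, 0xE0000040),   # packed data plus stub
    (".rsrc", 0x1000, 0x1000, 0xC0000040),
])
CLEAN = build_minimal_pe([
    (".text", 0x1000, 0x1000, 0x60000020),
    (".data", 0x1000, 0x200, 0xC0000040),
])

if __name__ == "__main__":
    print(packer_indicators(UPX_LIKE))
    print(packer_indicators(CLEAN))
```

Running this over a real download (open the file in binary mode and pass the bytes) gives the same two kinds of finding; the name check is cheap but trivially defeated by renaming sections, which is why the raw-size-versus-virtual-size heuristic is worth carrying alongside it.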

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Loki: Executable exe df1338550b2b7474d6143c26fd6ef7feeb25bdb5931b268df83a031f1856a8f7 (this sample)

Delivery method: Distributed via e-mail attachment