MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df7674f44ffc5c738cd3f1efa27aff8ec3d47f8dadd8cba71c13b9c81e683e89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: df7674f44ffc5c738cd3f1efa27aff8ec3d47f8dadd8cba71c13b9c81e683e89
SHA3-384 hash: 267cd11d9f77a0c6eabc8d744fa65839aca0c79929541b032a345b11ff9640f91fd9442e79155ff67f24ff98dc506e08
SHA1 hash: d9b085627de8413f0920d9230d10e61c77e18f9c
MD5 hash: 9122344e3b9e4ed48c49bbe2c0e2c0ea
humanhash: quebec-uranus-yankee-salami
File name:193026588 Swift Copy.rar
Download: download sample
Signature Loki
Create hunting rule
File size:640'275 bytes
First seen:2022-02-22 07:05:05 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 12288:+nm4i43v8KY2xQkGY3/sQmh7rklvFs070x2yQguu9t3AB8AZom4:+3f8z2x8YP7mh7rk8dx2jgujBEL
TLSH T10AD423BCDDC1DDDB42CE371EB1CA0089DE1505922A2A3B866C71B54D6CB2875A0DE8DF
Reporter cocaman
Tags:Loki rar SWIFT


Avatar
cocaman
Malicious email (T1566.001)
From: "Anny grace <grace@dcmusn.sbs>" (likely spoofed)
Received: "from hp0.dcmusn.sbs (unknown [137.184.236.49]) "
Date: "Mon, 21 Feb 2022 17:57:03 -0800"
Subject: "RE: Bank receipt for INV#193026588"
Attachment: "193026588 Swift Copy.rar"

Intelligence

File Origin
# of uploads :
1
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe update.exe
Link:
https://www.filescan.io/uploads/62148b27ac8ad0468b64fd80/reports/85604628-0c59-4cbd-a4f8-3404465b1ffb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/df7674f44ffc5c738cd3f1efa27aff8ec3d47f8dadd8cba71c13b9c81e683e89/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2022-02-22 07:06:14 UTC
File Type:
Binary (Archive)
Extracted files:
25
AV detection:
11 of 43 (25.58%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=353hj5cp7rohhdgt6hx2e6x7r3b5i74nvxmmxjy4co44qhtih2eq._file
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/220222-hwkl5sdhb2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://164.90.194.235/?id=13524038937789651
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/df7674f44ffc5c738cd3f1efa27aff8ec3d47f8dadd8cba71c13b9c81e683e89

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

rar df7674f44ffc5c738cd3f1efa27aff8ec3d47f8dadd8cba71c13b9c81e683e89

(this sample)

Loki

Executable exe e1d54d2244d2ee82170a78ae2d63cfde1338a1678aca6679bb9f315d04ca4ba4

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 e1d54d2244d2ee82170a78ae2d63cfde1338a1678aca6679bb9f315d04ca4ba4
  
Dropping
Loki

Comments