MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3390d55fcaf849c1dc612723a24162bfb6e06b8681624d55555c6418b3a1db2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 3


Intelligence 3 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e3390d55fcaf849c1dc612723a24162bfb6e06b8681624d55555c6418b3a1db2
SHA3-384 hash: c4d5a4f434e9ad038c0a4991fe8caa645aebead64a7b9d1da2a45b36ea29d7809ef56001679d77e03ba00a9cbd622823
SHA1 hash: 139504087979022c797220f7a0b3577c283a24e2
MD5 hash: c2eedff4fdc58c7bbc78fcc6e60006ab
humanhash: sixteen-neptune-one-network
File name:e3390d55fcaf849c1dc612723a24162bfb6e06b8681624d55555c6418b3a1db2
Download: download sample
Signature Loki
Create hunting rule
File size:1'169'720 bytes
First seen:2020-03-23 16:24:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6538cb5d1302a6510506860837161b6f (1 x Loki)
ssdeep 6144:RUgXB4B3f0XucWCOihKSzdksFos1hge+F3:TB4Bce9tS+sFXge+F3
Threatray 494 similar samples on MalwareBazaar
TLSH AC45BF863340FBA2D529C8720039CEF46970AFAD14F2484FA575FE5BED783A2481D9B5
Reporter Marco_Ramilli
Tags:exe Loki

Code Signing Certificate

Organisation:wall as a service modern layout center press
Issuer:wall as a service modern layout center press
Algorithm:sha256WithRSAEncryption
Valid from:May 13 17:09:43 2019 GMT
Valid to:May 12 17:09:43 2022 GMT
Serial number: 01
Intelligence: 371 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 5AC8EB401BC8B5848A7225089B77529156E5E6B0F6EC1535920946712BAB6DDF
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Variant.Ursu.445771.1961.158.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2019-05-14 22:43:33 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
28 of 30 (93.33%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
guloader
Create hunting rule
Similar samples:
02b10c6690bd0ed3e9b675553519df78a7ede63a398d68304043eacb691fd305
Loki
165a08681451ecc7ad583d97bacbc449b219a7ea3daa0355f2c77d19907a1d0d
Loki
5e5d88343393a5a1f98a66c8e5967023e200dcf3be81bc0a3c210396156d0fea
Loki
5f9b8ce62abc0d49b1bb253bd51286151a8b3d3f09fdb9e37cd964f80df26669
Loki
aea480ebd5777e840f0b988267554fe1d35f70238bed009231b24475fdc0b0d9
Loki
bc5abecfb3e5dc45ac5ad4b9273cd06e2b7d0ea834f67ca209d6999f5b054bef
Loki
cac86be4b999583d9586a49aa2530ea548a78019e25c98f02158c01ef2883381
Loki
d2641eefb1f61e48b87efdf457c48469b11192863ce4aafaa630d14c6cdee9be
Loki
d2edc352a2a157c1ac51e314039ca894958635959d905900755992eed6a13256
Loki
f4cbb077c89f62bb6542489c882b324e8e2880dc3970e2540e61d1d25fff157a
Loki
+ 484 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_lokipws_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe e3390d55fcaf849c1dc612723a24162bfb6e06b8681624d55555c6418b3a1db2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/196354/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
VB_APILegacy Visual Basic API usedMSVBVM60.DLL::__vbaSetSystemError
MSVBVM60.DLL::__vbaObjSetAddref
MSVBVM60.DLL::EVENT_SINK_AddRef
MSVBVM60.DLL::__vbaFileOpen
MSVBVM60.DLL::__vbaErrorOverflow

Comments