MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e526ef5ac384b5c6a5f1d844fe88752223a2df5b9fb01389df09155ba5b98cf7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e526ef5ac384b5c6a5f1d844fe88752223a2df5b9fb01389df09155ba5b98cf7
SHA3-384 hash: bba0aff9334603518e08ac84bce047fd9560bf0121194d3e8b8c221d098efafcd0e86216e37711f8484e34c9a6f3ebff
SHA1 hash: d37eb801cb9ec7def54cacea9943f362b862e240
MD5 hash: 6234a51bc75e744df7073b66bd6d8855
humanhash: fanta-utah-pizza-zulu
File name:UWiGTSNxQPXd91q.exe
Download: download sample
Signature Loki
Create hunting rule
File size:590'336 bytes
First seen:2021-01-14 20:04:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:jsKZVT2JBRtVnfupvF0RVk4Wo/ei+QvqB2ot1+mmTr12yM:js5Jj/fu9ceQei7qBj+zR2yM
Threatray 3 similar samples on MalwareBazaar
TLSH 09C4120056785B22EEBE9BF96AA5C14807B675B3B332E32C4D9571E92593720C680F37
Reporter abuse_ch
Tags:exe GoDaddy Loki


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: p3plsmtp26-03-25.prod.phx3.secureserver.net
Sending IP: 216.69.139.27
From: biuro@kancelaria-tw.pl
Subject: Nuevo pedido- # 04178958
Attachment: New order.rar (contains "UWiGTSNxQPXd91q.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
155
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
UWiGTSNxQPXd91q.exe
Verdict:
No threats detected
Analysis date:
2021-01-14 21:01:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0dbd76a8-86bb-4f8a-bbb3-2ff44aec6dee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/112073/
Detection(s):
SecuriteInfo.com.Trojan.Siggen11.57608.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/581798
Signature
.NET source code contains potential unpacker
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM_3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e526ef5ac384b5c6a5f1d844fe88752223a2df5b9fb01389df09155ba5b98cf7/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-01-14 14:02:50 UTC
AV detection:
12 of 46 (26.09%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4uto6wwdqs24njpr3bcp5cdveir2fx23t6ybhco7bekvxjnzrt3q._file
Verdict:
unknown
Similar samples:
3622005ae3bfc501cdba1551166885af68fbdf4deb6b780880e8b1e71e8f3cf5
Loki
5128bb068a8ab072f70e24e50edbb76198f9ed7859534505cf62c067bb1221de
Loki
9f4258e5c61e45d8cedece680a26b83be12413727685afdf469bc91727751a8c
Loki
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210114-v54slmg71a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
4c893ecc65ab6dc915df25d3226a5236bcd1bb9161cf7104a2359bc19e12dd82
MD5 hash:
fc320db307d393d329b5292e875960ab
SHA1 hash:
fbf0b0e115491c9839fe28aa3a0876ddc336dd9c
Link:
https://www.unpac.me/results/b6342215-5b12-4af3-9cf6-41fc81764e08/
SH256 hash:
64a419709ad219ffc006bda776b650da486d55048d2fa34525f40227da0e5c86
MD5 hash:
88c0ec8398978fa2e4240f02765086ad
SHA1 hash:
5a5c4935b2d70e890c89ad9332365f4f4aa86f3c
Link:
https://www.unpac.me/results/b6342215-5b12-4af3-9cf6-41fc81764e08/
SH256 hash:
742ae9a1b16526473a71a07f6b07f1ccfc000bae4b5cb39695c6ab1ac35cde45
MD5 hash:
db494a437e5ce96a35186f94cc380ed6
SHA1 hash:
0398300b58954b738a77cd1730260fb8427dee74
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/b6342215-5b12-4af3-9cf6-41fc81764e08/
Parent samples :
e526ef5ac384b5c6a5f1d844fe88752223a2df5b9fb01389df09155ba5b98cf7
6f6a4ba365d2b3086b4c7c98d45e7216ac000bce60094e92023868b11750f4b1
SH256 hash:
e526ef5ac384b5c6a5f1d844fe88752223a2df5b9fb01389df09155ba5b98cf7
MD5 hash:
6234a51bc75e744df7073b66bd6d8855
SHA1 hash:
d37eb801cb9ec7def54cacea9943f362b862e240
Link:
https://www.unpac.me/results/b6342215-5b12-4af3-9cf6-41fc81764e08/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/e526ef5ac384b5c6a5f1d844fe88752223a2df5b9fb01389df09155ba5b98cf7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

rar 41b16dc098db364a7be4f2555037e0cd9be1e21e2f0aa031567e839cc837be00

Loki

Executable exe e526ef5ac384b5c6a5f1d844fe88752223a2df5b9fb01389df09155ba5b98cf7

(this sample)

  
Dropped by
MD5 2a53757cbee565301459d03022939923
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 41b16dc098db364a7be4f2555037e0cd9be1e21e2f0aa031567e839cc837be00
Cape
Cape
https://www.capesandbox.com/analysis/112073/

Comments