MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 e5492d13dd5bf3bd7e1df12594f2839bd99148059d749e4aae1cb61fa08ec315. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Loki
Vendor detections: 5
| SHA256 hash: | e5492d13dd5bf3bd7e1df12594f2839bd99148059d749e4aae1cb61fa08ec315 |
|---|---|
| SHA3-384 hash: | b6c492d9b67992e060c9fd7ba5e9574473ba28f3e7b24f338ea9c5c7481c05133e88c465c0c8ccadae3f0b978a7d3297 |
| SHA1 hash: | 84de35c002cb6f62d69307dd19b43abb1c608263 |
| MD5 hash: | d6ba3fc7017be986af6fe1aa8864bcfa |
| humanhash: | harry-sixteen-east-twenty |
| File name: | Price List.rar |
| Download: | download sample |
| Signature | Loki |
| File size: | 346'854 bytes |
| First seen: | 2022-06-13 06:21:50 UTC |
| Last seen: | Never |
| File type: | rar |
| MIME type: | application/x-rar |
| ssdeep | 6144:BSR/atG05fG49BX5rf+Eo3TatqVRSdzuNz3wlMHIdhdrKGBIi+V8rYcYTDo19Lax:BSE7R9brJeOcWu5wMohNBqV8row3nyP |
| TLSH | T1FF7423F63176CCD1A7F4E3D58473A7B2A901FA5BBF049D16CC58FA3D052A0961583871 |
| TrID | 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1) |
| Reporter |  cocaman |
| Tags: | Loki rar |
cocaman
Malicious email (T1566.001)From: "Huyen Anh <henry@xv25.fzhang.cfd>" (likely spoofed)
Received: "from hp0.xv25.fzhang.cfd (unknown [164.92.67.5]) "
Date: "Sun, 12 Jun 2022 21:29:33 -0700"
Subject: "Re: price list"
Attachment: "Price List.rar"
Intelligence
File Origin
# of uploads :
1
# of downloads :
172
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name:
ByteCode-MSIL.Trojan.LokiBot
Status:
Malicious
First seen:
2022-06-13 01:33:59 UTC
File Type:
Binary (Archive)
Extracted files:
9
AV detection:
19 of 26 (73.08%)
Threat level:
5/5
Detection(s):
Malicious file
Result
Malware family:
lokibot
Score:
10/10
Tags:
family:lokibot collection spyware stealer suricata trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://198.187.30.47/p.php?id=53483370875096238
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
exe Delivery method
Distributed via e-mail attachment
Dropping
Loki
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.