MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6c6e7d2f285d7248b7b8e2e4db1aa8340f967ff3f45a6a4c35165e24d3ff9a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e6c6e7d2f285d7248b7b8e2e4db1aa8340f967ff3f45a6a4c35165e24d3ff9a2
SHA3-384 hash: 9d79f15e58580784426a3aa377b7a14e346fa70648b95ebc9a5228182c217175fb55999935608a7a83d9537793b11259
SHA1 hash: 8debdd5556ded48ac5c512cb04c74657cd8b578d
MD5 hash: 6fc1cbcc0ade853b721e8b56796cf846
humanhash: monkey-maryland-happy-eighteen
File name:RFQ_ETC020420.exe
Download: download sample
Signature Loki
Create hunting rule
File size:1'305'088 bytes
First seen:2020-04-02 18:48:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:UCdxte/80jYLT3U1jfsWaKIxoykinqWolX5Q:Fw80cTsjkWaKcoyk8qWoly
Threatray 2'215 similar samples on MalwareBazaar
TLSH 6F55DF2273DDC371CB769173BF2AB7016EBB38614630B95B2F880D7DA950161162DBA3
Reporter JoulK
Tags:Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.27684.AidExe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.AutoIT-87.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PWS.Stealer.19347.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-04-02 00:44:55 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
00372c59a05ba9cce6ab5a40b28e8bd7db5a284e019dbaaaccf30408ec14f26f
Loki
1fc07dd40ce54a5f60fd732d7cef7e8021ef21971fe7027ffdf524f326c59ac8
Loki
2773ca0f617c527ecacc2ab05f488ad9bb4875816d8f934e920bcbc40dd3f604
Loki
61a34452d0fe45c9ca538fae20e355c89d2d104b5dc8f50ca46be2d1e59e83c4
Loki
77acad55f36e96de7a8d2d37abc8faee5795196c67a89ae0b283f9076ea45c51
Loki
7e784491a41c322df63b093c3966bc9c0d209e66706c890a4803b39de0dec51d
Loki
925f7ac6e0ab0911c0cd801094f7d22e407ab69755173d6a38fb4f325bb160f5
Loki
c46c893972a4e58ca13bd9751cad2e962d0a8d6b59e2a5d061250c1b79fbafed
Loki
cf0d07700b71c7041c0e761c114b1555e5cf66c61f4e0812a96b83e087c3cd35
Loki
da362c114efb6a8f52b94b4554a7dcf6594eb2408f16d22cbd3cdbc520eb86eb
Loki
+ 2'205 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::CopySid
ADVAPI32.dll::FreeSid
ADVAPI32.dll::GetLengthSid
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::GetAce
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoCreateInstance
ole32.dll::CoCreateInstanceEx
ole32.dll::CoInitializeSecurity
ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_APICan Play MultimediaWINMM.dll::mciSendStringW
WINMM.dll::timeGetTime
WINMM.dll::waveOutSetVolume
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AddAce
ADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::CheckTokenMembership
ADVAPI32.dll::DuplicateTokenEx
ADVAPI32.dll::GetAclInformation
ADVAPI32.dll::GetSecurityDescriptorDacl
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::ShellExecuteW
SHELL32.dll::SHFileOperationW
WIN32_PROCESS_APICan Create Process and ThreadsADVAPI32.dll::CreateProcessAsUserW
KERNEL32.dll::CreateProcessW
ADVAPI32.dll::CreateProcessWithLogonW
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
ADVAPI32.dll::OpenThreadToken
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::SetSystemPowerState
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileExW
KERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
IPHLPAPI.DLL::IcmpCreateFile
KERNEL32.dll::CreateFileW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameW
ADVAPI32.dll::GetUserNameW
ADVAPI32.dll::LogonUserW
ADVAPI32.dll::LookupPrivilegeValueW
WIN_NETWORK_APISupports Windows NetworkingMPR.dll::WNetAddConnection2W
MPR.dll::WNetUseConnectionW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegConnectRegistryW
ADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::BlockInput
USER32.dll::CloseDesktop
USER32.dll::CreateMenu
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::FindWindowW

Comments