MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7eb633b0bc14a4fee184364a31783aab035800613f4dde15a84f87243cf9879. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: e7eb633b0bc14a4fee184364a31783aab035800613f4dde15a84f87243cf9879
SHA3-384 hash: bd9822494a388a13001f1ced1943c11055d941e970119cd1579607c601a75cc284a20f278c2b65e34439a871d98f092d
SHA1 hash: 991d19b31d93f4e8a572ef79307921f33b7d8dab
MD5 hash: 329e5766ebd9bbca8a790ee427e6a8a5
humanhash: nine-four-table-echo
File name: Purchase order.exe
Signature: Loki
File size: 321'536 bytes
First seen: 2020-06-30 13:06:33 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep: 6144:ITVTiVwyv25oDcuGMaH6HOtPv+1dgLRSJSZN2il/Tgd:IxuVwyv2qDzGMQmOtP21W9Y/ilcd
TLSH: 0E64162E1204466FE5647AB0C09E7F510EA026FF3963E77ABD50B183F912BD5523393A
Reporter: @abuse_ch
Tags: exe Loki


Twitter
@abuse_ch
Malspam distributing Loki:

HELO: sme15.small-dns.com
Sending IP: 183.81.162.123
From: azhar.haron@slwholding.com.my
Subject: Purchase order
Attachment: Purchase order.zip (contains "Purchase order.exe")

Loki C2:
http://slimfile.cf/Slim/fre.php

Intelligence


Mail intelligence
Trap location: Global
Impact: Low
# of uploads: 1
# of downloads: 28
Origin country: FR

CAPE Sandbox
Detection: Loki
Link: https://www.capesandbox.com/analysis/17184/

ClamAV
Detection: SecuriteInfo.com.Generic-EXE.UNOFFICIAL

CERT.PL MWDB
Detection: lokibot
Link: https://mwdb.cert.pl/sample/e7eb633b0bc14a4fee184364a31783aab035800613f4dde15a84f87243cf9879/

ReversingLabs
Status: Malicious
Threat name: ByteCode-MSIL.Trojan.Kryptik
First seen: 2020-06-30 13:08:07 UTC
AV detection: 18 of 30 (60.00%)
Threat level: 5/5

Spamhaus Hash Blocklist
Status: Malicious file

Hatching Triage
Score: 10/10
Malware Family: lokibot
Link: https://tria.ge/reports/200630-ts56psv2ca/
Tags: trojan spyware stealer family:lokibot
Config extraction (C2 URLs):
http://slimfile.cf/Slim/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

VirusTotal
Detection rate: 5.48%

Yara Signatures


Rule name: Lokibot
Author: JPCERT/CC Incident Response Group
Description: detect Lokibot in memory
Reference: internal research

Rule name: win_lokipws_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: with_sqlite
Author: Julian J. Gonzalez <info@seguridadparatodos.es>
Description: Rule to detect the presence of SQLite data in raw image
Reference: http://www.st2labs.com

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Delivery method: Malspam
Malware family: Loki
File: Executable exe e7eb633b0bc14a4fee184364a31783aab035800613f4dde15a84f87243cf9879 (this sample)

Delivery method: Distributed via e-mail attachment