MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7eb633b0bc14a4fee184364a31783aab035800613f4dde15a84f87243cf9879. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Intelligence 2 File information 4 Yara 3 Comments

SHA256 hash: e7eb633b0bc14a4fee184364a31783aab035800613f4dde15a84f87243cf9879
SHA3-384 hash: bd9822494a388a13001f1ced1943c11055d941e970119cd1579607c601a75cc284a20f278c2b65e34439a871d98f092d
SHA1 hash: 991d19b31d93f4e8a572ef79307921f33b7d8dab
MD5 hash: 329e5766ebd9bbca8a790ee427e6a8a5
humanhash: nine-four-table-echo
File name:Purchase order.exe
Download: download sample
Signature Loki
File size:321'536 bytes
First seen:2020-06-30 13:06:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep 6144:ITVTiVwyv25oDcuGMaH6HOtPv+1dgLRSJSZN2il/Tgd:IxuVwyv2qDzGMQmOtP21W9Y/ilcd
TLSH 0E64162E1204466FE5647AB0C09E7F510EA026FF3963E77ABD50B183F912BD5523393A
Reporter @abuse_ch
Tags:exe Loki

Malspam distributing Loki:

Sending IP:
Subject: Purchase order
Attachment: Purchase (contains "Purchase order.exe")

Loki C2:


Mail intelligence
Trap location Impact
Global Low
# of uploads 1
# of downloads 28
Origin country FR FR
CAPE Sandbox Detection:Loki
CERT.PL MWDB Detection:lokibot
ReversingLabs :Status:Malicious
Threat name:ByteCode-MSIL.Trojan.Kryptik
First seen:2020-06-30 13:08:07 UTC
AV detection:18 of 30 (60.00%)
Threat level:   5/5
Spamhaus Hash Blocklist :Malicious file
Hatching Triage Score:   10/10
Malware Family:lokibot
Tags:trojan spyware stealer family:lokibot
Config extraction:
VirusTotal:Virustotal results 5.48%

Yara Signatures

Rule name:Lokibot
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:win_lokipws_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Author:Julian J. Gonzalez <>
Description:Rule to detect the presence of SQLite data in raw image

File information

The table below shows additional information about this malware sample such as delivery method and external references.



Executable exe e7eb633b0bc14a4fee184364a31783aab035800613f4dde15a84f87243cf9879

(this sample)

Delivery method
Distributed via e-mail attachment