MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e920edae93d44363b7f23b7eb55d9074a5781ab05cdace625283ba73bc411524. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e920edae93d44363b7f23b7eb55d9074a5781ab05cdace625283ba73bc411524
SHA3-384 hash: f60973577e1fa88909806178d8e4512fbf1569567695e562a94d9c07ec28655ce5c62cb422113bb69e119b7c585fd18b
SHA1 hash: f7c8debc1c05b133fd5db9f640e42cfbe7115535
MD5 hash: a5cdc39b45cb8c2f51a562d8c8fd1031
humanhash: victor-aspen-high-steak
File name:PO_pdf.exe
Download: download sample
Signature Loki
Create hunting rule
File size:106'496 bytes
First seen:2020-05-11 09:27:30 UTC
Last seen:2020-05-11 10:47:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ad2428d74ad55748c4f5e80470878a1d (1 x Loki)
ssdeep 1536:ggrhVH++Btw1tgxNo843bRz4basZnrxraH2P:5Nl++BtwD6azgasV9r4i
Threatray 1'807 similar samples on MalwareBazaar
TLSH 7EA3B55173A4FA27C8BA8EF60701AAE102F95C75581076536BCB7AEF1639C36E270317
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Malspam distributing Loki:

HELO: d166.x-mailer.de
Sending IP: 212.162.13.166
From: Catherine Minio<c.mini@blancmariclo.com>
Reply-To: <c.mini@blancmariclo.com>
Subject: Quotation for new order
Attachment: PO.rar (contains "PO_pdf.exe")

Loki C2:
http://egamcorps.ga/~zadmin/lmark/gld/mode.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.ArtemisA5CDC39B45CB.22449.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-11 11:35:00 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
24 of 31 (77.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5eqo3lut2rbwhn7shn7lkxmqossxqgvqltnm4yssqo5hhpcbcusa._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
2ed2a56967e7cb3e18b8b2cb910b9e6d356a52a9b65a05309c36ec62fa09773c
Loki
3667b7518f2634bfd589f12fe1fd6e7ec1701030529dd3ece0b04705e76e5e06
Loki
37a3468d527e22a4cdd0c1e8717a5bca60db2cd8aaace1a4d25b65eeccd8079c
Loki
40c27e805186cc26240cbf37d1d2809412c42e2a3610fdff32cf5b8ce35459e2
Loki
5c86fcf32d1f15a745dd2f39989630ac310d1aee52af7b5f762f75f8855879ab
Loki
610d402c4582386b2f01e1297d386c62f19b2d3f89c0f0db0e9c232e7de99c4e
Loki
a570592bf5a21c1f55712fcec60a0536fedabe28b409d9a48fdc499185e154ff
Loki
bdd1e58d7a15e88b1f6400fa7aff3d021a3b944dde54e0b156b5d90c71e1f553
Loki
c688c6b0f5bd44c8d37e810000892ce8d0e2225f1dd04a92d454fd60c7cdc779
Loki
ddf6f04276c1d976e62e199e6c928fb7a3d7aaec455a1859f8d8f605c89ffc64
Loki
+ 1'797 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-kab7apjhp2/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent state file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

rar ee32f4fd8924c24ce06a7a6bcd9f99d257b6fe7d20645d35ec93fa84d1b3fc1c

Loki

Executable exe e920edae93d44363b7f23b7eb55d9074a5781ab05cdace625283ba73bc411524

(this sample)

  
Dropped by
MD5 7ebbf49fb0f2fb6ecd0469e69acef435
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 ee32f4fd8924c24ce06a7a6bcd9f99d257b6fe7d20645d35ec93fa84d1b3fc1c

Comments