MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee665ac6cacc0fec507227dedc2efaeebddab022b1cf553280a6733e08d7085d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	ee665ac6cacc0fec507227dedc2efaeebddab022b1cf553280a6733e08d7085d
SHA3-384 hash:	9b9055e705fbb8704a6fa3784a1ec10013512c2558d6bfbe1285b343ac95b34f47036bc77e253590df2b7b5f8481be4d
SHA1 hash:	1e319f4eed8623f93bd1f43826617b84569ca1de
MD5 hash:	2416f32ed0d3111d51fff37f4a2d2702
humanhash:	washington-eleven-vermont-triple
File name:	ee665ac6cacc0fec507227dedc2efaeebddab022b1cf553280a6733e08d7085d
Download:	download sample
Signature	Loki Create hunting rule
File size:	622'080 bytes
First seen:	2020-03-23 15:58:14 UTC
Last seen:	2020-03-23 16:17:36 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	85f5edf91d2b0cdb95140aa8ebd97bc8 (1 x Loki)
ssdeep	12288:+PQ8rQBmYdGig53OTR5GE7RzTJ1RpJgbAx2+jFG:SQb3rgwPD7RzT3RpJKAU+A
Threatray	1'462 similar samples on MalwareBazaar
TLSH	ACD47D23B2A24D77C022563D4C175A68D529BD31AF3D6F861AED7D4CAF3F240392A253
Reporter	Marco_Ramilli
Tags:	exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Malware.Lptehw-6879858-0

Win.Malware.Smdd-6879862-0

Win.Malware.Fareit-6879874-0

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Gathering data

Threat name:

Win32.Trojan.Loki

Status:

Malicious

First seen:

2019-03-06 18:28:40 UTC

AV detection:

28 of 31 (90.32%)

Threat level:

5/5

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

exe ee665ac6cacc0fec507227dedc2efaeebddab022b1cf553280a6733e08d7085d

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/154217/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance ole32.dll::CreateStreamOnHGlobal
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryExA kernel32.dll::LoadLibraryA kernel32.dll::GetSystemInfo kernel32.dll::GetStartupInfoA kernel32.dll::GetDiskFreeSpaceA kernel32.dll::GetCommandLineA
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateFileA kernel32.dll::FindFirstFileA kernel32.dll::GetTempPathA
WIN_BASE_USER_API	Retrieves Account Information	kernel32.dll::GetComputerNameA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA
WIN_USER_API	Performs GUI Actions	user32.dll::ActivateKeyboardLayout user32.dll::CreateMenu user32.dll::FindWindowA user32.dll::PeekMessageA user32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample