MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4522323d9dcdf293d23d86d6701f9e4eca1f51885ff6e8a7963e58db7b89209. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f4522323d9dcdf293d23d86d6701f9e4eca1f51885ff6e8a7963e58db7b89209
SHA3-384 hash: 63e1dcb0570b9ee93aec02fcc8c685c1ed04642d6007f502240c88b20a08995272f4a757c98870e7855a8413527e87ff
SHA1 hash: 00db725684215847f14eb66968d9190055e27ed0
MD5 hash: 4379370b20fd06403a842670b9edbd68
humanhash: golf-spaghetti-emma-undress
File name:DHL Shipment documents.ace
Download: download sample
Signature Loki
Create hunting rule
File size:96'850 bytes
First seen:2021-07-20 06:17:31 UTC
Last seen:Never
File type: ace
MIME type:application/octet-stream
ssdeep 1536:Hg0avDsypxifA8M+dZlVxlhtgmaR9uZK8py0BDQ9meBAtHaj/sVT9c7n/snXT4+:HaDbxwO4nVxRgFMk0pQ91AtH2/p7n/od
TLSH T1059312B70753A30EF34877E69040947B0385B0E6006397CC7ABC12F95A3933D99A9A97
Reporter cocaman
Tags:ace DHL Loki


Avatar
cocaman
Malicious email (T1566.001)
From: "DHL Express <dhl@225.mtrxiv.club>" (likely spoofed)
Received: "from postfix-inbound-4.inbound.mailchannels.net (inbound-egress-5.mailchannels.net [199.10.31.237]) "
Date: "Mon, 19 Jul 2021 22:07:13 -0700"
Subject: "=?utf-8?q?DHL_Import_Clearance_=E2=80=93_Consignment_=3A_=23600595460_is_?=
=?utf-8?q?now_under_clearance_process?="
Attachment: "DHL Shipment documents.ace"

Intelligence

File Origin
# of uploads :
1
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.25738.AceHeur.Exe.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.25166.AceHeur.Exe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Suspicious-ACE-exe.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f4522323d9dcdf293d23d86d6701f9e4eca1f51885ff6e8a7963e58db7b89209/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-07-20 04:10:34 UTC
File Type:
Binary (Archive)
Extracted files:
1
AV detection:
12 of 46 (26.09%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6rjcgi6z3tpsspjd3bwwoapz4twkd5iyqx7w5ctzmpsy3n5ysieq._file
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/210720-87g5l4nbfa/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Lokibot
Malware Config
C2 Extraction:
http://185.227.139.18/dsaicosaicasdi.php/UNdvNRJkngXd7
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/f4522323d9dcdf293d23d86d6701f9e4eca1f51885ff6e8a7963e58db7b89209

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

ace f4522323d9dcdf293d23d86d6701f9e4eca1f51885ff6e8a7963e58db7b89209

(this sample)

Loki

Executable exe 2d65a3c7da04463e34efa56f9754da234575e1082c239ce1aad1d2115d4d029a

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 2d65a3c7da04463e34efa56f9754da234575e1082c239ce1aad1d2115d4d029a

Comments