MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4cb074ca623e33af5fbe7f728f60b3b264330f138e9366a7e6fa9a3ac12a31f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f4cb074ca623e33af5fbe7f728f60b3b264330f138e9366a7e6fa9a3ac12a31f
SHA3-384 hash: 6bdd3d2ffc74c75ee0673c4569457a0ffcdc14edceb56f53009d87f59a6f60258154ac0b17aab64858fc2f2cc96a333a
SHA1 hash: 81fdbb849b81a0f4d28515dd771615defcebbb0a
MD5 hash: 05797a9e39ee41a66c33ab58032d6e2b
humanhash: cola-virginia-cold-bluebird
File name:Tax for this tax period is -702.23 AED.exe
Download: download sample
Signature Loki
Create hunting rule
File size:470'016 bytes
First seen:2021-02-11 10:06:53 UTC
Last seen:2021-02-11 11:59:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:jR8Zi97083+5oayq9j7LluzO1hwhncMzcWZRMd9h3FLf:6ZS3ooG5MCLqnDccc
Threatray 30 similar samples on MalwareBazaar
TLSH 6BA4F22D1BBC8F55D2592F7C0E70D224B7FDC7521E16D306EEA42DDC693AE88A9809C1
Reporter abuse_ch
Tags:ARE exe geo Loki


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: tax.gov.ae
Sending IP: 45.137.22.41
From: fta-reg <fta-reg@tax.gov.ae>
Subject: VAT Return Submission (refund position)
Attachment: Tax for this tax period is -702.23 AED.gz (contains "Tax for this tax period is -702.23 AED.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Tax for this tax period is -702.23 AED.exe
Verdict:
Malicious activity
Analysis date:
2021-02-11 10:13:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1e8ed593-8a24-46f5-b0de-614b86f39311

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/116780/
Detection(s):
SecuriteInfo.com.Artemis05797A9E39EE.23488.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/605652
Signature
Antivirus detection for URL or domain
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f4cb074ca623e33af5fbe7f728f60b3b264330f138e9366a7e6fa9a3ac12a31f/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2021-02-11 10:38:11 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6tfqotfgeprtv5p3473sr5qlhmtegmhrhdutm2t6n6u2hlasumpq._file
Verdict:
unknown
Similar samples:
005051028cd70b06d41a9703a87b07dfd779d03395073edf6d43aaa10a719040
Loki
093c6d24a6ee34fd279dce32ae9fc9be8970668b11e7018c0286ed350d6155e9
Loki
21090f5623e9c498291f5fea0d54bb7ea8cd27088b9a4d80b325acbf44d85b8a
Loki
4c38ca304d90865a911a298d8d79fe91000c50d78e58383a74b5f502d4c17bf2
Loki
5bbb6f4426870c981ad4c9049d6b471e153780d29e0e02030a0f26c3d1050375
Loki
61bb0008f7eb07dee59ef765fe010cf1612d9e8f3a17a5cb3b5fbab76d232df9
Loki
d6d98fe472040b42a4bb0a040480aa7335f92e56f49b558c86c9bb07162028f6
Loki
e48eaa56cf0a12668fc9400f1a6d8840ea70127c7653c497887cb50b296317ec
Loki
ee559d67bcad95fc4e1e6c867908b0b84338472a30d28d34da415c7efbd48f2b
Loki
fa0c59c6418d5bc0a4efc4a543c49b5e6e1a92f5ecf1ffbceadc6cc9bdf0b63b
Loki
+ 20 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210211-v1dtey1emn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Unpacked files
SH256 hash:
b2499a2af35b550fbe7f541a14ff1225e1202324f351eecf85de6c8e9fc7c27c
MD5 hash:
5e732e4265622675313195dead01047e
SHA1 hash:
359c710a93c2f58cdc2a45de8dd48a6884a70645
Link:
https://www.unpac.me/results/f38caf19-bee1-4d8c-9ea4-608d7c7871af/
SH256 hash:
f4cb074ca623e33af5fbe7f728f60b3b264330f138e9366a7e6fa9a3ac12a31f
MD5 hash:
05797a9e39ee41a66c33ab58032d6e2b
SHA1 hash:
81fdbb849b81a0f4d28515dd771615defcebbb0a
Link:
https://www.unpac.me/results/f38caf19-bee1-4d8c-9ea4-608d7c7871af/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

gz 31bcb3b5ae2c6160f926cb2b4cd0bead4d4d425268a257a42002a88fc369a5e3

Loki

Executable exe f4cb074ca623e33af5fbe7f728f60b3b264330f138e9366a7e6fa9a3ac12a31f

(this sample)

  
Dropped by
MD5 26d0ce8060c056b789d376c13bb8832a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/116780/
  
Dropped by
SHA256 31bcb3b5ae2c6160f926cb2b4cd0bead4d4d425268a257a42002a88fc369a5e3

Comments