MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 191c7c47fec63f29c5409e19a59ae3545295928a2e0e5f83a64ce64d1e2f0c1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Intelligence 1 File information 3 Yara 3 Comments

SHA256 hash: 191c7c47fec63f29c5409e19a59ae3545295928a2e0e5f83a64ce64d1e2f0c1d
SHA3-384 hash: e39531c7cc6c7b164886a9f2b2af1fab23d951197fb6c4f01457a610ce6f6a5fd878a0f6b4bb672606df02542f5dfc6a
SHA1 hash: 555a223b93c90cd3f11bf3263abe9a2e16effed1
MD5 hash: b161e6ed6d212e7a36026eaed1f3d902
humanhash: bacon-mike-cat-idaho
File name:engineserv.exe
Download: download sample
Signature Loki
File size:603'648 bytes
First seen:2020-06-30 06:07:20 UTC
Last seen:2020-06-30 07:01:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 24f26e153c9b6068c0a4770547eb6d9e
ssdeep 12288:oCbpcLhilrm7G8oclWEAroCo3DQmTSh+hH1npSCWvwO:vuLhi80Jro7XBpAvP
TLSH 81D49F12E7A0443FF172363D9D2B57BC592ABE51393C59462BE4DC4C6F39382392A287
Reporter @Jouliok
Tags:exe Loki


Mail intelligence No data
# of uploads 2
# of downloads 35
Origin country GB GB
CAPE Sandbox Detection:n/a
ClamAV PUA.Win.Adware.Slugin-6803969-0
CERT.PL MWDB Detection:lokibot
ReversingLabs :Status:Malicious
Threat name:Win32.Trojan.Injector
First seen:2020-06-30 06:09:05 UTC
AV detection:28 of 31 (90.32%)
Threat level:   5/5
Spamhaus Hash Blocklist :Malicious file
Hatching Triage Score:   10/10
Malware Family:lokibot
Tags:spyware trojan stealer family:lokibot
Config extraction:
VirusTotal:Virustotal results 49.32%

Yara Signatures

Rule name:Lokibot
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:win_lokipws_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Author:Julian J. Gonzalez <>
Description:Rule to detect the presence of SQLite data in raw image

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download


Executable exe 191c7c47fec63f29c5409e19a59ae3545295928a2e0e5f83a64ce64d1e2f0c1d

(this sample)

Delivery method
Distributed via web download