MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 163658a6ee255f717f46ae8d030a75b0b0e5f53907b8f8b91d4f07fd32b94972. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 18


Intelligence 18 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 163658a6ee255f717f46ae8d030a75b0b0e5f53907b8f8b91d4f07fd32b94972
SHA3-384 hash: db688cdcda4483d30feba3d0f8c4d7fb0ca113a1e108d7cd8f64728450962a27ea63d995397db8f36fa6fc83ad92e4be
SHA1 hash: f99ec5bcaf78d6642f4a82375eba9c3b51b9d3f9
MD5 hash: e116606e6c959f67a099850beef0fcd9
humanhash: eight-summer-island-blue
File name:FG98765456700098000000.exe
Download: download sample
Signature Loki
Create hunting rule
File size:1'545'216 bytes
First seen:2025-09-16 09:30:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 63a7884deadb0f34accabcb21cf8585a (2 x RemcosRAT, 1 x Loki)
ssdeep 24576:CqlGVZjzBFArK+QlTeczEfvjJTEj3vTpso9TeczEfvjJTEj3vTpsoN:C7xTj4VInTj4VIT
Threatray 4'401 similar samples on MalwareBazaar
TLSH T10C65E1767A919872C1263538CCC6D78859297EF02F24AD5B3ADC3C8C0F397DA253A15B
TrID 95.7% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
1.5% (.EXE) Win64 Executable (generic) (10522/11/4)
0.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.6% (.EXE) Win32 Executable (generic) (4504/4/1)
0.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter threatcat_ch
Tags:exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
359
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
FG98765456700098000000.exe
Verdict:
Malicious activity
Analysis date:
2025-09-16 09:31:54 UTC
Tags:
delphi xor-url generic dbatloader loader stealer auto-sch lokibot trojan
Link:
https://app.any.run/tasks/d283495b-8642-4069-9048-3d4f9827f3e4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/27709/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c92e65d49ea3f1e4b65ae5
Tags:
emotet blic sage remo
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
Sending a custom TCP request
Reading critical registry keys
Launching a service
Changing a file
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Enabling the 'hidden' option for recently created files
Moving of the original file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug borland_delphi fingerprint keylogger lokibot overlay packed zero
Link:
https://www.filescan.io/uploads/68c92e6473287948292ba4f9/reports/ba243f0d-39bc-4588-b5de-e37956a396e8/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/163658a6ee255f717f46ae8d030a75b0b0e5f53907b8f8b91d4f07fd32b94972
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-16T03:50:00Z UTC
Last seen:
2025-09-16T03:50:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/163658a6ee255f717f46ae8d030a75b0b0e5f53907b8f8b91d4f07fd32b94972/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1fa42062-ce0d-4924-a34c-ec78074e5e36
Result
Threat name:
DBatLoader, Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1778387
Signature
Allocates many large memory junks
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the user root directory
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Suspicious Program Location with Network Connections
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected aPLib compressed binary
Yara detected DBatLoader
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1778387 Sample: FG98765456700098000000.exe Startdate: 16/09/2025 Architecture: WINDOWS Score: 100 45 Suricata IDS alerts for network traffic 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 11 other signatures 2->51 7 FG98765456700098000000.exe 7 2->7         started        11 rundll32.exe 3 2->11         started        process3 file4 37 C:\Users\Public\gbamabzM.exe, PE32 7->37 dropped 53 Drops PE files to the user root directory 7->53 55 Uses schtasks.exe or at.exe to add and modify task schedules 7->55 57 Writes to foreign memory regions 7->57 59 4 other signatures 7->59 13 gbamabzM.exe 123 7->13         started        18 cmd.exe 1 7->18         started        20 cmd.exe 1 7->20         started        22 schtasks.exe 1 7->22         started        24 Mzbamabg.exe 1 11->24         started        signatures5 process6 dnsIp7 43 213.209.157.114, 49717, 49718, 49720 M247GB Germany 13->43 39 C:\Users\user\AppData\...\31437F.exe (copy), PE32 13->39 dropped 61 Detected unpacking (changes PE section rights) 13->61 63 Detected unpacking (overwrites its own PE header) 13->63 65 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->65 79 4 other signatures 13->79 67 Uses ping.exe to sleep 18->67 69 Uses ping.exe to check the status of other devices and networks 18->69 26 conhost.exe 18->26         started        28 PING.EXE 1 20->28         started        31 conhost.exe 20->31         started        33 conhost.exe 22->33         started        71 Writes to foreign memory regions 24->71 73 Allocates memory in foreign processes 24->73 75 Sample uses process hollowing technique 24->75 77 Allocates many large memory junks 24->77 35 gbamabzM.exe 24->35         started        file8 signatures9 process10 dnsIp11 41 127.0.0.1 unknown unknown 28->41
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/163658a6ee255f717f46ae8d030a75b0b0e5f53907b8f8b91d4f07fd32b94972
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/163658a6ee255f717f46ae8d030a75b0b0e5f53907b8f8b91d4f07fd32b94972/
Threat name:
Win32.Trojan.DBatLoader
Create hunting rule
Status:
Malicious
First seen:
2025-09-16 06:47:21 UTC
File Type:
PE (Exe)
Extracted files:
42
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cy3frjxoevpxc72gv2gqgctvwcyol5jza64proi5j4d72mvzjfza._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
dbatloader
Create hunting rule
Similar samples:
22700f234e5cf59a9b9b1e89a4711b28381b175db23e3a7900322b4f49eff0fa
Loki
98f8aa235cf07d4e6fe52c1ad88fd6fcf08d08be178dfc620ab993d1eb90703c
Loki
b0cf41eaffcc2c22c866c4cb721d763021898f74f1bdf35d4ae2711f6edf327b
Loki
d4fadd4ee8d3864f9a07149decba872260789b39654db894c95ea23e16ede112
Loki
e81120da828bfc636cb5cadb20a4e5418bfd3c66b8211a30510d686c8bb02bc5
Loki
error
Loki
+ 4'391 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:lokibot family:modiloader collection discovery execution persistence spyware stealer trojan
Link:
https://tria.ge/reports/250916-lg3e7askw3/
Behaviour
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Executes dropped EXE
Reads user/profile data of web browsers
ModiLoader Second Stage
Lokibot
Lokibot family
ModiLoader, DBatLoader
Modiloader family
Verdict:
Malicious
Tags:
lokibot
YARA:
n/a
Link:
https://app.threat.zone/submission/cecb2991-20a0-4ef3-bcfd-762a9deaee06
Unpacked files
SH256 hash:
163658a6ee255f717f46ae8d030a75b0b0e5f53907b8f8b91d4f07fd32b94972
MD5 hash:
e116606e6c959f67a099850beef0fcd9
SHA1 hash:
f99ec5bcaf78d6642f4a82375eba9c3b51b9d3f9
Link:
https://www.unpac.me/results/a96ead86-d7ce-442b-9299-d02822be04e7/
SH256 hash:
f672a242f9f21bc7892e463d7722fed8678701712e87d94763d99648ad8ad420
MD5 hash:
7ccb5827acc089d4a3702843d5dc24e3
SHA1 hash:
3f5a9f004e3ed0410719f63a7186814a15394be6
Detections:
Typical_Malware_String_Transforms
Create hunting rule
Link:
https://www.unpac.me/results/a96ead86-d7ce-442b-9299-d02822be04e7/
SH256 hash:
2f5ea3f325bc5f12ca62ff7b2134fdbca68c761a709cc975bcb296311bb1ef59
MD5 hash:
61a86f351ba0e98a5a9544a084566091
SHA1 hash:
d4fde62c330e1c17e7a39164b1b4836955a418c1
Link:
https://www.unpac.me/results/a96ead86-d7ce-442b-9299-d02822be04e7/
SH256 hash:
fa6819a6a1727202ff3e1d24402ac6653af9ed5fc727eb1459a0feaab8cae686
MD5 hash:
401308bbfd1e412a392c40d07cd8939c
SHA1 hash:
f33d7544714bed88ed39044cbb688a809d224269
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
lokibot
Create hunting rule
STEALER_Lokibot
Create hunting rule
SUSP_XORed_URL_In_EXE
Create hunting rule
Lokibot
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Link:
https://www.unpac.me/results/a96ead86-d7ce-442b-9299-d02822be04e7/
Parent samples :
5c636cb6db8855128f635a9a92ecb2c806bbce65fbaaa2321fb43fb157054cfb
caa92a31b30f0105856e28e65218fe2fec26f5903f10dbaeeab0e331cf267854
163658a6ee255f717f46ae8d030a75b0b0e5f53907b8f8b91d4f07fd32b94972
b39df39579ecb80331677bf1a9c36a857fc48f8658839987af4493ff4e73efa9
f1306c781600196b1b5a5f25d2fb8e3e9282777f97a94ed0774db8a6d0ca57c7
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/163658a6ee25/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/163658a6ee255f717f46ae8d030a75b0b0e5f53907b8f8b91d4f07fd32b94972

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe 163658a6ee255f717f46ae8d030a75b0b0e5f53907b8f8b91d4f07fd32b94972

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/27709/

Comments