MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1bc87c4f205cd112b2cec3f67c577ae7b604ed56c6cd6a15d8ad1ae6438598b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Loki


Vendor detections: 21


Intelligence 21 IOCs 1 YARA 31 File information Comments

SHA256 hash: 1bc87c4f205cd112b2cec3f67c577ae7b604ed56c6cd6a15d8ad1ae6438598b8
SHA3-384 hash: de8fe6e9afcc637db4bfb210c71a30718ca4ed3ad316e7c02a96e0c56fa314955351cff1dcad2d73b1c23d9dae05996f
SHA1 hash: 4815ffb346727ccf3ceb6cf5d0f03158209f883d
MD5 hash: 1e8b10fdcf06a6305fb7bf0e80e3c4a2
humanhash: hotel-zulu-louisiana-kansas
File name:1e8b10fdcf06a6305fb7bf0e80e3c4a2.exe
Download: download sample
Signature Loki
File size:1'273'856 bytes
First seen:2025-09-12 23:30:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 356f908c1b0cd139f4a1e44528f97d0c (4 x Loki)
ssdeep 24576:hReuectp9dCDX0wtJ+VHo2qFSasuIGD/zOX6WXaaKjhZZSY:h7CT3aRgSaJIIM6WUjhZZj
Threatray 716 similar samples on MalwareBazaar
TLSH T1D9459E13B7C3C1A6DFA20AB2D47543371E79BCA0173C9ACB6641342EE871ED06A75B58
TrID 52.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
22.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
7.5% (.EXE) Win64 Executable (generic) (10522/11/4)
4.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
dhash icon ccdaece2fae4b2b0 (4 x Loki)
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://pakarabi.net/loki/Panel/five/fre.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://pakarabi.net/loki/Panel/five/fre.php https://threatfox.abuse.ch/ioc/1588772/

Intelligence


File Origin
# of uploads :
1
# of downloads :
389
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
lokibot
ID:
1
File name:
1e8b10fdcf06a6305fb7bf0e80e3c4a2.exe
Verdict:
Malicious activity
Analysis date:
2025-09-12 23:30:47 UTC
Tags:
lokibot stealer trojan auto-sch-xml

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Tags:
autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Moving a recently created file
Creating a process from a recently created file
Launching a process
Searching for synchronization primitives
Сreating synchronization primitives
Sending a custom TCP request
Unauthorized injection to a recently created process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context fingerprint keylogger lolbin microsoft_visual_cc obfuscated schtasks threat
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-11T11:18:00Z UTC
Last seen:
2025-09-11T11:18:00Z UTC
Hits:
~10
Detections:
Backdoor.Androm.TCP.C&C Backdoor.Androm.HTTP.Notification Trojan-PSW.Win32.Stealer.sb Trojan-Dropper.MSIL.Agent.seshvd Trojan.Win32.Gorgon.sb HEUR:Trojan.Win32.Generic Trojan-Dropper.MSIL.Agent.avnd Backdoor.Androm.HTTP.C&C Trojan.Win32.AutoHK.mp Trojan.MSIL.Crypt.sb Backdoor.MSIL.Agent.yao PDM:Trojan.Win32.Generic Backdoor.Androm.HTTP.ServerRequest UDS:DangerousObject.Multi.Generic VHO:Trojan.MSIL.Exnet.gen Trojan-PSW.Fareit.HTTP.C&C PDM:Backdoor.Win32.Generic Trojan-PSW.Win32.Fareit.sb Trojan-Dropper.Win32.Agent.sb VHO:Backdoor.MSIL.Agent.gen
Result
Threat name:
Lokibot
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample or dropped binary is a compiled AutoHotkey binary
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1776803 Sample: PNEUOJyQhF.exe Startdate: 13/09/2025 Architecture: WINDOWS Score: 100 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus detection for URL or domain 2->46 48 9 other signatures 2->48 8 PNEUOJyQhF.exe 5 2->8         started        12 Svchostt.exe 2 2->12         started        process3 file4 32 C:\Users\user\AppData\...\Svchostt.exe (copy), PE32 8->32 dropped 34 C:\Users\user\AppData\Local\Svchostt-t.exe, PE32 8->34 dropped 36 C:\Users\user\AppData\Local\Svchost.Text, PE32 8->36 dropped 38 C:\Users\user\AppData\Local\MCconfig.dll, PE32 8->38 dropped 50 Contains functionality to register a low level keyboard hook 8->50 52 Sample or dropped binary is a compiled AutoHotkey binary 8->52 14 Svchostt-t.exe 5 8->14         started        18 Svchostt.exe 3 8->18         started        20 Svchostt.exe 12->20         started        signatures5 process6 file7 40 C:\Users\user\AppData\Local\x, XML 14->40 dropped 54 Antivirus detection for dropped file 14->54 56 Multi AV Scanner detection for dropped file 14->56 58 Uses schtasks.exe or at.exe to add and modify task schedules 14->58 22 schtasks.exe 1 14->22         started        24 Svchostt.exe 18->24         started        26 WerFault.exe 4 20->26         started        signatures8 process9 process10 28 conhost.exe 22->28         started        30 WerFault.exe 2 24->30         started       
Gathering data
Threat name:
Win32.Malware.Heuristic
Status:
Malicious
First seen:
2025-09-10 06:06:38 UTC
File Type:
PE (Exe)
Extracted files:
23
AV detection:
23 of 38 (60.53%)
Threat level:
  2/5
Result
Malware family:
lokibot
Score:
  10/10
Tags:
family:lokibot collection discovery execution persistence spyware stealer trojan
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Lokibot
Lokibot family
Malware Config
C2 Extraction:
http://pakarabi.net/loki/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Verdict:
Malicious
Tags:
Win.Dropper.ImminentMonitorRAT-9965568-0 lokibot
YARA:
n/a
Unpacked files
SH256 hash:
552fd2d5ed44515506c0ab87da49a65d6c2c301bd40911ebbf0456a1804bb34c
MD5 hash:
c4d243e47796fdc9feab34f4cf29e800
SHA1 hash:
3070ea2bb07abba4c053154f63410af267c9473a
SH256 hash:
6d3c2217b8d283fa208b146e1642fc51eccac9c56dc1792a08e58701fef8c442
MD5 hash:
cc825d825390e09f0c21dcdea486ab81
SHA1 hash:
18cd9c68d4a14f7da3a1ad07f6843603dde40c9f
SH256 hash:
bbee34359e7e473e25a1962b9a345e7e68893369f2271b6adcd6ea4811bec9a1
MD5 hash:
a792765c889fe968823e16946e2a361d
SHA1 hash:
3d33a579a17fb9d0d23b292dfe9d6639d37b6dc7
SH256 hash:
f99710ff79652237bb2bb8846f64791a1f099ce6b2b7a87f6632f638752c893b
MD5 hash:
ca8f3dbd9c5af06b5d417dc14c0a3a49
SHA1 hash:
6635fab748796c3bdcf362d2201c40126d4b17dc
Detections:
win_lokipws_g0 win_lokipws_auto lokibot STEALER_Lokibot SUSP_XORed_URL_In_EXE Lokibot INDICATOR_SUSPICIOUS_Binary_References_Browsers INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients INDICATOR_SUSPICIOUS_GENInfoStealer
SH256 hash:
e5936d703244284a84aaa908a68bf9fdf322d754cb4522c6956d45b19bf1f2a9
MD5 hash:
ba4d3a01b8dd96db39ec4ecb683b4bdc
SHA1 hash:
fa16213e286299493093d1be0daf26f5e2f1809a
SH256 hash:
1bc87c4f205cd112b2cec3f67c577ae7b604ed56c6cd6a15d8ad1ae6438598b8
MD5 hash:
1e8b10fdcf06a6305fb7bf0e80e3c4a2
SHA1 hash:
4815ffb346727ccf3ceb6cf5d0f03158209f883d
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:CP_AllMal_Detector
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:HeavensGate
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Author:ditekSHen
Description:Detects executables containing common artifacts observed in infostealers
Rule name:infostealer_loki
Rule name:infostealer_xor_patterns
Author:jeFF0Falltrades
Description:The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.
Rule name:Loki
Author:kevoreilly
Description:Loki Payload
Rule name:LokiBot
Author:kevoreilly
Description:LokiBot Payload
Rule name:LokiPWS
Author:NDA0E
Description:Detects LokiBot
Rule name:malware_Lokibot_strings
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:NET
Author:malware-lu
Rule name:NETDLLMicrosoft
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:STEALER_Lokibot
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect Lokibot stealer
Rule name:SUSP_XORed_URL_In_EXE
Author:Florian Roth (Nextron Systems)
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Windows_Trojan_Lokibot_0f421617
Author:Elastic Security
Rule name:Windows_Trojan_Lokibot_1f885282
Author:Elastic Security
Rule name:win_lokipws_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.lokipws.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments