MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25e9013b961f8e4e49f65f9f29a08094929adf98c034a4536c871ab576ab5ae5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 19


Intelligence 19 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 25e9013b961f8e4e49f65f9f29a08094929adf98c034a4536c871ab576ab5ae5
SHA3-384 hash: cf3c2262a3e1f3e28d76da1bb462412f21442c22d94e938acef7fe8fc8b6eb730cb9505d966bac5fd6f3f140315ba910
SHA1 hash: 2919235d611bb36611c1c47d53b52521b90d3a8b
MD5 hash: f6c255bffe3253d538fca1adbb0ccc60
humanhash: salami-twelve-four-chicken
File name:DOCUMENT3.bit.exe
Download: download sample
Signature Loki
Create hunting rule
File size:790'528 bytes
First seen:2026-02-24 14:43:38 UTC
Last seen:2026-03-03 10:23:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'829 x AgentTesla, 19'759 x Formbook, 12'295 x SnakeKeylogger)
ssdeep 24576:4z/Tq26QSS2pLoeX7nGY1xBaZsQwuK8XIjaKw:ueLDHnBles1uNIja
Threatray 12 similar samples on MalwareBazaar
TLSH T1A6F402986B06C903C86A5B385775F27427BC1DEAE811D3074FECEDE7B966F255C08282
TrID 25.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
25.3% (.EXE) Win64 Executable (generic) (6522/11/2)
17.5% (.EXE) Win32 Executable (generic) (4504/4/1)
8.0% (.ICL) Windows Icons Library (generic) (2059/9)
7.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter threatcat_ch
Tags:exe Loki

Intelligence

File Origin
# of uploads :
6
# of downloads :
233
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/f5832448-beea-4bb8-8080-d20ef416ce17/
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
_25e9013b961f8e4e49f65f9f29a08094929adf98c034a4536c871ab576ab5ae5.exe
Verdict:
Malicious activity
Analysis date:
2026-02-24 14:44:32 UTC
Tags:
lokibot stealer auto-startup trojan susp-lnk
Link:
https://app.any.run/tasks/40071402-9d39-473f-a05b-76fcba48fc0a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/54444/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.61662396.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=699db9418fffa866e3b1a380
Tags:
infosteal autorun
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
krypt masquerade obfuscated packed
Link:
https://www.filescan.io/uploads/699db93d10e80629d4f04d17/reports/8a9051ae-6984-48e7-8082-62ee99a07ed0/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/25e9013b961f8e4e49f65f9f29a08094929adf98c034a4536c871ab576ab5ae5
Verdict:
Malicious
File Type:
exe x32
Detections:
Trojan-PSW.Win32.Fareit.sb Trojan.Win32.Gorgon.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb Trojan.MSIL.Agent.sb HEUR:Trojan.WinLNK.Powecod.e Trojan-Dropper.Win32.Dorifel.sbd Trojan.Win32.Agent.sb Trojan.CMY3U.TCP.C&C Backdoor.Androm.HTTP.ServerRequest Backdoor.Androm.HTTP.C&C Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Fareit.HTTP.C&C Trojan.Win32.Inject.sb PDM:Trojan.Win32.Generic Backdoor.Androm.HTTP.Notification HEUR:Backdoor.MSIL.Androm.gen Backdoor.Androm.TCP.C&C
Link:
https://opentip.kaspersky.com/25e9013b961f8e4e49f65f9f29a08094929adf98c034a4536c871ab576ab5ae5/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9cffd89e-dfa4-44e7-a0ee-3a18965b08de
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1874151
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Unusual module load detection (module proxying)
Windows shortcut file (LNK) contains suspicious command line arguments
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/25e9013b961f8e4e49f65f9f29a08094929adf98c034a4536c871ab576ab5ae5
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.17 Win 32 Exe x86
Link:
https://app.malva.re/file/f6c255bffe3253d538fca1adbb0ccc60
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/25e9013b961f8e4e49f65f9f29a08094929adf98c034a4536c871ab576ab5ae5/
Verdict:
Malicious
Threat:
Family.LOKIBOT
Link:
https://tip.neiki.dev/file/25e9013b961f8e4e49f65f9f29a08094929adf98c034a4536c871ab576ab5ae5
Threat name:
Win32.Spyware.Loki
Create hunting rule
Status:
Suspicious
First seen:
2026-02-24 14:44:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
18 of 38 (47.37%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=exuqco4wd6he4spwl6pstieassjjvx4yya2kiu3mq4nlk5vlllsq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
25e9013b961f8e4e49f65f9f29a08094929adf98c034a4536c871ab576ab5ae5
Loki
5f6f593e7ab45cfbef33f249eaadc2eb0e29b752a8d517d8793b6dc5f534dce8
Loki
652a323b76a64c51111ed62e9a6096e5e925b7ee0b1f2700a38be486c9825550
Loki
a510389aca7e39df029d0f4974f63a70010270f589bc7f6095d523687196f08f
Loki
d266b7b27d36add4acc8cfa1fa5b6ca01517411013109f07564bfe9e078325d4
Loki
error
Loki
+ 2 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/260224-r39paabs2e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops startup file
Uses the VBS compiler for execution
Unpacked files
SH256 hash:
25e9013b961f8e4e49f65f9f29a08094929adf98c034a4536c871ab576ab5ae5
MD5 hash:
f6c255bffe3253d538fca1adbb0ccc60
SHA1 hash:
2919235d611bb36611c1c47d53b52521b90d3a8b
Link:
https://www.unpac.me/results/06e0cda4-86d9-4665-8e4a-984f3bda4d02/
SH256 hash:
5f9bc32902d67bf64aded9290137597f17c4da289accd2ff20ddebbae274b61a
MD5 hash:
4cf4814603b3a45675dc421b12af2251
SHA1 hash:
2553157ef268842ccf2ec6e99ca679f845ee7127
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
lokibot
Create hunting rule
STEALER_Lokibot
Create hunting rule
SUSP_XORed_URL_In_EXE
Create hunting rule
Lokibot
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Link:
https://www.unpac.me/results/06e0cda4-86d9-4665-8e4a-984f3bda4d02/
Parent samples :
652a323b76a64c51111ed62e9a6096e5e925b7ee0b1f2700a38be486c9825550
25e9013b961f8e4e49f65f9f29a08094929adf98c034a4536c871ab576ab5ae5
SH256 hash:
60cae8ad2115f74d1b0c4fb76af91bcc8766f7f7bc3d39cd795edb8201ca7beb
MD5 hash:
5b2134677b8b64de3c49573e78667bde
SHA1 hash:
c0f8d8e6142b3e2937148b321482dc088a58b9b3
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/06e0cda4-86d9-4665-8e4a-984f3bda4d02/
SH256 hash:
7e1ad413becb342eab79a517ed8a986d01ef6234248f837b5cce16df255cfcd5
MD5 hash:
fe6918a61784ffe8063e996735293a1e
SHA1 hash:
d4c22969c56656ac95227680eb1fe8d7d7d55bd8
Link:
https://www.unpac.me/results/06e0cda4-86d9-4665-8e4a-984f3bda4d02/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/25e9013b961f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/25e9013b961f8e4e49f65f9f29a08094929adf98c034a4536c871ab576ab5ae5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe 25e9013b961f8e4e49f65f9f29a08094929adf98c034a4536c871ab576ab5ae5

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/54444/

Comments