MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28a29d7b958cb08a5e9a71078387d8727881af04a454d665cb1e966b0fcbb3ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 22


Intelligence 22 IOCs 1 YARA 24 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 28a29d7b958cb08a5e9a71078387d8727881af04a454d665cb1e966b0fcbb3ad
SHA3-384 hash: 4a89ede3023125734854eeb062d21aef0e1893be27b7af679e85443eb32729e77566ed2413109d38701b33b5b790f84b
SHA1 hash: e516f170f34784a856101fcda160f85cda9f3364
MD5 hash: eb9ad4d45ae40f1ff4c8022ab55e5517
humanhash: freddie-burger-bakerloo-west
File name:FHFD98765456780000.exe
Download: download sample
Signature Loki
Create hunting rule
File size:604'160 bytes
First seen:2025-09-11 04:35:04 UTC
Last seen:2025-09-12 00:09:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:7KqOZQ8FOEbItaquX+rI/Jt7qzgXej+T0C+ZuSBj3zzgKyK:GRQzEbItv6j7qzgXeg0nzPFy
Threatray 4'387 similar samples on MalwareBazaar
TLSH T1F6D4CF562F8DC9D9D0F2CAF54933D2701E789E64AC52D232CED53F9BF23E6508A42192
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://198.55.98.114/pi00/pin.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://198.55.98.114/pi00/pin.php https://threatfox.abuse.ch/ioc/1587753/

Intelligence

File Origin
# of uploads :
3
# of downloads :
242
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
FHFD98765456780000.exe
Verdict:
Malicious activity
Analysis date:
2025-09-11 04:36:29 UTC
Tags:
lokibot stealer trojan auto-sch-xml xor-url generic
Link:
https://app.any.run/tasks/055563b5-032d-4e9d-a99a-966937b393dc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/26807/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c251a9b20052598879a520
Tags:
infosteal spoof
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Reading critical registry keys
Launching a service
Changing a file
Connecting to a non-recommended domain
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for analyzed file
Stealing user critical data
Moving of the original file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 bitmap exploit infostealer lokibot lolbin msbuild obfuscated packed packed reconnaissance regsvcs rezer0 roboski schtasks stealer stealer stego vbc xor-url
Link:
https://www.filescan.io/uploads/68c251abc62f699623887eac/reports/133c7070-4705-4387-8d90-13cca57ba91a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/28a29d7b958cb08a5e9a71078387d8727881af04a454d665cb1e966b0fcbb3ad
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-11T01:26:00Z UTC
Last seen:
2025-09-11T01:26:00Z UTC
Hits:
~1000
Detections:
Backdoor.Androm.HTTP.Notification Trojan.Win32.CMY3U.sb PDM:Backdoor.Win32.Generic Trojan.MSIL.Taskun.sb Backdoor.Androm.TCP.C&C Trojan-PSW.Win32.Stealer.sb Trojan.Win32.Gorgon.sb Trojan.MSIL.Inject.sb PDM:Trojan.Win32.Generic HEUR:Trojan-PSW.MSIL.Agensla.gen HEUR:Trojan.MSIL.Injector.gen Trojan-PSW.Win32.Fareit.sb Trojan.MSIL.Crypt.sb HEUR:Trojan.MSIL.Taskun.sb VHO:Backdoor.Win32.Androm.gen Backdoor.Androm.HTTP.ServerRequest Backdoor.Androm.HTTP.C&C
Link:
https://opentip.kaspersky.com/28a29d7b958cb08a5e9a71078387d8727881af04a454d665cb1e966b0fcbb3ad/results?tab=lookup
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/798b498e-6da7-461a-9757-b4294d051269
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1775293
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1775293 Sample: FHFD98765456780000.exe Startdate: 11/09/2025 Architecture: WINDOWS Score: 100 51 Suricata IDS alerts for network traffic 2->51 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 11 other signatures 2->57 7 FHFD98765456780000.exe 7 2->7         started        11 LJtLHFOYHksyr.exe 5 2->11         started        process3 file4 41 C:\Users\user\AppData\...\LJtLHFOYHksyr.exe, PE32 7->41 dropped 43 C:\...\LJtLHFOYHksyr.exe:Zone.Identifier, ASCII 7->43 dropped 45 C:\Users\user\AppData\Local\...\tmpBC2E.tmp, XML 7->45 dropped 47 C:\Users\user\...\FHFD98765456780000.exe.log, ASCII 7->47 dropped 59 Uses schtasks.exe or at.exe to add and modify task schedules 7->59 61 Adds a directory exclusion to Windows Defender 7->61 13 FHFD98765456780000.exe 98 7->13         started        17 powershell.exe 23 7->17         started        19 powershell.exe 23 7->19         started        29 2 other processes 7->29 63 Multi AV Scanner detection for dropped file 11->63 65 Tries to steal Mail credentials (via file registry) 11->65 21 schtasks.exe 11->21         started        23 LJtLHFOYHksyr.exe 11->23         started        25 LJtLHFOYHksyr.exe 11->25         started        27 conhost.exe 11->27         started        signatures5 process6 dnsIp7 49 198.55.98.114, 49716, 49718, 49720 ASN-QUADRANET-GLOBALUS United States 13->49 67 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->67 69 Tries to steal Mail credentials (via file / registry access) 13->69 71 Tries to harvest and steal ftp login credentials 13->71 73 Tries to harvest and steal browser information (history, passwords, etc) 13->73 75 Loading BitLocker PowerShell Module 17->75 31 conhost.exe 17->31         started        33 WmiPrvSE.exe 17->33         started        35 conhost.exe 19->35         started        37 conhost.exe 21->37         started        39 conhost.exe 29->39         started        signatures8 process9
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/28a29d7b958cb08a5e9a71078387d8727881af04a454d665cb1e966b0fcbb3ad
Gathering data
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/28a29d7b958cb08a5e9a71078387d8727881af04a454d665cb1e966b0fcbb3ad/
Verdict:
Malicious
Threat:
Family.LOKIBOT
Link:
https://tip.neiki.dev/file/28a29d7b958cb08a5e9a71078387d8727881af04a454d665cb1e966b0fcbb3ad
Threat name:
ByteCode-MSIL.Trojan.InfostealerLokibot
Create hunting rule
Status:
Malicious
First seen:
2025-09-11 04:36:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fcrj264vrsyiuxu2oedyhb6yoj4idlyeurknmzold2lgwd6lwowq._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
28a29d7b958cb08a5e9a71078387d8727881af04a454d665cb1e966b0fcbb3ad
Loki
7b75b7d9e892e63a9fd39ccb87222d7311b6a3e9cba68cd34dc650e15e295796
Loki
a8dabe249da520a24de691d48bf2549dda65bbb3e62cecd148b1ff0080533cac
Loki
b0cf41eaffcc2c22c866c4cb721d763021898f74f1bdf35d4ae2711f6edf327b
Loki
d4fadd4ee8d3864f9a07149decba872260789b39654db894c95ea23e16ede112
Loki
error
Loki
+ 4'377 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection discovery execution persistence spyware stealer trojan
Link:
https://tria.ge/reports/250911-e7313sgk9z/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Lokibot
Lokibot family
Malware Config
C2 Extraction:
http://198.55.98.114/pi00/pin.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/205edf72-1ad3-401e-b363-c1093a608e1c
Unpacked files
SH256 hash:
28a29d7b958cb08a5e9a71078387d8727881af04a454d665cb1e966b0fcbb3ad
MD5 hash:
eb9ad4d45ae40f1ff4c8022ab55e5517
SHA1 hash:
e516f170f34784a856101fcda160f85cda9f3364
Link:
https://www.unpac.me/results/e1e51d0e-2c11-418f-8dc5-5695b698f1a3/
SH256 hash:
a61e8d25ec00f203ffaecc0b9f38ee335628bbd0bc271c7fc5aa20654433a055
MD5 hash:
67f7d650343f14d894e4ee867677c0c8
SHA1 hash:
90791b8dab4c90b74fdd7affc55be82bdb0c581f
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
lokibot
Create hunting rule
STEALER_Lokibot
Create hunting rule
SUSP_XORed_URL_In_EXE
Create hunting rule
Lokibot
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Link:
https://www.unpac.me/results/e1e51d0e-2c11-418f-8dc5-5695b698f1a3/
Parent samples :
28a29d7b958cb08a5e9a71078387d8727881af04a454d665cb1e966b0fcbb3ad
60ca1d32e2a19f4df9278382f81b3b460181dab8060b9ee2922ce9c497fb181d
SH256 hash:
736b5ee83bb1176d3f5c66922fe69fcf4dcb8d2b8d210e0c50b931bc025ca5bd
MD5 hash:
020c22dcb05cdb6ddfb2d3baa9c5db04
SHA1 hash:
c6ddfc962f5f77e788db36671e69b287ec2c4cb7
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/e1e51d0e-2c11-418f-8dc5-5695b698f1a3/
SH256 hash:
a07218767cb37a2eb228ddf96d25724848f368c446abe6ad0813387dfc603f98
MD5 hash:
af22bb92639cb98b8f09382c32c478ac
SHA1 hash:
d97ed60de226af9876769ac2e94185cf1b25d676
Link:
https://www.unpac.me/results/e1e51d0e-2c11-418f-8dc5-5695b698f1a3/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/28a29d7b958c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/28a29d7b958cb08a5e9a71078387d8727881af04a454d665cb1e966b0fcbb3ad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifacts observed in infostealers
Rule name:infostealer_loki
Create hunting rule
Rule name:infostealer_xor_patterns
Create hunting rule
Author:jeFF0Falltrades
Description:The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.
Rule name:Loki
Create hunting rule
Author:kevoreilly
Description:Loki Payload
Rule name:LokiBot
Create hunting rule
Author:kevoreilly
Description:LokiBot Payload
Rule name:LokiPWS
Create hunting rule
Author:NDA0E
Description:Detects LokiBot
Rule name:malware_Lokibot_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:STEALER_Lokibot
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect Lokibot stealer
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Trojan_Lokibot_0f421617
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Lokibot_1f885282
Create hunting rule
Author:Elastic Security
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.lokipws.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/26807/

Comments