MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60ca1d32e2a19f4df9278382f81b3b460181dab8060b9ee2922ce9c497fb181d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 18


Intelligence 18 IOCs 1 YARA 28 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 60ca1d32e2a19f4df9278382f81b3b460181dab8060b9ee2922ce9c497fb181d
SHA3-384 hash: 50d458ec217f994fb296ce80e4dd3c96ff43042309c792521b9a160921b084143765666327b6850f5b38879f47376e10
SHA1 hash: 7d0dcc4c20a43d17954b6264d1e915c8e8f82345
MD5 hash: 82ec03a5872682040a32b56620436705
humanhash: berlin-failed-moon-wyoming
File name:HD0987654567000000.exe
Download: download sample
Signature Loki
Create hunting rule
File size:1'320'472 bytes
First seen:2025-09-11 14:10:09 UTC
Last seen:2025-09-11 21:34:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 98f67c550a7da65513e63ffd998f6b2e (21 x SnakeKeylogger, 13 x MassLogger, 11 x CryptOne)
ssdeep 24576:K5xolYQY6O5EmXFtKaL4/oFe5T9yyXYfP1ijXda2/Dreuq9q:dYVPVt/LZeJbInQRa2/DrN
Threatray 4'268 similar samples on MalwareBazaar
TLSH T10F55BF0373809027FFAB95724E16F621AB787D320663AD1F13941E79B970163A63E367
TrID 44.4% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
23.3% (.EXE) InstallShield setup (43053/19/16)
16.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.7% (.EXE) Win64 Executable (generic) (10522/11/4)
2.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://198.55.98.114/pi00/pin.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://198.55.98.114/pi00/pin.php https://threatfox.abuse.ch/ioc/1587753/

Intelligence

File Origin
# of uploads :
2
# of downloads :
232
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
HD0987654567000000.exe
Verdict:
Malicious activity
Analysis date:
2025-09-11 14:13:45 UTC
Tags:
auto-startup
Link:
https://app.any.run/tasks/de62a647-3ac5-44e7-a55c-135f49b539c6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/26928/
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Win.Malware.Swisyn-7610494-0
Create hunting rule

Win.Virus.Sality-6335700-2
Create hunting rule

Win.Malware.Swisyn-9942393-0
Create hunting rule

Win.Trojan.VBGeneric-6735885-0
Create hunting rule

Win.Virus.Sality-6747602-0
Create hunting rule

SecuriteInfo.com.Trojan.Siggen6.54687.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c2d890b20052598879ca9b
Tags:
autorun autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file
Creating a process from a recently created file
Creating a file in the %temp% directory
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Launching a process
Setting a keyboard event handler
Setting a global event handler
Creating a file in the %AppData% directory
Reading critical registry keys
Launching a service
Changing a file
Connecting to a non-recommended domain
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Sending a custom TCP request
Setting a single autorun event
Launching the process to create tasks for the scheduler
Stealing user critical data
Enabling autorun by creating a file
Unauthorized injection to a system process
Enabling autorun
Enabling a "Do not show hidden files" option
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
autoit explorer lolbin obfuscated overlay packed packer_detected visual_basic
Link:
https://www.filescan.io/uploads/68c2d897dbc6f5a29c402654/reports/3bee0852-2cc7-42de-ad80-23ed7ea3ab36/overview
Verdict:
Malicious
Labled as:
Trojan.Swisyn
Link:
https://www.hybrid-analysis.com/sample/60ca1d32e2a19f4df9278382f81b3b460181dab8060b9ee2922ce9c497fb181d
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-11T11:16:00Z UTC
Last seen:
2025-09-11T11:16:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/60ca1d32e2a19f4df9278382f81b3b460181dab8060b9ee2922ce9c497fb181d/results?tab=lookup
Malware family:
MOFKSYS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4a816f29-1c98-4a73-99dd-2508ce90b287
Result
Threat name:
CryptOne, Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1775686
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Detected CryptOne packer
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Drops VBS files to the startup folder
Found malware configuration
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sigma detected: Drops script at startup location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Interactive AT Job
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1775686 Sample: HD0987654567000000.exe Startdate: 11/09/2025 Architecture: WINDOWS Score: 100 81 zxq.net 2->81 83 vccmd03.googlecode.com 2->83 85 5 other IPs or domains 2->85 111 Suricata IDS alerts for network traffic 2->111 113 Found malware configuration 2->113 115 Malicious sample detected (through community Yara rule) 2->115 117 15 other signatures 2->117 12 HD0987654567000000.exe 1 4 2->12         started        16 explorer.exe 2->16         started        signatures3 process4 file5 75 C:\Users\user\...\hd0987654567000000.exe, PE32 12->75 dropped 77 C:\Users\user\AppData\Local\icsys.icn.exe, PE32 12->77 dropped 155 Installs a global keyboard hook 12->155 18 icsys.icn.exe 3 12->18         started        22 hd0987654567000000.exe 6 12->22         started        signatures6 process7 file8 63 C:\Windows\System\explorer.exe, PE32 18->63 dropped 119 Antivirus detection for dropped file 18->119 121 Drops executables to the windows directory (C:\Windows) and starts them 18->121 123 Drops PE files with benign system names 18->123 125 Installs a global keyboard hook 18->125 24 explorer.exe 3 62 18->24         started        65 C:\Users\user\AppData\...\robustuous.exe, PE32 22->65 dropped 127 Binary is likely a compiled AutoIt script file 22->127 29 robustuous.exe 22->29         started        signatures9 process10 dnsIp11 89 vccmd01.zxq.net 51.81.194.202, 443, 49695, 49696 OVHFR United States 24->89 91 googlecode.l.googleusercontent.com 142.250.141.82, 49688, 49691, 49699 GOOGLEUS United States 24->91 93 142.251.2.82, 49689, 49702, 49712 GOOGLEUS United States 24->93 69 C:\Windows\System\spoolsv.exe, PE32 24->69 dropped 71 C:\Users\user\AppData\Roaming\mrsys.exe, PE32 24->71 dropped 137 Antivirus detection for dropped file 24->137 139 System process connects to network (likely due to code injection or exploit) 24->139 141 Creates an undocumented autostart registry key 24->141 149 2 other signatures 24->149 31 spoolsv.exe 3 24->31         started        73 C:\Users\user\AppData\...\robustuous.vbs, data 29->73 dropped 143 Binary is likely a compiled AutoIt script file 29->143 145 Drops VBS files to the startup folder 29->145 147 Writes to foreign memory regions 29->147 151 2 other signatures 29->151 35 svchost.exe 29->35         started        file12 signatures13 process14 dnsIp15 79 C:\Windows\System\svchost.exe, PE32 31->79 dropped 95 Antivirus detection for dropped file 31->95 97 Drops executables to the windows directory (C:\Windows) and starts them 31->97 99 Drops PE files with benign system names 31->99 101 Installs a global keyboard hook 31->101 38 svchost.exe 138 4 31->38         started        87 198.55.98.114, 49690, 49692, 49693 ASN-QUADRANET-GLOBALUS United States 35->87 103 System process connects to network (likely due to code injection or exploit) 35->103 105 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 35->105 107 Tries to steal Mail credentials (via file / registry access) 35->107 109 2 other signatures 35->109 file16 signatures17 process18 file19 67 C:\Users\user\AppData\Local\stsys.exe, PE32 38->67 dropped 129 Antivirus detection for dropped file 38->129 131 Detected CryptOne packer 38->131 133 Creates an undocumented autostart registry key 38->133 135 3 other signatures 38->135 42 spoolsv.exe 38->42         started        45 at.exe 38->45         started        47 at.exe 38->47         started        49 27 other processes 38->49 signatures20 process21 signatures22 153 Installs a global keyboard hook 42->153 51 conhost.exe 45->51         started        53 conhost.exe 47->53         started        55 conhost.exe 49->55         started        57 conhost.exe 49->57         started        59 conhost.exe 49->59         started        61 24 other processes 49->61 process23
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/60ca1d32e2a19f4df9278382f81b3b460181dab8060b9ee2922ce9c497fb181d
Verdict:
Malware
YARA:
8 match(es)
Tags:
AutoIt Decompiled Executable PE (Portable Executable) PE File Layout Suspect Visual Basic Visual Basic 6 Win 32 Exe x86
Link:
https://app.malva.re/file/82ec03a5872682040a32b56620436705
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/60ca1d32e2a19f4df9278382f81b3b460181dab8060b9ee2922ce9c497fb181d/
Threat name:
Win32.Trojan.Golsys
Create hunting rule
Status:
Malicious
First seen:
2025-09-11 13:59:17 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
37 of 38 (97.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mdfb2mxcugpu36jhqobpqgz3iyaydwvyayfz5yusftu4jf73daoq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
mofksys
Create hunting rule
Similar samples:
605acd8daeed0286629f52eab2267a433f3dfc9f4c3127a94881b96fbf389d97
Loki
62e0fac7c5231aa0d8d5f0fdb9e64d8bdadf79934a26577282b7affbc557a5fb
Loki
6d893d39aa7cbad71156fbede1b15173ea68bcf53cc6aba1d0018270320b56f8
Loki
ce03ff47b601e4154e103927e9b8e9f9f54f18653fe4bebf0a25f6458009dc0d
Loki
d4fadd4ee8d3864f9a07149decba872260789b39654db894c95ea23e16ede112
Loki
ee98f6ee8e92f87f03ff4d3c5764a3b8d384aa0130ce1e7a4d77bd091e8beea3
Loki
error
Loki
+ 4'258 additional samples on MalwareBazaar
Result
Malware family:
mofksys
Create hunting rule
Score:
  10/10
Tags:
family:lokibot family:mofksys collection defense_evasion discovery persistence spyware stealer trojan worm
Link:
https://tria.ge/reports/250911-rhf68szpz2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
AutoIT Executable
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Drops startup file
Executes dropped EXE
Boot or Logon Autostart Execution: Active Setup
Detects Mofksys worm
Lokibot
Lokibot family
Modifies WinLogon for persistence
Modifies visibility of hidden/system files in Explorer
Mofksys
Mofksys family
Malware Config
C2 Extraction:
http://198.55.98.114/pi00/pin.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Verdict:
Malicious
Tags:
trojan Win.Malware.Swisyn-7610494-0
YARA:
Windows_Generic_Threat_2bb7fbe3
Link:
https://app.threat.zone/submission/5d2dd408-76ed-4dfb-a182-802fa91bf676
Unpacked files
SH256 hash:
60ca1d32e2a19f4df9278382f81b3b460181dab8060b9ee2922ce9c497fb181d
MD5 hash:
82ec03a5872682040a32b56620436705
SHA1 hash:
7d0dcc4c20a43d17954b6264d1e915c8e8f82345
Link:
https://www.unpac.me/results/42c141cc-bcc4-449c-886f-f4c24e0c0fd4/
SH256 hash:
6c50c0e46548c95e0147b4c23f694cf4b26cba9c5f680f0b496586e36e218167
MD5 hash:
05f437b3bef4776e6a7c232c43e41641
SHA1 hash:
d34b998181edbeb682f3a5e09d661245169e1811
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/42c141cc-bcc4-449c-886f-f4c24e0c0fd4/
SH256 hash:
a61e8d25ec00f203ffaecc0b9f38ee335628bbd0bc271c7fc5aa20654433a055
MD5 hash:
67f7d650343f14d894e4ee867677c0c8
SHA1 hash:
90791b8dab4c90b74fdd7affc55be82bdb0c581f
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
lokibot
Create hunting rule
STEALER_Lokibot
Create hunting rule
SUSP_XORed_URL_In_EXE
Create hunting rule
Lokibot
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Link:
https://www.unpac.me/results/42c141cc-bcc4-449c-886f-f4c24e0c0fd4/
Parent samples :
28a29d7b958cb08a5e9a71078387d8727881af04a454d665cb1e966b0fcbb3ad
60ca1d32e2a19f4df9278382f81b3b460181dab8060b9ee2922ce9c497fb181d
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/60ca1d32e2a1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/60ca1d32e2a19f4df9278382f81b3b460181dab8060b9ee2922ce9c497fb181d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifacts observed in infostealers
Rule name:infostealer_loki
Create hunting rule
Rule name:infostealer_xor_patterns
Create hunting rule
Author:jeFF0Falltrades
Description:The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.
Rule name:Loki
Create hunting rule
Author:kevoreilly
Description:Loki Payload
Rule name:LokiBot
Create hunting rule
Author:kevoreilly
Description:LokiBot Payload
Rule name:LokiPWS
Create hunting rule
Author:NDA0E
Description:Detects LokiBot
Rule name:malware_Lokibot_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:ProtectSharewareV11eCompservCMS
Create hunting rule
Author:malware-lu
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:STEALER_Lokibot
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect Lokibot stealer
Rule name:SUSP_Imphash_Mar23_2
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Zero hits with with search for 'imphash:x p:0' on Virustotal)
Reference:Internal Research
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Generic_Threat_2bb7fbe3
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Lokibot_0f421617
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Lokibot_1f885282
Create hunting rule
Author:Elastic Security
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.lokipws.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/26928/

Comments