MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c50d267e39a9268264624b050ea8ba1fa29f014ca0bb21222d6a8d715b28d3c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki
Vendor detections: 16

SHA256 hash: 9c50d267e39a9268264624b050ea8ba1fa29f014ca0bb21222d6a8d715b28d3c
SHA3-384 hash: 773388e028cdd2d35f1e78384b48026dec7860b536ccd83a69c14ea1a2d0f4a798863e09f5729816bd2f522666080aaa
SHA1 hash: 805f365ca684589e5b1f466bd5f10362c274c0f5
MD5 hash: 4f88c112e23f2e7bb169801c388bb0bd
humanhash: wyoming-indigo-green-nitrogen
File name: 4F88C112E23F2E7BB169801C388BB0BD.exe
Signature Loki
File size: 594'944 bytes
First seen: 2026-02-12 05:10:05 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 6a5b34ba09a4b1dcfa5c7ddce3109ef9 (1 x Loki)
ssdeep 12288:Pdo8eOaMXdoFDWDemKoW2vFpEGWa9ceVV118jc3+a03jl6c:VzeyXdoFDWDemKoW2vFp6a9/ZT0Tl
Threatray 1 similar samples on MalwareBazaar
TLSH T1D9C48E3E61BC4A33D423267ACE3B46699932BDD13B7859892BF81CCC9F74341B536192
TrID 52.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
16.8% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
7.5% (.EXE) OS/2 Executable (generic) (2029/13)
7.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 08e2c1e0b8c2fac0 (1 x Loki)
Reporter abuse_ch
Tags: exe Loki

abuse_ch
Loki C2:
http://nonny11.xyz/sol/fre.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://nonny11.xyz/sol/fre.php
ThreatFox reference: https://threatfox.abuse.ch/ioc/1746411/

Intelligence


File Origin
# of uploads:
1
# of downloads:
166
Origin country:
NL
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
_9c50d267e39a9268264624b050ea8ba1fa29f014ca0bb21222d6a8d715b28d3c.exe
Verdict:
No threats detected
Analysis date:
2026-02-12 05:12:00 UTC
Tags:
delphi

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
92.5%
Tags:
infosteal autorun delphi
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a window
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Reading critical registry keys
Launching a service
Changing a file
DNS request
Connection attempt
Sending an HTTP POST request
Moving a file to the %AppData% subdirectory
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Enabling autorun by creating a file
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-02-09T08:10:00Z UTC
Last seen:
2026-02-12T04:38:00Z UTC
Hits:
~10
Detections:
Backdoor.Win32.Agent.sb Trojan.Win32.Kryptik.sb HEUR:Backdoor.Win32.Generic
Result
Threat name:
Lokibot
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Creates / moves files in alternative data streams (ADS)
Deletes itself after installation
Drops VBS files to the startup folder
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sigma detected: Drops script at startup location
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
[Behavior graph image not rendered] Behavior Graph ID: 1868097, Sample: ZyEstRH04D.exe, Startdate: 12/02/2026, Architecture: WINDOWS, Score: 100. Nodes recoverable from the graph: ZyEstRH04D.exe and wscript.exe started; jkngjnkjngfoikjnlf.exe dropped (together with a Zone.Identifier alternate data stream) and started; fohndgoouhvsisffsffs.vbs dropped; 31437F.exe (copy) dropped under AppData; DNS query and connections to nonny11.xyz (3.238.30.69, AMAZON-AES, United States) from local ports 49693, 49695, 49697.
Threat name:
Win32.Backdoor.Multiverze
Status:
Malicious
First seen:
2026-02-09 13:11:47 UTC
AV detection:
27 of 38 (71.05%)
Threat level:
5/5
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Result
Malware family:
n/a
Score:
3/10
Tags:
discovery
Behaviour
System Location Discovery: System Language Discovery
Unpacked files
SHA256 hash:
9c50d267e39a9268264624b050ea8ba1fa29f014ca0bb21222d6a8d715b28d3c
MD5 hash:
4f88c112e23f2e7bb169801c388bb0bd
SHA1 hash:
805f365ca684589e5b1f466bd5f10362c274c0f5
SHA256 hash:
d00c0f21d16bc5f4c276f9ed893c7fd986245f442c28ba47cd89118cf97bf30d
MD5 hash:
18ca5d88d47b937873d6582233a6905f
SHA1 hash:
8c02a0092508c1e1eca6b72718eb9358f21cefda
Detections:
win_lokipws_g0 win_lokipws_auto lokibot STEALER_Lokibot SUSP_XORed_URL_In_EXE Lokibot INDICATOR_SUSPICIOUS_Binary_References_Browsers INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients INDICATOR_SUSPICIOUS_GENInfoStealer
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BobSoftMiniDelphiBoBBobSoft
Author: malware-lu
Rule name: Borland
Author: malware-lu
Rule name: pe_detect_tls_callbacks
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments