MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b89bbec1c1aa51c0cdcafa77da51ed70c0daac03e31d4e06a2659036c5d9f2bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 20

Intelligence 20 IOCs YARA 22 File information Comments

SHA256 hash:	b89bbec1c1aa51c0cdcafa77da51ed70c0daac03e31d4e06a2659036c5d9f2bf
SHA3-384 hash:	67216acaecc578b8c33d4b70e6df4d892db2137a68a723ebdd1a9e03234b9c5d7953a1f199a5eca067438583390ce545
SHA1 hash:	84d8d9dddc1cac90f86da763e3c6c4dda9423cbf
MD5 hash:	5537ac161d334f7bf63c556f466c9f10
humanhash:	oranges-nineteen-alaska-december
File name:	LOKI9876545678900090000.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	569'344 bytes
First seen:	2025-12-12 08:47:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	21371b611d91188d602926b15db6bd48 (70 x Formbook, 33 x AgentTesla, 20 x RemcosRAT)
ssdeep	12288:tz7hU5I5yuNHIgzSFKxWltRohBfSTso93UZ0fpSbtNtH6lzDzbhCZzQuq:tf+iN57Gtene3QF+z+Q
Threatray	4'038 similar samples on MalwareBazaar
TLSH	T15EC41292868199A1C2547330C437CCA099B43DB19E16732E836DE66A7C743D3EEA776C
TrID	39.1% (.EXE) UPX compressed Win32 Executable (27066/9/6) 38.3% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4) 7.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.5% (.EXE) Win32 Executable (generic) (4504/4/1) 2.9% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	lowmal3
Tags:	exe Loki UPX

UPX packed

This file is packed with UPX. We have therefore unpacked the file. Below is furhter information about the unpacked (de-compressed) file.

File size (compressed) :	569'344 bytes
File size (de-compressed) :	1'075'712 bytes
Format:	win32/pe
Unpacked file:	3972158babfa442f37cb87d065bbaf55d52f063267c95d6c19fc9435f31160de

Intelligence

File Origin

# of uploads :

# of downloads :

115

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

AutoIt PEPacker

Details

AutoIt

extracted scripts and files

PEPacker

a UPX version number and an unpacked binary

Link:

https://research.acce.ciphertechsolutions.com/results/0eb0cdee-25c6-4c15-ba95-1436d1ec9d6b/

Malware family:

n/a

ID:

File name:

_b89bbec1c1aa51c0cdcafa77da51ed70c0daac03e31d4e06a2659036c5d9f2bf.exe

Verdict:

Malicious activity

Analysis date:

2025-12-12 08:48:59 UTC

Tags:

auto-startup

Link:

https://app.any.run/tasks/b7a279fc-4de0-4e4c-b86f-ba7aaf66e72a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/44397/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=693bd79fa675b653bd1059cc

Tags:

autorun autoit

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

autoit compiled-script microsoft_visual_cc overlay packed packed packed upx

Link:

https://www.filescan.io/uploads/693bd6ce1eac7b9b76a75007/reports/985ff3d9-1fd3-4526-89b2-d1fc1c9a2822/overview

Verdict:

Malicious

Labled as:

Injector.Autoit

Link:

https://www.hybrid-analysis.com/sample/b89bbec1c1aa51c0cdcafa77da51ed70c0daac03e31d4e06a2659036c5d9f2bf

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-12-12T03:03:00Z UTC

Last seen:

2025-12-14T07:09:00Z UTC

Hits:

~1000

Detections:

Trojan-PSW.Win32.Stealer.sb Trojan.Win32.Strab.sb Trojan.CMY3U.TCP.C&C PDM:Trojan.Win32.Generic Backdoor.Androm.HTTP.ServerRequest Trojan-PSW.Win32.Fareit.sb Trojan.Win32.Gorgon.sb Backdoor.Win32.Androm.vzjs Backdoor.Androm.TCP.C&C Backdoor.Androm.HTTP.Notification Backdoor.Androm.HTTP.C&C VHO:Backdoor.Win32.Androm.vzjt

Link:

https://opentip.kaspersky.com/b89bbec1c1aa51c0cdcafa77da51ed70c0daac03e31d4e06a2659036c5d9f2bf/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/37403428-3a0c-416f-9f09-c3832647dc83

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1831500

Signature

Antivirus detection for URL or domain

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Drops VBS files to the startup folder

Found malware configuration

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: WScript or CScript Dropper

Suricata IDS alerts for network traffic

Switches to a custom stack to bypass stack traces

System process connects to network (likely due to code injection or exploit)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Unusual module load detection (module proxying)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/b89bbec1c1aa51c0cdcafa77da51ed70c0daac03e31d4e06a2659036c5d9f2bf

Verdict:

Malware

YARA:

5 match(es)

Tags:

AutoIt Decompiled Executable PE (Portable Executable) PE File Layout Suspect Win 32 Exe x86

Link:

https://app.malva.re/file/5537ac161d334f7bf63c556f466c9f10

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b89bbec1c1aa51c0cdcafa77da51ed70c0daac03e31d4e06a2659036c5d9f2bf/

Verdict:

Malicious

Threat:

VHO:Backdoor.Win32.Androm

Link:

https://tip.neiki.dev/file/b89bbec1c1aa51c0cdcafa77da51ed70c0daac03e31d4e06a2659036c5d9f2bf

Threat name:

Win32.Trojan.ShellcodeCrypter

Status:

Malicious

First seen:

2025-12-12 05:53:14 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xcn35qobvji4btok7j35uupnodanvlad4mou4bvcmwidnroz6k7q._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

1e77489c920a17e0290d04e8471c20a2e3437b89bd90b6c1874f95ffe919bf2a

Loki

20f2f32534dbab75a5c3ee41786c118bdd6b638e1fd9b4e863f21e51248d45e4

Loki

44d76c2813cbcbbc38602cf85005884c492f6eb76fbdac3e8279633d75fc5a0d

Loki

51baf7fe0bb25ca0810b31eb224f2c779ccdb6086151139dfcf95ebc70bad029

Loki

911ab907376843edb05b47e615e37582276cc4af2b676727af7d61831d9fd044

Loki

af6376d7d5de38d0d7acf754db0d4c4f77ba49a48eb1cb4d240b16d3725d58dc

Loki

b25e2edf3fd594ed171241445341c53bf4013691723d0808790beaa20b503792

Loki

b89ac159c50e85f4f66fb3a0295504fd885b1d6acc96159cf1e4c5886d0afbb9

Loki

+ 4'028 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection discovery spyware stealer trojan upx

Link:

https://tria.ge/reports/251212-kqawvsck6y/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Program crash

System Location Discovery: System Language Discovery

AutoIT Executable

Suspicious use of SetThreadContext

UPX packed file

Accesses Microsoft Outlook profiles

Drops startup file

Executes dropped EXE

Lokibot

Lokibot family

Malware Config

C2 Extraction:

http://198.23.177.219/siu/pin.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Verdict:

Malicious

Tags:

lokibot

YARA:

n/a

Link:

https://app.threat.zone/submission/266b4dd2-ee64-408c-92cd-d04ed38d644a

Unpacked files

SH256 hash:

b89bbec1c1aa51c0cdcafa77da51ed70c0daac03e31d4e06a2659036c5d9f2bf

MD5 hash:

5537ac161d334f7bf63c556f466c9f10

SHA1 hash:

84d8d9dddc1cac90f86da763e3c6c4dda9423cbf

Link:

https://www.unpac.me/results/333c90c3-e428-49ee-a96a-ae898ca3e514/

SH256 hash:

66ac76279add4b34db1e7567b2edca29d83a7c1f15a041b9bafdb58d590cd4fb

MD5 hash:

0e1e27387e63734371165694378214eb

SHA1 hash:

8f26a9b313732e64d826585e08a82d7b7a19afad

Detections:

win_lokipws_g0

win_lokipws_auto

lokibot

STEALER_Lokibot

SUSP_XORed_URL_In_EXE

Lokibot

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

INDICATOR_SUSPICIOUS_GENInfoStealer

Link:

https://www.unpac.me/results/333c90c3-e428-49ee-a96a-ae898ca3e514/

Parent samples :

ce8bb22be29d0043943e2a2a0516d6138aae58dafcd9ad76236a4510e693d9f0
471745261953e9374e2ce9e42fc725ac1f59add047252e377aed07bbb6fd36a6
87074659e5cfae42bb2b9e475b95d9c5d729d298ac80be029f3453b853aa0cc2
b89bbec1c1aa51c0cdcafa77da51ed70c0daac03e31d4e06a2659036c5d9f2bf
3972158babfa442f37cb87d065bbaf55d52f063267c95d6c19fc9435f31160de

SH256 hash:

2e88e0cb749421a3fb24333e861c0e38d9f3d920ed02b3c17beb2de381133ef9

MD5 hash:

a97794cba12a29a1ec4a6c17b4173a1a

SHA1 hash:

255e4d7df6c029544f275ab529590f737725e563

Detections:

AutoIT_Compiled

Link:

https://www.unpac.me/results/333c90c3-e428-49ee-a96a-ae898ca3e514/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b89bbec1c1aa/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.94

Link:

https://yomi.yoroi.company/submissions/b89bbec1c1aa51c0cdcafa77da51ed70c0daac03e31d4e06a2659036c5d9f2bf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_GENInfoStealer Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing common artifacts observed in infostealers

Rule name:	infostealer_loki Create hunting rule

Rule name:	infostealer_xor_patterns Create hunting rule
Author:	jeFF0Falltrades
Description:	The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.

Rule name:	Loki Create hunting rule
Author:	kevoreilly
Description:	Loki Payload

Rule name:	Lokibot Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Lokibot in memory
Reference:	internal research

Rule name:	LokiPWS Create hunting rule
Author:	NDA0E
Description:	Detects LokiBot

Rule name:	malware_Lokibot_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Lokibot in memory
Reference:	internal research

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	STEALER_Lokibot Create hunting rule
Author:	Marc Rivero \| McAfee ATR Team
Description:	Rule to detect Lokibot stealer

Rule name:	UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	upx_3 Create hunting rule
Author:	Kevin Falcoz
Description:	UPX 3.X

Rule name:	upx_largefile Create hunting rule
Author:	k3nr9

Rule name:	Windows_Trojan_Lokibot_0f421617 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Lokibot_1f885282 Create hunting rule
Author:	Elastic Security

Rule name:	win_lokipws_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.lokipws.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

exe b89bbec1c1aa51c0cdcafa77da51ed70c0daac03e31d4e06a2659036c5d9f2bf

(this sample)

Loki

exe 3972158babfa442f37cb87d065bbaf55d52f063267c95d6c19fc9435f31160de

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/44397/

Dropping

SHA256 3972158babfa442f37cb87d065bbaf55d52f063267c95d6c19fc9435f31160de

Dropping

MD5 db13724c27742b49f3cae24ff7e03d4f

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample