IOC and Incident Response Scanner

LOKI is a free and simple IOC scanner, a complete rewrite of the main analysis modules of our full-featured APT Scanner THOR. IOC stands for Indicators of Compromise. These indicators can be derived from published incident reports, forensic analyses or malware sample collections in your lab.

LOKI offers a simple way to scan your systems for known IOCs.

It supports these different types of indicators:
* MD5 / SHA1 / SHA256 hashes
* Yara Rules (applied to file data and process memory)
* Hard Indicator Filenames based on Regular Expressions
* Soft Indicator Filenames based on Regular Expressions

Additional Checks
* Regin filesystem check (via --reginfs)
* Process anomaly check (based on Sysforensics)
* SWF decompressed scan (new since version v0.8)
* SAM dump check

* Clone the LOKI repository (if you download LOKI as a ZIP file, make sure to download the sub-repository “signature-base” as well and place it in the respective subfolder)
* Provide the folder to a target system that should be scanned: removable media, network share, folder on target system
* Right-click on loki.exe and select “Run as Administrator” or open a command line as Administrator and run it from there (you can also run LOKI without administrative privileges but some checks will be disabled and relevant objects on disk will not be accessible)

Included IOCs
Loki currently includes the following IOCs:
* Equation Group Malware (Hashes, Yara Rules by Kaspersky and 10 custom rules generated by us)
* Carbanak APT – Kaspersky Report (Hashes, Filename IOCs – no service detection and Yara rules)
* Arid Viper APT – Trendmicro (Hashes)
* Anthem APT Deep Panda Signatures (not officially confirmed) – see Blog Post
* Regin Malware (GCHQ / NSA / FiveEyes) (incl. Legspin and Hopscotch)
* Five Eyes QWERTY Malware (Regin Keylogger Module – see: Kaspersky Report)
* Skeleton Key Malware (other state-sponsored Malware) – Source: Dell SecureWorks Counter Threat Unit(TM)
* WoolenGoldfish – (SHA1 hashes, Yara rules) Trendmicro Report
* OpCleaver (Iranian APT campaign) – Source: Cylance
* More than 180 hack tool Yara rules – Source: APT Scanner THOR
* More than 600 web shell Yara rules – Source: APT Scanner THOR
* Numerous suspicious file name regex signatures – Source: APT Scanner THOR
* Much more … (cannot update the list as fast as I include new signatures)


```
usage: loki.exe [-h] [-p path] [-s kilobyte] [--printAll] [--noprocscan]
                [--nofilescan] [--noindicator] [--debug]
Loki - Simple IOC Scanner
optional arguments:
  -h, --help     show this help message and exit
  -p path        Path to scan
  -s kilobyte    Maximum file site to check in KB (default 2000 KB)
  --printAll     Print all files that are scanned
  --noprocscan   Skip the process scan
  --nofilescan   Skip the file scan
  --noindicator  Do not show a progress indicator
  --debug        Debug output
```
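
The following added example, which is not LOKI's own code, shows how hash and filename-regex indicators interact with a size cap like `-s` during a file scan. The indicator values, `scan_tree` and `demo` are constructed for illustration; applying the filename check to every file and reporting skipped files are this example's choices, not documented LOKI behaviour.

```python
import hashlib
import os
import re
import tempfile

# Constructed sample indicators; none of these come from LOKI's signature-base.
PAYLOAD = b"constructed-sample-payload" * 100  # 2600 bytes
HASH_IOCS = {hashlib.sha256(PAYLOAD).hexdigest(): "constructed hash IOC"}
FILENAME_IOCS = [(re.compile(r"(^|[\\/])svch0st\.exe$", re.I), "constructed filename IOC")]


def scan_tree(root, hash_iocs, filename_iocs, max_kb=2000):
    """Return (path, kind, detail) findings for every file under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # Filename indicators need no file read, so they apply to every file.
            findings += [(path, "filename", d) for rx, d in filename_iocs if rx.search(path)]
            try:
                if os.path.getsize(path) > max_kb * 1024:
                    # Report the blind spot instead of silently passing the file.
                    findings.append((path, "skipped", "over size cap, not hashed"))
                    continue
                digest = hashlib.sha256()
                with open(path, "rb") as fh:
                    for chunk in iter(lambda: fh.read(65536), b""):
                        digest.update(chunk)
            except OSError as exc:  # locked or unreadable, e.g. without admin rights
                findings.append((path, "error", str(exc)))
                continue
            if digest.hexdigest() in hash_iocs:
                findings.append((path, "hash", hash_iocs[digest.hexdigest()]))
    return findings


def demo(max_kb):
    """Scan a constructed directory tree and return sorted (file name, kind) pairs."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in {"report.doc": PAYLOAD, "svch0st.exe": b"benign"}.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        found = scan_tree(root, HASH_IOCS, FILENAME_IOCS, max_kb)
        return sorted((os.path.basename(p), kind) for p, kind, _ in found)


if __name__ == "__main__":
    print(demo(2000), demo(1))
```

With the cap lowered to 1 KB, the constructed file that matches the hash indicator is reported as skipped instead of matched, which is the trade-off to keep in mind when tuning `-s`.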

Download from GitHub.

git clone