Showing posts tagged #loki

Return Home

Notice: As noted by @Antelox this is just a loader that drops LokiBot, not LokiBot itself.

Preface

Loki is a credential harvester bot sold in Russian underground forums and black markets.

Loki as advertised

Goal

For this blogpost, the goal will be to defeat/patch Loki's anti measures to be able to properly analyze malicious behavior.

Analysis

Initial triage

File hashes for the sample I'll be using:

MD5: 09D2E274F1F50AB81105A3A6B9BE34CF
SHA-1: 04AD370BFE1A0AFA273568EE18F8C14BD8E612DC
SHA-256: D7AAAFB88B91A937D1EF8BCAA97F88A13545364269F510A95DAB4A72B68A4313

The sample has a pretty low detection ratio (8/58) as of now (29/03/2017) on VirusTotal.

TrID report:

Win32 Executable Delphi generic (37.4%)
Windows screen saver (34.

Read More