
LokiBot

Posted: February 24, 2017

Threat Metric

Ranking: 13,536
Threat Level: 8/10
Infected PCs: 176
First Seen: February 24, 2017
Last Seen: August 22, 2023
OS(es) Affected: Windows


LokiBot is a spyware program that collects passwords, logins, and other information from an infected computer. LokiBot campaigns frequently use spam e-mails as their infection vector and produce no visible symptoms while the spyware collects and transfers data. Let your anti-malware products detect and uninstall LokiBot automatically, and afterward take appropriate precautions to re-secure any accounts whose credentials may have been exposed.

Trickster-Gods in Your Inbox

LokiBot campaigns, while not necessarily the largest in volume in the threatening-software industry, are highly regular incidents, with new attack attempts arriving each day. The spyware is rented out to third parties on the dark Web, which lets criminals collect information without any coding experience. It includes a wide array of data-exfiltrating features that are useful against a range of targets, including website administrators, business or government networks, and home Windows systems.

Different versions of LokiBot, which takes its name from the Norse trickster deity Loki, sometimes install themselves through various methods, although malware experts trace all of them to spam e-mail attachments. A general overview of LokiBot's core data-collecting features includes, but isn't limited to, the following:

  • LokiBot reads the Windows Credential Manager and harvests the stored usernames and passwords, which the attacker can then use to compromise other PCs on the same network.
  • LokiBot uses specialized functions for harvesting data from other applications, including most major Web browsers, many FTP clients, and various cryptocurrency wallets.
  • LokiBot also contains a keylogger that captures the user's keyboard input, which covers typed information that the application-specific harvesters don't already capture.

Unlike some spyware types, LokiBot isn't a one-time-use application. It registers a Mutex (so that only one instance runs at a time) and configures its executable, stored under the AppData folder, to launch whenever a user logs in to Windows, which lets it continue harvesting confidential information and uploading it to the threat actor's collection server.

Keeping Ancient Myths from Snatching Your Data

Spam e-mails, with their attachments and Web links, are traditional infection vectors for threats besides spyware, including backdoor Trojans and file-locker Trojans like Hidden Tear. Malware analysts see few similarities between the tactics and disguises that different LokiBot campaigns use, which is likely due to different threat actors handling deployment. However, all variants seen so far either use Word macro-based installation exploits or attach the executable directly, compressed in an archive such as a ZIP file.

Users can hamper LokiBot's ability to upload the collected data by implementing firewall rules that block its known C&C domains, such as festy18.info. Note that a host firewall such as Windows Defender Firewall filters by IP address rather than by name, so blocking a domain in practice means sinkholing it at the DNS resolver or denying it at an egress proxy that can filter by hostname, and because the addresses behind a C&C domain change, a name-based block has to be kept current. Without appropriate network-traffic restrictions, the spyware may compromise a range of targets, including Bitcoin wallets, FTP accounts, credit cards, and even other systems sharing the same network. As usual, malware experts rate the threat as specific to Windows, and OS-appropriate anti-malware protection should be in place to delete LokiBot before it attacks.
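Since a name-based block is enforced where names are visible, the following added example (Python written for this page, not code from the original article or from any vendor) scans BIND9-style DNS query-log lines for lookups of the C&C domain named above and of its subdomains. The `C2_DOMAINS` set holds only the page's domain; the `SAMPLE_LOG` lines are constructed for the example. The match is label-aware, so `cdn.festy18.info` is caught while `notfesty18.info` is not, which a substring search would get wrong.

```python
"""DNS-side check for the LokiBot C&C domain named on this page.

Added example, not code from the original page. Host firewalls filter by
address, so catching the name is done where names are visible: here, a
BIND9-style query log (the same domain_matches() logic applies to a proxy
log or a Sysmon DNS event). C2_DOMAINS holds the page's domain; SAMPLE_LOG
is constructed for the example.
"""
import re
from typing import Iterable, List, Optional, Set, Tuple

C2_DOMAINS: Set[str] = {"festy18.info"}

# BIND9 querylog line, e.g.
# "12-Mar-2017 09:14:02.113 client 10.0.0.5#51234 (festy18.info): query: festy18.info IN A + (10.0.0.1)"
# Newer BIND versions insert "@0x..." after "client"; the optional group absorbs it.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[\d.]+)#\d+ .*?query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def domain_matches(qname: str, blocklist: Set[str]) -> Optional[str]:
    """Return the blocklisted domain that qname equals or is a subdomain of, else None.

    Comparison is label-aware: 'cdn.festy18.info' matches, 'notfesty18.info' does not,
    which a naive substring test would get wrong.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def scan_query_log(lines: Iterable[str], blocklist: Set[str] = C2_DOMAINS) -> List[Tuple[str, str, str]]:
    """Return (client_ip, queried_name, matched_domain) for every hit, in log order."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m is None:
            continue
        matched = domain_matches(m["qname"], blocklist)
        if matched:
            hits.append((m["src"], m["qname"], matched))
    return hits


# Constructed log lines, not real telemetry.
SAMPLE_LOG = [
    "12-Mar-2017 09:14:02.113 client 10.0.0.5#51234 (festy18.info): query: festy18.info IN A + (10.0.0.1)",
    "12-Mar-2017 09:14:02.250 client 10.0.0.5#51235 (www.example.com): query: www.example.com IN A + (10.0.0.1)",
    "12-Mar-2017 09:14:03.001 client @0x7f3c2a1b 10.0.0.9#40001 (cdn.festy18.info): query: cdn.festy18.info IN A + (10.0.0.1)",
    "12-Mar-2017 09:14:03.400 client 10.0.0.9#40002 (notfesty18.info): query: notfesty18.info IN A + (10.0.0.1)",
]

if __name__ == "__main__":
    for src, qname, matched in scan_query_log(SAMPLE_LOG):
        print(f"{src} looked up {qname} (blocklisted: {matched})")
```

Run against a real resolver log, the client IP in each hit is the host to triage; the sinkhole or proxy rule that does the blocking uses the same suffix-match rule, so any subdomain the operator rotates to is covered as long as the registered domain stays on the list.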

A typical LokiBot installer uses document-based exploits or fake file extensions on executables to trick users into compromising their PCs. Any download is only as trustworthy as its source, and forgetting that can set off a cascade of problems involving virtually all of your information.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:



All entries are Windows executables (file type: Executable File; MIME type: unknown/exe; group: malware file). Sizes are in bytes; "-" means the field was not recorded.

File name    Path                          Size     MD5                               Detections  Last updated
file.exe     -                             244736   2baa56f364907b6687f4a6d392d27a8f  80          June 15, 2017
file.exe     -                             332800   6c53237e57f4e4741d94ee4516850ea7  76          May 8, 2017
ssx.exe      -                             671744   f4f7713fec294c7344655c8ddded266b  76          -
file.exe     -                             344064   fcaaa897743d219dd068d1b5daf7a84b  72          May 18, 2017
file.exe     -                             561152   ea305af3668d63046659711057c09ff7  62          July 30, 2017
file.exe     -                             184320   90cf399b337479372f89f9ac52ef4c73  51          July 24, 2017
file.exe     -                             801792   ac6829c09d6e1ff82721d99f219b6ce2  50          -
w32host.exe  %APPDATA%\Microsoft\WHost     728064   979b0c6904dfc8ee329705e93f804fc7  19          October 28, 2017
w32host.exe  %APPDATA%\Microsoft\WHost     747520   f62ae3a83ae40c3503ea193581a82b78  12          October 28, 2017
w32host.exe  %APPDATA%\Microsoft\WHost     837632   bde54939438664911981d525b12329a7  7           October 28, 2017
w32host.exe  %APPDATA%\Microsoft\WHost     744960   bd030f64e2219b2a4e8dea41126c8e10  7           October 28, 2017
file.exe     -                             438272   91072ab67693d55655781c1ac624e04a  5           April 6, 2022
file.exe     C:\Users\<username>\Desktop   964072   a91d75970c089ccd042d477982a9a5be  3           October 3, 2018

Registry Modifications

The following newly produced Registry Values are (each recorded as a regexp file mask for the file it launches):

  • %APPDATA%\ASound.exe
  • %APPDATA%\Microsoft\WHost\w32host.exe
  • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\vscdme.vbe
  • %APPDATA%\mixcver\vscdme.exe
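The persistence paths listed here, the logon auto-launch from AppData described earlier, and the MD5s in the file table together make a host-side check. The following Python is an added example written for this page, not code from the original article or from any vendor: it classifies autorun entries as an exact match against the paths above, as suspicious when any program is launched from %APPDATA%, or as ok, and it tests file contents against the table's hashes. On Windows it reads the HKCU/HKLM Run keys and the user's Startup folder; elsewhere it falls back to `AUTORUN_SAMPLE`, which is constructed test data (the user name `alice` and the `Updater`/`upd.exe` entry are invented).

```python
"""Host-side triage for the LokiBot persistence indicators on this page.

Added example, not code from the original page or any vendor. Flags autorun
entries launched from %APPDATA% (where the page says LokiBot lives), matches
exact paths from "Registry Modifications", and checks MD5s from the file table.
AUTORUN_SAMPLE is constructed test data.
"""
import hashlib
import os
import re

# MD5 values copied from the file table above (lookup keys only; MD5 is not collision resistant).
LOKIBOT_MD5 = {
    "2baa56f364907b6687f4a6d392d27a8f", "6c53237e57f4e4741d94ee4516850ea7", "f4f7713fec294c7344655c8ddded266b",
    "fcaaa897743d219dd068d1b5daf7a84b", "ea305af3668d63046659711057c09ff7", "90cf399b337479372f89f9ac52ef4c73",
    "ac6829c09d6e1ff82721d99f219b6ce2", "979b0c6904dfc8ee329705e93f804fc7", "f62ae3a83ae40c3503ea193581a82b78",
    "bde54939438664911981d525b12329a7", "bd030f64e2219b2a4e8dea41126c8e10", "91072ab67693d55655781c1ac624e04a",
    "a91d75970c089ccd042d477982a9a5be",
}

# Persistence paths from the "Registry Modifications" list, compared case-insensitively.
KNOWN_PATHS = {p.lower() for p in (
    r"%APPDATA%\ASound.exe",
    r"%APPDATA%\Microsoft\WHost\w32host.exe",
    r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\vscdme.vbe",
    r"%APPDATA%\mixcver\vscdme.exe",
)}

# Rewrites an expanded profile path (C:\Users\alice\AppData\Roaming\...) back to the %APPDATA%\... form.
PROFILE_APPDATA_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming", re.IGNORECASE)

def executable_of(command):
    """Return the program part of a Run-key command line, dropping any arguments."""
    command = command.strip()
    if command.startswith('"'):                    # "C:\path with spaces\x.exe" /arg
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    for sep in (" /", " -"):                       # C:\path\x.exe /arg  or  C:\path\x.exe -arg
        idx = command.find(sep)
        if idx != -1:
            return command[:idx]
    return command

def canonical(command):
    """Lower-cased program path in the %APPDATA%\\... form used by the indicator list."""
    return PROFILE_APPDATA_RE.sub("%APPDATA%", executable_of(command)).lower()

def classify_autorun(command):
    """'match' = exact LokiBot path, 'suspicious' = any program launched from %APPDATA%, else 'ok'."""
    target = canonical(command)
    if target in KNOWN_PATHS:
        return "match"
    if target.startswith("%appdata%\\"):
        return "suspicious"
    return "ok"

def is_known_lokibot_sample(data):
    """True if the file contents hash to one of the MD5s in the page's table."""
    return hashlib.md5(data).hexdigest() in LOKIBOT_MD5

def triage(entries):
    """Return (verdict, source, name, command) for every entry that is not 'ok', in input order."""
    verdicts = ((classify_autorun(cmd), src, name, cmd) for src, name, cmd in entries)
    return [v for v in verdicts if v[0] != "ok"]

def live_autoruns():
    """Read the HKCU/HKLM Run keys and the user's Startup folder; empty list off Windows."""
    entries = []
    try:
        import winreg
    except ImportError:
        return entries
    sub = r"Software\Microsoft\Windows\CurrentVersion\Run"
    for hive, label in ((winreg.HKEY_CURRENT_USER, "HKCU"), (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        try:
            with winreg.OpenKey(hive, sub) as key:
                i = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, i)
                    except OSError:                # enumeration exhausted
                        break
                    entries.append((label + "\\" + sub, name, str(value)))
                    i += 1
        except OSError:
            pass                                   # key absent or access denied
    startup = os.path.join(os.environ.get("APPDATA", ""), r"Microsoft\Windows\Start Menu\Programs\Startup")
    if os.path.isdir(startup):
        entries += [("Startup folder", fn, os.path.join(startup, fn)) for fn in os.listdir(startup)]
    return entries

# Constructed sample, not observed telemetry (user "alice" and the "Updater" entry are invented).
AUTORUN_SAMPLE = [
    ("HKCU\\...\\Run", "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("HKCU\\...\\Run", "WHost", r"C:\Users\alice\AppData\Roaming\Microsoft\WHost\w32host.exe"),
    ("HKCU\\...\\Run", "Updater", r'"C:\Users\alice\AppData\Roaming\vendor\upd.exe" -silent'),
    ("Startup folder", "vscdme.vbe",
     r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vscdme.vbe"),
    ("HKLM\\...\\Run", "SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    print(*triage(live_autoruns() or AUTORUN_SAMPLE), sep="\n")
```

The "suspicious" verdict is deliberately broad: legitimate per-user installers also run from AppData\Roaming, so treat it as a queue for review rather than a detection, and confirm a hit by hashing the file with `is_known_lokibot_sample()` or by submitting it to a sandbox. A hash miss does not clear a file, since the table lists only the samples this page recorded; an unexpected .vbe in the Startup folder deserves a look regardless of its hash.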
