SYMBOLCOMMON_NAMEaka. SYNONYMS
win.lokipws (Back to overview)

Loki Password Stealer (PWS)

aka: Burkina, Loki, LokiBot, LokiPWS

Actor(s): SWEED, The Gorgon Group, Cobalt

URLhaus        

"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMe

Loki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.

Loki-Bot accepts a single argument/switch of ‘-u’ that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.

The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: “B7E1C2CC98066B250DDB2123“.

Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: “%APPDATA%\ C98066\”.

There can be four files within the hidden %APPDATA% directory at any given time: “.exe,” “.lck,” “.hdb” and “.kdb.” They will be named after characters 13 thru 18 of the Mutex. For example: “6B250D.” Below is the explanation of their purpose:

FILE EXTENSION FILE DESCRIPTION
.exe A copy of the malware that will execute every time the user account is logged into
.lck A lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts
.hdb A database of hashes for data that has already been exfiltrated to the C2 server
.kdb A database of keylogger data that has yet to be sent to the C2 server

If the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.

The first packet transmitted by Loki-Bot contains application data.

The second packet transmitted by Loki-Bot contains decrypted Windows credentials.

The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.

Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.

The first WORD of the HTTP Payload represents the Loki-Bot version.

The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:

BYTE PAYLOAD TYPE
0x26 Stolen Cryptocurrency Wallet
0x27 Stolen Application Data
0x28 Get C2 Commands from C2 Server
0x29 Stolen File
0x2A POS (Point of Sale?)
0x2B Keylogger Data
0x2C Screenshot

The 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically “ckav.ru”. If you come across a Binary ID that is different from this, take note!

Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.

The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot’s C2 infrastructure.

Loki-Bot can accept the following instructions from the C2 Server:

BYTE INSTRUCTION DESCRIPTION
0x00 Download EXE & Execute
0x01 Download DLL & Load #1
0x02 Download DLL & Load #2
0x08 Delete HDB File
0x09 Start Keylogger
0x0A Mine & Steal Data
0x0E Exit Loki-Bot
0x0F Upgrade Loki-Bot
0x10 Change C2 Polling Frequency
0x11 Delete Executables & Exit

Suricata Signatures
RULE SID RULE NAME
2024311 ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected
2024312 ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1
2024313 ET TROJAN Loki Bot Request for C2 Commands Detected M1
2024314 ET TROJAN Loki Bot File Exfiltration Detected
2024315 ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1
2024316 ET TROJAN Loki Bot Screenshot Exfiltration Detected
2024317 ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2
2024318 ET TROJAN Loki Bot Request for C2 Commands Detected M2
2024319 ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2

References
2023-01-30CheckpointArie Olshtein
@online{olshtein:20230130:following:e442fcc, author = {Arie Olshtein}, title = {{Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware}}, date = {2023-01-30}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/}, language = {English}, urldate = {2023-01-31} } Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware
Agent Tesla Azorult Buer Cerber Cobalt Strike Emotet Formbook HawkEye Keylogger Loki Password Stealer (PWS) Maze NetWire RC Remcos REvil TrickBot
2022-10-13SpamhausSpamhaus Malware Labs
@techreport{labs:20221013:spamhaus:43e3190, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q3 2022}}, date = {2022-10-13}, institution = {Spamhaus}, url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf}, language = {English}, urldate = {2022-12-29} } Spamhaus Botnet Threat Update Q3 2022
FluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm
2022-08-08Medium CSIS TechblogBenoît Ancel
@online{ancel:20220808:inside:67ef9a0, author = {Benoît Ancel}, title = {{An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure}}, date = {2022-08-08}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145}, language = {English}, urldate = {2022-08-28} } An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader
2022-08-050xIvanTwitter (@viljoenivan)
@online{viljoenivan:20220805:lokibot:bb5fd5d, author = {Twitter (@viljoenivan)}, title = {{LokiBot Analysis}}, date = {2022-08-05}, organization = {0xIvan}, url = {https://ivanvza.github.io/posts/lokibot_analysis}, language = {English}, urldate = {2022-08-17} } LokiBot Analysis
Loki Password Stealer (PWS)
2022-06-30Cyber Geeks (CyberMasterV)Vlad Pasca
@online{pasca:20220630:how:78e5c24, author = {Vlad Pasca}, title = {{How to Expose a Potential Cybercriminal due to Misconfigurations}}, date = {2022-06-30}, organization = {Cyber Geeks (CyberMasterV)}, url = {https://cybergeeks.tech/how-to-expose-a-potential-cybercriminal-due-to-misconfigurations/}, language = {English}, urldate = {2022-07-05} } How to Expose a Potential Cybercriminal due to Misconfigurations
Loki Password Stealer (PWS)
2022-06-30CYBER GEEKS All Things InfosecCyberMasterV
@online{cybermasterv:20220630:how:035d973, author = {CyberMasterV}, title = {{How to Expose a Potential Cybercriminal due to Misconfigurations}}, date = {2022-06-30}, organization = {CYBER GEEKS All Things Infosec}, url = {https://cybergeeks.tech/how-to-expose-a-potential-cybercriminal-due-to-misconfigurations}, language = {English}, urldate = {2022-08-31} } How to Expose a Potential Cybercriminal due to Misconfigurations
Loki Password Stealer (PWS)
2022-05-19BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20220519:net:ecf311c, author = {The BlackBerry Research & Intelligence Team}, title = {{.NET Stubs: Sowing the Seeds of Discord (PureCrypter)}}, date = {2022-05-19}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord}, language = {English}, urldate = {2022-06-09} } .NET Stubs: Sowing the Seeds of Discord (PureCrypter)
Aberebot AbstractEmu AdoBot 404 Keylogger Agent Tesla Amadey AsyncRAT Ave Maria BitRAT BluStealer Formbook LimeRAT Loki Password Stealer (PWS) Nanocore RAT Orcus RAT Quasar RAT Raccoon RedLine Stealer WhisperGate
2022-04-17Malcatmalcat team
@online{team:20220417:reversing:4e53a3a, author = {malcat team}, title = {{Reversing a NSIS dropper using quick and dirty shellcode emulation}}, date = {2022-04-17}, organization = {Malcat}, url = {https://malcat.fr/blog/reversing-a-nsis-dropper-using-quick-and-dirty-shellcode-emulation/}, language = {English}, urldate = {2022-04-29} } Reversing a NSIS dropper using quick and dirty shellcode emulation
Loki Password Stealer (PWS)
2022-03-07LAC WATCHCyber ​​Emergency Center
@online{center:20220307:i:aadcf34, author = {Cyber ​​Emergency Center}, title = {{I CAN'T HEAR YOU NOW! INTERNAL BEHAVIOR OF INFORMATION-STEALING MALWARE AND JSOC DETECTION TRENDS}}, date = {2022-03-07}, organization = {LAC WATCH}, url = {https://www.lac.co.jp/lacwatch/report/20220307_002893.html}, language = {Japanese}, urldate = {2022-04-05} } I CAN'T HEAR YOU NOW! INTERNAL BEHAVIOR OF INFORMATION-STEALING MALWARE AND JSOC DETECTION TRENDS
Xloader Agent Tesla Formbook Loki Password Stealer (PWS)
2022-02-11Cisco TalosTalos
@online{talos:20220211:threat:fcad762, author = {Talos}, title = {{Threat Roundup for February 4 to February 11}}, date = {2022-02-11}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html}, language = {English}, urldate = {2022-02-14} } Threat Roundup for February 4 to February 11
DarkComet Ghost RAT Loki Password Stealer (PWS) Tinba Tofsee Zeus
2022-01-28Atomic Matryoshkaz3r0day_504
@online{z3r0day504:20220128:malware:3628b1b, author = {z3r0day_504}, title = {{Malware Headliners: LokiBot}}, date = {2022-01-28}, organization = {Atomic Matryoshka}, url = {https://www.atomicmatryoshka.com/post/malware-headliners-lokibot}, language = {English}, urldate = {2022-02-01} } Malware Headliners: LokiBot
Loki Password Stealer (PWS)
2021-11-17InfobloxGaetano Pellegrino
@techreport{pellegrino:20211117:deep:404458b, author = {Gaetano Pellegrino}, title = {{Deep Analysis of a Recent Lokibot Attack}}, date = {2021-11-17}, institution = {Infoblox}, url = {https://www.infoblox.com/wp-content/uploads/infoblox-whitepaper-deep-analysis-of-a-recent-lokibot-attack.pdf}, language = {English}, urldate = {2022-01-03} } Deep Analysis of a Recent Lokibot Attack
Loki Password Stealer (PWS)
2021-09-06cocomelonccocomelonc
@online{cocomelonc:20210906:av:215e5aa, author = {cocomelonc}, title = {{AV engines evasion for C++ simple malware: part 2}}, date = {2021-09-06}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html}, language = {English}, urldate = {2022-11-28} } AV engines evasion for C++ simple malware: part 2
Agent Tesla Amadey Anchor Carbanak Carberp Cardinal RAT Felixroot Konni Loki Password Stealer (PWS) Maze Unidentified 090 (Lazarus)
2021-08-25Trend MicroWilliam Gamazo Sanchez, Bin Lin
@online{sanchez:20210825:new:f09ef7d, author = {William Gamazo Sanchez and Bin Lin}, title = {{New Campaign Sees LokiBot Delivered Via Multiple Methods}}, date = {2021-08-25}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/h/new-campaign-sees-lokibot-delivered-via-multiple-methods.html}, language = {English}, urldate = {2021-08-31} } New Campaign Sees LokiBot Delivered Via Multiple Methods
Loki Password Stealer (PWS)
2021-08-23YouTube ( DuMp-GuY TrIcKsTeR)Jiří Vinopal
@online{vinopal:20210823:2:0b5dba8, author = {Jiří Vinopal}, title = {{[2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part2] - INetSim + BurpSuite}}, date = {2021-08-23}, organization = {YouTube ( DuMp-GuY TrIcKsTeR)}, url = {https://www.youtube.com/watch?v=N0wAh26wShE}, language = {English}, urldate = {2021-08-25} } [2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part2] - INetSim + BurpSuite
CloudEyE Loki Password Stealer (PWS)
2021-08-16Malcatmalcat team
@online{team:20210816:statically:665b400, author = {malcat team}, title = {{Statically unpacking a simple .NET dropper}}, date = {2021-08-16}, organization = {Malcat}, url = {https://malcat.fr/blog/statically-unpacking-a-simple-net-dropper/}, language = {English}, urldate = {2022-01-05} } Statically unpacking a simple .NET dropper
Loki Password Stealer (PWS)
2021-07-12IBMMelissa Frydrych, Claire Zaboeva, Dan Dash
@online{frydrych:20210712:roboski:1f66418, author = {Melissa Frydrych and Claire Zaboeva and Dan Dash}, title = {{RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation}}, date = {2021-07-12}, organization = {IBM}, url = {https://securityintelligence.com/posts/roboski-global-recovery-automation/}, language = {English}, urldate = {2021-07-20} } RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos
2021-07-12Cipher Tech SolutionsMelissa Frydrych, Claire Zaboeva, Dan Dash
@online{frydrych:20210712:roboski:a3c66bf, author = {Melissa Frydrych and Claire Zaboeva and Dan Dash}, title = {{RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation}}, date = {2021-07-12}, organization = {Cipher Tech Solutions}, url = {https://www.ciphertechsolutions.com/roboski-global-recovery-automation/}, language = {English}, urldate = {2021-07-20} } RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos
2021-07-07YouTube ( DuMp-GuY TrIcKsTeR)Jiří Vinopal
@online{vinopal:20210707:2:85ce7e9, author = {Jiří Vinopal}, title = {{[2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part1] - Own implementation in Python}}, date = {2021-07-07}, organization = {YouTube ( DuMp-GuY TrIcKsTeR)}, url = {https://www.youtube.com/watch?v=-FxyzuRv6Wg}, language = {English}, urldate = {2021-07-20} } [2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part1] - Own implementation in Python
CloudEyE Loki Password Stealer (PWS)
2021-07-06YouTube ( DuMp-GuY TrIcKsTeR)Jiří Vinopal
@online{vinopal:20210706:1:be25f45, author = {Jiří Vinopal}, title = {{[1] Lokibot analyzing - defeating GuLoader with Windbg (Kernel debugging) and Live C2}}, date = {2021-07-06}, organization = {YouTube ( DuMp-GuY TrIcKsTeR)}, url = {https://www.youtube.com/watch?v=K3Yxu_9OUxU}, language = {English}, urldate = {2021-07-20} } [1] Lokibot analyzing - defeating GuLoader with Windbg (Kernel debugging) and Live C2
CloudEyE Loki Password Stealer (PWS)
2021-06-08ilbaroni
@online{ilbaroni:20210608:lokibot:26e4005, author = {ilbaroni}, title = {{LOKIBOT - A commodity malware}}, date = {2021-06-08}, url = {http://reversing.fun/posts/2021/06/08/lokibot.html}, language = {English}, urldate = {2022-01-05} } LOKIBOT - A commodity malware
Loki Password Stealer (PWS)
2021-04-06InfoSec Handlers Diary BlogJan Kopriva
@online{kopriva:20210406:malspam:817a035, author = {Jan Kopriva}, title = {{Malspam with Lokibot vs. Outlook and RFCs}}, date = {2021-04-06}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/27282}, language = {English}, urldate = {2021-04-06} } Malspam with Lokibot vs. Outlook and RFCs
Loki Password Stealer (PWS)
2021-01-06TalosIrshad Muhammad, Holger Unterbrink
@online{muhammad:20210106:deep:8fa3a1f, author = {Irshad Muhammad and Holger Unterbrink}, title = {{A Deep Dive into Lokibot Infection Chain}}, date = {2021-01-06}, organization = {Talos}, url = {https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html}, language = {English}, urldate = {2021-01-10} } A Deep Dive into Lokibot Infection Chain
Loki Password Stealer (PWS)
2020-12-07ProofpointProofpoint Threat Research Team
@online{team:20201207:commodity:027b864, author = {Proofpoint Threat Research Team}, title = {{Commodity .NET Packers use Embedded Images to Hide Payloads}}, date = {2020-12-07}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads}, language = {English}, urldate = {2020-12-10} } Commodity .NET Packers use Embedded Images to Hide Payloads
Agent Tesla Loki Password Stealer (PWS) Remcos
2020-10-01SpiderLabs BlogDiana Lopera
@online{lopera:20201001:evasive:c15da47, author = {Diana Lopera}, title = {{Evasive URLs in Spam: Part 2}}, date = {2020-10-01}, organization = {SpiderLabs Blog}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/evasive-urls-in-spam-part-2/}, language = {English}, urldate = {2020-10-12} } Evasive URLs in Spam: Part 2
Loki Password Stealer (PWS)
2020-08-26Lab52Jagaimo Kawaii
@online{kawaii:20200826:twisted:b91cfb5, author = {Jagaimo Kawaii}, title = {{A twisted malware infection chain}}, date = {2020-08-26}, organization = {Lab52}, url = {https://lab52.io/blog/a-twisted-malware-infection-chain/}, language = {English}, urldate = {2020-08-31} } A twisted malware infection chain
Agent Tesla Loki Password Stealer (PWS)
2020-07-30SpamhausSpamhaus Malware Labs
@techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2020-05-21MalwarebytesMalwarebytes Labs
@techreport{labs:20200521:cybercrime:d38d2da, author = {Malwarebytes Labs}, title = {{Cybercrime tactics and techniques}}, date = {2020-05-21}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf}, language = {English}, urldate = {2020-06-03} } Cybercrime tactics and techniques
Ave Maria Azorult DanaBot Loki Password Stealer (PWS) NetWire RC
2020-05-14SophosLabsMarkel Picado
@online{picado:20200514:raticate:6334722, author = {Markel Picado}, title = {{RATicate: an attacker’s waves of information-stealing malware}}, date = {2020-05-14}, organization = {SophosLabs}, url = {https://news.sophos.com/en-us/2020/05/14/raticate/}, language = {English}, urldate = {2020-05-18} } RATicate: an attacker’s waves of information-stealing malware
Agent Tesla BetaBot BlackRemote Formbook Loki Password Stealer (PWS) NetWire RC NjRAT Remcos
2020-04-28Trend MicroMiguel Ang
@online{ang:20200428:loki:169b27e, author = {Miguel Ang}, title = {{Loki Info Stealer Propagates through LZH Files}}, date = {2020-04-28}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/loki-info-stealer-propagates-through-lzh-files}, language = {English}, urldate = {2020-08-14} } Loki Info Stealer Propagates through LZH Files
Loki Password Stealer (PWS)
2020-03-31Click All the Things! BlogJamie
@online{jamie:20200331:lokibot:f927742, author = {Jamie}, title = {{LokiBot: Getting Equation Editor Shellcode}}, date = {2020-03-31}, organization = {Click All the Things! Blog}, url = {https://clickallthethings.wordpress.com/2020/03/31/lokibot-getting-equation-editor-shellcode/}, language = {English}, urldate = {2020-04-07} } LokiBot: Getting Equation Editor Shellcode
Loki Password Stealer (PWS)
2020-03-20BitdefenderLiviu Arsene
@online{arsene:20200320:5:46813c6, author = {Liviu Arsene}, title = {{5 Times More Coronavirus-themed Malware Reports during March}}, date = {2020-03-20}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter}, language = {English}, urldate = {2020-03-26} } 5 Times More Coronavirus-themed Malware Reports during March
ostap HawkEye Keylogger Koadic Loki Password Stealer (PWS) Nanocore RAT Remcos
2020-02-14Virus BulletinAditya K. Sood
@online{sood:20200214:lokibot:c4e5d9d, author = {Aditya K. Sood}, title = {{LokiBot: dissecting the C&C panel deployments}}, date = {2020-02-14}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/02/lokibot-dissecting-cc-panel-deployments/}, language = {English}, urldate = {2020-02-25} } LokiBot: dissecting the C&C panel deployments
Loki Password Stealer (PWS)
2020-02-06PrevailionDanny Adamitis
@online{adamitis:20200206:triune:ada8ad3, author = {Danny Adamitis}, title = {{The Triune Threat: MasterMana Returns}}, date = {2020-02-06}, organization = {Prevailion}, url = {https://blog.prevailion.com/2020/02/the-triune-threat-mastermana-returns.html}, language = {English}, urldate = {2020-04-13} } The Triune Threat: MasterMana Returns
Azorult Loki Password Stealer (PWS)
2019-12-28Paul Burbage
@online{burbage:20191228:tale:2e5f361, author = {Paul Burbage}, title = {{The Tale of the Pija-Droid Firefinch}}, date = {2019-12-28}, url = {https://medium.com/@paul.k.burbage/the-tale-of-the-pija-droid-firefinch-4d304fde5ca2}, language = {English}, urldate = {2020-02-14} } The Tale of the Pija-Droid Firefinch
Loki Password Stealer (PWS)
2019-12-12FireEyeChi-en Shen, Oleg Bondarenko
@online{shen:20191212:cyber:e01baca, author = {Chi-en Shen and Oleg Bondarenko}, title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}}, date = {2019-12-12}, organization = {FireEye}, url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko}, language = {English}, urldate = {2020-04-16} } Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech
2019-10-28Marco Ramilli's BlogMarco Ramilli
@online{ramilli:20191028:sweed:bce7adf, author = {Marco Ramilli}, title = {{SWEED Targeting Precision Engineering Companies in Italy}}, date = {2019-10-28}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2019/10/28/sweed-targeting-precision-engineering-companies-in-italy/}, language = {English}, urldate = {2019-12-17} } SWEED Targeting Precision Engineering Companies in Italy
Loki Password Stealer (PWS)
2019-08-10Check PointOmer Gull
@online{gull:20190810:select:56061b1, author = {Omer Gull}, title = {{SELECT code_execution FROM * USING SQLite;}}, date = {2019-08-10}, organization = {Check Point}, url = {https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/}, language = {English}, urldate = {2020-02-09} } SELECT code_execution FROM * USING SQLite;
Azorult Loki Password Stealer (PWS) Pony
2019-07-15Cisco TalosEdmund Brumaghin
@online{brumaghin:20190715:sweed:9725699, author = {Edmund Brumaghin}, title = {{SWEED: Exposing years of Agent Tesla campaigns}}, date = {2019-07-15}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html}, language = {English}, urldate = {2020-01-08} } SWEED: Exposing years of Agent Tesla campaigns
Agent Tesla Formbook Loki Password Stealer (PWS) SWEED
2019-04-05TrustwavePhil Hay, Rodel Mendrez
@online{hay:20190405:spammed:82cb5e3, author = {Phil Hay and Rodel Mendrez}, title = {{Spammed PNG file hides LokiBot}}, date = {2019-04-05}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/spammed-png-file-hides-lokibot/}, language = {English}, urldate = {2022-08-15} } Spammed PNG file hides LokiBot
Loki Password Stealer (PWS)
2018-12-04Brad Duncan
@online{duncan:20181204:malspam:8e2d810, author = {Brad Duncan}, title = {{Malspam pushing Lokibot malware}}, date = {2018-12-04}, url = {https://isc.sans.edu/diary/24372}, language = {English}, urldate = {2019-10-29} } Malspam pushing Lokibot malware
Loki Password Stealer (PWS)
2018-08-29Kaspersky LabsTatyana Shcherbakova
@online{shcherbakova:20180829:loki:c239728, author = {Tatyana Shcherbakova}, title = {{Loki Bot: On a hunt for corporate passwords}}, date = {2018-08-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/loki-bot-stealing-corporate-passwords/87595/}, language = {English}, urldate = {2019-12-20} } Loki Bot: On a hunt for corporate passwords
Loki Password Stealer (PWS)
2018-08-02Palo Alto Networks Unit 42Robert Falcone, David Fuertes, Josh Grunzweig, Kyle Wilhoit
@online{falcone:20180802:gorgon:06112b1, author = {Robert Falcone and David Fuertes and Josh Grunzweig and Kyle Wilhoit}, title = {{The Gorgon Group: Slithering Between Nation State and Cybercrime}}, date = {2018-08-02}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/}, language = {English}, urldate = {2019-12-20} } The Gorgon Group: Slithering Between Nation State and Cybercrime
Loki Password Stealer (PWS) Nanocore RAT NjRAT Quasar RAT Remcos Revenge RAT
2018-07-06Github (d00rt)d00rt
@techreport{d00rt:20180706:lokibot:6508667, author = {d00rt}, title = {{LokiBot Infostealer Jihacked Version}}, date = {2018-07-06}, institution = {Github (d00rt)}, url = {https://github.com/d00rt/hijacked_lokibot_version/blob/master/doc/LokiBot_hijacked_2018.pdf}, language = {English}, urldate = {2020-01-10} } LokiBot Infostealer Jihacked Version
Loki Password Stealer (PWS)
2017-12-19LastlineAndy Norton
@online{norton:20171219:novel:2a852a7, author = {Andy Norton}, title = {{Novel Excel Spreadsheet Attack Launches Password Stealing Malware Loki Bot}}, date = {2017-12-19}, organization = {Lastline}, url = {https://www.lastline.com/blog/password-stealing-malware-loki-bot/}, language = {English}, urldate = {2020-01-13} } Novel Excel Spreadsheet Attack Launches Password Stealing Malware Loki Bot
Loki Password Stealer (PWS)
2017-06-22SANS Institute Information Security Reading RoomRob Pantazopoulos
@online{pantazopoulos:20170622:lokibot:cb24973, author = {Rob Pantazopoulos}, title = {{Loki-Bot: InformationStealer, Keylogger, &More!}}, date = {2017-06-22}, organization = {SANS Institute Information Security Reading Room}, url = {https://www.sans.org/reading-room/whitepapers/malicious/loki-bot-information-stealer-keylogger-more-37850}, language = {English}, urldate = {2019-07-11} } Loki-Bot: InformationStealer, Keylogger, &More!
Loki Password Stealer (PWS)
2017-05-17FortinetXiaopeng Zhang, Hua Liu
@online{zhang:20170517:new:15004ed, author = {Xiaopeng Zhang and Hua Liu}, title = {{New Loki Variant Being Spread via PDF File}}, date = {2017-05-17}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file}, language = {English}, urldate = {2020-01-05} } New Loki Variant Being Spread via PDF File
Loki Password Stealer (PWS)
2017-05-07R3MRUMR3MRUM
@online{r3mrum:20170507:lokibot:5a6975d, author = {R3MRUM}, title = {{Loki-Bot: Come out, come out, wherever you are!}}, date = {2017-05-07}, organization = {R3MRUM}, url = {https://r3mrum.wordpress.com/2017/05/07/loki-bot-atrifacts/}, language = {English}, urldate = {2020-01-12} } Loki-Bot: Come out, come out, wherever you are!
Loki Password Stealer (PWS)
2017-05-05Github (R3MRUM)R3MRUM
@online{r3mrum:20170505:lokiparse:c8a2916, author = {R3MRUM}, title = {{loki-parse}}, date = {2017-05-05}, organization = {Github (R3MRUM)}, url = {https://github.com/R3MRUM/loki-parse}, language = {English}, urldate = {2019-11-29} } loki-parse
Loki Password Stealer (PWS)
2017-03-23CofenseCofense
@online{cofense:20170323:tales:cbdee9a, author = {Cofense}, title = {{Tales from the Trenches: Loki Bot Malware}}, date = {2017-03-23}, organization = {Cofense}, url = {https://phishme.com/loki-bot-malware/}, language = {English}, urldate = {2019-12-02} } Tales from the Trenches: Loki Bot Malware
Loki Password Stealer (PWS)
2017-02-16CysinfoWinston M
@online{m:20170216:nefarious:a0ed57b, author = {Winston M}, title = {{Nefarious Macro Malware drops “Loki Bot” to steal sensitive information across GCC countries!}}, date = {2017-02-16}, organization = {Cysinfo}, url = {https://cysinfo.com/nefarious-macro-malware-drops-loki-bot-across-gcc-countries/}, language = {English}, urldate = {2019-10-23} } Nefarious Macro Malware drops “Loki Bot” to steal sensitive information across GCC countries!
Loki Password Stealer (PWS)
Yara Rules
[TLP:WHITE] win_lokipws_auto (20230407 | Detects win.lokipws.)
rule win_lokipws_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.lokipws."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff75fc ff35???????? e8???????? 83c44c 6a00 6a01 53 }
            // n = 7, score = 300
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff35????????         |                     
            //   e8????????           |                     
            //   83c44c               | add                 esp, 0x4c
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   53                   | push                ebx

        $sequence_1 = { 58 6a49 6689856affffff 58 6a32 6689856cffffff 33c0 }
            // n = 7, score = 300
            //   58                   | pop                 eax
            //   6a49                 | push                0x49
            //   6689856affffff       | mov                 word ptr [ebp - 0x96], ax
            //   58                   | pop                 eax
            //   6a32                 | push                0x32
            //   6689856cffffff       | mov                 word ptr [ebp - 0x94], ax
            //   33c0                 | xor                 eax, eax

        $sequence_2 = { c78540fdffff00b91000 c78544fdffff0000488b c78548fdffffc60f1f80 899d4cfdffff c78550fdffff4c89304c c78554fdffff8970084c c78558fdffff89701048 }
            // n = 7, score = 300
            //   c78540fdffff00b91000     | mov    dword ptr [ebp - 0x2c0], 0x10b900
            //   c78544fdffff0000488b     | mov    dword ptr [ebp - 0x2bc], 0x8b480000
            //   c78548fdffffc60f1f80     | mov    dword ptr [ebp - 0x2b8], 0x801f0fc6
            //   899d4cfdffff         | mov                 dword ptr [ebp - 0x2b4], ebx
            //   c78550fdffff4c89304c     | mov    dword ptr [ebp - 0x2b0], 0x4c30894c
            //   c78554fdffff8970084c     | mov    dword ptr [ebp - 0x2ac], 0x4c087089
            //   c78558fdffff89701048     | mov    dword ptr [ebp - 0x2a8], 0x48107089

        $sequence_3 = { a5 a5 a5 ff5124 85c0 0f8881000000 395dfc }
            // n = 7, score = 300
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   ff5124               | call                dword ptr [ecx + 0x24]
            //   85c0                 | test                eax, eax
            //   0f8881000000         | js                  0x87
            //   395dfc               | cmp                 dword ptr [ebp - 4], ebx

        $sequence_4 = { 85c0 750e 50 ff35???????? e8???????? 59 59 }
            // n = 7, score = 300
            //   85c0                 | test                eax, eax
            //   750e                 | jne                 0x10
            //   50                   | push                eax
            //   ff35????????         |                     
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx

        $sequence_5 = { 59 8935???????? 5f 5e 33c0 5b 8be5 }
            // n = 7, score = 300
            //   59                   | pop                 ecx
            //   8935????????         |                     
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   33c0                 | xor                 eax, eax
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp

        $sequence_6 = { e8???????? 59 83f802 7649 33db 53 6a01 }
            // n = 7, score = 300
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   83f802               | cmp                 eax, 2
            //   7649                 | jbe                 0x4b
            //   33db                 | xor                 ebx, ebx
            //   53                   | push                ebx
            //   6a01                 | push                1

        $sequence_7 = { e8???????? 83c418 8bf8 68???????? 68???????? 53 85ff }
            // n = 7, score = 300
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            //   8bf8                 | mov                 edi, eax
            //   68????????           |                     
            //   68????????           |                     
            //   53                   | push                ebx
            //   85ff                 | test                edi, edi

        $sequence_8 = { c745acf8870304 c745b04e7f6ec1 c745b40b67c770 c745b87818d318 c745bcc2202182 c745c082df524e c745c4c7724986 }
            // n = 7, score = 300
            //   c745acf8870304       | mov                 dword ptr [ebp - 0x54], 0x40387f8
            //   c745b04e7f6ec1       | mov                 dword ptr [ebp - 0x50], 0xc16e7f4e
            //   c745b40b67c770       | mov                 dword ptr [ebp - 0x4c], 0x70c7670b
            //   c745b87818d318       | mov                 dword ptr [ebp - 0x48], 0x18d31878
            //   c745bcc2202182       | mov                 dword ptr [ebp - 0x44], 0x822120c2
            //   c745c082df524e       | mov                 dword ptr [ebp - 0x40], 0x4e52df82
            //   c745c4c7724986       | mov                 dword ptr [ebp - 0x3c], 0x864972c7

        $sequence_9 = { 83c40c 85db 7411 6a02 53 e8???????? 53 }
            // n = 7, score = 300
            //   83c40c               | add                 esp, 0xc
            //   85db                 | test                ebx, ebx
            //   7411                 | je                  0x13
            //   6a02                 | push                2
            //   53                   | push                ebx
            //   e8????????           |                     
            //   53                   | push                ebx

    condition:
        7 of them and filesize < 1327104
}
Download all Yara Rules