{
	"id": "2133c77d-0f67-4147-a106-49d6cf3e41cc",
	"created_at": "2026-04-06T00:12:54.903958Z",
	"updated_at": "2026-04-10T13:12:42.875633Z",
	"deleted_at": null,
	"sha1_hash": "5dcdfd9c89bdad4648053c7d682891a07ba6cc1e",
	"title": "Malware Analysis - LokiBot",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 706515,
	"plain_text": "Malware Analysis - LokiBot\r\nBy Bar Magnezi\r\nPublished: 2024-12-01 · Archived: 2026-04-05 21:48:23 UTC\r\nSample:\r\n2f402635e17b4f0d9c0d6922d384936a\r\nBackground\r\nLokiBot is a trojan and infostealer malware that commonly targets Android phones and Windows devices. The primary purpose of LokiBot is to act as an infostealer. Once it has infected a device, it looks for applications that store login credentials, such as browsers or email programs, and steals and exfiltrates those credentials to the attacker. LokiBot also includes keylogging functionality, enabling it to capture login credentials as they are entered into the system by the user.\r\nStatic Analysis - Stage 1\r\nFigure 1: Malware Bazaar Entry\r\nWhat initially seemed like a typical malware analysis revealed a more sophisticated technique involving steganography.\r\nhttps://0xmrmagnezi.github.io/malware%20analysis/LokiBot/\r\nPage 1 of 11\n\nFigure 2: Using Detect It Easy\r\nAt first, I will use DIE on the sample to gather more information about it, including the programming language in which it was written, as shown in Figure 2.\r\nFigure 3: Using CAPA\r\nBased on the CAPA output, I speculated that this is likely only the first stage and that there are likely additional stages to the malware. The malware was analyzed using dnSpy because it was written in .NET.\r\nAfter some time spent searching through the code, something interesting was observed: two images being loaded and then passed through several functions, as shown in Figures 4 and 5.\r\nFigure 4: BMP File Being Loaded\r\nFigure 5: The BMP File\r\nThe BMP file was then passed to a function named F6, where it underwent some manipulations that produced a byte array as output; the function can be seen in Figure 6.\r\nFigure 6: \"F6\" Function\r\nTo avoid accidentally running the malware, a Python script was written that takes the BMP file, applies the same manipulations as the malware, and outputs the resulting hex array. It was clear that the conversion was correct because the output indicated the presence of a PE header, as shown in Figure 7.\r\nFigure 7: Python Code\r\nThe output was saved to a new file for further investigation.\r\nThis technique is called steganography: hiding data within innocent-looking files so that it is hard to detect. It often involves embedding malicious payloads within files such as images or audio.\r\nDynamic Analysis - Stage 1\r\nThe first technique showed how to extract the file statically; in this part, the second BMP file was extracted dynamically. The malware was executed, and the embedded PE file was extracted dynamically from the running process, as shown in Figure 8.\r\nFigure 8: Extracting The Second Implanted PE\r\nStatic Analysis - Stage 2\r\nTwo files were extracted from the original malware: one EXE and one DLL.\r\nDLL:\r\nFigure 9: PEStudio On The DLL\r\nEXE:\r\nFigure 11: PEStudio On The EXE\r\nDLL:\r\nFigure 10: Capabilities Of The DLL\r\nEXE:\r\nFigure 12: Capabilities Of The EXE\r\nBased on the information gathered statically using dedicated tools, we can infer that we are dealing with a type of data stealer, which also incorporates keylogging functionality.\r\nDynamic Analysis\r\nAfter executing the malware, it was observed that the executable was deleted from its original folder and moved to a new location in C:\\Users\\[Username]\\AppData\\Roaming, where it was hidden to ensure persistence and evade detection.\r\nFigure 13: New Location In AppData\r\nIn addition, as a persistence mechanism, the malware created a scheduled task that runs every time the computer starts. The action of the task is to execute the malware from its new location in C:\\Users\\[Username]\\AppData\\Roaming.\r\nFigure 13: New Scheduled Task\r\nAs an evasion technique, the malware also attempted to exclude itself from Windows Defender, as shown in Figure 14.\r\nFigure 14: PS Code To Exclude\r\nNetwork Analysis\r\nUsing FakeNet, I was able to identify the command-and-control (C2) server that the malware communicates with, as shown in Figure 15.\r\nFigure 15: FakeNet Connection\r\nFigure 16: FakeNet Captured Data That Was Sent\r\nSummary\r\nLokiBot is a stealthy and versatile malware that leverages steganography to conceal its payload within seemingly innocuous images. Once executed, it establishes persistence through scheduled tasks, evades detection by tampering with security software, and exfiltrates sensitive information to a remote command-and-control server.\r\nIOCs\r\nHash:\r\n2f402635e17b4f0d9c0d6922d384936a\r\n3bf1a57e62e5c534d8010118b13b3932\r\n4c365c45e9b8dc76ded51832dbd5523f\r\nfe39c5bf53c5bfc25280d73852d35dae\r\nf8a70072c0e0c58dd3411e94a5350833\r\n828fc37071bb61dc053007ed03a29a3d\r\nURL:\r\nhttp[:]//94[.]156[.]177[.]41/soja/five/fre[.]php\r\nDomain:\r\nckav[.]ru\r\nIP:\r\n94[.]156[.]177[.]41\r\n62[.]122[.]170[.]171\r\nSource: https://0xmrmagnezi.github.io/malware%20analysis/LokiBot/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://0xmrmagnezi.github.io/malware%20analysis/LokiBot/"
	],
	"report_names": [
		"LokiBot"
	],
	"threat_actors": [],
	"ts_created_at": 1775434374,
	"ts_updated_at": 1775826762,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5dcdfd9c89bdad4648053c7d682891a07ba6cc1e.pdf",
		"text": "https://archive.orkl.eu/5dcdfd9c89bdad4648053c7d682891a07ba6cc1e.txt",
		"img": "https://archive.orkl.eu/5dcdfd9c89bdad4648053c7d682891a07ba6cc1e.jpg"
	}
}