
LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals.

Type: Stealer
Origin: ex-USSR territory
First seen: 3 May, 2015
Last seen: 10 October, 2025
Also known as: Loki, LokiPWS


IOCs

IP addresses
178.159.39.36
164.90.194.235
198.187.30.47
64.227.48.212
2.59.254.19
94.156.177.41
168.100.10.152
85.31.47.84
46.183.222.162
Hashes
48b595428b2e25e856d4fdd098da82bc1f00f6590318bd68120a61bf67f13cb1
b4c49f1975bc76113917ce22ea1b0a04be74b6b0a944e8e05a1e40d3ec4977b2
6c0612e71239972d92121249145948eec8ccfab90e1e47d0337fabccaaa5ade2
4bfa55fd46cd1456d84b1e745a5d3d9f3dd693c65cb4770c8d1bcf43d0b3b2a8
8d3fabdf1cf9711a818e05c047d7edc4013449171f5a8075d22174ff2191ee1b
2d0dc2d153fec6c07244624c2a1d6d91582faace5abbda88906f13a59d8dc2e6
6e119e456952a5217547ebc3bb215f550afa081d89068e71e20fd9a966c19948
f062736ad90e8498868c79823ef649292941204adf54cd18ce33af6912b7f0da
f00d8e425ff5b95c85c7273156e763aaeff1856804aebef55d83bbeeec40bc3f
12a61e3e74a6aa8bebe2164a57985fbbb2781d40e30cc5be1b62f5cb70a6bfed
ad919f7be9014a77f2f468d695180e4784642f15aeed0ede7117fcc815110bcc
80c10ee5f21f92f89cbc293a59d2fd4c01c7958aacad15642558db700943fa22
41a3442445aa886b81e361e5e288459d8325895445bb36f9e4c1be54f76b92cb
3be112e4807d9f624e19e1843e83a8c371d05632629d83b6e487d7b4703195b2
af4d18f604793162eac9bc260e67eb46ebdcde2f93681a638c9f91c0d8011410
0dd5bb3d9008bd72a8967cb903d80203c4b26882c6d2ad5b1a82a7ef55990a3c
fdcbef10ba86a2c22e2d5b8f6c5a63c51e71b0f268644c4523c2c9d8fa3014b5
6d043b33b33e6baaf7514b9ca56f8dbd8aa57bc71a9040bf438bc780c1a4ad5f
afaf22184049b576f2faabcb256faf4cbcfc848f9940bd80b1092a9e233faff8
553fbc47b93d74c135ed8352864bef68be1aad924a9c1bbf252dcff2f15fe502
Domains
publicspeaking.co.id
atelierdodoce.com.br
centrehotel.vn
blesblochem.com
secure01-redirect.net
efvsx.gq
164.90.194.235
touxzw.ir
rottot.shop
ddrtot.shop
64.227.48.212
168.100.10.152
94.156.177.41
sebel.sbs
URLs
http://94.131.105.161/geot/f/pin.php
http://171.22.30.147/ugopounds/five/fre.php
http://194.180.48.58/blessedjay/five/fre.php
http://161.35.102.56/~nikol/
http://171.22.30.164/fresh1/five/fre.php
http://185.246.220.60/fred2/five/fre.php
http://171.22.30.164/kung/five/fre.php
http://185.246.220.60/seth2/five/fre.php
http://104.156.227.195/~blog/
http://171.22.30.147/fletch/five/fre.php
http://185.246.220.60/bugg/five/fre.php
http://171.22.30.147/zino/five/fre.php
http://171.22.30.164/tmglobal/five/fre.php
http://208.67.105.148/blessedjay/five/fre.php
http://185.246.220.85/zang1/five/fre.php
http://171.22.30.147/lee/five/fre.php
http://208.67.105.148/blessedjay/five/fre,php
http://171.22.30.147/kelly/five/fre.php
http://31.220.2.200/~glklife/service/five/fre.php
http://185.246.220.60/office1/five/fre.php

What is LokiBot malware?

LokiBot, also known as Loki-bot or Loki bot, is an information stealer malware that collects credentials from the most widely used web browsers, FTP, email clients, and over a hundred software tools installed on the infected system. It was developed in one of the ex-USSR countries.

The trojan was first seen on May 3rd, 2015, in a sale announcement posted by its creator, and the malware is still active to this day.

General description of LokiBot

Initially created and sold by a hacker known as "lokistov" or "Carter," the first versions of LokiBot spyware cost up to $400. However, almost identical malware appeared on hacker forums soon after, available for as little as $80 from several sellers. It is thought that "lokistov" himself was hacked and the virus's source code leaked, allowing others to reuse its techniques and sell remarkably similar malware.

Curiously, a researcher later found that the first version of the virus had been patched by someone without access to the source code, which gave the hacker community the ability to set their own individual domains to receive the stolen data.

Even though several versions of the virus exist today, analysis showed that all of them are modifications of the original malware. Interestingly, the server to which LokiBot stealer sends data is unique to each malware sample.

The latest versions of LokiBot add a third stage to the process of compromising systems, along with additional encryption as a detection-evasion technique. Each layer of the trojan is encrypted in an attempt to hide the eventual source code.

The malware uses the well-known trick of blurring an image inside the document so that the user is pushed to enable macros in order to "view" it. This lure infects machines quite successfully.

LokiBot malware analysis

An analysis session created with the ANY.RUN interactive malware hunting service simulates the infection process and provides an ideal opportunity to see how it unfolds on an infected machine. As the simulation shows, the LokiBot trojan needs an email attachment, such as a Microsoft Office file or an archive, to be opened before it enters its active phase.

Figure 1: Process graph generated by the ANY.RUN malware hunting service

During the analysis, we found out that the malware life cycle can be broken down into the following stages:

  • Contamination. The victim downloads a malicious archive or a Microsoft Office file, which eventually downloads the malware;
  • Being packed initially, the keylogger unpacks itself and begins executing the main payload;
  • The virus creates a unique loop function for each application it targets and saves the retrieved data into a buffer;
  • Then a registry key is modified, and the trojan copies itself into a folder with a unique name under the %APPDATA% folder, which allows it to establish persistence. The MD5 of MachineGuid is used to generate the name, which also serves as the mutex name and bot ID. As the last action of this step, the virus creates a registry key that points to the copy it placed in that %APPDATA% subfolder;
  • Then, depending on whether the current user is privileged or not, the virus sets persistence under either HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER;
  • Next, general system information is sent to the C&C server;
  • For persistence, the keylogger then applies triple-DES encryption to the URL and the registry key;
  • After this, the virus waits for commands from the C&C, creating a new thread to detect the C&C response.

How to avoid infection by LokiBot virus?

Since LokiBot spyware requires macros to be enabled to infect the system, attackers do everything in their power to make the victim enable them. Thus, keeping macros turned off is the best bet for staying protected from the trojan. Extra caution is warranted when a document downloaded from a suspicious source or received from an unknown email address prompts the user to enable macros.

Also, having antivirus software from trusted developers and keeping it updated is an excellent way to decrease the probability of becoming the malware's victim and to protect credentials. Another good practice is to be highly mindful when opening attachments or clicking links in emails from unidentified sources, as this is a popular method of spreading malware, including FormBook and Dridex.

Distribution of LokiBot

LokiBot stealer is distributed mostly via mail-spam campaigns, prompting the user to download a malicious file that is attached. Remarkably, the three most commonly used types of files are Microsoft Office documents configured to begin the download and installation processes of the malware, archive files containing a Loki-Bot executable or ISO files, and a Loki-Bot executable.

LokiBot execution process

An interactive sandbox simulation run on the ANY.RUN malware hunting service lets us take a closer look at how the execution of LokiBot unfolds when a contaminated Microsoft Office file is the infection source.

  • The simulation starts with opening a Microsoft Office file. Immediately, WINWORD.EXE is executed with macros enabled;
  • Then, by exploiting the CVE-2017-11882 vulnerability, the Microsoft Office Equation Editor downloads a malicious executable file;
  • Finally, the malicious executable runs and proceeds to steal personal data and connect to the C&C server.

Figure 2: Execution processes of LokiBot as shown by the ANY.RUN simulation

Figure 3: A text report created by ANY.RUN

The virus generates multiple artifacts during execution. In particular, four types of files can be stored simultaneously in the hidden %APPDATA% directory at any point in time. Those files have the ".exe", ".lck", ".hdb" or ".kdb" extension, and each file type serves a specific purpose:

  • .exe files contain an executable copy of the trojan that runs when a user logs into an account;
  • .lck files are generated to prevent resource conflicts when either Windows Credentials or Keylogging data are decrypted;
  • .hdb files store the hashes of all data samples already transmitted to the C&C server;
  • .kdb files in turn hold information about the data that is yet to be sent to the server.

Based on the analysis, the keylogger uses the following algorithm to name the files:

  1. First, LokiBot reads the MachineGuid value from the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography. In our simulation it was set to dc5131b5-5fbc-4f85-b1ed-28d4392080ca.

Screenshot: the MachineGuid value in the registry

  2. Then, the virus calculates the MD5 hash of the MachineGuid, which in our case came out as c83ba0aa282a966263dda560052b3caf.

Screenshot: the MD5 hash of the MachineGuid

  3. Finally, the 8th to 13th characters of the resulting hash are used as the subdirectory's name, and the 13th to 18th characters are used as the name of the files.

Screenshot: the resulting mutex name
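As an added illustration of the naming algorithm above and of the four artifact types described earlier (example code written for this page, not ANY.RUN's tooling or LokiBot's own code), the following Python reproduces the derivation on the MachineGuid quoted from the analysis session and builds the artifact paths a defender would look for on a host. It assumes the "8th to 13th" and "13th to 18th" ranges are 1-indexed and inclusive (giving two six-character names that share the 13th character), that the GUID is hashed as lowercase ASCII without braces, and it uses a constructed profile path; the expected digest for the page's GUID is taken from the page rather than recomputed.

```python
from __future__ import annotations

import hashlib
import ntpath

# Values quoted on the page from the ANY.RUN analysis session.
PAGE_MACHINEGUID = "dc5131b5-5fbc-4f85-b1ed-28d4392080ca"
PAGE_MD5 = "c83ba0aa282a966263dda560052b3caf"

# Artifact extensions the page lists for the %APPDATA% subdirectory.
ARTIFACT_EXTENSIONS = (".exe", ".lck", ".hdb", ".kdb")

# Constructed profile path for the demonstration (not from the page).
EXAMPLE_APPDATA = r"C:\Users\victim\AppData\Roaming"


def machineguid_md5(machine_guid: str) -> str:
    """MD5 of the MachineGuid as a lowercase hex digest.

    Assumption: the GUID is hashed as lowercase ASCII bytes without braces.
    The page shows only the input and the resulting digest, not the exact
    byte encoding the malware feeds into MD5.
    """
    return hashlib.md5(machine_guid.lower().encode("ascii")).hexdigest()


def derive_names(md5_hex: str) -> tuple[str, str]:
    """Apply the page's naming rule to a 32-character MD5 hex digest.

    "8th to 13th" and "13th to 18th" are read as 1-indexed, inclusive
    ranges, so both names are six characters long and share the 13th one.
    """
    md5_hex = md5_hex.lower()
    if len(md5_hex) != 32 or any(c not in "0123456789abcdef" for c in md5_hex):
        raise ValueError("expected a 32-character MD5 hex digest")
    folder = md5_hex[7:13]     # characters 8..13
    filename = md5_hex[12:18]  # characters 13..18
    return folder, filename


def mutex_name(md5_hex: str) -> str:
    """The page says the file name doubles as the mutex name and bot ID."""
    return derive_names(md5_hex)[1]


def expected_artifacts(md5_hex: str, appdata: str = EXAMPLE_APPDATA) -> dict[str, str]:
    """Map each artifact extension to the full path LokiBot would use."""
    folder, name = derive_names(md5_hex)
    return {ext: ntpath.join(appdata, folder, name + ext) for ext in ARTIFACT_EXTENSIONS}


def find_suspicious_paths(observed: list[str], md5_hex: str,
                          appdata: str = EXAMPLE_APPDATA) -> list[str]:
    """Return observed paths equal to an expected artifact path.

    The comparison is case-insensitive because NTFS paths are.
    """
    expected = {p.lower() for p in expected_artifacts(md5_hex, appdata).values()}
    return [p for p in observed if p.lower() in expected]


# Constructed file listing for a demonstration run (not from a real host).
SAMPLE_LISTING = [
    r"C:\Users\victim\AppData\Roaming\A282A9\966263.exe",
    r"C:\Users\victim\AppData\Roaming\A282A9\966263.hdb",
    r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Themes\wallpaper.jpg",
]

if __name__ == "__main__":
    for ext, path in expected_artifacts(PAGE_MD5).items():
        print(f"{ext:>5}: {path}")
    print("mutex:", mutex_name(PAGE_MD5))
    print("matches:", find_suspicious_paths(SAMPLE_LISTING, PAGE_MD5))
```

On a real host, `machineguid_md5` would be fed the MachineGuid read from `HKLM\SOFTWARE\Microsoft\Cryptography`; if the derived names do not match what a live sample creates, the first thing to revisit is the encoding assumption in that function.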

LokiBot communication with C&C

To communicate with the C&C server, the patched version of the virus, which is also the most widely spread strain, sends a "ckav.ru" string. Interestingly, the sent data is also a substring of "fuckav.ru."

How to detect LokiBot malware using ANY.RUN?

Among other things, you can tell whether you are looking at LokiBot by inspecting the packets it sends: the text "ckav.ru" is always present in them. Just click on the sent packet in the "HTTP REQUESTS" tab and look inside the packet.

Figure 4: LokiBot network stream
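As an added example for the detection tip above (written for this page, not ANY.RUN's own tooling), the following Python searches the body of captured HTTP requests for the "ckav.ru" marker the way an analyst would when reviewing a stream. The sample requests are constructed, not taken from a real LokiBot capture; the last check in the test also shows why the same search matches "fuckav.ru", as the page notes.

```python
from __future__ import annotations

# The page states that LokiBot's packets to the C&C always carry this text.
MARKER = b"ckav.ru"


def split_request(raw: bytes) -> tuple[bytes, bytes]:
    """Split a raw HTTP request into (head, body) at the first blank line."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return raw, b""
    return head, body


def request_line(raw: bytes) -> str:
    """First line of the request, e.g. 'POST /five/fre.php HTTP/1.0'."""
    head, _ = split_request(raw)
    return head.split(b"\r\n", 1)[0].decode("latin-1", "replace")


def find_marker(raw: bytes) -> int:
    """Offset of the marker inside the request body, or -1 if absent.

    The search runs on raw bytes: LokiBot bodies are binary, so decoding
    them to text first could mangle or drop the surrounding bytes.
    """
    _, body = split_request(raw)
    return body.find(MARKER)


def scan_requests(requests: list[bytes]) -> list[dict[str, object]]:
    """Return one finding per request whose body contains the marker."""
    findings: list[dict[str, object]] = []
    for raw in requests:
        offset = find_marker(raw)
        if offset < 0:
            continue
        _, body = split_request(raw)
        findings.append({
            "request": request_line(raw),
            "offset": offset,
            # A few bytes of context on each side, for the analyst's notes.
            "context": body[max(0, offset - 4): offset + len(MARKER) + 4],
        })
    return findings


# Constructed sample traffic (not a capture from a real sample): a binary
# check-in body carrying the marker, and a benign form post without it.
SAMPLE_REQUESTS = [
    (b"POST /five/fre.php HTTP/1.0\r\n"
     b"Host: 203.0.113.10\r\n"
     b"Content-Length: 17\r\n\r\n"
     b"\x12\x00\x27\x00ckav.ru\x00\x00\x00\x00\x00\x00"),
    (b"POST /login HTTP/1.1\r\n"
     b"Host: intranet.example\r\n"
     b"Content-Length: 22\r\n\r\n"
     b"user=alice&pass=secret"),
]

if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print(hit["request"], "-> marker at body offset", hit["offset"], hit["context"])
```

Because the marker is a plain substring, the same check fires on "fuckav.ru" as well; treat a hit as a prompt to open the packet, as the page suggests, rather than as proof on its own.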

Conclusion

Lastly, since the first version of the malware was leaked and cloned, eventually becoming available for a significantly lower price than the original, LokiBot spyware became a widely spread malware that continues to appear in numerous mail-spam campaigns. In fact, the virus has become so popular that videos explaining how to set it up for credential theft are publicly available on YouTube.

Fortunately, modern malware hunting tools like ANY.RUN provide the ability to examine the malware's behavior in detail and establish solid protection against the hazard.
