This repository contains a narrated malware analysis presentation focused on LokiBot, a widely distributed information stealer and remote access trojan. The investigation includes static analysis, behavioral trait identification, and MITRE ATT&CK mapping. The sample was analyzed using tools such as FlareVM, REMnux, VirusTotal, and Hybrid Analysis.
This narrated presentation walks through LokiBot sample analysis using VirusTotal, REMnux, FlareVM, and Hybrid Analysis. Hosted externally due to file size.
- First seen: 2015 (source code leaked in 2018)
- Type: Info-stealer, keylogger, RAT loader
- Targets: Windows and Android devices
- Capabilities:
  - Credential theft from browsers, email clients, FTP tools
  - Exfiltration over HTTP (C2 communications)
  - Keylogging and input capture
  - Process hollowing and obfuscation
  - Anti-forensics: hides itself in hidden directories
| Tactic | Technique | ID |
|---|---|---|
| Discovery | System Info & User Discovery | T1016, T1033, T1082 |
| Execution | User Execution via Malicious Files | T1204.002 |
| Credential Access | Web & Password Store Theft | T1555.003 |
| Defense Evasion | Obfuscation & Packing | T1027, T1027.002 |
| Collection | Keylogging | T1056.001 |
| Exfiltration | HTTP-based C2 | T1041 |
| Persistence / Loading | Process Injection (Hollowing) | T1055.012 |
| Anti-Forensics | Hidden Files & Directories | T1564.001 |
- Keep antivirus and endpoint protection up-to-date
- Maintain secure offline backups
- Update YARA rules to detect LokiBot-specific imphash and strings
- Monitor for known C2 IPs and hashes
- Use FlareVM or REMnux to test and sandbox samples safely
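The two hunting items above (imphash-based detection and watching for known C2 IPs) can be exercised with a small script. The following is an added example, not code from this repository or from the presentation: it implements the imphash normalisation that tools such as pefile and VirusTotal apply to a PE import table, then runs an imphash watchlist and a C2-IP watchlist over constructed EDR/proxy telemetry. Every import list, hash, IP address and log line in it is a constructed placeholder, not a real LokiBot indicator; real values belong in your threat-intel feed.

```python
"""Watchlist hunting for LokiBot-style indicators: imphash and C2 IPs.

Added example; it is not code from this repository. Every hash, IP,
import list and log line below is a constructed placeholder, not a real
LokiBot indicator.
"""
import hashlib
import re
from typing import Dict, Iterable, List, Optional, Tuple

# One import-table entry: (dll name, imported function name or None, ordinal or None)
Import = Tuple[str, Optional[str], Optional[int]]


def imphash_string(imports: Iterable[Import]) -> str:
    """Normalise an import table the way the imphash algorithm does.

    DLL names are lowercased and lose a .dll/.ocx/.sys extension, function
    names are lowercased, ordinal-only imports become "ord<N>", and the
    entries are joined with commas in import-table order. (The ordinal-to-name
    tables that pefile applies for ws2_32/wsock32/oleaut32 are left out here.)
    """
    parts = []
    for dll, func, ordinal in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        name = func.lower() if func else f"ord{ordinal}"
        parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports: Iterable[Import]) -> str:
    """MD5 of the normalised import string: the value VirusTotal reports as imphash."""
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


# Constructed import table standing in for one recovered from a sample.
CONSTRUCTED_IMPORTS: List[Import] = [
    ("KERNEL32.dll", "CreateFileA", None),
    ("KERNEL32.dll", "WriteProcessMemory", None),
    ("WININET.dll", "HttpSendRequestA", None),
    ("WS2_32.dll", None, 23),
]

# Watchlists; in practice these come from your threat-intel feed.
WATCH_IMPHASH = {imphash(CONSTRUCTED_IMPORTS)}
WATCH_C2_IPS = {"203.0.113.7", "198.51.100.23"}  # RFC 5737 documentation addresses

# Constructed EDR/proxy telemetry in key=value form.
SAMPLE_LOG = [
    "ts=2024-05-01T10:00:00Z host=WS01 event=process_create "
    "image=C:\\Users\\a\\AppData\\Roaming\\updater.exe "
    f"imphash={imphash(CONSTRUCTED_IMPORTS)}",
    "ts=2024-05-01T10:00:01Z host=WS01 event=process_create "
    "image=C:\\Windows\\System32\\notepad.exe imphash=0000000000000000000000000000dead",
    "ts=2024-05-01T10:00:05Z host=WS01 event=net_connect dst=203.0.113.7:80 proto=http",
    "ts=2024-05-01T10:00:06Z host=WS02 event=net_connect dst=192.0.2.10:443 proto=https",
]


def parse_kv(line: str) -> Dict[str, str]:
    """Split a 'key=value key=value' telemetry line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def hunt(lines: Iterable[str], imphash_watch: set, c2_watch: set) -> List[Dict[str, str]]:
    """Return one hit per log line whose imphash or destination IP is on a watchlist."""
    hits = []
    for line in lines:
        ev = parse_kv(line)
        if ev.get("event") == "process_create" and ev.get("imphash") in imphash_watch:
            hits.append({"host": ev["host"], "ts": ev["ts"],
                         "reason": "imphash on watchlist", "indicator": ev["imphash"]})
        elif ev.get("event") == "net_connect":
            ip = ev.get("dst", "").rsplit(":", 1)[0]  # strip the port
            if ip in c2_watch:
                hits.append({"host": ev["host"], "ts": ev["ts"],
                             "reason": "C2 IP on watchlist", "indicator": ip})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG, WATCH_IMPHASH, WATCH_C2_IPS):
        print(hit)
```

Because imphash is derived from import order and names rather than file bytes, it survives the recompression and string changes that defeat plain file-hash matching, which is why a watchlist keyed on it catches more variants than one keyed on SHA-256 alone; pair it with the string-based YARA rules mentioned above, since packed samples expose only the packer's imports until they are unpacked.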
Michael Twining
Malware Analyst | Reverse Engineering | GitHub: @usrtem
Email: michael.twining@outlook.com
LinkedIn | YouTube
This project is licensed under the Creative Commons Attribution 4.0 International License.
