Lokibot is a password/info-stealing malware, delivered through malware spam (malspam) campaigns, and notably known for the wide range of applications that it targets.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
NOTE: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
NOTE: You need administrative rights to change the settings.
Lokibot is commonly delivered through malicious spam (malspam) campaigns. There are numerous ways that the payload has been seen to be delivered through these spam mails:
Files & Mutexes
Lokibot ensures that only a single instance of the malware is running on an infected system by creating a mutex. The mutex string is computed as the MD5 hash of the MachineGUID (read from the registry).
Additionally, Lokibot creates a folder which contains multiple files. The folder path is %AppData%/<MD5_MACHINEGUID>[7:12]/.
The folder contains:
This malware is notably known for stealing credentials from browsers, mail clients, file sharing programs, remote connection programs, and more. It also contains a keylogger component, which the attacker can make use of.
Lokibot is capable of stealing data from the following applications:
Catalina Group Citrio
Epic Privacy Browser
Ghisler Total Commander
Google Chrome SxS
Maple Studio ChromePlus
Odin Secure FTP Expert
The payload initiates communication with the C&C server to exfiltrate the stolen data and receive commands. Besides the stolen data, it sends the Windows product name and version, username, computer name, and domain name to the C&C server.
Lokibot is most commonly seen to send a POST request to <DOMAIN>/subdir/subdir1/../fre[.]php, although other less-common patterns have also been observed in the wild (e.g. <DOMAIN>/subdir/subdir1/cat[.]php).
These requests carry the following User-Agent header:
User-Agent: Mozilla/4.08 (Charon; Inferno)
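The following is an added example, not code from this page or from F-Secure: it derives the mutex and %AppData% folder names described above from a host's MachineGUID so a responder can check a machine, and flags log lines matching the POST to fre.php/cat.php with the User-Agent shown. It assumes the GUID is hashed as ASCII text, that [7:12] is a string slice of the hex digest, and a constructed "method url "user-agent"" log format.

```python
import hashlib
import re

# Constructed sample proxy log lines (not from the page): '<method> <url> "<user-agent>"'.
SAMPLE_LOG = [
    'POST http://example.invalid/alpha/beta/fre.php "Mozilla/4.08 (Charon; Inferno)"',
    'POST http://example.invalid/x/cat.php "Mozilla/4.08 (Charon; Inferno)"',
    'GET http://example.invalid/alpha/beta/fre.php "Mozilla/5.0"',
    'POST http://example.invalid/update/check.php "Mozilla/5.0"',
]

LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"   # User-Agent quoted on the page
C2_PATHS = ("/fre.php", "/cat.php")            # request paths described on the page
LOG_RE = re.compile(r'^(?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


def lokibot_artifacts(machine_guid: str) -> dict:
    """Derive the expected mutex and %AppData% folder name for one host.

    Assumption: the GUID is hashed as ASCII text, the folder name is the
    slice [7:12] of the hex digest, and the hex case is unknown (the page
    does not state it), so comparisons should be case-insensitive.
    """
    digest = hashlib.md5(machine_guid.encode("ascii")).hexdigest()
    return {"mutex": digest, "folder": digest[7:12]}


def match_artifacts(machine_guid: str, observed_names) -> dict:
    """Report which derived names appear among observed mutex/folder names."""
    expected = lokibot_artifacts(machine_guid)
    names = {n.lower() for n in observed_names}
    return {kind: value.lower() in names for kind, value in expected.items()}


def is_lokibot_beacon(line: str) -> bool:
    """True when a log line is a POST to .../fre.php or .../cat.php with the Lokibot UA."""
    m = LOG_RE.match(line)
    if not m:
        return False
    host_and_path = m.group("url").split("://", 1)[-1].split("?", 1)[0]
    path = host_and_path[host_and_path.find("/"):] if "/" in host_and_path else "/"
    return (m.group("method") == "POST"
            and m.group("ua") == LOKIBOT_UA
            and path.lower().endswith(C2_PATHS))


def find_beacons(lines) -> list:
    """Return the subset of log lines that look like Lokibot C&C traffic."""
    return [line for line in lines if is_lokibot_beacon(line)]
```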
Analysis on file: 55589f10cbf2e9efa809a09c9d75bd8ff6aacd16
Date Created: 25 Nov 2019
Date Last Modified: -