user@threatcheck.sh ~ threat-analysis
bash
$ analyze-threat Trojan:MSIL/LokiBot.ALB!MTB
Trojan:MSIL/LokiBot.ALB!MTB - Windows Defender threat signature analysis

Trojan:MSIL/LokiBot.ALB!MTB - Windows Defender Threat Analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:MSIL/LokiBot.ALB!MTB
Classification:
Type:Trojan
Platform:MSIL
Family:LokiBot
Detection Type:Concrete
Known malware family with identified signatures
Variant:ALB
Specific signature variant within the malware family
Suffix:!MTB
Detected via machine learning and behavioral analysis
Detection Method:Behavioral
Confidence:Very High
False-Positive Risk:Low

Concrete signature match: Trojan - Appears legitimate but performs malicious actions for .NET (Microsoft Intermediate Language) platform, family LokiBot

Summary:

This is a behavioral detection of the LokiBot information-stealing trojan. The malware is designed to steal credentials from web browsers, email clients, and other applications, using techniques like process hooking and leveraging legitimate Windows tools for persistence and execution.

Severity:
Medium
VDM Static Detection:
Relevant strings associated with this threat:
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
YARA Rule:
rule Trojan_MSIL_LokiBot_ALB_2147931830_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:MSIL/LokiBot.ALB!MTB"
        threat_id = "2147931830"
        type = "Trojan"
        platform = "MSIL: .NET intermediate language scripts"
        family = "LokiBot"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "5"
        strings_accuracy = "Low"
    strings:
        $x_5_1 = {09 09 16 1a 09 14 13 16 12 16 11 05 11 04 28 ?? 00 00 06 26 08 02 08 1f 3c d6 6a 1a 6a 28 ?? 00 00 06 d6 13 09 02 11 09 1f 34 d6 6a 1a 6a}  //weight: 5, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
Known malware which is associated with this threat:
Filename: Comprobante.transferencia.exe
e9a2e9ce85efba103622a6abf25c4e0d280eb5ca8012e43db46b5394b8a1db10
03/12/2025
VirusTotalDownload Sample
Remediation Steps:
Isolate the affected machine from the network to prevent data exfiltration. Use an updated antivirus tool to perform a full scan and remove the detected threat. Since this is a credential stealer, immediately reset all passwords for accounts used on the machine and enable multi-factor authentication (MFA).
=== END REPORT ===
$ reanalyze-threat
This analysis was last updated on 03/12/2025. Do you want to analyze it again?
$ ls available-commands/
→ cd /home
user@threatcheck.sh:~$