Notice: As noted by @Antelox, this is just a loader that drops LokiBot, not LokiBot itself.
Loki is a credential harvester bot sold in Russian underground forums and black markets.
For this blog post, the goal is to defeat/patch Loki's anti-analysis measures so that its malicious behavior can be analyzed properly.
File hashes for the sample I'll be using:
MD5: 09D2E274F1F50AB81105A3A6B9BE34CF
SHA-1: 04AD370BFE1A0AFA273568EE18F8C14BD8E612DC
SHA-256: D7AAAFB88B91A937D1EF8BCAA97F88A13545364269F510A95DAB4A72B68A4313
The sample has a pretty low detection ratio (8/58) on VirusTotal at the time of writing (29/03/2017).
Win32 Executable Delphi generic (37.4%) Windows screen saver (34.