analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

DHL.doc

Full analysis: https://app.any.run/tasks/79d7e3dc-8fbe-4dd5-9549-bb466502a917
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: February 19, 2019, 11:59:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
generated-doc
trojan
opendir
exploit
CVE-2017-11882
loader
lokibot
Indicators:
MIME: text/rtf
File info: Rich Text Format data, unknown version
MD5:

252BE298408B4BBA60FEAC946352E46A

SHA1:

7FF17AB53AB2B5C21CE8C55386C875013618FB30

SHA256:

004BA534D63E1D9ACF2C9646D2425D1E8D30CCCD8351427ABA9B5270AF6407C7

SSDEEP:

1536:aBsG2OiYC8XnxdHoP13Gm+xaA2KUm4MSRh2radcnwa:alhiYC8Tx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Suspicious connection from the Equation Editor

      • EQNEDT32.EXE (PID: 3500)
    • Application was dropped or rewritten from another process

      • 3.exe (PID: 3180)
      • yiysg.exe (PID: 3364)
      • yiysg.exe (PID: 3128)
    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3500)
    • Downloads executable files from the Internet

      • EQNEDT32.EXE (PID: 3500)
    • Writes to a start menu file

      • yiysg.exe (PID: 3364)
    • Detected artifacts of LokiBot

      • yiysg.exe (PID: 3128)
    • Connects to CnC server

      • yiysg.exe (PID: 3128)
    • LOKIBOT was detected

      • yiysg.exe (PID: 3128)
    • Actions looks like stealing of personal data

      • yiysg.exe (PID: 3128)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 3500)
      • 3.exe (PID: 3180)
      • yiysg.exe (PID: 3128)
    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 3500)
      • 3.exe (PID: 3180)
      • yiysg.exe (PID: 3364)
      • yiysg.exe (PID: 3128)
    • Starts itself from another location

      • 3.exe (PID: 3180)
    • Loads DLL from Mozilla Firefox

      • yiysg.exe (PID: 3128)
    • Application launched itself

      • yiysg.exe (PID: 3364)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2952)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2952)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)

EXIF

RTF

Author: Windows User
LastModifiedBy: Windows User
CreateDate: 2019:01:20 14:19:00
ModifyDate: 2019:01:20 14:19:00
RevisionNumber: 2
TotalEditTime: -
Pages: 1
Words: -
Characters: 4
CharactersWithSpaces: 4
InternalVersionNumber: 85
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
5
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winword.exe no specs eqnedt32.exe 3.exe yiysg.exe #LOKIBOT yiysg.exe

Process information

PID
CMD
Path
Indicators
Parent process
2952"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Roaming\DHL.doc.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
3500"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
3180C:\Users\Public\3.exeC:\Users\Public\3.exe
EQNEDT32.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3364"C:\Users\admin\AppData\Roaming\sithe\yiysg.exe"C:\Users\admin\AppData\Roaming\sithe\yiysg.exe
3.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3128"C:\Users\admin\AppData\Roaming\sithe\yiysg.exe"C:\Users\admin\AppData\Roaming\sithe\yiysg.exe
yiysg.exe
User:
admin
Integrity Level:
MEDIUM
Total events
1 293
Read events
937
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
1
Text files
5
Unknown types
7

Dropped files

PID
Process
Filename
Type
2952WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR8C0A.tmp.cvr
MD5:
SHA256:
31803.exeC:\Users\admin\AppData\Roaming\sithe\yiysg.exe:ZoneIdentifier
MD5:
SHA256:
2952WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C4CDEA1A-6ED1-4448-B2F6-47D15656626F}.tmp
MD5:
SHA256:
2952WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2BC72A48-70A6-4A29-9AD3-CCF2668974DF}.tmp
MD5:
SHA256:
2952WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F375F3E0-13D2-47A2-A361-F64115B99807}.tmp
MD5:
SHA256:
3128yiysg.exeC:\Users\admin\AppData\Roaming\F63AAA\A71D80.lck
MD5:
SHA256:
3500EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\9511062[1].jpgexecutable
MD5:4DEE42175908CCFC59E17E85332D626E
SHA256:925539F9A6905246A221FFC8440487433C5CCD08DA12BB4001597E0E00FCCA03
2952WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:350A6AB3E642AD77B9E327B84E93FF24
SHA256:961AA9C799AC2BC892E5FA8DE785D60F887D08804BFFBED4C29E34366375306C
3500EQNEDT32.EXEC:\Users\Public\3.exeexecutable
MD5:4DEE42175908CCFC59E17E85332D626E
SHA256:925539F9A6905246A221FFC8440487433C5CCD08DA12BB4001597E0E00FCCA03
3500EQNEDT32.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bit[1].txttext
MD5:C0C0F2E90E4F8D3F54CEBDEA738EE67E
SHA256:A425BE0D22B215990BDE2CFF8A0CAA2F54C1BA7DF16E0682128CC069D23F9D1C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
6
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3128
yiysg.exe
POST
45.62.248.107:80
http://noveit.cf/92/30ddy/cat.php
CA
malicious
3500
EQNEDT32.EXE
GET
200
177.153.227.108:80
http://thecomicsburger.com.br/wp-1/9511062.jpg
BR
executable
575 Kb
malicious
3500
EQNEDT32.EXE
GET
301
67.199.248.10:80
http://bit.ly/2V8YA7t
US
html
133 b
shared
3128
yiysg.exe
POST
45.62.248.107:80
http://noveit.cf/92/30ddy/cat.php
CA
malicious
3128
yiysg.exe
POST
45.62.248.107:80
http://noveit.cf/92/30ddy/cat.php
CA
malicious
3128
yiysg.exe
POST
45.62.248.107:80
http://noveit.cf/92/30ddy/cat.php
CA
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3500
EQNEDT32.EXE
67.199.248.10:80
bit.ly
Bitly Inc
US
shared
3500
EQNEDT32.EXE
177.153.227.108:80
thecomicsburger.com.br
Locaweb Serviços de Internet S/A
BR
suspicious
3128
yiysg.exe
45.62.248.107:80
noveit.cf
2267921 ONTARIO LTD
CA
suspicious

DNS requests

Domain
IP
Reputation
bit.ly
  • 67.199.248.10
  • 67.199.248.11
shared
thecomicsburger.com.br
  • 177.153.227.108
malicious
noveit.cf
  • 45.62.248.107
malicious

Threats

PID
Process
Class
Message
3500
EQNEDT32.EXE
Misc activity
SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
3500
EQNEDT32.EXE
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
3500
EQNEDT32.EXE
A Network Trojan was detected
ET TROJAN Windows Executable Downloaded With Image Content-Type Header
3500
EQNEDT32.EXE
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .cf Domain
3128
yiysg.exe
A Network Trojan was detected
ET TROJAN LokiBot User-Agent (Charon/Inferno)
3128
yiysg.exe
A Network Trojan was detected
ET TROJAN LokiBot Checkin
3128
yiysg.exe
Potentially Bad Traffic
ET INFO HTTP POST Request to Suspicious *.cf Domain
3128
yiysg.exe
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
3128
yiysg.exe
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
2 ETPRO signatures available at the full report
No debug info