File name: Payment_Confirmation_pdf.arj

Full analysis: https://app.any.run/tasks/04ff070b-0514-4479-998c-337d7be421c8
Verdict: Malicious activity

Threats: LokiBot
LokiBot was developed in 2015 to steal information from a variety of applications. Despite its age, this malware is still popular among cybercriminals.

Analysis date: March 21, 2019, 05:55:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags: trojan, lokibot

Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract (the .arj extension is a lure; TRiD and the EXIF data below identify the container as a ZIP whose single member is Payment_Confirmation_pdf.exe)
MD5: 2DA7EF40A091A1AC72C361ED4BCE250D
SHA1: 3FD6C75A6DBA78C8C202E99E7829FD97710B9085
SHA256: 0E105B15130E106414F248D2616BC83E7997DB737BAE5EFF4F0A78A3A3BE473B
SSDEEP: 3072:FUgL/UxJQ9qFgQsIOCHilsfTsbWHvKSJtN/sc55LQIhMhspCxRFtWJl809UWIdCD:NrT4FGblKRdv15CxRFk0s505y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's awareness. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Payment_Confirmation_pdf.exe (PID: 2428)
      • Payment_Confirmation_pdf.exe (PID: 2984)
    • Connects to CnC server

      • Payment_Confirmation_pdf.exe (PID: 2984)
    • LOKIBOT was detected

      • Payment_Confirmation_pdf.exe (PID: 2984)
    • Detected artifacts of LokiBot

      • Payment_Confirmation_pdf.exe (PID: 2984)
    • Actions look like stealing of personal data

      • Payment_Confirmation_pdf.exe (PID: 2984)
  • SUSPICIOUS

    • Reads the machine GUID from the registry

      • explorer.exe (PID: 1896)
      • WinRAR.exe (PID: 2892)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2892)
      • Payment_Confirmation_pdf.exe (PID: 2984)
    • Application launched itself

      • Payment_Confirmation_pdf.exe (PID: 2428)
    • Creates files in the user directory

      • explorer.exe (PID: 1896)
      • Payment_Confirmation_pdf.exe (PID: 2984)
  • INFO

    • Reads settings of System Certificates

      • explorer.exe (PID: 1896)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2000:06:23 08:00:29
ZipCRC: 0xa357ea6a
ZipCompressedSize: 181195
ZipUncompressedSize: 1306984
ZipFileName: Payment_Confirmation_pdf.exe
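The EXIF and TRiD data above is why this sample deserves a static check before detonation: it is delivered as .arj, is really a ZIP (required version 20, DEFLATE), and its only member is a PE named to look like a PDF. The following Python is an added example, not part of the ANY.RUN report or of any tool it mentions. It builds a constructed stand-in archive (an "MZ" stub, not the real LokiBot binary) with the same member name and compression, and applies the checks a mail gateway or triage script would: container magic versus claimed extension, member extension versus content magic, and document-lure naming. It goes beyond this sample by also recognizing RAR and ARJ magic; the EXEC_EXT and DOC_LURE lists are my own choices.

```python
import io
import re
import zipfile

# Constructed stand-in for the archived member: an "MZ" stub, NOT the real
# LokiBot PE. Only the magic bytes matter to the checks below.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 256


def build_sample_archive() -> bytes:
    """Constructed ZIP mirroring the report: one DEFLATE member, a PE with a '_pdf.exe' lure name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Payment_Confirmation_pdf.exe", FAKE_PE)
    return buf.getvalue()


# Container magics: the claimed extension (.arj here) must agree with one of these.
CONTAINER_MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x60\xea": "arj",          # ARJ header marker 0xEA60, little-endian
    b"Rar!\x1a\x07": "rar",
}

EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs", ".wsf", ".hta"}
# "<name>_pdf.exe", "<name>.doc.scr", ...: a document word right before the real extension.
DOC_LURE = re.compile(r"[._-](pdf|doc|docx|xls|xlsx|jpg|png|txt)(?=\.[a-z0-9]+$)", re.I)


def sniff_container(data: bytes) -> str:
    for magic, kind in CONTAINER_MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def classify_member(name: str, head: bytes) -> dict:
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    if head[:2] == b"MZ":
        magic = "pe"
    elif head[:5] == b"%PDF-":
        magic = "pdf"
    else:
        magic = "other"
    is_exec_ext = ext in EXEC_EXT
    return {
        "name": name,
        "extension": ext,
        "magic": magic,
        "executable_extension": is_exec_ext,
        "document_lure_name": bool(DOC_LURE.search(name)),
        # PE content under a non-executable name, or a non-PE under .exe (e.g. a script)
        "magic_mismatch": (magic == "pe") != is_exec_ext,
    }


def inspect_archive(data: bytes, claimed_name: str) -> dict:
    """Static triage of an attachment: container type, claimed extension, and every member."""
    container = sniff_container(data)
    claimed_ext = claimed_name.rsplit(".", 1)[-1].lower() if "." in claimed_name else ""
    report = {"container": container, "extension_mismatch": container != claimed_ext, "members": []}
    if container == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                with zf.open(info) as fh:
                    head = fh.read(8)
                member = classify_member(info.filename, head)
                member.update(
                    required_version=info.extract_version,  # "ZipRequiredVersion" in the EXIF block
                    compress_type=info.compress_type,       # 8 == DEFLATE
                    crc=info.CRC,
                    size=info.file_size,
                    compressed=info.compress_size,
                )
                report["members"].append(member)
    report["suspicious"] = report["extension_mismatch"] or any(
        m["executable_extension"] or m["magic_mismatch"] for m in report["members"]
    )
    return report


if __name__ == "__main__":
    print(inspect_archive(build_sample_archive(), "Payment_Confirmation_pdf.arj"))
```

On the constructed archive the container sniffs as zip while the name claims arj, and the single member is a PE with an executable extension and a "_pdf" lure in its name; either finding alone is enough to hold the attachment. The same routine applied to the real sample would report required_version 20 and compress_type 8, matching the EXIF block.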
Screenshots: all screenshots are available in the full report.
Total processes: 35
Monitored processes: 4
Malicious processes: 4
Suspicious processes: 0

Behavior graph (interactive in the full report)

explorer.exe -> WinRAR.exe -> Payment_Confirmation_pdf.exe (drop and start) -> Payment_Confirmation_pdf.exe (#LOKIBOT)

Process information

PID: 1896
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 2428
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2892.24868\Payment_Confirmation_pdf.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2892.24868\Payment_Confirmation_pdf.exe
Parent process: WinRAR.exe
User:
admin
Company:
kerchiefs10
Integrity Level:
MEDIUM
Description:
Vacuumed
Exit code:
0
Version:
1.03.0005
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa2892.24868\payment_confirmation_pdf.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID: 2892
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Payment_Confirmation_pdf.arj.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 2984
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2892.24868\Payment_Confirmation_pdf.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2892.24868\Payment_Confirmation_pdf.exe
Parent process: Payment_Confirmation_pdf.exe
User:
admin
Company:
kerchiefs10
Integrity Level:
MEDIUM
Description:
Vacuumed
Exit code:
0
Version:
1.03.0005
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa2892.24868\payment_confirmation_pdf.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
Total events: 2,569
Read events: 2,443
Write events: 124
Delete events: 2

Modification events

PID Process | Operation | Key | Name | Value
2892 WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP |
2892 WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon |
2892 WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\65\52C64B7E | LanguageList | en-US
1896 explorer.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts | |
1896 explorer.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR\WinRAR.lnk | 1
1896 explorer.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR\WinRAR.lnk | 1
2892 WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\Desktop\Payment_Confirmation_pdf.arj.zip
2892 WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
2892 WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
2892 WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
Executable files: 3
Suspicious files: 3
Text files: 1
Unknown types: 5

Dropped files

PID | Process | Filename | Type
2892 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2892.25158\Payment_Confirmation_pdf.exe |
1896 | explorer.exe | C:\Users\admin\AppData\Local\Temp\CabC7C2.tmp |
1896 | explorer.exe | C:\Users\admin\AppData\Local\Temp\TarC7C3.tmp |
2984 | Payment_Confirmation_pdf.exe | C:\Users\admin\AppData\Roaming\03B51E\EE03AE.lck |
2892 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2892.24868\Payment_Confirmation_pdf.exe | executable
1896 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\46f433176bc0b3d2.automaticDestinations-ms | automaticdestinations-ms
2428 | Payment_Confirmation_pdf.exe | C:\Users\admin\AppData\Local\Temp\~DFB460B4411DD9C2B2.TMP | binary
1896 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms | automaticdestinations-ms
1896 | explorer.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | binary
1896 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\Payment_Confirmation_pdf.arj.lnk | lnk
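The process tree and the dropped-file list are the host-side detection opportunities in this report: WinRAR extracts the member into a Rar$EX... temp directory and runs it, the executable then starts a second copy of itself (the "Application launched itself" and "Application was dropped or rewritten from another process" signatures; a second instance of the same image from a user-writable path is the usual trace of a self-injecting loader), and that second instance writes C:\Users\admin\AppData\Roaming\03B51E\EE03AE.lck. The Python below is an added example, not code from the report or from ANY.RUN. It runs four rules over constructed process-creation and file-creation events that reproduce these observations plus one benign control, and it generalizes the lock file to \AppData\Roaming\<6 hex>\<6 hex>.lck, LokiBot's usual layout. The event schema, the regexes and the SELF_SPAWN_OK allowlist are my own assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """Minimal Sysmon-like record (assumed schema): process create or file create."""
    kind: str                 # "process" or "file"
    pid: int
    image: str
    ppid: int = 0
    parent_image: str = ""
    cmdline: str = ""
    target: str = ""          # path written, for "file" events


RAR_TEMP = r"C:\Users\admin\AppData\Local\Temp\Rar$EXa2892.24868\Payment_Confirmation_pdf.exe"
WINRAR = r"C:\Program Files\WinRAR\WinRAR.exe"

# Constructed events reproducing the report's process tree and .lck drop, plus a benign control.
SAMPLE_EVENTS = [
    Event("process", 2892, WINRAR, 1896, r"C:\Windows\explorer.exe",
          f'"{WINRAR}" "C:\\Users\\admin\\Desktop\\Payment_Confirmation_pdf.arj.zip"'),
    Event("process", 2428, RAR_TEMP, 2892, WINRAR, f'"{RAR_TEMP}"'),
    Event("process", 2984, RAR_TEMP, 2428, RAR_TEMP, f'"{RAR_TEMP}"'),
    Event("file", 2984, RAR_TEMP, target=r"C:\Users\admin\AppData\Roaming\03B51E\EE03AE.lck"),
    Event("process", 3100, r"C:\Program Files\Adobe\Reader\AcroRd32.exe", 1896, r"C:\Windows\explorer.exe",
          r'"C:\Program Files\Adobe\Reader\AcroRd32.exe" "C:\Users\admin\Downloads\invoice.pdf"'),
]

# Rule patterns: assumptions generalized from the paths in the report.
ARCHIVE_TEMP = re.compile(r"\\AppData\\Local\\Temp\\Rar\$[A-Za-z]+\d+\.\d+\\", re.I)
DOUBLE_EXT = re.compile(r"[._-](pdf|doc|docx|xls|xlsx|jpg|png)\.(exe|scr|com|pif)$", re.I)
LOKI_LOCK = re.compile(r"\\AppData\\Roaming\\[0-9A-F]{6}\\[0-9A-F]{6}\.lck$", re.I)
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\", re.I)
# Programs that legitimately spawn a copy of themselves (tuning list, an assumption).
SELF_SPAWN_OK = {"chrome.exe", "firefox.exe", "msedge.exe", "svchost.exe", "cmd.exe", "powershell.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events) -> list:
    """Return (pid, rule) pairs; one event can trip several rules."""
    alerts = []
    for e in events:
        if e.kind == "process":
            # Rule 1: executable run straight out of WinRAR's extraction scratch directory.
            if ARCHIVE_TEMP.search(e.image) and basename(e.parent_image) == "winrar.exe":
                alerts.append((e.pid, "exec_from_archive_temp"))
            # Rule 2: "<something>_pdf.exe" style lure name.
            if DOUBLE_EXT.search(e.image):
                alerts.append((e.pid, "double_extension_lure"))
            # Rule 3: image spawned by an identical image under C:\Users (self-injection pattern).
            if (e.parent_image and e.image.lower() == e.parent_image.lower()
                    and USER_WRITABLE.match(e.image)
                    and basename(e.image) not in SELF_SPAWN_OK):
                alerts.append((e.pid, "self_launch_from_user_path"))
        elif e.kind == "file" and LOKI_LOCK.search(e.target):
            # Rule 4: LokiBot's lock file in a 6-hex-character Roaming subdirectory.
            alerts.append((e.pid, "lokibot_lock_file"))
    return alerts


def verdict(alerts) -> str:
    """Escalate when the delivery chain and a post-execution artifact are both present."""
    rules = {r for _, r in alerts}
    chain = {"exec_from_archive_temp", "self_launch_from_user_path"} <= rules
    if chain and "lokibot_lock_file" in rules:
        return "malicious"
    return "suspicious" if rules else "clean"


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for pid, rule in found:
        print(pid, rule)
    print(verdict(found))
```

Rules 1 and 2 fire on PID 2428, rules 2 to 4 on PID 2984, and nothing fires on WinRAR itself or on the control process. Tying the verdict to the combination of delivery chain and lock file keeps a lone double-extension filename at "suspicious", which is where an analyst, not an automated block, should take over.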
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 5
DNS requests: 3
Threats: 26

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
1896 | explorer.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ba95d2f30a40bcb9 | US | compressed | 55.2 Kb | whitelisted
2984 | Payment_Confirmation_pdf.exe | POST | 404 | 194.87.94.91:80 | http://maedilaxx.xyz/levels/maro/fre.php | RU | text | 15 b | malicious
2984 | Payment_Confirmation_pdf.exe | POST | 404 | 194.87.94.91:80 | http://maedilaxx.xyz/levels/maro/fre.php | RU | binary | 23 b | malicious
2984 | Payment_Confirmation_pdf.exe | POST | 404 | 194.87.94.91:80 | http://maedilaxx.xyz/levels/maro/fre.php | RU | text | 15 b | malicious
2984 | Payment_Confirmation_pdf.exe | POST | 404 | 185.62.103.193:80 | http://maedilaxx.xyz/levels/maro/fre.php | RU | binary | 23 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2984 | Payment_Confirmation_pdf.exe | 194.87.94.91:80 | maedilaxx.xyz | JSC Mediasoft ekspert | RU | malicious
1896 | explorer.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2984 | Payment_Confirmation_pdf.exe | 185.62.103.193:80 | maedilaxx.xyz | Start LLC | RU | malicious

DNS requests

Domain | IP | Reputation
ctldl.windowsupdate.com | 93.184.221.240 | whitelisted
maedilaxx.xyz | 194.87.94.91, 185.62.103.193 | malicious

Threats

PID | Process | Class | Message
2984 | Payment_Confirmation_pdf.exe | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno)
2984 | Payment_Confirmation_pdf.exe | A Network Trojan was detected | ET TROJAN LokiBot Checkin
2984 | Payment_Confirmation_pdf.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
2984 | Payment_Confirmation_pdf.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
2984 | Payment_Confirmation_pdf.exe | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2
2984 | Payment_Confirmation_pdf.exe | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno)
2984 | Payment_Confirmation_pdf.exe | A Network Trojan was detected | ET TROJAN LokiBot Checkin
2984 | Payment_Confirmation_pdf.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
2984 | Payment_Confirmation_pdf.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
2984 | Payment_Confirmation_pdf.exe | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2
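The HTTP and Threats tables together show what the network side of this detonation looks like: four POSTs from PID 2984 to the same /fre.php gate on maedilaxx.xyz, alternating tiny text and binary transactions, all answered with 404, spread over two IPs for one domain, and ET/PTsecurity signatures for the LokiBot User-Agent, check-in and credential exfiltration. The Python below is an added example, not code from the report, ANY.RUN or Emerging Threats. It reproduces the five requests as constructed records and runs the three checks an analyst would want from proxy or Zeek-style HTTP logs: the hard-coded LokiBot User-Agent "Mozilla/4.08 (Charon; Inferno)" that the ET "Charon/Inferno" rule keys on, POSTs to a short .php gate with a tiny payload, and repeated POSTs to one host/path counted regardless of status (the 404s here did not stop the client). The User-Agent strings and the field names are assumptions; the report lists only method, status, IP, URL and size.

```python
import re
from collections import Counter, defaultdict

# User-Agent hard-coded in LokiBot builds; the "Charon/Inferno" ET signature keys on it.
LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"
# LokiBot panels are reached at a short .php gate, such as the report's /fre.php.
C2_GATE = re.compile(r"/[a-z0-9_]{1,8}\.php$", re.I)
# Assumed UA for the benign CryptoAPI root-certificate download seen from explorer.exe.
CRYPTOAPI_UA = "Microsoft-CryptoAPI/6.1"

# Constructed transactions reproducing the report's five HTTP requests.
# "size" is the size column as listed in the report.
SAMPLE_HTTP = [
    {"pid": 1896, "proc": "explorer.exe", "method": "GET", "status": 200, "dst": "93.184.221.240",
     "host": "ctldl.windowsupdate.com", "path": "/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
     "ua": CRYPTOAPI_UA, "size": 56525},
    {"pid": 2984, "proc": "Payment_Confirmation_pdf.exe", "method": "POST", "status": 404, "dst": "194.87.94.91",
     "host": "maedilaxx.xyz", "path": "/levels/maro/fre.php", "ua": LOKIBOT_UA, "size": 15},
    {"pid": 2984, "proc": "Payment_Confirmation_pdf.exe", "method": "POST", "status": 404, "dst": "194.87.94.91",
     "host": "maedilaxx.xyz", "path": "/levels/maro/fre.php", "ua": LOKIBOT_UA, "size": 23},
    {"pid": 2984, "proc": "Payment_Confirmation_pdf.exe", "method": "POST", "status": 404, "dst": "194.87.94.91",
     "host": "maedilaxx.xyz", "path": "/levels/maro/fre.php", "ua": LOKIBOT_UA, "size": 15},
    {"pid": 2984, "proc": "Payment_Confirmation_pdf.exe", "method": "POST", "status": 404, "dst": "185.62.103.193",
     "host": "maedilaxx.xyz", "path": "/levels/maro/fre.php", "ua": LOKIBOT_UA, "size": 23},
]


def score(tx: dict) -> list:
    """Per-transaction reasons; an empty list means nothing matched."""
    reasons = []
    if tx["ua"] == LOKIBOT_UA:
        reasons.append("lokibot_user_agent")
    if tx["method"] == "POST" and C2_GATE.search(tx["path"]):
        reasons.append("post_to_php_gate")
    if tx["method"] == "POST" and tx["size"] <= 64:
        reasons.append("tiny_post_transaction")
    return reasons


def find_beacons(txs, min_count: int = 3) -> dict:
    """Same process POSTing repeatedly to one host/path, counted regardless of HTTP status."""
    counts = Counter((t["pid"], t["host"], t["path"]) for t in txs if t["method"] == "POST")
    return {key: n for key, n in counts.items() if n >= min_count}


def c2_infrastructure(txs) -> dict:
    """Every destination IP each alerted host was reached on (two for maedilaxx.xyz in the report)."""
    ips = defaultdict(set)
    for t in txs:
        if score(t):
            ips[t["host"]].add(t["dst"])
    return {host: sorted(addrs) for host, addrs in ips.items()}


def analyze(txs):
    alerts = [(t["pid"], t["dst"], score(t)) for t in txs if score(t)]
    return alerts, find_beacons(txs), c2_infrastructure(txs)


if __name__ == "__main__":
    alerts, beacons, infra = analyze(SAMPLE_HTTP)
    for pid, dst, reasons in alerts:
        print(pid, dst, ",".join(reasons))
    print("beacons:", beacons)
    print("c2 infrastructure:", infra)
```

Only the four POSTs from PID 2984 score, each on all three reasons; the CryptoAPI download scores on none. The beacon count treats the 404 replies as irrelevant, which matters here: the panel answered 404 to every check-in and the client kept posting, and the exfiltration signatures fired anyway, so a status-based filter would have hidden the traffic. The infrastructure map is what goes into the block list: both 194.87.94.91 and 185.62.103.193 behind maedilaxx.xyz, not just the first resolution.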
4 ETPRO signatures are available in the full report
No debug info