File name: | Payment_Confirmation_pdf.arj |
Full analysis: | https://app.any.run/tasks/04ff070b-0514-4479-998c-337d7be421c8 |
Verdict: | Malicious activity |
Threats: | LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals. |
Analysis date: | March 21, 2019, 05:55:20 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 2DA7EF40A091A1AC72C361ED4BCE250D |
SHA1: | 3FD6C75A6DBA78C8C202E99E7829FD97710B9085 |
SHA256: | 0E105B15130E106414F248D2616BC83E7997DB737BAE5EFF4F0A78A3A3BE473B |
SSDEEP: | 3072:FUgL/UxJQ9qFgQsIOCHilsfTsbWHvKSJtN/sc55LQIhMhspCxRFtWJl809UWIdCD:NrT4FGblKRdv15CxRFk0s505y |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | Payment_Confirmation_pdf.exe |
---|---|
ZipUncompressedSize: | 1306984 |
ZipCompressedSize: | 181195 |
ZipCRC: | 0xa357ea6a |
ZipModifyDate: | 2000:06:23 08:00:29 |
ZipCompression: | Deflated |
ZipBitFlag: | - |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2892 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Payment_Confirmation_pdf.arj.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
2428 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2892.24868\Payment_Confirmation_pdf.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2892.24868\Payment_Confirmation_pdf.exe | — | WinRAR.exe |
User: admin Company: kerchiefs10 Integrity Level: MEDIUM Description: Vacuumed Exit code: 0 Version: 1.03.0005 | ||||
1896 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2984 | C:\Users\admin\AppData\Local\Temp\Rar$EXa2892.24868\Payment_Confirmation_pdf.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2892.24868\Payment_Confirmation_pdf.exe | Payment_Confirmation_pdf.exe | |
User: admin Company: kerchiefs10 Integrity Level: MEDIUM Description: Vacuumed Version: 1.03.0005 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2892 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2892.25158\Payment_Confirmation_pdf.exe | — | |
MD5:— | SHA256:— | |||
1896 | explorer.exe | C:\Users\admin\AppData\Local\Temp\CabC7C2.tmp | — | |
MD5:— | SHA256:— | |||
1896 | explorer.exe | C:\Users\admin\AppData\Local\Temp\TarC7C3.tmp | — | |
MD5:— | SHA256:— | |||
2984 | Payment_Confirmation_pdf.exe | C:\Users\admin\AppData\Roaming\03B51E\EE03AE.lck | — | |
MD5:— | SHA256:— | |||
1896 | explorer.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | binary | |
MD5:C9100620C51813777BEEA4132F912E8A | SHA256:9A54601315E5CD8071AF4F3DBF02112DC5ED7DE9E4FAED7B973A89228704126A | |||
1896 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\46f433176bc0b3d2.automaticDestinations-ms | automaticdestinations-ms | |
MD5:335C81881F5577AC44AAAE3068964DAD | SHA256:C1D85B40138B3D89534F7CB721E20E5930A3950F435C02E114074714FCDC4740 | |||
1896 | explorer.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | compressed | |
MD5:02C1120F28378FD32B58CEC3BB9458C2 | SHA256:F3C77083FE5D71225CEEA0337E819ED7049E2A5692E6C662C5A0EAA97DB3DFF9 | |||
2984 | Payment_Confirmation_pdf.exe | C:\Users\admin\AppData\Roaming\03B51E\EE03AE.exe | executable | |
MD5:27340053E4976928E34C1F7F34752650 | SHA256:83A7A176E7B95BA29859C03D3545BD04CA657CB0BADCABD9657083745A59FE42 | |||
2892 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2892.24868\Payment_Confirmation_pdf.exe | executable | |
MD5:27340053E4976928E34C1F7F34752650 | SHA256:83A7A176E7B95BA29859C03D3545BD04CA657CB0BADCABD9657083745A59FE42 | |||
1896 | explorer.exe | C:\Users\admin\Desktop\Payment_Confirmation_pdf.exe | executable | |
MD5:27340053E4976928E34C1F7F34752650 | SHA256:83A7A176E7B95BA29859C03D3545BD04CA657CB0BADCABD9657083745A59FE42 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1896 | explorer.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ba95d2f30a40bcb9 | US | compressed | 55.2 Kb | whitelisted |
2984 | Payment_Confirmation_pdf.exe | POST | 404 | 194.87.94.91:80 | http://maedilaxx.xyz/levels/maro/fre.php | RU | text | 15 b | malicious |
2984 | Payment_Confirmation_pdf.exe | POST | 404 | 194.87.94.91:80 | http://maedilaxx.xyz/levels/maro/fre.php | RU | text | 15 b | malicious |
2984 | Payment_Confirmation_pdf.exe | POST | 404 | 194.87.94.91:80 | http://maedilaxx.xyz/levels/maro/fre.php | RU | binary | 23 b | malicious |
2984 | Payment_Confirmation_pdf.exe | POST | 404 | 185.62.103.193:80 | http://maedilaxx.xyz/levels/maro/fre.php | RU | binary | 23 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2984 | Payment_Confirmation_pdf.exe | 194.87.94.91:80 | maedilaxx.xyz | JSC Mediasoft ekspert | RU | malicious |
2984 | Payment_Confirmation_pdf.exe | 185.62.103.193:80 | maedilaxx.xyz | Start LLC | RU | malicious |
1896 | explorer.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
ctldl.windowsupdate.com |
| whitelisted |
maedilaxx.xyz |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2984 | Payment_Confirmation_pdf.exe | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno) |
2984 | Payment_Confirmation_pdf.exe | A Network Trojan was detected | ET TROJAN LokiBot Checkin |
2984 | Payment_Confirmation_pdf.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 |
2984 | Payment_Confirmation_pdf.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 |
2984 | Payment_Confirmation_pdf.exe | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2 |
2984 | Payment_Confirmation_pdf.exe | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno) |
2984 | Payment_Confirmation_pdf.exe | A Network Trojan was detected | ET TROJAN LokiBot Checkin |
2984 | Payment_Confirmation_pdf.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 |
2984 | Payment_Confirmation_pdf.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 |
2984 | Payment_Confirmation_pdf.exe | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2 |