File name:	Payment_Confirmation_pdf.arj
Full analysis:	https://app.any.run/tasks/04ff070b-0514-4479-998c-337d7be421c8
Verdict:	Malicious activity
Threats:	LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	March 21, 2019, 05:55:20
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	trojan lokibot
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract
MD5:	2DA7EF40A091A1AC72C361ED4BCE250D
SHA1:	3FD6C75A6DBA78C8C202E99E7829FD97710B9085
SHA256:	0E105B15130E106414F248D2616BC83E7997DB737BAE5EFF4F0A78A3A3BE473B
SSDEEP:	3072:FUgL/UxJQ9qFgQsIOCHilsfTsbWHvKSJtN/sc55LQIhMhspCxRFtWJl809UWIdCD:NrT4FGblKRdv15CxRFk0s505y

ZipFileName:	Payment_Confirmation_pdf.exe
ZipUncompressedSize:	1306984
ZipCompressedSize:	181195
ZipCRC:	0xa357ea6a
ZipModifyDate:	2000:06:23 08:00:29
ZipCompression:	Deflated
ZipBitFlag:	-
ZipRequiredVersion:	20

PID	CMD	Path	Indicators	Parent process
2892	"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Payment_Confirmation_pdf.arj.zip"	C:\Program Files\WinRAR\WinRAR.exe		explorer.exe
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0
2428	"C:\Users\admin\AppData\Local\Temp\Rar$EXa2892.24868\Payment_Confirmation_pdf.exe"	C:\Users\admin\AppData\Local\Temp\Rar$EXa2892.24868\Payment_Confirmation_pdf.exe	—	WinRAR.exe
User: admin Company: kerchiefs10 Integrity Level: MEDIUM Description: Vacuumed Exit code: 0 Version: 1.03.0005
1896	C:\Windows\Explorer.EXE	C:\Windows\explorer.exe		—
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2984	C:\Users\admin\AppData\Local\Temp\Rar$EXa2892.24868\Payment_Confirmation_pdf.exe"	C:\Users\admin\AppData\Local\Temp\Rar$EXa2892.24868\Payment_Confirmation_pdf.exe		Payment_Confirmation_pdf.exe
User: admin Company: kerchiefs10 Integrity Level: MEDIUM Description: Vacuumed Version: 1.03.0005

PID	Process	Filename		Type
2892	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2892.25158\Payment_Confirmation_pdf.exe		—
		MD5:—	SHA256:—
1896	explorer.exe	C:\Users\admin\AppData\Local\Temp\CabC7C2.tmp		—
		MD5:—	SHA256:—
1896	explorer.exe	C:\Users\admin\AppData\Local\Temp\TarC7C3.tmp		—
		MD5:—	SHA256:—
2984	Payment_Confirmation_pdf.exe	C:\Users\admin\AppData\Roaming\03B51E\EE03AE.lck		—
		MD5:—	SHA256:—
1896	explorer.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506		binary
		MD5:C9100620C51813777BEEA4132F912E8A	SHA256:9A54601315E5CD8071AF4F3DBF02112DC5ED7DE9E4FAED7B973A89228704126A
1896	explorer.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\46f433176bc0b3d2.automaticDestinations-ms		automaticdestinations-ms
		MD5:335C81881F5577AC44AAAE3068964DAD	SHA256:C1D85B40138B3D89534F7CB721E20E5930A3950F435C02E114074714FCDC4740
1896	explorer.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506		compressed
		MD5:02C1120F28378FD32B58CEC3BB9458C2	SHA256:F3C77083FE5D71225CEEA0337E819ED7049E2A5692E6C662C5A0EAA97DB3DFF9
2984	Payment_Confirmation_pdf.exe	C:\Users\admin\AppData\Roaming\03B51E\EE03AE.exe		executable
		MD5:27340053E4976928E34C1F7F34752650	SHA256:83A7A176E7B95BA29859C03D3545BD04CA657CB0BADCABD9657083745A59FE42
2892	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa2892.24868\Payment_Confirmation_pdf.exe		executable
		MD5:27340053E4976928E34C1F7F34752650	SHA256:83A7A176E7B95BA29859C03D3545BD04CA657CB0BADCABD9657083745A59FE42
1896	explorer.exe	C:\Users\admin\Desktop\Payment_Confirmation_pdf.exe		executable
		MD5:27340053E4976928E34C1F7F34752650	SHA256:83A7A176E7B95BA29859C03D3545BD04CA657CB0BADCABD9657083745A59FE42

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1896	explorer.exe	GET	200	93.184.221.240:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ba95d2f30a40bcb9	US	compressed	55.2 Kb	whitelisted
2984	Payment_Confirmation_pdf.exe	POST	404	194.87.94.91:80	http://maedilaxx.xyz/levels/maro/fre.php	RU	text	15 b	malicious
2984	Payment_Confirmation_pdf.exe	POST	404	194.87.94.91:80	http://maedilaxx.xyz/levels/maro/fre.php	RU	text	15 b	malicious
2984	Payment_Confirmation_pdf.exe	POST	404	194.87.94.91:80	http://maedilaxx.xyz/levels/maro/fre.php	RU	binary	23 b	malicious
2984	Payment_Confirmation_pdf.exe	POST	404	185.62.103.193:80	http://maedilaxx.xyz/levels/maro/fre.php	RU	binary	23 b	malicious

Domain	IP	Reputation
ctldl.windowsupdate.com	93.184.221.240	whitelisted
maedilaxx.xyz	194.87.94.91 185.62.103.193	malicious

PID	Process	Class	Message
2984	Payment_Confirmation_pdf.exe	A Network Trojan was detected	ET TROJAN LokiBot User-Agent (Charon/Inferno)
2984	Payment_Confirmation_pdf.exe	A Network Trojan was detected	ET TROJAN LokiBot Checkin
2984	Payment_Confirmation_pdf.exe	A Network Trojan was detected	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
2984	Payment_Confirmation_pdf.exe	A Network Trojan was detected	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
2984	Payment_Confirmation_pdf.exe	A Network Trojan was detected	MALWARE [PTsecurity] Loki Bot Check-in M2
2984	Payment_Confirmation_pdf.exe	A Network Trojan was detected	ET TROJAN LokiBot User-Agent (Charon/Inferno)
2984	Payment_Confirmation_pdf.exe	A Network Trojan was detected	ET TROJAN LokiBot Checkin
2984	Payment_Confirmation_pdf.exe	A Network Trojan was detected	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
2984	Payment_Confirmation_pdf.exe	A Network Trojan was detected	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
2984	Payment_Confirmation_pdf.exe	A Network Trojan was detected	MALWARE [PTsecurity] Loki Bot Check-in M2

PID	Process	IP	Domain	ASN	CN	Reputation
2984	Payment_Confirmation_pdf.exe	194.87.94.91:80	maedilaxx.xyz	JSC Mediasoft ekspert	RU	malicious
2984	Payment_Confirmation_pdf.exe	185.62.103.193:80	maedilaxx.xyz	Start LLC	RU	malicious
1896	explorer.exe	93.184.221.240:80	ctldl.windowsupdate.com	MCI Communications Services, Inc. d/b/a Verizon Business	US	whitelisted

General Info

Payment_Confirmation_pdf.arj

2DA7EF40A091A1AC72C361ED4BCE250D

3FD6C75A6DBA78C8C202E99E7829FD97710B9085

0E105B15130E106414F248D2616BC83E7997DB737BAE5EFF4F0A78A3A3BE473B

3072:FUgL/UxJQ9qFgQsIOCHilsfTsbWHvKSJtN/sc55LQIhMhspCxRFtWJl809UWIdCD:NrT4FGblKRdv15CxRFk0s505y

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

LOKIBOT was detected

Detected artifacts of LokiBot

Connects to CnC server

Actions looks like stealing of personal data

SUSPICIOUS

Executable content was dropped or overwritten

Creates files in the user directory

Reads the machine GUID from the registry

Application launched itself

INFO

Reads settings of System Certificates

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings