File name: SKBM Purchase Order ZE5 471144308.pdf.gz

Full analysis: https://app.any.run/tasks/272a822d-cb77-471c-acfc-80e8b39393c9
Verdict: Malicious activity
Threats: LokiBot

LokiBot was developed in 2015 to steal information from a variety of applications. Despite its age, this malware is still rather popular among cybercriminals.

Analysis date: September 11, 2019, 08:31:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, lokibot
Indicators:
MIME: application/gzip
File info: gzip compressed data, was "SKBM Purchase Order ZE5 471144308,pdf.exe", last modified: Wed Sep 11 00:34:54 2019, from FAT filesystem (MS-DOS, OS/2, NT)
MD5: 6D0109016DAE28A4AF99822DFBB5929C
SHA1: 73113C0C2640FBC2C0E57782A7B606D711BA2ABE
SHA256: 1DBC4F71CA4782BA2C4B24EEA654D64922A785428C1A8C6C49E5000DC251B0B8
SSDEEP: 6144:eg9QlABGR8LLWADjQKR9JFO2DYgReckQrvChY4cviflSWZbfOf5szgSuuGqtb:eMQlAB4Kfjrlo2MgRecHrvCtcKfEWZGs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • SKBM Purchase Order ZE5 471144308,pdf.exe (PID: 2748)
    • Runs app for hidden code execution
      • SKBM Purchase Order ZE5 471144308,pdf.exe (PID: 2748)
    • Loads dropped or rewritten executable
      • SKBM Purchase Order ZE5 471144308,pdf.exe (PID: 2748)
    • Known privilege escalation attack
      • DllHost.exe (PID: 1812)
    • LokiBot was detected
      • cmd.exe (PID: 3688)
    • Connects to CnC server
      • cmd.exe (PID: 3688)
    • Actions looks like stealing of personal data
      • cmd.exe (PID: 3688)
  • SUSPICIOUS
    • Starts CMD.EXE for commands execution
      • SKBM Purchase Order ZE5 471144308,pdf.exe (PID: 2748)
      • DllHost.exe (PID: 1812)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2776)
      • SKBM Purchase Order ZE5 471144308,pdf.exe (PID: 2748)
      • cmd.exe (PID: 3688)
    • Creates files in the user directory
      • SKBM Purchase Order ZE5 471144308,pdf.exe (PID: 2748)
      • cmd.exe (PID: 3688)
    • Executed via COM
      • DllHost.exe (PID: 1812)
    • Uses REG.EXE to modify Windows registry
      • cmd.exe (PID: 2104)
    • Loads DLL from Mozilla Firefox
      • cmd.exe (PID: 3688)
    • Connects to server without host name
      • cmd.exe (PID: 3688)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD: .z/gz/gzip | GZipped data (100)

EXIF (ZIP):
  Compression: Deflated
  Flags: FileName
  ModifyDate: 2019:09:11 02:34:54+02:00
  ExtraFlags: (none)
  OperatingSystem: FAT filesystem (MS-DOS, OS/2, NT/Win32)
  ArchivedFileName: SKBM Purchase Order ZE5 471144308,pdf.exe
No data.
Total processes: 40
Monitored processes: 6
Malicious processes: 4
Suspicious processes: 0

Behavior graph

(Interactive graph, available in the full report. Nodes shown: winrar.exe; SKBM Purchase Order ZE5 471144308,pdf.exe (drop and start); cmd.exe (#LOKIBOT); CMSTPLUA (no specs); cmd.exe (no specs); reg.exe (no specs).)

Process information

PID 2776, parent process: explorer.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\SKBM Purchase Order ZE5 471144308.pdf.gz.z"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 2748, parent process: WinRAR.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2776.23049\SKBM Purchase Order ZE5 471144308,pdf.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2776.23049\SKBM Purchase Order ZE5 471144308,pdf.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 3688, parent process: SKBM Purchase Order ZE5 471144308,pdf.exe
  CMD: "C:\Windows\system32\cmd.exe"
  Path: C:\Windows\system32\cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Command Processor
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 1812, parent process: svchost.exe
  CMD: C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  Path: C:\Windows\system32\DllHost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: COM Surrogate
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2104, parent process: DllHost.exe
  CMD: "C:\Windows\system32\cmd.exe" /c "reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\admin\AppData\Roaming\Adobe\Sonar" /t REG_DWORD /d 0"
  Path: C:\Windows\system32\cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Windows Command Processor
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3640, parent process: cmd.exe
  CMD: reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\admin\AppData\Roaming\Adobe\Sonar" /t REG_DWORD /d 0
  Path: C:\Windows\system32\reg.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Registry Console Tool
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 22 233
Read events: 1 183
Write events: 0
Delete events: 0

Modification events: No data
Executable files: 10
Suspicious files: 3
Text files: 11
Unknown types: 12

Dropped files

PID 2776, WinRAR.exe
  File: C:\Users\admin\AppData\Local\Temp\Rar$EXa2776.23049\SKBM Purchase Order ZE5 471144308,pdf.exe (executable)
  MD5: C31ACD5E24DBD11866E7FFED59E5A91C
  SHA256: E9ECEA88BE2206882F3F040E1390F20C5F5D004A57BEDDA43AC77722A678FA64

PID 2748, SKBM Purchase Order ZE5 471144308,pdf.exe
  File: C:\Users\admin\AppData\Local\Temp\croseci2c.koo
  MD5: 982EF9265A0408838723CFEC9D529022
  SHA256: 85AD8FBF5405A22284F68903960F3F4039B429F9BCE1C350A5F7DD59842E8485

PID 2748, SKBM Purchase Order ZE5 471144308,pdf.exe
  File: C:\Users\admin\AppData\Local\Temp\regcap.exe (executable)
  MD5: 5FE8A1A2693FB4BE7EAB5190C15A9207
  SHA256: 3CE855F86C63158D1D9F45DA7E6B6096E107DC9BCA2928B02B79E08A354D040B

PID 2748, SKBM Purchase Order ZE5 471144308,pdf.exe
  File: C:\Users\admin\AppData\Local\Temp\Local903113851vbcalendar1.gif (image)
  MD5: D407F091E74FDC406007DC52583B72B1
  SHA256: 965F56B03D76936A329716FDA679A4E2A74DF0C0A81550D1029394EDAF94B284

PID 2748, SKBM Purchase Order ZE5 471144308,pdf.exe
  File: C:\Users\admin\AppData\Local\Temp\io.pagure.lohit.tamil.font.metainfo.xml (xml)
  MD5: DFD6ECE482B01BA11184D93D4578E77A
  SHA256: F9AA0A05B7A957154E5D280F9C60680499860A2ECD824CDAED7682C2C96308EC

PID 2748, SKBM Purchase Order ZE5 471144308,pdf.exe
  File: C:\Users\admin\AppData\Roaming\config\quickmod\ParentID\actions\sbssystementerpriseservices.dll (executable)
  MD5: 98B030CFCEC9B1981BEFD6FE1BF29D6B
  SHA256: D25D6D7675F6E0233162B189CDEBEFDE95D2A3E7FA61C6CBE4729A3A4943102C

PID 2748, SKBM Purchase Order ZE5 471144308,pdf.exe
  File: C:\Users\admin\AppData\Local\Temp\thresholds.xml (xml)
  MD5: 04D4A80687F7073AE81C91907889DB42
  SHA256: 793FA5347285E56CD1591F10A3F0655531465FFF5979C7F800BF3D4EDBE57B3B

PID 2748, SKBM Purchase Order ZE5 471144308,pdf.exe
  File: C:\Users\admin\AppData\Local\Temp\vnd.android.package-archive.xml (xml)
  MD5: DC571042D83000283E6F697C62B0BF93
  SHA256: 7687FD25A5C2709C28FF4AF9DAC64FE6FB496688F7A75CC44D80719D5ABE528A

PID 2748, SKBM Purchase Order ZE5 471144308,pdf.exe
  File: C:\Users\admin\AppData\Local\Temp\crtowordsjp.dll (executable)
  MD5: 3E4BCF2DE196EF44475F8962D2C510A7
  SHA256: 6B939CA71A60206953CEA7340BC3754B7EDEFB77FFFBD98A6A78EC08FD667834

PID 2748, SKBM Purchase Order ZE5 471144308,pdf.exe
  File: C:\Users\admin\AppData\Local\Temp\VsMacroHierarchyLib.dll (executable)
  MD5: FA8B9B8C019621EE87F6DC589A50DB99
  SHA256: 165882E496E37CEB73174D921D7A07DE38750C5E43F2BC4F0F8A052FAA5A5B97
HTTP(S) requests: 4
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

PID  | Process | Method | HTTP Code | IP                | URL                                       | CN | Type   | Size | Reputation
3688 | cmd.exe | POST   | 404       | 86.106.102.103:80 | http://86.106.102.103/Sammybiggy/fre.php | RU | binary | 23 b | malicious
3688 | cmd.exe | POST   | 404       | 86.106.102.103:80 | http://86.106.102.103/Sammybiggy/fre.php | RU | text   | 15 b | malicious
3688 | cmd.exe | POST   | 404       | 86.106.102.103:80 | http://86.106.102.103/Sammybiggy/fre.php | RU | text   | 15 b | malicious
3688 | cmd.exe | POST   | 404       | 86.106.102.103:80 | http://86.106.102.103/Sammybiggy/fre.php | RU | binary | 23 b | malicious

Connections

PID  | Process | IP                | Domain | ASN                | CN | Reputation
3688 | cmd.exe | 86.106.102.103:80 |        | Mir Telematiki Ltd | RU | malicious

DNS requests: No data

Threats

PID  | Process | Class                        | Message
3688 | cmd.exe | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno)
3688 | cmd.exe | A Network Trojan was detected | ET TROJAN LokiBot Checkin
3688 | cmd.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
3688 | cmd.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
3688 | cmd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2
3688 | cmd.exe | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno)
3688 | cmd.exe | A Network Trojan was detected | ET TROJAN LokiBot Checkin
3688 | cmd.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
3688 | cmd.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
3688 | cmd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2
4 ETPRO signatures available at the full report
No debug info