Field | Value
---|---
File name | SKBM Purchase Order ZE5 471144308.pdf.gz
Full analysis | https://app.any.run/tasks/272a822d-cb77-471c-acfc-80e8b39393c9
Verdict | Malicious activity
Threats | LokiBot was developed in 2015 to steal information from a variety of applications. Despite its age, this malware is still rather popular among cybercriminals.
Analysis date | September 11, 2019, 08:31:46
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | application/gzip
File info | gzip compressed data, was "SKBM Purchase Order ZE5 471144308,pdf.exe", last modified: Wed Sep 11 00:34:54 2019, from FAT filesystem (MS-DOS, OS/2, NT)
MD5 | 6D0109016DAE28A4AF99822DFBB5929C
SHA1 | 73113C0C2640FBC2C0E57782A7B606D711BA2ABE
SHA256 | 1DBC4F71CA4782BA2C4B24EEA654D64922A785428C1A8C6C49E5000DC251B0B8
SSDEEP | 6144:eg9QlABGR8LLWADjQKR9JFO2DYgReckQrvChY4cviflSWZbfOf5szgSuuGqtb:eMQlAB4Kfjrlo2MgRecHrvCtcKfEWZGs
Field | Value
---|---
Type | .z/gz/gzip: GZipped data (100)
Compression | Deflated
Flags | FileName
ModifyDate | 2019:09:11 02:34:54+02:00
ExtraFlags | (none)
OperatingSystem | FAT filesystem (MS-DOS, OS/2, NT/Win32)
ArchivedFileName | SKBM Purchase Order ZE5 471144308,pdf.exe
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2776 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\SKBM Purchase Order ZE5 471144308.pdf.gz.z" | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0
2748 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2776.23049\SKBM Purchase Order ZE5 471144308,pdf.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2776.23049\SKBM Purchase Order ZE5 471144308,pdf.exe | | WinRAR.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
3688 | "C:\Windows\system32\cmd.exe" | C:\Windows\system32\cmd.exe | | SKBM Purchase Order ZE5 471144308,pdf.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
1812 | C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | C:\Windows\system32\DllHost.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: COM Surrogate; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2104 | "C:\Windows\system32\cmd.exe" /c "reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\admin\AppData\Roaming\Adobe\Sonar" /t REG_DWORD /d 0" | C:\Windows\system32\cmd.exe | — | DllHost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3640 | reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\admin\AppData\Roaming\Adobe\Sonar" /t REG_DWORD /d 0 | C:\Windows\system32\reg.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Registry Console Tool; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2776 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2776.23049\SKBM Purchase Order ZE5 471144308,pdf.exe | executable | C31ACD5E24DBD11866E7FFED59E5A91C | E9ECEA88BE2206882F3F040E1390F20C5F5D004A57BEDDA43AC77722A678FA64
2748 | SKBM Purchase Order ZE5 471144308,pdf.exe | C:\Users\admin\AppData\Local\Temp\croseci2c.ko | o | 982EF9265A0408838723CFEC9D529022 | 85AD8FBF5405A22284F68903960F3F4039B429F9BCE1C350A5F7DD59842E8485
2748 | SKBM Purchase Order ZE5 471144308,pdf.exe | C:\Users\admin\AppData\Local\Temp\regcap.exe | executable | 5FE8A1A2693FB4BE7EAB5190C15A9207 | 3CE855F86C63158D1D9F45DA7E6B6096E107DC9BCA2928B02B79E08A354D040B
2748 | SKBM Purchase Order ZE5 471144308,pdf.exe | C:\Users\admin\AppData\Local\Temp\Local903113851vbcalendar1.gif | image | D407F091E74FDC406007DC52583B72B1 | 965F56B03D76936A329716FDA679A4E2A74DF0C0A81550D1029394EDAF94B284
2748 | SKBM Purchase Order ZE5 471144308,pdf.exe | C:\Users\admin\AppData\Local\Temp\io.pagure.lohit.tamil.font.metainfo.xml | xml | DFD6ECE482B01BA11184D93D4578E77A | F9AA0A05B7A957154E5D280F9C60680499860A2ECD824CDAED7682C2C96308EC
2748 | SKBM Purchase Order ZE5 471144308,pdf.exe | C:\Users\admin\AppData\Roaming\config\quickmod\ParentID\actions\sbssystementerpriseservices.dll | executable | 98B030CFCEC9B1981BEFD6FE1BF29D6B | D25D6D7675F6E0233162B189CDEBEFDE95D2A3E7FA61C6CBE4729A3A4943102C
2748 | SKBM Purchase Order ZE5 471144308,pdf.exe | C:\Users\admin\AppData\Local\Temp\thresholds.xml | xml | 04D4A80687F7073AE81C91907889DB42 | 793FA5347285E56CD1591F10A3F0655531465FFF5979C7F800BF3D4EDBE57B3B
2748 | SKBM Purchase Order ZE5 471144308,pdf.exe | C:\Users\admin\AppData\Local\Temp\vnd.android.package-archive.xml | xml | DC571042D83000283E6F697C62B0BF93 | 7687FD25A5C2709C28FF4AF9DAC64FE6FB496688F7A75CC44D80719D5ABE528A
2748 | SKBM Purchase Order ZE5 471144308,pdf.exe | C:\Users\admin\AppData\Local\Temp\crtowordsjp.dll | executable | 3E4BCF2DE196EF44475F8962D2C510A7 | 6B939CA71A60206953CEA7340BC3754B7EDEFB77FFFBD98A6A78EC08FD667834
2748 | SKBM Purchase Order ZE5 471144308,pdf.exe | C:\Users\admin\AppData\Local\Temp\VsMacroHierarchyLib.dll | executable | FA8B9B8C019621EE87F6DC589A50DB99 | 165882E496E37CEB73174D921D7A07DE38750C5E43F2BC4F0F8A052FAA5A5B97
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---
3688 | cmd.exe | POST | 404 | 86.106.102.103:80 | http://86.106.102.103/Sammybiggy/fre.php | RU | binary | 23 b | malicious |
3688 | cmd.exe | POST | 404 | 86.106.102.103:80 | http://86.106.102.103/Sammybiggy/fre.php | RU | text | 15 b | malicious |
3688 | cmd.exe | POST | 404 | 86.106.102.103:80 | http://86.106.102.103/Sammybiggy/fre.php | RU | text | 15 b | malicious |
3688 | cmd.exe | POST | 404 | 86.106.102.103:80 | http://86.106.102.103/Sammybiggy/fre.php | RU | binary | 23 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
3688 | cmd.exe | 86.106.102.103:80 | — | Mir Telematiki Ltd | RU | malicious |
PID | Process | Class | Message
---|---|---|---
3688 | cmd.exe | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno) |
3688 | cmd.exe | A Network Trojan was detected | ET TROJAN LokiBot Checkin |
3688 | cmd.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 |
3688 | cmd.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 |
3688 | cmd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2 |
3688 | cmd.exe | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno) |
3688 | cmd.exe | A Network Trojan was detected | ET TROJAN LokiBot Checkin |
3688 | cmd.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 |
3688 | cmd.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 |
3688 | cmd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2 |