analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

XWS11244_INQUIRY-V1902.doc

Full analysis: https://app.any.run/tasks/542e3213-3e62-4c4a-ad24-14019bd05066
Verdict: Malicious activity
Threats:

LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals.

Analysis date: February 19, 2019, 11:31:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
exploit
CVE-2017-11882
trojan
lokibot
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5:

6D9998AB026434B35FAC86DDE06F5593

SHA1:

60DD5015B5A940090F0C6D6C93156D6D8EA8377C

SHA256:

20EBD4678FE8524109140FC12306187E8585FF0A36C22B5BBB59C0718AF699E8

SSDEEP:

24576:adete9ejhH5hOcdOgQDj/6tiQxzYTdsZ4eHL6vqC2b0UtmeB:b

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3888)
    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 2900)
    • Application was dropped or rewritten from another process

      • A.R (PID: 3020)
    • Detected artifacts of LokiBot

      • A.R (PID: 3020)
    • LOKIBOT was detected

      • A.R (PID: 3020)
    • Connects to CnC server

      • A.R (PID: 3020)
    • Actions looks like stealing of personal data

      • A.R (PID: 3020)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • EQNEDT32.EXE (PID: 3888)
    • Starts application with an unusual extension

      • CmD.exe (PID: 2528)
    • Loads DLL from Mozilla Firefox

      • A.R (PID: 3020)
    • Creates files in the user directory

      • A.R (PID: 3020)
    • Executable content was dropped or overwritten

      • A.R (PID: 3020)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2900)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2900)
    • Application was crashed

      • EQNEDT32.EXE (PID: 3888)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)

EXIF

RTF

Author: wuyan
LastModifiedBy: wuyan
CreateDate: 2019:01:03 16:14:00
ModifyDate: 2019:01:03 16:34:00
RevisionNumber: 3
TotalEditTime: 1 minute
Pages: 1
Words: 4
Characters: 24
CharactersWithSpaces: 27
InternalVersionNumber: 57435
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
4
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winword.exe eqnedt32.exe cmd.exe no specs #LOKIBOT a.r

Process information

PID
CMD
Path
Indicators
Parent process
2900"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Roaming\XWS11244_INQUIRY-V1902.doc.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3888"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
2528CmD /c %tMp%\A.RC:\Windows\system32\CmD.exeEQNEDT32.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3020C:\Users\admin\AppData\Local\Temp\A.RC:\Users\admin\AppData\Local\Temp\A.R
CmD.exe
User:
admin
Company:
SolarWinds
Integrity Level:
MEDIUM
Description:
Sqlcmmand Crashes Especially Else
Total events
1 458
Read events
796
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
3
Unknown types
7

Dropped files

PID
Process
Filename
Type
2900WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRE706.tmp.cvr
MD5:
SHA256:
3020A.RC:\Users\admin\AppData\Roaming\F63AAA\A71D80.lck
MD5:
SHA256:
2900WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6DDD43DB.emfemf
MD5:F7961E44FE51CEEE06391905162E18E0
SHA256:DCD5C765BCCFAC9339A8985357B391A3FAC1AE571AC0E5A971938573742F306D
2900WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\XWS11244_INQUIRY-V1902.doc.rtf.LNKlnk
MD5:F32395C3DC263164AE0D0ACAB34C224F
SHA256:A252367DD50D28C74920CF9AE611BA81FC05232AF9995E11DD138E7A1726D6ED
3020A.RC:\Users\admin\AppData\Roaming\F63AAA\A71D80.exeexecutable
MD5:818FD2DF0A69788200E2DB476B7DC351
SHA256:2D8349F614DC0B13AA04A8270C48B59728E5332BB9AD12A2411CD35501F546B0
2900WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:90215C64DE854FEBB3145CD1477EDE7A
SHA256:DFB67D0FAEAB859037429FC34EB5C89687A56C9F4AD47EE47BB321E4AA658F66
2900WINWORD.EXEC:\Users\admin\AppData\Roaming\~$S11244_INQUIRY-V1902.doc.rtfpgc
MD5:1FDDB4F2740FCACDA8AE2631B90D1864
SHA256:147C5C07427F7D335CF68801EE35A556DB73DB8D1BFBAA5C96B5D4BAFE7F489C
3020A.RC:\Users\admin\AppData\Roaming\F63AAA\A71D80.hdbtext
MD5:5302B1B5EC232D44E2D9507FB847FC49
SHA256:20B58A25872B1E3F7D47DAE0C090ACF229C49B6E33939934513499CC37BB2684
3020A.RC:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2fdbf
MD5:18B8CFC0185C50383AAC0A4F30A9DAC8
SHA256:913E8CED6A447FE791954D382ABA52D490513C5D2F689B391866C7E561F89A03
2900WINWORD.EXEC:\Users\admin\AppData\Local\Temp\A.Rexecutable
MD5:818FD2DF0A69788200E2DB476B7DC351
SHA256:2D8349F614DC0B13AA04A8270C48B59728E5332BB9AD12A2411CD35501F546B0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
3
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3020
A.R
POST
404
77.221.146.5:80
http://splitbiin.co/liyoo/memz/fre.php
RU
text
15 b
malicious
3020
A.R
POST
404
77.221.146.5:80
http://splitbiin.co/liyoo/memz/fre.php
RU
text
15 b
malicious
3020
A.R
POST
404
77.221.146.5:80
http://splitbiin.co/liyoo/memz/fre.php
RU
binary
23 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3020
A.R
77.221.146.5:80
splitbiin.co
LeaseWeb Netherlands B.V.
RU
malicious

DNS requests

Domain
IP
Reputation
splitbiin.co
  • 77.221.146.5
malicious

Threats

PID
Process
Class
Message
3020
A.R
A Network Trojan was detected
ET TROJAN LokiBot User-Agent (Charon/Inferno)
3020
A.R
A Network Trojan was detected
ET TROJAN LokiBot Checkin
3020
A.R
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
3020
A.R
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
3020
A.R
A Network Trojan was detected
MALWARE [PTsecurity] Loki Bot Check-in M2
3020
A.R
A Network Trojan was detected
ET TROJAN LokiBot User-Agent (Charon/Inferno)
3020
A.R
A Network Trojan was detected
ET TROJAN LokiBot Checkin
3020
A.R
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
3020
A.R
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
3020
A.R
A Network Trojan was detected
MALWARE [PTsecurity] Loki Bot Check-in M2
3 ETPRO signatures available at the full report
No debug info