File name: cbe1be4dcff91641055021001104d28b01daec7a
Full analysis: https://app.any.run/tasks/ba3b9f52-60f0-4a3a-bb19-afbb349f8b7d
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: March 31, 2020, 09:18:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
loader
trojan
opendir
lokibot
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: admin, Last Saved By: User, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Dec 6 20:43:11 2018, Last Saved Time/Date: Tue Mar 31 00:19:09 2020, Security: 0
MD5: A998058805323BCD389A1E37F5B9138F
SHA1: CBE1BE4DCFF91641055021001104D28B01DAEC7A
SHA256: 322343F33B2F2550445DB3D6D73432A0665199392498566432F601E619233DB2
SSDEEP: 3072:9rxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAbf+FRg64N8lPTKM0Y9/3n5/hqc0JN3y:ZxEtjPOtioVjDGUU1qfDlavx+W2QnALJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Requests a remote executable file from MS Office
      • EXCEL.EXE (PID: 2896)
    • Changes the autorun value in the registry
      • VCQZP.exe (PID: 3424)
      • Elevte.exe (PID: 2668)
    • Unusual execution from Microsoft Office
      • EXCEL.EXE (PID: 2896)
    • Executable content was dropped or overwritten
      • EXCEL.EXE (PID: 2896)
    • Application was dropped or rewritten from another process
      • Elevte.exe (PID: 1812)
      • VCQZP.exe (PID: 3424)
      • VCQZP.exe (PID: 2232)
      • Elevte.exe (PID: 2668)
    • Downloads executable files from IP
      • EXCEL.EXE (PID: 2896)
    • Actions look like stealing of personal data
      • Elevte.exe (PID: 1812)
    • Connects to CnC server
      • Elevte.exe (PID: 1812)
    • LOKIBOT was detected
      • Elevte.exe (PID: 1812)
  • SUSPICIOUS
    • Unusual connect from Microsoft Office
      • EXCEL.EXE (PID: 2896)
    • Executable content was dropped or overwritten
      • VCQZP.exe (PID: 2232)
      • Elevte.exe (PID: 1812)
    • Application launched itself
      • VCQZP.exe (PID: 3424)
    • Starts itself from another location
      • VCQZP.exe (PID: 2232)
    • Reads Internet Cache Settings
      • Elevte.exe (PID: 1812)
    • Loads DLL from Mozilla Firefox
      • Elevte.exe (PID: 1812)
    • Creates files in the user directory
      • Elevte.exe (PID: 1812)
  • INFO
    • Reads Internet Cache Settings
      • EXCEL.EXE (PID: 2896)
    • Reads Microsoft Office registry keys
      • EXCEL.EXE (PID: 2896)
    • Creates files in the user directory
      • EXCEL.EXE (PID: 2896)
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (48)
.xls | Microsoft Excel sheet (alternate) (39.2)

EXIF

FlashPix

Author: admin
LastModifiedBy: User
Software: Microsoft Excel
CreateDate: 2018:12:06 20:43:11
ModifyDate: 2020:03:30 23:19:09
Security: None
CodePage: Windows Latin 1 (Western European)
AppVersion: 14
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts:
  • Sheet1
  • Sheet2
  • Sheet3
HeadingPairs:
  • Worksheets
  • 3
CompObjUserTypeLen: 31
CompObjUserType: Microsoft Excel 2003 Worksheet
No data.
Total processes: 40
Monitored processes: 5
Malicious processes: 5
Suspicious processes: 0

Behavior graph (process chain recovered from the graph labels):

excel.exe -> (drop and start) -> vcqzp.exe -> (start) -> vcqzp.exe -> (drop and start) -> elevte.exe -> elevte.exe #LOKIBOT

Process information

PID: 2896
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Version: 14.0.6024.1000

PID: 3424
CMD: C:\Users\admin\AppData\Roaming\VCQZP.exe
Path: C:\Users\admin\AppData\Roaming\VCQZP.exe
Parent process: EXCEL.EXE
User: admin
Company:
Integrity Level: MEDIUM
Exit code: 0
Version: 1.00.0009

PID: 2232
CMD: C:\Users\admin\AppData\Roaming\VCQZP.exe
Path: C:\Users\admin\AppData\Roaming\VCQZP.exe
Parent process: VCQZP.exe
User: admin
Company:
Integrity Level: MEDIUM
Exit code: 0
Version: 1.00.0009

PID: 2668
CMD: "C:\Users\admin\BATT\Elevte.exe"
Path: C:\Users\admin\BATT\Elevte.exe
Parent process: VCQZP.exe
User: admin
Company:
Integrity Level: MEDIUM
Exit code: 0
Version: 1.00.0009

PID: 1812
CMD: "C:\Users\admin\BATT\Elevte.exe"
Path: C:\Users\admin\BATT\Elevte.exe
Parent process: Elevte.exe
User: admin
Company:
Integrity Level: MEDIUM
Version: 1.00.0009
Total events: 873
Read events: 793
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 4
Suspicious files: 2
Text files: 4
Unknown types: 4

Dropped files

PID | Process | Filename | Type

2896 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR5DD8.tmp.cvr |
  MD5:
  SHA256:
1812 | Elevte.exe | C:\Users\admin\AppData\Roaming\F63AAA\A71D80.lck |
  MD5:
  SHA256:
1812 | Elevte.exe | C:\Users\admin\AppData\Roaming\F63AAA\A71D80.hdb | text
  MD5: 5302B1B5EC232D44E2D9507FB847FC49
  SHA256: 20B58A25872B1E3F7D47DAE0C090ACF229C49B6E33939934513499CC37BB2684
2896 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\salles[1].exe | executable
  MD5: 53A789EB057876B0F25F9ACE6578018B
  SHA256: 0DCE71CE0E840022044127BEDC710369F032A61E6CB7B237F2129C6AE08BE26B
2896 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\VCQZP.exe | executable
  MD5: 53A789EB057876B0F25F9ACE6578018B
  SHA256: 0DCE71CE0E840022044127BEDC710369F032A61E6CB7B237F2129C6AE08BE26B
3424 | VCQZP.exe | C:\Users\admin\AppData\Local\Temp\~DFEBCB39D83417245F.TMP | binary
  MD5: FFFCFD45DF64861B19B7B4AC305FBA4F
  SHA256: 9FEEFBE267982883127137E7FB3BE3C4B58FBDC4CB3EB155B8099490AEB1F5B5
2232 | VCQZP.exe | C:\Users\admin\BATT\Elevte.exe | executable
  MD5: 53A789EB057876B0F25F9ACE6578018B
  SHA256: 0DCE71CE0E840022044127BEDC710369F032A61E6CB7B237F2129C6AE08BE26B
2896 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\cbe1be4dcff91641055021001104d28b01daec7a.xls.LNK | lnk
  MD5: C258A53A8E413ACB36A2A3381B9995DC
  SHA256: 937F269F2DB080AF81B5B25D2D4F7CBAD43C33AFDA52C0E8BEE5EAF0B9FD7A8E
2668 | Elevte.exe | C:\Users\admin\AppData\Local\Temp\~DF533BE4FCC90A7365.TMP | binary
  MD5: FFFCFD45DF64861B19B7B4AC305FBA4F
  SHA256: 9FEEFBE267982883127137E7FB3BE3C4B58FBDC4CB3EB155B8099490AEB1F5B5
2232 | VCQZP.exe | C:\Users\admin\BATT\Elevte.vbs | text
  MD5: 9087E9864E1238D384D1D2C8E3515DD7
  SHA256: 5740193FB608C8AAE7035911E3E88B2EC2CBC263402D063E1AEB2443F6FD6DEA
HTTP(S) requests: 7
TCP/UDP connections: 7
DNS requests: 1
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

1812 | Elevte.exe | POST | | 192.3.202.210:80 | http://speedfolks.com.ng/lol/panel/five/fre.php | US | | | malicious
1812 | Elevte.exe | POST | | 192.3.202.210:80 | http://speedfolks.com.ng/lol/panel/five/fre.php | US | | | malicious
2896 | EXCEL.EXE | GET | 200 | 46.183.220.117:80 | http://46.183.220.117/salles.exe | LV | executable | 100 Kb | malicious
1812 | Elevte.exe | POST | | 192.3.202.210:80 | http://speedfolks.com.ng/lol/panel/five/fre.php | US | | | malicious
1812 | Elevte.exe | GET | 200 | 46.183.220.117:80 | http://46.183.220.117/buildna.bin | LV | binary | 104 Kb | malicious
1812 | Elevte.exe | POST | | 192.3.202.210:80 | http://speedfolks.com.ng/lol/panel/five/fre.php | US | | | malicious
1812 | Elevte.exe | POST | | 192.3.202.210:80 | http://speedfolks.com.ng/lol/panel/five/fre.php | US | | | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

1812 | Elevte.exe | 46.183.220.117:80 | | DataClub S.A. | LV | malicious
1812 | Elevte.exe | 192.3.202.210:80 | speedfolks.com.ng | ColoCrossing | US | malicious
2896 | EXCEL.EXE | 46.183.220.117:80 | | DataClub S.A. | LV | malicious

DNS requests

Domain | IP | Reputation

speedfolks.com.ng | 192.3.202.210 | malicious

Threats

PID | Process | Class | Message

2896 | EXCEL.EXE | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host
2896 | EXCEL.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
1812 | Elevte.exe | A Network Trojan was detected | ET TROJAN Generic .bin download from Dotted Quad
1812 | Elevte.exe | A Network Trojan was detected | MALWARE [PTsecurity] EJNT_Loader
1812 | Elevte.exe | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno)
1812 | Elevte.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
1812 | Elevte.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
1812 | Elevte.exe | A Network Trojan was detected | ET TROJAN LokiBot Checkin
1812 | Elevte.exe | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2
1812 | Elevte.exe | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno)
5 ETPRO signatures available at the full report
No debug info