analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

PARTE DE CUMPLIMIENTO PLAN 5-5-22.xlsx

Full analysis: https://app.any.run/tasks/9b626965-4027-4e7f-9527-0838a7c5ff7b
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: May 20, 2022, 15:50:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
encrypted
opendir
exploit
CVE-2017-11882
loader
trojan
lokibot
stealer
Indicators:
MIME: application/encrypted
File info: CDFV2 Encrypted
MD5:

AD252501044EA45E9C23DE6F457CC3CA

SHA1:

5454897F31EA61FFB03A631E56AD1840B143F66B

SHA256:

348302549C6A9C7B823E89E164C3B115FEEF206257E5EB8D5743C58AD2C5A31A

SSDEEP:

6144:l5xXljJndLtB/IZTb89GRogKEplF/9xlYGxazXuAgkkO:NXljpdL/I9Rogp/YGxJA4O

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 268)

    • Drops executable file immediately after starts

      • EQNEDT32.EXE (PID: 268)
      • vbc.exe (PID: 3664)

    • Application was dropped or rewritten from another process

      • vbc.exe (PID: 3664)
      • vbc.exe (PID: 2364)
      • vbc.exe (PID: 3164)

    • Connects to CnC server

      • vbc.exe (PID: 3664)

    • LOKIBOT was detected

      • vbc.exe (PID: 3664)

    • Steals credentials from Web Browsers

      • vbc.exe (PID: 3664)

    • LOKIBOT detected by memory dumps

      • vbc.exe (PID: 3664)

    • Actions looks like stealing of personal data

      • vbc.exe (PID: 3664)

  • SUSPICIOUS

    • Checks supported languages

      • EQNEDT32.EXE (PID: 268)
      • vbc.exe (PID: 2364)
      • vbc.exe (PID: 3664)

    • Executed via COM

      • EQNEDT32.EXE (PID: 268)

    • Reads the computer name

      • EQNEDT32.EXE (PID: 268)
      • vbc.exe (PID: 2364)
      • vbc.exe (PID: 3664)

    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 268)
      • vbc.exe (PID: 3664)

    • Drops a file with a compile date too recent

      • EQNEDT32.EXE (PID: 268)
      • vbc.exe (PID: 3664)

    • Application launched itself

      • vbc.exe (PID: 2364)

    • Creates files in the user directory

      • vbc.exe (PID: 3664)

    • Loads DLL from Mozilla Firefox

      • vbc.exe (PID: 3664)

  • INFO

    • Reads the computer name

      • EXCEL.EXE (PID: 2940)

    • Checks supported languages

      • EXCEL.EXE (PID: 2940)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2940)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

LokiBot

(PID) Process(3664) vbc.exe
Decoys (4)kbfvzoboss.bid/alien/fre.php
alphastand.trade/alien/fre.php
alphastand.win/alien/fre.php
alphastand.top/alien/fre.php
C2http://sempersim.su/gg2/fre.php
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start excel.exe no specs eqnedt32.exe vbc.exe no specs vbc.exe no specs #LOKIBOT vbc.exe

Process information

PID
CMD
Path
Indicators
Parent process
2940"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
268"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
2364"C:\Users\Public\vbc.exe" C:\Users\Public\vbc.exeEQNEDT32.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
Project 0
Exit code:
0
Version:
1.0.0.0
3164"C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exevbc.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Project 0
Exit code:
4294967295
Version:
1.0.0.0
3664"C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe
vbc.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Project 0
Version:
1.0.0.0
LokiBot
(PID) Process(3664) vbc.exe
Decoys (4)kbfvzoboss.bid/alien/fre.php
alphastand.trade/alien/fre.php
alphastand.win/alien/fre.php
alphastand.top/alien/fre.php
C2http://sempersim.su/gg2/fre.php
Total events
2 681
Read events
2 595
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
1
Text files
1
Unknown types
4

Dropped files

PID
Process
Filename
Type
2940EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRD20C.tmp.cvr
MD5:
SHA256:
268EQNEDT32.EXEC:\Users\Public\vbc.exeexecutable
MD5:4CDAF23ECD5A6A6AC3710F263395E9DC
SHA256:2D7121BE69E95A2ACC1014789A1C3C9C7FC00993331D02EB0AB0D54EE8D3B289
3664vbc.exeC:\Users\admin\AppData\Roaming\F63AAA\A71D80.exeexecutable
MD5:4CDAF23ECD5A6A6AC3710F263395E9DC
SHA256:2D7121BE69E95A2ACC1014789A1C3C9C7FC00993331D02EB0AB0D54EE8D3B289
268EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\vbc[1].exeexecutable
MD5:4CDAF23ECD5A6A6AC3710F263395E9DC
SHA256:2D7121BE69E95A2ACC1014789A1C3C9C7FC00993331D02EB0AB0D54EE8D3B289
2940EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5EC6C4A1.emfemf
MD5:894A796F9211E1080192AC72B6D54A9D
SHA256:8232CC0DF629D8D89A7155A1793B35D611073D60F2BEEC4BABBF78179978B71A
3664vbc.exeC:\Users\admin\AppData\Roaming\F63AAA\A71D80.lckbinary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
3664vbc.exeC:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2fabr
MD5:D898504A722BFF1524134C6AB6A5EAA5
SHA256:878F32F76B159494F5A39F9321616C6068CDB82E88DF89BCC739BBC1EA78E1F9
2940EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E8C4F20.emfemf
MD5:8E3A74F7AA420B02D34C69E625969C0A
SHA256:0CD83C55739629F98FE6AFD3E25A5BCBB346CBEF58BC592C1260E9F0FA8575A9
3664vbc.exeC:\Users\admin\AppData\Roaming\F63AAA\A71D80.hdbtext
MD5:F93EEDDC7806D631C5E35AD6C33EB8AB
SHA256:32BA3839E8045109C78A62AE312130ADE9C8DE6EBD98FDA5BF394327D7A6AB43
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
4
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
268
EQNEDT32.EXE
GET
200
185.29.8.61:80
http://185.29.8.61/0077/vbc.exe
SE
executable
646 Kb
suspicious
3664
vbc.exe
POST
404
45.10.245.123:80
http://sempersim.su/gg2/fre.php
unknown
text
15 b
malicious
3664
vbc.exe
POST
404
45.10.245.123:80
http://sempersim.su/gg2/fre.php
unknown
text
15 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
268
EQNEDT32.EXE
185.29.8.61:80
DataClub S.A.
SE
suspicious
45.10.245.123:80
sempersim.su
malicious
3664
vbc.exe
45.10.245.123:80
sempersim.su
malicious

DNS requests

Domain
IP
Reputation
sempersim.su
  • 45.10.245.123
malicious

Threats

PID
Process
Class
Message
268
EQNEDT32.EXE
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
268
EQNEDT32.EXE
Potentially Bad Traffic
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
268
EQNEDT32.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
268
EQNEDT32.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
268
EQNEDT32.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
268
EQNEDT32.EXE
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
Potentially Bad Traffic
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
3664
vbc.exe
A Network Trojan was detected
ET TROJAN LokiBot User-Agent (Charon/Inferno)
3664
vbc.exe
A Network Trojan was detected
ET TROJAN LokiBot Checkin
3664
vbc.exe
Potentially Bad Traffic
ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
PARTE DE CUMPLIMIENTO PLAN 5-5-22.xlsx