File name: Scan_11219.iso
Full analysis: https://app.any.run/tasks/1f4e5fdd-5fbf-4ce6-b37a-38a4864b885c
Verdict: Malicious activity
Threats:

LokiBot was developed in 2015 to steal credentials and other information from a wide range of applications. Despite its age, this malware is still popular among cybercriminals.

Analysis date: February 11, 2019, 04:51:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags: trojan, lokibot
Indicators:
MIME: application/x-iso9660-image
File info: ISO 9660 CD-ROM filesystem data 'Scan_11219'
MD5: B150F6B8F1ABC584997B658816C3FCD6
SHA1: DB841D5F2AEADFF5CBFCD93079D9AF9D3BC48BE2
SHA256: 48A6613747F853209778D2CCC8F131127B3040C0635264AEE0887AAE627CB8ED
SSDEEP: 24576:22uxYT4FYjuFjmXvnDi7/xaw6L8mn6gcst8rl4a+o:oqKpFjgvnOZaw6L8A6gcst8rlx+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is for the user's acknowledgement. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Scan_11219.com (PID: 2984)
      • Scan_11219.com (PID: 3020)
    • LokiBot was detected
      • Scan_11219.com (PID: 2984)
    • LOKIBOT was detected
      • Scan_11219.com (PID: 2984)
    • Connects to CnC server
      • Scan_11219.com (PID: 2984)
    • Actions look like stealing of personal data
      • Scan_11219.com (PID: 2984)
  • SUSPICIOUS
    • Starts application with an unusual extension
      • Scan_11219.com (PID: 3020)
      • 7zFM.exe (PID: 2076)
    • Executable content was dropped or overwritten
      • 7zFM.exe (PID: 2076)
      • Scan_11219.com (PID: 2984)
    • Creates files in the user directory
      • Scan_11219.com (PID: 2984)
    • Reads the machine GUID from the registry
      • explorer.exe (PID: 1848)
      • 7zFM.exe (PID: 2076)
    • Connects to server without host name
      • Scan_11219.com (PID: 2984)
    • Application launched itself
      • Scan_11219.com (PID: 3020)
  • INFO
    • Reads settings of System Certificates
      • explorer.exe (PID: 1848)
No Malware configuration.

TRiD

.iso | ISO 9660 CD image (27.6)
.atn | Photoshop Action (27.1)
.gmc | Game Music Creator Music (6.1)

EXIF

Composite
VolumeSize: 918 kB (459 blocks × 2048 bytes = 940032 bytes)

ISO
VolumeModifyDate: 2019:02:10 23:33:42.00+01:00
VolumeCreateDate: 2019:02:10 23:33:42.00+01:00
Software: PowerISO
RootDirectoryCreateDate: 2019:02:10 23:33:42+01:00
VolumeBlockSize: 2048
VolumeBlockCount: 459
VolumeName: Scan_11219
System: Win32
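The EXIF block above is ExifTool's reading of the ISO 9660 Primary Volume Descriptor, the 2048-byte sector at LBA 16: VolumeName and System are the volume and system identifiers, Software is the application identifier, the dates are the descriptor's creation/modification stamps (with a UTC offset stored in 15-minute steps), and VolumeSize is VolumeBlockCount × VolumeBlockSize. The following is an added example, not part of the report and not the real sample: it builds a constructed image carrying the same descriptor values and one file, then parses it back, including the root directory listing, so these fields can be pulled from a quarantined ISO without mounting it. Offsets follow the ISO 9660 layout; the image contents are invented for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

SECTOR = 2048  # logical block size of the image in the report

def _tz(b):
    # ISO 9660 stores the UTC offset as a signed count of 15-minute steps (+4 = +01:00)
    return timezone(timedelta(minutes=15 * (b - 256 if b > 127 else b)))

def parse_vd_datetime(raw):
    # 17-byte volume descriptor date: "YYYYMMDDHHMMSScc" (cc = centiseconds) + offset byte
    digits = raw[:16].decode("ascii", "replace")
    if digits.strip("0") == "":
        return None  # all zeros means "not set"
    dt = datetime.strptime(digits[:14], "%Y%m%d%H%M%S")
    return dt.replace(microsecond=int(digits[14:16]) * 10000, tzinfo=_tz(raw[16]))

def parse_dir_datetime(raw):
    # 7-byte directory record date: year-1900, month, day, hour, minute, second, offset
    y, mo, d, h, mi, s, tz = raw[:7]
    return datetime(1900 + y, mo, d, h, mi, s, tzinfo=_tz(tz))

def parse_dir_records(block):
    # Walk directory records; a zero length byte means "padding up to the next sector"
    entries, off = [], 0
    while off < len(block):
        length = block[off]
        if length == 0:
            off = (off // SECTOR + 1) * SECTOR
            continue
        rec = bytes(block[off:off + length])
        name = rec[33:33 + rec[32]]
        name = {b"\x00": ".", b"\x01": ".."}.get(name) or name.decode("ascii", "replace").split(";")[0]
        entries.append({"name": name, "is_dir": bool(rec[25] & 2),
                        "extent": struct.unpack_from("<I", rec, 2)[0],   # first LBA of the data
                        "size": struct.unpack_from("<I", rec, 10)[0],
                        "recorded": parse_dir_datetime(rec[18:25])})
        off += length
    return entries

def parse_iso(image):
    """Return the Primary Volume Descriptor fields ExifTool prints, plus the root directory listing."""
    pvd = bytes(image[16 * SECTOR:17 * SECTOR])
    if pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("no primary volume descriptor at LBA 16")
    block_size = struct.unpack_from("<H", pvd, 128)[0]
    block_count = struct.unpack_from("<I", pvd, 80)[0]
    root = parse_dir_records(pvd[156:190])[0]
    start = root["extent"] * block_size
    files = []
    for e in parse_dir_records(image[start:start + root["size"]]):
        if e["name"] in (".", "..") or e["is_dir"]:
            continue
        at = e["extent"] * block_size
        e["magic"] = bytes(image[at:at + 2])  # b"MZ" marks a PE whatever the extension claims
        files.append(e)
    return {"system": pvd[8:40].decode("ascii").strip(),
            "volume_name": pvd[40:72].decode("ascii").strip(),
            "software": pvd[574:702].decode("ascii").strip(),  # application identifier (PowerISO)
            "block_size": block_size, "block_count": block_count,
            "volume_size": block_size * block_count,
            "created": parse_vd_datetime(pvd[813:830]),
            "modified": parse_vd_datetime(pvd[830:847]),
            "root_created": root["recorded"], "files": files}

def _both(fmt, v):  # ISO 9660 "both byte orders" field: little-endian then big-endian
    return struct.pack("<" + fmt, v) + struct.pack(">" + fmt, v)

def _dir_record(name, extent, size, is_dir, when):
    body = (b"\x00" + _both("I", extent) + _both("I", size) + when
            + bytes([2 if is_dir else 0, 0, 0]) + _both("H", 1) + bytes([len(name)]) + name)
    if len(body) % 2 == 0:  # total record length (1 + body) must be even
        body += b"\x00"
    return bytes([1 + len(body)]) + body

def build_sample_iso():
    # Constructed image, not the real sample: a 459-block volume named Scan_11219 holding one
    # file, with the descriptor values the report shows (dates 2019-02-10 23:33:42 +01:00).
    when = bytes([119, 2, 10, 23, 33, 42, 4])
    stamp = b"2019021023334200" + bytes([4])
    root_lba, file_lba, file_size = 18, 19, 430 * SECTOR
    pvd = bytearray(SECTOR)
    pvd[0], pvd[1:6], pvd[6] = 1, b"CD001", 1
    pvd[8:40], pvd[40:72] = b"Win32".ljust(32), b"Scan_11219".ljust(32)
    pvd[80:88], pvd[128:132] = _both("I", 459), _both("H", SECTOR)
    pvd[120:124], pvd[124:128] = _both("H", 1), _both("H", 1)
    pvd[156:190] = _dir_record(b"\x00", root_lba, SECTOR, True, when)
    pvd[574:702] = b"PowerISO".ljust(128)
    pvd[813:830], pvd[830:847], pvd[881] = stamp, stamp, 1
    term = bytearray(SECTOR)
    term[0], term[1:6], term[6] = 255, b"CD001", 1  # volume descriptor set terminator
    root_dir = (_dir_record(b"\x00", root_lba, SECTOR, True, when)
                + _dir_record(b"\x01", root_lba, SECTOR, True, when)
                + _dir_record(b"SCAN_11219.COM;1", file_lba, file_size, False, when))
    image = bytearray(459 * SECTOR)
    image[16 * SECTOR:17 * SECTOR], image[17 * SECTOR:18 * SECTOR] = pvd, term
    image[root_lba * SECTOR:root_lba * SECTOR + len(root_dir)] = root_dir
    image[file_lba * SECTOR:file_lba * SECTOR + 2] = b"MZ"  # a PE hiding behind ".com"
    return bytes(image)
```

Reading the descriptor and directory records never mounts the image, which matters because native ISO mounting (Windows 8 and later) is what this kind of lure counts on; on the Windows 7 guest here the user opened the file in 7-Zip instead. The magic field exposes MZ data behind a .com name. Level-1 names are upper-case 8.3 with a ;1 version suffix; an image written with Joliet also carries a supplementary volume descriptor holding the mixed-case name, which this parser does not read.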
Total processes: 36
Monitored processes: 4
Malicious processes: 4
Suspicious processes: 0

Behavior graph

explorer.exe (PID 1848)
  └─ 7zFM.exe (PID 2076)
       └─ drop and start → Scan_11219.com (PID 3020, no specs)
            └─ start → Scan_11219.com (PID 2984, #LOKIBOT)

Process information

PID | CMD | Path | Parent process
2076 | "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\admin\Desktop\Scan_11219.iso" | C:\Program Files\7-Zip\7zFM.exe | explorer.exe
  User: admin; Company: Igor Pavlov; Integrity Level: MEDIUM; Description: 7-Zip File Manager; Version: 18.01
3020 | "C:\Users\admin\AppData\Local\Temp\7zOC186152C\Scan_11219.com" | C:\Users\admin\AppData\Local\Temp\7zOC186152C\Scan_11219.com | 7zFM.exe
  User: admin; Company: DISTRIBUTES4; Integrity Level: MEDIUM; Version: 3.02.0008
2984 | C:\Users\admin\AppData\Local\Temp\7zOC186152C\Scan_11219.com" | C:\Users\admin\AppData\Local\Temp\7zOC186152C\Scan_11219.com | Scan_11219.com
  User: admin; Company: DISTRIBUTES4; Integrity Level: MEDIUM; Version: 3.02.0008
1848 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe |
  User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 2 299
Read events: 2 258
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 4
Suspicious files: 2
Text files: 1
Unknown types: 6

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
1848 | explorer.exe | C:\Users\admin\AppData\Local\Temp\Cab3B0D.tmp | | |
1848 | explorer.exe | C:\Users\admin\AppData\Local\Temp\Tar3B0E.tmp | | |
2984 | Scan_11219.com | C:\Users\admin\AppData\Roaming\03B51E\EE03AE.lck | | |
2984 | Scan_11219.com | C:\Users\admin\AppData\Roaming\03B51E\EE03AE.hdb | text | 2DBD505943C0CB1C3F33EAAA80E1501F | 853D72CF4010CAF259D21BDE8AA766C32121702758C8DAAAF90FEB9C66555C6C
1848 | explorer.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | binary | F648EA27F9C3C6D5EE209E0531222B13 | FED94B5FBCF44772A7DC1F0E372C794E5D738A8A7D6F64D8335601D769764178
1848 | explorer.exe | C:\Users\admin\Desktop\Scan_11219.com | executable | A81FCDC59D744166B07A357B7C9C7974 | 1FE402D7A511F1C7103D3A1778ED00DB08F52ED67748907937EE9A0706751363
2076 | 7zFM.exe | C:\Users\admin\AppData\Local\Temp\7zOC186152C\Scan_11219.com | executable | A81FCDC59D744166B07A357B7C9C7974 | 1FE402D7A511F1C7103D3A1778ED00DB08F52ED67748907937EE9A0706751363
2076 | 7zFM.exe | C:\Users\admin\AppData\Local\Temp\7zEC187323C\Scan_11219.com | executable | A81FCDC59D744166B07A357B7C9C7974 | 1FE402D7A511F1C7103D3A1778ED00DB08F52ED67748907937EE9A0706751363
2984 | Scan_11219.com | C:\Users\admin\AppData\Roaming\03B51E\EE03AE.exe | executable | A81FCDC59D744166B07A357B7C9C7974 | 1FE402D7A511F1C7103D3A1778ED00DB08F52ED67748907937EE9A0706751363
1848 | explorer.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | compressed | BB377DF27A55C05BB3793CD1E125C869 | 3C4EC495F17D21CC236BC7238BC02728BD945C07157FBF875CAC340269AFC207

The SHA256 1FE402D7… appears under four paths: the two 7-Zip extraction copies, the copy on the Desktop, and EE03AE.exe under %APPDATA%\Roaming\03B51E, which PID 2984 (the payload itself) wrote. The payload therefore stages an unchanged copy of itself under a random-looking folder name rather than dropping a separate second stage; the .lck and .hdb files beside it are its own working files.
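The process table and the dropped files list describe one chain: explorer.exe opens the ISO with 7zFM.exe, 7-Zip extracts Scan_11219.com to its %TEMP%\7zO… folder and starts it (PID 3020), that instance starts a second copy of itself (PID 2984), and the second copy writes the same bytes (same SHA256) to %APPDATA%\Roaming\03B51E\EE03AE.exe. The following is an added example, not the sandbox's code, that turns the checks behind the "unusual extension", "launched itself" and "executable content was dropped" signatures into rules over constructed process and file-write events modelled on this report; the event field names and the ARCHIVE_TOOLS list are assumptions.

```python
import re
from collections import defaultdict

# Constructed events modelled on the process tree and dropped-file table in this report.
# The field names are assumptions for the example, not the sandbox's export format.
PROCESSES = [
    {"pid": 1848, "ppid": None, "image": r"C:\Windows\explorer.exe"},
    {"pid": 2076, "ppid": 1848, "image": r"C:\Program Files\7-Zip\7zFM.exe"},
    {"pid": 3020, "ppid": 2076, "image": r"C:\Users\admin\AppData\Local\Temp\7zOC186152C\Scan_11219.com"},
    {"pid": 2984, "ppid": 3020, "image": r"C:\Users\admin\AppData\Local\Temp\7zOC186152C\Scan_11219.com"},
]
PAYLOAD = "1FE402D7A511F1C7103D3A1778ED00DB08F52ED67748907937EE9A0706751363"
FILE_WRITES = [
    {"pid": 2076, "path": r"C:\Users\admin\AppData\Local\Temp\7zOC186152C\Scan_11219.com", "sha256": PAYLOAD},
    {"pid": 2984, "path": r"C:\Users\admin\AppData\Roaming\03B51E\EE03AE.exe", "sha256": PAYLOAD},
    {"pid": 2984, "path": r"C:\Users\admin\AppData\Roaming\03B51E\EE03AE.hdb",
     "sha256": "853D72CF4010CAF259D21BDE8AA766C32121702758C8DAAAF90FEB9C66555C6C"},
]

# PE-executable extensions that legitimate user-launched programs rarely carry
ODD_EXT = (".com", ".scr", ".pif", ".cpl")
# 7-Zip extracts to %TEMP%\7zO<hex>\ (open) or 7zE<hex>\ (edit); both folders appear in the report
ARCHIVE_TEMP = re.compile(r"\\AppData\\Local\\Temp\\7z[OE][0-9A-F]+\\", re.I)
# <hex6>\<hex6>.exe under Roaming is the layout of the copy the payload wrote in this run
ROAMING_COPY = re.compile(r"\\AppData\\Roaming\\[0-9A-F]{6}\\[0-9A-F]{6}\.exe$", re.I)
ARCHIVE_TOOLS = {"7zfm.exe", "7zg.exe", "7z.exe", "winrar.exe", "explorer.exe"}  # assumed list


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(processes, file_writes):
    """Return (rule, pid, detail) tuples mirroring the report's SUSPICIOUS signatures."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for p in processes:
        parent = by_pid.get(p["ppid"])
        parent_name = basename(parent["image"]) if parent else None
        if p["image"].lower().endswith(ODD_EXT):
            findings.append(("unusual_extension", p["pid"], parent_name))
        if parent_name in ARCHIVE_TOOLS and ARCHIVE_TEMP.search(p["image"]):
            findings.append(("run_straight_from_archive", p["pid"], parent_name))
        if parent and parent["image"].lower() == p["image"].lower():
            findings.append(("self_launch", p["pid"], p["ppid"]))
    by_hash = defaultdict(list)
    for w in file_writes:
        by_hash[w["sha256"]].append(w["path"])
    for w in file_writes:
        # the same bytes written again under a random name in %APPDATA%: the payload staging itself
        if ROAMING_COPY.search(w["path"]) and len(by_hash[w["sha256"]]) > 1:
            findings.append(("payload_copied_to_roaming", w["pid"], w["path"]))
    return findings


def chain(processes, pid):
    """Render a pid's ancestry the way the behaviour graph shows it."""
    by_pid = {p["pid"]: p for p in processes}
    names = []
    while pid in by_pid:
        names.append(f"{basename(by_pid[pid]['image'])} ({pid})")
        pid = by_pid[pid]["ppid"]
    return " -> ".join(reversed(names))
```

On a real fleet the same rules run over Sysmon event 1 (process create) and event 11 (file create) records. The 7zO/7zE temp-folder pattern is specific to 7-Zip; add the equivalent patterns for other archivers, and for the mounted-drive path on hosts that mount ISOs natively, or the first rule will miss the same lure opened a different way.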
HTTP(S) requests: 5
TCP/UDP connections: 5
DNS requests: 1
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2984 | Scan_11219.com | POST | 404 | 81.92.202.196:80 | http://81.92.202.196/hook/logs/fre.php | GB | text | 15 b | malicious
1848 | explorer.exe | GET | 200 | 2.16.186.25:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e55f23ffb9c435b3 | unknown | compressed | 55.2 Kb | whitelisted
2984 | Scan_11219.com | POST | 404 | 81.92.202.196:80 | http://81.92.202.196/hook/logs/fre.php | GB | binary | 23 b | malicious
2984 | Scan_11219.com | POST | 404 | 81.92.202.196:80 | http://81.92.202.196/hook/logs/fre.php | GB | binary | 23 b | malicious
2984 | Scan_11219.com | POST | 404 | 81.92.202.196:80 | http://81.92.202.196/hook/logs/fre.php | GB | text | 15 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1848 | explorer.exe | 2.16.186.25:80 | ctldl.windowsupdate.com | Akamai International B.V. | | whitelisted
2984 | Scan_11219.com | 81.92.202.196:80 | | Venus Business Communications Limited | GB | malicious

DNS requests

Domain | IP | Reputation
ctldl.windowsupdate.com | 2.16.186.25, 2.16.186.33 | whitelisted

Threats

PID | Process | Class | Message
2984 | Scan_11219.com | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno)
2984 | Scan_11219.com | A Network Trojan was detected | ET TROJAN LokiBot Checkin
2984 | Scan_11219.com | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
2984 | Scan_11219.com | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
2984 | Scan_11219.com | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2
2984 | Scan_11219.com | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno)
2984 | Scan_11219.com | A Network Trojan was detected | ET TROJAN LokiBot Checkin
2984 | Scan_11219.com | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
2984 | Scan_11219.com | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
2984 | Scan_11219.com | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2
4 ETPRO signatures available at the full report
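The HTTP table shows the payload POSTing four times to http://81.92.202.196/hook/logs/fre.php, addressed by bare IP (which is why the run contains a single DNS request, for windowsupdate.com, and why the "Connects to server without host name" signature fires), and every IDS alert in the Threats table is raised on those requests. The following is an added example, not the sandbox's code, that applies the same observations as rules over constructed transaction records modelled on this table. The report prints no request headers, so the User-Agent value, which the ET "Charon/Inferno" rule name refers to, is an assumption here.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Header the ET "LokiBot User-Agent (Charon/Inferno)" rule name refers to. The report prints no
# request headers, so this value is an assumption for the example.
LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"

# Constructed transactions modelled on the HTTP requests table in this report; the UA column is assumed.
REQUESTS = [
    {"pid": 2984, "method": "POST", "status": 404, "ua": LOKIBOT_UA,
     "url": "http://81.92.202.196/hook/logs/fre.php"},
    {"pid": 1848, "method": "GET", "status": 200, "ua": "Microsoft-CryptoAPI/6.1",
     "url": "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e55f23ffb9c435b3"},
    {"pid": 2984, "method": "POST", "status": 404, "ua": LOKIBOT_UA,
     "url": "http://81.92.202.196/hook/logs/fre.php"},
    {"pid": 2984, "method": "POST", "status": 404, "ua": LOKIBOT_UA,
     "url": "http://81.92.202.196/hook/logs/fre.php"},
    {"pid": 2984, "method": "POST", "status": 404, "ua": LOKIBOT_UA,
     "url": "http://81.92.202.196/hook/logs/fre.php"},
]
# The only name the guest resolved (DNS requests table); the C2 was addressed by raw IP.
RESOLVED = {"ctldl.windowsupdate.com"}


def is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(requests, resolved):
    """Return (flagged requests, POST count per (pid, host)) for the checks behind the verdicts above."""
    flagged, beacons = [], Counter()
    for r in requests:
        u = urlsplit(r["url"])
        reasons = []
        if is_bare_ip(u.hostname) and u.hostname not in resolved:
            reasons.append("connects_without_hostname")   # "Connects to server without host name"
        if "Charon" in r["ua"] and "Inferno" in r["ua"]:
            reasons.append("lokibot_user_agent")
        if r["method"] == "POST" and u.path.endswith("/fre.php"):
            reasons.append("lokibot_gate_path")           # the panel gate path seen in this run
        if reasons:
            flagged.append({"pid": r["pid"], "host": u.hostname, "status": r["status"], "reasons": reasons})
            if r["method"] == "POST":
                beacons[(r["pid"], u.hostname)] += 1
    return flagged, beacons


def repeated_checkins(beacons, threshold=3):
    """(pid, host) pairs that kept posting regardless of the answers: a check-in loop, not a one-off."""
    return {k: n for k, n in beacons.items() if n >= threshold}
```

All four requests were answered 404 and every check still fires: these rules, like the ET signatures, match on what the client sent, and the request bodies had already left the host before the 404 came back. A dead or hidden panel therefore does not make the traffic benign; a host showing this pattern should be treated as compromised and the credentials LokiBot harvests (browser, mail and FTP client stores) rotated.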
No debug info