| Field | Value |
|---|---|
| File name | Scan_11219.iso |
| Full analysis | https://app.any.run/tasks/1f4e5fdd-5fbf-4ce6-b37a-38a4864b885c |
| Verdict | Malicious activity |
| Threats | LokiBot was developed in 2015 to steal information from a variety of applications. Despite its age, this malware is still popular among cybercriminals. |
| Analysis date | February 11, 2019, 04:51:00 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
| Tags | |
| Indicators | |
| MIME | application/x-iso9660-image |
| File info | ISO 9660 CD-ROM filesystem data 'Scan_11219' |
| MD5 | B150F6B8F1ABC584997B658816C3FCD6 |
| SHA1 | DB841D5F2AEADFF5CBFCD93079D9AF9D3BC48BE2 |
| SHA256 | 48A6613747F853209778D2CCC8F131127B3040C0635264AEE0887AAE627CB8ED |
| SSDEEP | 24576:22uxYT4FYjuFjmXvnDi7/xaw6L8mn6gcst8rl4a+o:oqKpFjgvnOZaw6L8A6gcst8rlx+ |
| Extension | TrID description | Match (%) |
|---|---|---|
| .iso | ISO 9660 CD image | 27.6 |
| .atn | Photoshop Action | 27.1 |
| .gmc | Game Music Creator Music | 6.1 |
| ExifTool field | Value |
|---|---|
| VolumeSize | 918 kB |
| VolumeModifyDate | 2019:02:10 23:33:42.00+01:00 |
| VolumeCreateDate | 2019:02:10 23:33:42.00+01:00 |
| Software | PowerISO |
| RootDirectoryCreateDate | 2019:02:10 23:33:42+01:00 |
| VolumeBlockSize | 2048 |
| VolumeBlockCount | 459 |
| VolumeName | Scan_11219 |
| System | Win32 |
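The volume metadata above (VolumeName, VolumeBlockSize, VolumeBlockCount, the PowerISO authoring tool) all lives in the ISO 9660 primary volume descriptor at sector 16, and the root directory it points to lists what the lure actually carries. The following is an added example, not ANY.RUN's code and not part of the report: a static triage script that reads those fields and lists root-directory files without mounting the image, flagging entries with a runnable extension or an `MZ` header. Because the real `Scan_11219.iso` is not on this page, `build_sample_iso()` constructs a stand-in image with a single `SCAN_11219.COM` file; the field offsets follow ECMA-119, and the mapping of ExifTool's `Software` tag to the application identifier field is an assumption.

```python
"""Triage an ISO 9660 image without mounting it (added example, constructed data)."""
import struct

SECTOR = 2048
PVD_LBA = 16  # primary volume descriptor is always at logical sector 16
# Extensions Windows runs on double-click; the lure in the report used .com
RUNNABLE = {"COM", "EXE", "SCR", "PIF", "BAT", "CMD", "LNK", "JS", "JSE",
            "VBS", "VBE", "WSF", "HTA", "DLL", "MSI"}


def _text(raw):
    return raw.decode("ascii", "replace").strip()


def parse_pvd(image):
    """Fields ExifTool reports as VolumeName / VolumeBlockCount / Software etc."""
    pvd = image[PVD_LBA * SECTOR:(PVD_LBA + 1) * SECTOR]
    if len(pvd) < SECTOR or pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("no primary volume descriptor at sector 16")
    return {
        "system_id": _text(pvd[8:40]),
        "volume_id": _text(pvd[40:72]),
        # both-endian fields: read the little-endian half
        "block_count": struct.unpack_from("<I", pvd, 80)[0],
        "block_size": struct.unpack_from("<H", pvd, 128)[0],
        "application_id": _text(pvd[574:702]),  # authoring tool (assumed = ExifTool 'Software')
        "root_extent": struct.unpack_from("<I", pvd, 156 + 2)[0],
        "root_size": struct.unpack_from("<I", pvd, 156 + 10)[0],
    }


def list_root(image, pvd):
    """Walk the directory records of the root directory (ECMA-119 section 9.1)."""
    start = pvd["root_extent"] * SECTOR
    data = image[start:start + pvd["root_size"]]
    entries, off = [], 0
    while off < len(data):
        rec_len = data[off]
        if rec_len == 0:  # zero padding: records never cross a sector boundary
            off = (off // SECTOR + 1) * SECTOR
            continue
        rec = data[off:off + rec_len]
        name = rec[33:33 + rec[32]]
        if name not in (b"\x00", b"\x01"):  # skip the '.' and '..' records
            entries.append({
                "name": _text(name).split(";")[0],  # drop the ';1' version suffix
                "extent": struct.unpack_from("<I", rec, 2)[0],
                "size": struct.unpack_from("<I", rec, 10)[0],
                "is_dir": bool(rec[25] & 0x02),
            })
        off += rec_len
    return entries


def triage(image):
    """Return (pvd fields, root files annotated with executable indicators)."""
    pvd = parse_pvd(image)
    findings = []
    for e in list_root(image, pvd):
        if e["is_dir"]:
            continue
        head = image[e["extent"] * SECTOR:e["extent"] * SECTOR + 2]
        ext = e["name"].rsplit(".", 1)[-1].upper() if "." in e["name"] else ""
        findings.append({**e, "is_pe": head == b"MZ", "runnable_ext": ext in RUNNABLE})
    return pvd, findings


def _both(le, be, value):
    return struct.pack(le, value) + struct.pack(be, value)


def _dir_record(name, extent, size, flags):
    rec = bytearray(33 + len(name))
    rec[2:10] = _both("<I", ">I", extent)
    rec[10:18] = _both("<I", ">I", size)
    rec[25] = flags
    rec[28:32] = _both("<H", ">H", 1)
    rec[32] = len(name)
    rec[33:] = name
    if len(rec) % 2:
        rec.append(0)  # records are padded to an even length
    rec[0] = len(rec)
    return bytes(rec)


def build_sample_iso():
    """Constructed stand-in for Scan_11219.iso: one PE-looking .com in the root."""
    payload = b"MZ" + b"\x00" * 510  # only the DOS magic matters for this demo
    root = (_dir_record(b"\x00", 18, SECTOR, 2) + _dir_record(b"\x01", 18, SECTOR, 2)
            + _dir_record(b"SCAN_11219.COM;1", 19, len(payload), 0))
    pvd = bytearray(SECTOR)
    pvd[0] = 1; pvd[1:6] = b"CD001"; pvd[6] = 1
    pvd[8:40] = b"Win32".ljust(32)
    pvd[40:72] = b"Scan_11219".ljust(32)
    pvd[80:88] = _both("<I", ">I", 20)  # 20 sectors in the constructed image
    pvd[120:128] = _both("<H", ">H", 1) + _both("<H", ">H", 1)
    pvd[128:132] = _both("<H", ">H", SECTOR)
    pvd[156:190] = _dir_record(b"\x00", 18, SECTOR, 2)
    pvd[574:702] = b"PowerISO".ljust(128)
    term = bytearray(SECTOR); term[0] = 255; term[1:6] = b"CD001"; term[6] = 1
    return bytes(bytearray(SECTOR * 16) + pvd + term
                 + root.ljust(SECTOR, b"\x00") + payload.ljust(SECTOR, b"\x00"))


if __name__ == "__main__":
    info, files = triage(build_sample_iso())
    print(info["volume_id"], info["application_id"], info["block_count"])
    for f in files:
        print(f["name"], f["size"], "PE" if f["is_pe"] else "-", "runnable" if f["runnable_ext"] else "-")
```

Swap `build_sample_iso()` for `open(path, "rb").read()` to run it against a real attachment; a single runnable file named like a scanned document, in an image authored with a consumer tool, is the whole lure pattern this report shows.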
| PID | CMD | Path | Indicators | Parent process | User / Company / Integrity / Version |
|---|---|---|---|---|---|
| 2076 | "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\admin\Desktop\Scan_11219.iso" | C:\Program Files\7-Zip\7zFM.exe | — | explorer.exe | User: admin; Company: Igor Pavlov; Integrity Level: MEDIUM; Description: 7-Zip File Manager; Version: 18.01 |
| 3020 | "C:\Users\admin\AppData\Local\Temp\7zOC186152C\Scan_11219.com" | C:\Users\admin\AppData\Local\Temp\7zOC186152C\Scan_11219.com | — | 7zFM.exe | User: admin; Company: DISTRIBUTES4; Integrity Level: MEDIUM; Version: 3.02.0008 |
| 2984 | C:\Users\admin\AppData\Local\Temp\7zOC186152C\Scan_11219.com" | C:\Users\admin\AppData\Local\Temp\7zOC186152C\Scan_11219.com | — | Scan_11219.com | User: admin; Company: DISTRIBUTES4; Integrity Level: MEDIUM; Version: 3.02.0008 |
| 1848 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | — | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 1848 | explorer.exe | C:\Users\admin\AppData\Local\Temp\Cab3B0D.tmp | — | — | — |
| 1848 | explorer.exe | C:\Users\admin\AppData\Local\Temp\Tar3B0E.tmp | — | — | — |
| 2984 | Scan_11219.com | C:\Users\admin\AppData\Roaming\03B51E\EE03AE.lck | — | — | — |
| 2984 | Scan_11219.com | C:\Users\admin\AppData\Roaming\03B51E\EE03AE.hdb | text | 2DBD505943C0CB1C3F33EAAA80E1501F | 853D72CF4010CAF259D21BDE8AA766C32121702758C8DAAAF90FEB9C66555C6C |
| 1848 | explorer.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | binary | F648EA27F9C3C6D5EE209E0531222B13 | FED94B5FBCF44772A7DC1F0E372C794E5D738A8A7D6F64D8335601D769764178 |
| 1848 | explorer.exe | C:\Users\admin\Desktop\Scan_11219.com | executable | A81FCDC59D744166B07A357B7C9C7974 | 1FE402D7A511F1C7103D3A1778ED00DB08F52ED67748907937EE9A0706751363 |
| 2076 | 7zFM.exe | C:\Users\admin\AppData\Local\Temp\7zOC186152C\Scan_11219.com | executable | A81FCDC59D744166B07A357B7C9C7974 | 1FE402D7A511F1C7103D3A1778ED00DB08F52ED67748907937EE9A0706751363 |
| 2076 | 7zFM.exe | C:\Users\admin\AppData\Local\Temp\7zEC187323C\Scan_11219.com | executable | A81FCDC59D744166B07A357B7C9C7974 | 1FE402D7A511F1C7103D3A1778ED00DB08F52ED67748907937EE9A0706751363 |
| 2984 | Scan_11219.com | C:\Users\admin\AppData\Roaming\03B51E\EE03AE.exe | executable | A81FCDC59D744166B07A357B7C9C7974 | 1FE402D7A511F1C7103D3A1778ED00DB08F52ED67748907937EE9A0706751363 |
| 1848 | explorer.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | compressed | BB377DF27A55C05BB3793CD1E125C869 | 3C4EC495F17D21CC236BC7238BC02728BD945C07157FBF875CAC340269AFC207 |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2984 | Scan_11219.com | POST | 404 | 81.92.202.196:80 | http://81.92.202.196/hook/logs/fre.php | GB | text | 15 b | malicious |
1848 | explorer.exe | GET | 200 | 2.16.186.25:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e55f23ffb9c435b3 | unknown | compressed | 55.2 Kb | whitelisted |
2984 | Scan_11219.com | POST | 404 | 81.92.202.196:80 | http://81.92.202.196/hook/logs/fre.php | GB | binary | 23 b | malicious |
2984 | Scan_11219.com | POST | 404 | 81.92.202.196:80 | http://81.92.202.196/hook/logs/fre.php | GB | binary | 23 b | malicious |
2984 | Scan_11219.com | POST | 404 | 81.92.202.196:80 | http://81.92.202.196/hook/logs/fre.php | GB | text | 15 b | malicious |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1848 | explorer.exe | 2.16.186.25:80 | ctldl.windowsupdate.com | Akamai International B.V. | — | whitelisted |
2984 | Scan_11219.com | 81.92.202.196:80 | — | Venus Business Communications Limited | GB | malicious |
| Domain | IP | Reputation |
|---|---|---|
| ctldl.windowsupdate.com | 2.16.186.25 | whitelisted |
| PID | Process | Class | Message |
|---|---|---|---|
2984 | Scan_11219.com | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno) |
2984 | Scan_11219.com | A Network Trojan was detected | ET TROJAN LokiBot Checkin |
2984 | Scan_11219.com | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 |
2984 | Scan_11219.com | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 |
2984 | Scan_11219.com | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2 |
2984 | Scan_11219.com | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno) |
2984 | Scan_11219.com | A Network Trojan was detected | ET TROJAN LokiBot Checkin |
2984 | Scan_11219.com | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 |
2984 | Scan_11219.com | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 |
2984 | Scan_11219.com | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2 |
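The process, file and network tables above together describe one chain: 7-Zip opens the ISO and drops `Scan_11219.com` into a `7zO…` temp folder, the dropped binary launches a second copy of itself, that copy writes `%APPDATA%\03B51E\EE03AE.{exe,lck,hdb}` and POSTs to `http://81.92.202.196/hook/logs/fre.php`, where the ET rules fire on the LokiBot User-Agent and check-in. The following is an added example, not ANY.RUN's code, showing how those observations translate into hunting logic over endpoint telemetry. The event records are constructed to mirror this report plus two benign events; the event schema (`type`, `pid`, `image`, `parent_image`, `path`, `url`, `user_agent`, `status`) is an assumption, the `/fre.php` path and `%APPDATA%\<6 hex>\<6 hex>` drop pattern are generalised from the single sample above, and the exact User-Agent string `Mozilla/4.08 (Charon; Inferno)` comes from public LokiBot reporting rather than from this page.

```python
"""Hunt for the LokiBot chain recorded in the report (added example, constructed events)."""
import re
from collections import defaultdict
from urllib.parse import urlparse

LOKI_UA = "Mozilla/4.08 (Charon; Inferno)"  # assumed from public LokiBot reporting
FRE_PHP = re.compile(r"/fre\.php$", re.I)    # panel gate seen in the report
# %APPDATA%\03B51E\EE03AE.exe|.lck|.hdb generalised to six hex chars each (assumption)
DROP_PATH = re.compile(r"\\AppData\\Roaming\\[0-9A-F]{6}\\[0-9A-F]{6}\.(exe|lck|hdb)$", re.I)
# 7-Zip File Manager extracts double-clicked archive members under %TEMP%\7zO<hex>\
SEVENZIP_TMP = re.compile(r"\\AppData\\Local\\Temp\\7z[A-Z0-9]+\\[^\\]+\.(com|exe|scr|pif)$", re.I)
BARE_IP = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}


def check_process(ev):
    hits = []
    if SEVENZIP_TMP.search(ev["image"]) and ev["parent_image"].lower().endswith("\\7zfm.exe"):
        hits.append("runnable file executed straight from a 7-Zip temp extraction folder")
    if ev["image"].lower() == ev["parent_image"].lower():
        hits.append("process re-launched its own image (3020 -> 2984 in the report)")
    return hits


def check_file(ev):
    return ["LokiBot-style %APPDATA%\\<hex6>\\<hex6> drop"] if DROP_PATH.search(ev["path"]) else []


def check_http(ev):
    hits = []
    url = urlparse(ev["url"])
    if ev["method"] == "POST" and FRE_PHP.search(url.path):
        hits.append("POST to LokiBot panel gate (/fre.php)")
    if ev.get("user_agent") == LOKI_UA:
        hits.append("LokiBot User-Agent (Charon/Inferno)")
    if (ev["method"] == "POST" and BARE_IP.match(url.hostname or "")
            and ev["process"].lower() not in BROWSERS):
        hits.append("non-browser process POSTing to a bare IP address")
    return hits


CHECKS = {"process": check_process, "file": check_file, "http": check_http}


def hunt(events):
    """Map PID -> list of indicator hits across all event types."""
    hits = defaultdict(list)
    for ev in events:
        for h in CHECKS[ev["type"]](ev):
            hits[ev["pid"]].append(h)
    return dict(hits)


def verdict(events, min_hits=3):
    """PIDs with enough independent hits to escalate (one weak hit alone does not)."""
    return sorted(pid for pid, h in hunt(events).items() if len(h) >= min_hits)


# Constructed telemetry mirroring the report's process/file/HTTP tables, plus two benign events.
SEVENZIP = r"C:\Program Files\7-Zip\7zFM.exe"
DROPPED = r"C:\Users\admin\AppData\Local\Temp\7zOC186152C\Scan_11219.com"
EVENTS = [
    {"type": "process", "pid": 2076, "image": SEVENZIP, "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 3020, "image": DROPPED, "parent_image": SEVENZIP},
    {"type": "process", "pid": 2984, "image": DROPPED, "parent_image": DROPPED},
    {"type": "file", "pid": 2984, "path": r"C:\Users\admin\AppData\Roaming\03B51E\EE03AE.exe"},
    {"type": "file", "pid": 2984, "path": r"C:\Users\admin\AppData\Roaming\03B51E\EE03AE.hdb"},
    {"type": "file", "pid": 1848, "path": r"C:\Users\admin\AppData\Local\Temp\Cab3B0D.tmp"},
    {"type": "http", "pid": 2984, "process": "Scan_11219.com", "method": "POST",
     "url": "http://81.92.202.196/hook/logs/fre.php", "status": 404, "user_agent": LOKI_UA},
    {"type": "http", "pid": 1848, "process": "explorer.exe", "method": "GET",
     "url": "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
     "status": 200, "user_agent": "Microsoft-CryptoAPI/6.1"},
    {"type": "http", "pid": 4100, "process": "chrome.exe", "method": "POST",
     "url": "https://203.0.113.10/api/upload", "status": 200, "user_agent": "Mozilla/5.0"},
]

if __name__ == "__main__":
    for pid, reasons in sorted(hunt(EVENTS).items()):
        print(pid, *reasons, sep="\n  ")
    print("escalate:", verdict(EVENTS))
```

The 7-Zip-temp and self-relaunch checks are weak on their own (installers and updaters do both), which is why `verdict()` only escalates a PID once several independent indicators line up; the second copy of `Scan_11219.com` is the one that both drops the `%APPDATA%` files and talks to the panel, so it is the PID that crosses the threshold.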