File name:

Scan_11219.iso

Full analysis: https://app.any.run/tasks/1f4e5fdd-5fbf-4ce6-b37a-38a4864b885c
Verdict: Malicious activity
Threats:

LokiBot was developed in 2015 to steal information from a variety of applications. Despite its age, this malware is still rather popular among cybercriminals.

Analysis date: February 11, 2019, 04:51:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
trojan
lokibot
Indicators:
MIME: application/x-iso9660-image
File info: ISO 9660 CD-ROM filesystem data 'Scan_11219'
MD5:

B150F6B8F1ABC584997B658816C3FCD6

SHA1:

DB841D5F2AEADFF5CBFCD93079D9AF9D3BC48BE2

SHA256:

48A6613747F853209778D2CCC8F131127B3040C0635264AEE0887AAE627CB8ED

SSDEEP:

24576:22uxYT4FYjuFjmXvnDi7/xaw6L8mn6gcst8rl4a+o:oqKpFjgvnOZaw6L8A6gcst8rlx+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Scan_11219.com (PID: 3020)
      • Scan_11219.com (PID: 2984)
    • Connects to CnC server

      • Scan_11219.com (PID: 2984)
    • LokiBot was detected

      • Scan_11219.com (PID: 2984)
    • LOKIBOT was detected

      • Scan_11219.com (PID: 2984)
    • Actions look like stealing of personal data

      • Scan_11219.com (PID: 2984)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 7zFM.exe (PID: 2076)
      • Scan_11219.com (PID: 2984)
    • Starts application with an unusual extension

      • Scan_11219.com (PID: 3020)
      • 7zFM.exe (PID: 2076)
    • Application launched itself

      • Scan_11219.com (PID: 3020)
    • Reads the machine GUID from the registry

      • explorer.exe (PID: 1848)
      • 7zFM.exe (PID: 2076)
    • Connects to server without host name

      • Scan_11219.com (PID: 2984)
    • Creates files in the user directory

      • Scan_11219.com (PID: 2984)
  • INFO

    • Reads settings of System Certificates

      • explorer.exe (PID: 1848)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.iso | ISO 9660 CD image (27.6)
.atn | Photoshop Action (27.1)
.gmc | Game Music Creator Music (6.1)

EXIF

ISO

System: Win32
VolumeName: Scan_11219
VolumeBlockCount: 459
VolumeBlockSize: 2048
RootDirectoryCreateDate: 2019:02:10 23:33:42+01:00
Software: PowerISO
VolumeCreateDate: 2019:02:10 23:33:42.00+01:00
VolumeModifyDate: 2019:02:10 23:33:42.00+01:00

Composite

VolumeSize: 918 kB
All screenshots are available in the full report
Total processes: 36
Monitored processes: 4
Malicious processes: 4
Suspicious processes: 0

Behavior graph (process chain)

explorer.exe -> 7zfm.exe -> (drop and start) scan_11219.com (no specs) -> (start) scan_11219.com #LOKIBOT

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1848
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 2076
CMD: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\admin\Desktop\Scan_11219.iso"
Path: C:\Program Files\7-Zip\7zFM.exe
Parent process: explorer.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
MEDIUM
Description:
7-Zip File Manager
Exit code:
0
Version:
18.01
Modules
Images
c:\program files\7-zip\7zfm.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2984
CMD: C:\Users\admin\AppData\Local\Temp\7zOC186152C\Scan_11219.com"
Path: C:\Users\admin\AppData\Local\Temp\7zOC186152C\Scan_11219.com
Parent process: Scan_11219.com
User:
admin
Company:
DISTRIBUTES4
Integrity Level:
MEDIUM
Exit code:
0
Version:
3.02.0008
Modules
Images
c:\users\admin\appdata\local\temp\7zoc186152c\scan_11219.com
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID: 3020
CMD: "C:\Users\admin\AppData\Local\Temp\7zOC186152C\Scan_11219.com"
Path: C:\Users\admin\AppData\Local\Temp\7zOC186152C\Scan_11219.com
Parent process: 7zFM.exe
User:
admin
Company:
DISTRIBUTES4
Integrity Level:
MEDIUM
Exit code:
0
Version:
3.02.0008
Modules
Images
c:\users\admin\appdata\local\temp\7zoc186152c\scan_11219.com
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
Total events: 2 299
Read events: 2 258
Write events: 41
Delete events: 0

Modification events

(PID) Process: (2076) 7zFM.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (2076) 7zFM.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (2076) 7zFM.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (2076) 7zFM.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (1848) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation: write
Name: {6Q809377-6NS0-444O-8957-N3773S02200R}\7-Mvc\7mSZ.rkr
Value: 00000000000000000000000000000000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000

(PID) Process: (1848) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation: write
Name: HRZR_PGYFRFFVBA
Value:

(PID) Process: (1848) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation: write
Name: {6Q809377-6NS0-444O-8957-N3773S02200R}\7-Mvc\7mSZ.rkr
Value: 0000000000000000000000000F000000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000

(PID) Process: (1848) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation: write
Name: HRZR_PGYFRFFVBA
Value:

(PID) Process: (1848) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\64\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (1848) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation: write
Name: {S38OS404-1Q43-42S2-9305-67QR0O28SP23}\rkcybere.rkr
Value: 00000000040000000900000007580300000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF30333D7B6085D40100000000
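The UserAssist value names explorer.exe wrote above are ROT13-encoded, and the hex blobs are the Windows 7 Count record (session id, run count, focus count, focus time in ms, ten floats, 0xFFFFFFFF, then a FILETIME of the last run). The following decoder is an added example for this report, not ANY.RUN code; the two Count blobs are copied verbatim from the table, and the two KNOWNFOLDERID GUIDs it expands are the Windows Program Files and Windows folder IDs. Note that the 7-Zip entry in this trace carries zero run and focus counts and only a 15 ms focus time, so a single sandbox write should not be read as a full execution history.

```python
"""Decode the UserAssist writes recorded above (explorer.exe, PID 1848).

Added example; it is not part of the ANY.RUN report. UserAssist value names
are ROT13-encoded, and on Windows 7 the 72-byte Count value packs a session
id, run count, focus count, focus time (ms), ten floats, 0xFFFFFFFF and a
FILETIME of the last run. The hex blobs below are copied from the report.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

# KNOWNFOLDERID GUIDs that appear in the decoded names (Program Files, Windows).
KNOWN_FOLDERS = {
    "{6D809377-6AF0-444B-8957-A3773F02200E}": "%ProgramFiles%",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": "%WINDIR%",
}

# Value names and Count blobs exactly as written in the report's event table.
REPORT_ENTRIES = {
    r"{6Q809377-6NS0-444O-8957-N3773S02200R}\7-Mvc\7mSZ.rkr":
        "0000000000000000000000000F000000" + "000080BF" * 10
        + "FFFFFFFF" + "000000000000000000000000",
    r"{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\rkcybere.rkr":
        "00000000040000000900000007580300" + "000080BF" * 10
        + "FFFFFFFF" + "30333D7B6085D40100000000",
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_name(rot13_name: str) -> str:
    """Undo the ROT13 applied to UserAssist value names and expand the folder GUID."""
    name = codecs.decode(rot13_name, "rot13")
    guid, sep, rest = name.partition("\\")
    return KNOWN_FOLDERS.get(guid, guid) + sep + rest


def parse_count_value(hex_blob: str) -> dict:
    """Parse a Windows 7 UserAssist Count value (72 bytes, little-endian)."""
    raw = bytes.fromhex(hex_blob)
    if len(raw) != 72:
        raise ValueError(f"expected 72 bytes, got {len(raw)}")
    session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", raw, 0)
    (last_run_ft,) = struct.unpack_from("<Q", raw, 60)  # FILETIME sits after the floats and 0xFFFFFFFF
    last_run = None
    if last_run_ft:  # zero means the entry was never stamped with a run time
        last_run = (FILETIME_EPOCH + timedelta(microseconds=last_run_ft // 10)).isoformat()
    return {
        "session": session,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_ms": focus_ms,
        "last_run": last_run,
    }


def decode_entries(entries: dict) -> dict:
    """Map decoded program paths to their parsed counters."""
    return {decode_name(name): parse_count_value(blob) for name, blob in entries.items()}


if __name__ == "__main__":
    for path, info in decode_entries(REPORT_ENTRIES).items():
        print(path, info)
    # The session marker written alongside the program entries.
    print(decode_name("HRZR_PGYFRFFVBA"))
```

The explorer.exe record decodes to a run count of 4 and a last-run FILETIME from November 2018, i.e. the VM image's own history rather than this analysis session; the timestamp of an entry tells you when the snapshot was built, not when the sample ran.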
Executable files: 4
Suspicious files: 2
Text files: 1
Unknown types: 6

Dropped files

PID | Process | Filename | Type
1848 | explorer.exe | C:\Users\admin\AppData\Local\Temp\Cab3B0D.tmp |
1848 | explorer.exe | C:\Users\admin\AppData\Local\Temp\Tar3B0E.tmp |
2984 | Scan_11219.com | C:\Users\admin\AppData\Roaming\03B51E\EE03AE.lck |
2984 | Scan_11219.com | C:\Users\admin\AppData\Roaming\03B51E\EE03AE.hdb | text
1848 | explorer.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | compressed
2076 | 7zFM.exe | C:\Users\admin\AppData\Local\Temp\7zOC186152C\Scan_11219.com | executable
1848 | explorer.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | binary
2984 | Scan_11219.com | C:\Users\admin\AppData\Roaming\03B51E\EE03AE.exe | executable
2984 | Scan_11219.com | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3896776584-4254864009-862391680-1000\0f5007522459c86e95ffcc62f32308f1_eeeb5d54-7880-42a7-b542-739bbc26cf4b | dbf
    MD5: 18B8CFC0185C50383AAC0A4F30A9DAC8
    SHA256: 913E8CED6A447FE791954D382ABA52D490513C5D2F689B391866C7E561F89A03
2076 | 7zFM.exe | C:\Users\admin\AppData\Local\Temp\7zEC187323C\Scan_11219.com | executable
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 5
DNS requests: 1
Threats: 26

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2984 | Scan_11219.com | POST | 404 | 81.92.202.196:80 | http://81.92.202.196/hook/logs/fre.php | GB | text | 15 b | malicious
2984 | Scan_11219.com | POST | 404 | 81.92.202.196:80 | http://81.92.202.196/hook/logs/fre.php | GB | binary | 23 b | malicious
2984 | Scan_11219.com | POST | 404 | 81.92.202.196:80 | http://81.92.202.196/hook/logs/fre.php | GB | text | 15 b | malicious
1848 | explorer.exe | GET | 200 | 2.16.186.25:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e55f23ffb9c435b3 | unknown | compressed | 55.2 Kb | whitelisted
2984 | Scan_11219.com | POST | 404 | 81.92.202.196:80 | http://81.92.202.196/hook/logs/fre.php | GB | binary | 23 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1848 | explorer.exe | 2.16.186.25:80 | ctldl.windowsupdate.com | Akamai International B.V. | | whitelisted
2984 | Scan_11219.com | 81.92.202.196:80 | | Venus Business Communications Limited | GB | malicious

DNS requests

Domain
IP
Reputation
ctldl.windowsupdate.com
  • 2.16.186.25
  • 2.16.186.33
whitelisted

Threats

PID | Process | Class | Message
2984 | Scan_11219.com | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno)
2984 | Scan_11219.com | A Network Trojan was detected | ET TROJAN LokiBot Checkin
2984 | Scan_11219.com | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
2984 | Scan_11219.com | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
2984 | Scan_11219.com | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2
2984 | Scan_11219.com | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno)
2984 | Scan_11219.com | A Network Trojan was detected | ET TROJAN LokiBot Checkin
2984 | Scan_11219.com | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
2984 | Scan_11219.com | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
2984 | Scan_11219.com | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2
4 ETPRO signatures available at the full report
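Every beacon in the HTTP table was answered with a 404, yet the check-in and exfiltration signatures above still fired on the request side; a 404 from a LokiBot gate is not evidence that the C2 is dead and must not suppress the alert. The following triage logic, an added example rather than anything from the ANY.RUN report, runs that reasoning over proxy-style records constructed from the HTTP table (the four POSTs from PID 2984 and the whitelisted explorer.exe GET). The User-Agent strings in the records are assumptions: the report prints no User-Agent, and the "Mozilla/4.08 (Charon; Inferno)" value is the LokiBot User-Agent the ET rule name refers to; the explorer.exe User-Agent and the response byte count for the 55.2 Kb CAB download are likewise constructed.

```python
"""Flag LokiBot-style check-ins in web-proxy records.

Added example, not part of the ANY.RUN report. The records are constructed
from the HTTP table above (four POSTs from PID 2984 to
http://81.92.202.196/hook/logs/fre.php, all answered 404, plus the
whitelisted explorer.exe GET). The User-Agent strings are assumptions: the
ET rule name refers to the "Charon; Inferno" User-Agent LokiBot is known for,
and the report itself does not print any User-Agent.
"""
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

LOKIBOT_UA_MARKERS = ("Charon", "Inferno")
LOKIBOT_GATE = "/fre.php"  # gate script name LokiBot panels are known to use

C2_URL = "http://81.92.202.196/hook/logs/fre.php"
CONSTRUCTED_RECORDS = [
    {"pid": 2984, "process": "Scan_11219.com", "method": "POST", "status": 404,
     "url": C2_URL, "user_agent": "Mozilla/4.08 (Charon; Inferno)", "resp_bytes": 15},
    {"pid": 2984, "process": "Scan_11219.com", "method": "POST", "status": 404,
     "url": C2_URL, "user_agent": "Mozilla/4.08 (Charon; Inferno)", "resp_bytes": 23},
    {"pid": 2984, "process": "Scan_11219.com", "method": "POST", "status": 404,
     "url": C2_URL, "user_agent": "Mozilla/4.08 (Charon; Inferno)", "resp_bytes": 15},
    {"pid": 2984, "process": "Scan_11219.com", "method": "POST", "status": 404,
     "url": C2_URL, "user_agent": "Mozilla/4.08 (Charon; Inferno)", "resp_bytes": 23},
    # Benign control: the CTL download explorer.exe made during the same run.
    {"pid": 1848, "process": "explorer.exe", "method": "GET", "status": 200,
     "url": "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e55f23ffb9c435b3",
     "user_agent": "Microsoft-CryptoAPI/6.1", "resp_bytes": 56525},
]


def host_is_ip_literal(url: str) -> bool:
    """True when the request went to a bare IP, i.e. no host name was involved."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def checkin_reasons(rec: dict) -> list:
    """Return the LokiBot check-in traits a single record exhibits."""
    reasons = []
    url = rec["url"]
    if rec["method"] == "POST" and host_is_ip_literal(url):
        reasons.append("POST to IP-literal host")
    if urlsplit(url).path.endswith(LOKIBOT_GATE):
        reasons.append("LokiBot panel gate fre.php")
    if all(marker in rec.get("user_agent", "") for marker in LOKIBOT_UA_MARKERS):
        reasons.append("Charon/Inferno User-Agent")
    # Deliberately no check on rec["status"]: the C2 answered 404 to every
    # beacon in the report, yet the exfiltration signatures still fired.
    return reasons


def lokibot_checkin_suspects(records: list, min_reasons: int = 2) -> dict:
    """Group suspicious records by (pid, process, url) so repeated beacons show as one finding."""
    findings = defaultdict(lambda: {"count": 0, "statuses": set(), "reasons": set()})
    for rec in records:
        reasons = checkin_reasons(rec)
        if len(reasons) < min_reasons:
            continue
        key = (rec["pid"], rec["process"], rec["url"])
        finding = findings[key]
        finding["count"] += 1
        finding["statuses"].add(rec["status"])
        finding["reasons"].update(reasons)
    return dict(findings)


if __name__ == "__main__":
    for key, finding in lokibot_checkin_suspects(CONSTRUCTED_RECORDS).items():
        print(key, finding)
```

Requiring two independent traits keeps a lone POST to an IP literal (common for legitimate software on a LAN) from paging anyone, while the grouped count and the set of status codes give the responder the beacon cadence and the 404 pattern in one line.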
No debug info