File name: | Shipping Documents.rar |
Full analysis: | https://app.any.run/tasks/765506c1-7b65-4255-9f0c-dd57a41e4536 |
Verdict: | Malicious activity |
Threats: | LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals. |
Analysis date: | March 14, 2019, 09:02:00 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v4, os: Win32 |
MD5: | 7FBD3BFCA679284DA67467C1562D99CF |
SHA1: | AFF2E9D6872CD11FCD84D066139AA0778AA646CA |
SHA256: | 4B6B03C8E724FCC72D4FDF7B16EFFAF74D31893739A8C22B705E7A63C9EA6981 |
SSDEEP: | 6144:E+mYYwwHcR97mnFO9tmoazGTNQXZNBJITKuaYFPHtAd3jWborNj:ZYwN7mncjmoDoBJYZzPHtpborNj |
.rar | | | RAR compressed archive (v-4.x) (58.3) |
---|---|---|
.rar | | | RAR compressed archive (gen) (41.6) |
ArchivedFileName: | Shipping Documents.exe |
---|---|
PackingMethod: | Normal |
ModifyDate: | 2009:11:06 20:00:23 |
OperatingSystem: | Win32 |
UncompressedSize: | 1046792 |
CompressedSize: | 327098 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2864 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Shipping Documents.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2520 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2864.14035\Shipping Documents.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2864.14035\Shipping Documents.exe | — | WinRAR.exe |
User: admin Company: hypoacid1 Integrity Level: MEDIUM Description: Bourr Exit code: 0 Version: 9.03.0003 | ||||
3800 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\shippingcheap.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
3040 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\settingsmexico.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
1060 | C:\Users\admin\AppData\Local\Temp\Rar$EXa2864.14035\Shipping Documents.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2864.14035\Shipping Documents.exe | Shipping Documents.exe | |
User: admin Company: hypoacid1 Integrity Level: MEDIUM Description: Bourr Version: 9.03.0003 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3800 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR1963.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3800 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A4A94133-BF20-41B7-8FCF-FE7F42F88EA5}.tmp | — | |
MD5:— | SHA256:— | |||
3800 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{72388DE4-B130-477F-9E22-E1F9748E65A9}.tmp | — | |
MD5:— | SHA256:— | |||
3040 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR91EE.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3040 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6A36C1E6-A7AE-48C9-AD2E-8735FCE1BF63}.tmp | — | |
MD5:— | SHA256:— | |||
3040 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4EFDC7A2-6CDA-45CD-B4A2-EC6789EC1CA6}.tmp | — | |
MD5:— | SHA256:— | |||
1060 | Shipping Documents.exe | C:\Users\admin\AppData\Roaming\F63AAA\A71D80.lck | — | |
MD5:— | SHA256:— | |||
2520 | Shipping Documents.exe | C:\Users\admin\AppData\Local\Temp\~DFBDBC661467BFD142.TMP | binary | |
MD5:5661BD3A166262482BB0602139AE0F5D | SHA256:3ABD2DF8461E8ADD650B7E6C0CAAB71CF60BF6287B7F0D35187725270C8D5EE6 | |||
3800 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:74375045CD2BB4A655117285995FDB56 | SHA256:D0406977B30495218A7CBBD3E3E808BCA5B9ED9A9F49B31DCA9552466A40739F | |||
3800 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\shippingcheap.rtf.LNK | lnk | |
MD5:871668D4C6E1040555F7A4163AA8E5C3 | SHA256:EFABC3EE6AECB6B39AE3CF01752BD6A08D6292D259823209F2F78ACF8360DFA6 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1060 | Shipping Documents.exe | POST | — | 199.19.224.185:80 | http://mail00server.cf/kill3/playbook/onelove/fre.php | US | — | — | malicious |
1060 | Shipping Documents.exe | POST | — | 199.19.224.185:80 | http://mail00server.cf/kill3/playbook/onelove/fre.php | US | — | — | malicious |
1060 | Shipping Documents.exe | POST | — | 199.19.224.185:80 | http://mail00server.cf/kill3/playbook/onelove/fre.php | US | — | — | malicious |
1060 | Shipping Documents.exe | POST | — | 199.19.224.185:80 | http://mail00server.cf/kill3/playbook/onelove/fre.php | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1060 | Shipping Documents.exe | 199.19.224.185:80 | mail00server.cf | FranTech Solutions | US | malicious |
Domain | IP | Reputation |
---|---|---|
mail00server.cf |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .cf Domain |
1060 | Shipping Documents.exe | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno) |
1060 | Shipping Documents.exe | A Network Trojan was detected | ET TROJAN LokiBot Checkin |
1060 | Shipping Documents.exe | Potentially Bad Traffic | ET INFO HTTP POST Request to Suspicious *.cf Domain |
1060 | Shipping Documents.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 |
1060 | Shipping Documents.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 |
1060 | Shipping Documents.exe | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2 |
1060 | Shipping Documents.exe | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno) |
1060 | Shipping Documents.exe | A Network Trojan was detected | ET TROJAN LokiBot Checkin |
1060 | Shipping Documents.exe | Potentially Bad Traffic | ET INFO HTTP POST Request to Suspicious *.cf Domain |