analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

jtc-qa HAMAD INTERNATIONAL AIRPORT EXPANSION, DOHA.zip

Full analysis: https://app.any.run/tasks/5451ccab-5070-4a49-abd4-6fb2028e5ebf
Verdict: Malicious activity
Threats:

LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals.

Analysis date: June 12, 2019, 12:01:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
lokibot
opendir
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

8D196ADD96FFB0AAF733165BDA7C3F9C

SHA1:

1C4492C7656E15ACAACC242EE807F51A1FD93B0C

SHA256:

5E47C298E3449DCB42BDCCA080DDAD3A554FF575A789748EDD959A9989272F41

SSDEEP:

3072:1chTQq2WnNwNIMEmMNGyvGktfE7hOT0ScX9Y5CRP3V8k:2jSMNnpO7ck25ChVr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • jtc-qa HAMAD INTERNATIONAL AIRPORT EXPANSION, DOHA.exe (PID: 2468)
      • leviand.exe (PID: 2996)
      • leviand.exe (PID: 2944)
      • leviand.exe (PID: 3360)
      • jtc-qa HAMAD INTERNATIONAL AIRPORT EXPANSION, DOHA.exe (PID: 3540)
      • leviand.exe (PID: 2076)
    • Changes the autorun value in the registry

      • WScript.exe (PID: 2812)
      • WScript.exe (PID: 3208)
    • Detected artifacts of LokiBot

      • leviand.exe (PID: 2944)
    • LOKIBOT was detected

      • leviand.exe (PID: 2944)
    • Connects to CnC server

      • leviand.exe (PID: 2944)
    • Actions looks like stealing of personal data

      • leviand.exe (PID: 2944)
  • SUSPICIOUS

    • Application launched itself

      • leviand.exe (PID: 2996)
      • leviand.exe (PID: 3360)
    • Executes scripts

      • jtc-qa HAMAD INTERNATIONAL AIRPORT EXPANSION, DOHA.exe (PID: 2468)
      • jtc-qa HAMAD INTERNATIONAL AIRPORT EXPANSION, DOHA.exe (PID: 3540)
    • Starts itself from another location

      • jtc-qa HAMAD INTERNATIONAL AIRPORT EXPANSION, DOHA.exe (PID: 3540)
      • jtc-qa HAMAD INTERNATIONAL AIRPORT EXPANSION, DOHA.exe (PID: 2468)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2924)
      • jtc-qa HAMAD INTERNATIONAL AIRPORT EXPANSION, DOHA.exe (PID: 2468)
      • leviand.exe (PID: 2944)
    • Loads DLL from Mozilla Firefox

      • leviand.exe (PID: 2944)
    • Creates files in the user directory

      • leviand.exe (PID: 2944)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2013:12:29 22:00:24
ZipCRC: 0x3421c124
ZipCompressedSize: 153973
ZipUncompressedSize: 942080
ZipFileName: jtc-qa HAMAD INTERNATIONAL AIRPORT EXPANSION, DOHA.exe
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
9
Malicious processes
5
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start drop and start start drop and start winrar.exe jtc-qa hamad international airport expansion, doha.exe jtc-qa hamad international airport expansion, doha.exe no specs wscript.exe leviand.exe no specs wscript.exe leviand.exe no specs #LOKIBOT leviand.exe leviand.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2924"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\jtc-qa HAMAD INTERNATIONAL AIRPORT EXPANSION, DOHA.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2468"C:\Users\admin\AppData\Local\Temp\Rar$EXa2924.44500\jtc-qa HAMAD INTERNATIONAL AIRPORT EXPANSION, DOHA.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa2924.44500\jtc-qa HAMAD INTERNATIONAL AIRPORT EXPANSION, DOHA.exe
WinRAR.exe
User:
admin
Company:
VolumeStichoi
Integrity Level:
MEDIUM
Description:
VolumeMUDDS2
Exit code:
0
Version:
2.07.0003
3540"C:\Users\admin\AppData\Local\Temp\Rar$EXa2924.45656\jtc-qa HAMAD INTERNATIONAL AIRPORT EXPANSION, DOHA.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa2924.45656\jtc-qa HAMAD INTERNATIONAL AIRPORT EXPANSION, DOHA.exeWinRAR.exe
User:
admin
Company:
VolumeStichoi
Integrity Level:
MEDIUM
Description:
VolumeMUDDS2
Exit code:
0
Version:
2.07.0003
2812"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\subfolder\leviand.vbs" C:\Windows\System32\WScript.exe
jtc-qa HAMAD INTERNATIONAL AIRPORT EXPANSION, DOHA.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2996"C:\Users\admin\AppData\Local\Temp\subfolder\leviand.exe" C:\Users\admin\AppData\Local\Temp\subfolder\leviand.exejtc-qa HAMAD INTERNATIONAL AIRPORT EXPANSION, DOHA.exe
User:
admin
Company:
VolumeStichoi
Integrity Level:
MEDIUM
Description:
VolumeMUDDS2
Exit code:
0
Version:
2.07.0003
3208"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\subfolder\leviand.vbs" C:\Windows\System32\WScript.exe
jtc-qa HAMAD INTERNATIONAL AIRPORT EXPANSION, DOHA.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3360"C:\Users\admin\AppData\Local\Temp\subfolder\leviand.exe" C:\Users\admin\AppData\Local\Temp\subfolder\leviand.exejtc-qa HAMAD INTERNATIONAL AIRPORT EXPANSION, DOHA.exe
User:
admin
Company:
VolumeStichoi
Integrity Level:
MEDIUM
Description:
VolumeMUDDS2
Exit code:
0
Version:
2.07.0003
2944C:\Users\admin\AppData\Local\Temp\subfolder\leviand.exe" C:\Users\admin\AppData\Local\Temp\subfolder\leviand.exe
leviand.exe
User:
admin
Company:
VolumeStichoi
Integrity Level:
MEDIUM
Description:
VolumeMUDDS2
Version:
2.07.0003
2076C:\Users\admin\AppData\Local\Temp\subfolder\leviand.exe" C:\Users\admin\AppData\Local\Temp\subfolder\leviand.exeleviand.exe
User:
admin
Company:
VolumeStichoi
Integrity Level:
MEDIUM
Description:
VolumeMUDDS2
Exit code:
0
Version:
2.07.0003
Total events
1 178
Read events
1 155
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
4
Text files
3
Unknown types
2

Dropped files

PID
Process
Filename
Type
2944leviand.exeC:\Users\admin\AppData\Roaming\F63AAA\A71D80.lck
MD5:
SHA256:
2468jtc-qa HAMAD INTERNATIONAL AIRPORT EXPANSION, DOHA.exeC:\Users\admin\AppData\Local\Temp\~DF3118A9BC1D54AE6B.TMPbinary
MD5:41D52D9C5BE9AE2CE9E5F1BB4139A78E
SHA256:4360BBABA4BF9164E680CE54DF3C822EC1BF7D36A9847E9CED09A45FA608589A
2944leviand.exeC:\Users\admin\AppData\Roaming\F63AAA\A71D80.hdbtext
MD5:5302B1B5EC232D44E2D9507FB847FC49
SHA256:20B58A25872B1E3F7D47DAE0C090ACF229C49B6E33939934513499CC37BB2684
3360leviand.exeC:\Users\admin\AppData\Local\Temp\~DF9FE863FF4FF0463C.TMPbinary
MD5:41D52D9C5BE9AE2CE9E5F1BB4139A78E
SHA256:4360BBABA4BF9164E680CE54DF3C822EC1BF7D36A9847E9CED09A45FA608589A
2924WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2924.44500\jtc-qa HAMAD INTERNATIONAL AIRPORT EXPANSION, DOHA.exeexecutable
MD5:1E1F1F0A61834A2FFF91D9A0F94209F7
SHA256:B14AE7D9E00F70E0235F644C38C19BEE2B64AA22226CB2858B7B837273BA9C6F
2468jtc-qa HAMAD INTERNATIONAL AIRPORT EXPANSION, DOHA.exeC:\Users\admin\AppData\Local\Temp\subfolder\leviand.exeexecutable
MD5:1E1F1F0A61834A2FFF91D9A0F94209F7
SHA256:B14AE7D9E00F70E0235F644C38C19BEE2B64AA22226CB2858B7B837273BA9C6F
3540jtc-qa HAMAD INTERNATIONAL AIRPORT EXPANSION, DOHA.exeC:\Users\admin\AppData\Local\Temp\~DFB9508BF6847E14A2.TMPbinary
MD5:41D52D9C5BE9AE2CE9E5F1BB4139A78E
SHA256:4360BBABA4BF9164E680CE54DF3C822EC1BF7D36A9847E9CED09A45FA608589A
2924WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2924.45656\jtc-qa HAMAD INTERNATIONAL AIRPORT EXPANSION, DOHA.exeexecutable
MD5:1E1F1F0A61834A2FFF91D9A0F94209F7
SHA256:B14AE7D9E00F70E0235F644C38C19BEE2B64AA22226CB2858B7B837273BA9C6F
2996leviand.exeC:\Users\admin\AppData\Local\Temp\~DFED4FE5385E7F1F33.TMPbinary
MD5:41D52D9C5BE9AE2CE9E5F1BB4139A78E
SHA256:4360BBABA4BF9164E680CE54DF3C822EC1BF7D36A9847E9CED09A45FA608589A
2944leviand.exeC:\Users\admin\AppData\Roaming\F63AAA\A71D80.exeexecutable
MD5:1E1F1F0A61834A2FFF91D9A0F94209F7
SHA256:B14AE7D9E00F70E0235F644C38C19BEE2B64AA22226CB2858B7B837273BA9C6F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
3
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2944
leviand.exe
POST
54.38.141.142:80
http://www.sherwoodpest.com/lavidaloca/Panel/five/fre.php
FR
malicious
2944
leviand.exe
POST
54.38.141.142:80
http://www.sherwoodpest.com/lavidaloca/Panel/five/fre.php
FR
malicious
2944
leviand.exe
POST
54.38.141.142:80
http://www.sherwoodpest.com/lavidaloca/Panel/five/fre.php
FR
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2944
leviand.exe
54.38.141.142:80
www.sherwoodpest.com
OVH SAS
FR
malicious

DNS requests

Domain
IP
Reputation
www.sherwoodpest.com
  • 54.38.141.142
malicious

Threats

PID
Process
Class
Message
2944
leviand.exe
A Network Trojan was detected
ET TROJAN LokiBot User-Agent (Charon/Inferno)
2944
leviand.exe
A Network Trojan was detected
ET TROJAN LokiBot Checkin
2944
leviand.exe
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
2944
leviand.exe
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
2944
leviand.exe
A Network Trojan was detected
MALWARE [PTsecurity] Loki Bot Check-in M2
2944
leviand.exe
A Network Trojan was detected
ET TROJAN LokiBot User-Agent (Charon/Inferno)
2944
leviand.exe
A Network Trojan was detected
ET TROJAN LokiBot Checkin
2944
leviand.exe
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
2944
leviand.exe
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
2944
leviand.exe
A Network Trojan was detected
MALWARE [PTsecurity] Loki Bot Check-in M2
3 ETPRO signatures available at the full report
No debug info