File name: NEW QUOTATION ORDER.gz

Full analysis: https://app.any.run/tasks/2834b4a3-3df2-4058-b24e-3817346ebfd4
Verdict: Malicious activity
Threats: LokiBot
LokiBot was developed in 2015 to steal information from a variety of applications. Despite its age, this malware is still rather popular among cybercriminals.

Analysis date: April 24, 2019, 07:32:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, lokibot
Indicators:
MIME: application/gzip
File info: gzip compressed data, was "NEW QUOTATION ORDER.exe", last modified: Tue Apr 23 03:24:32 2019, from FAT filesystem (MS-DOS, OS/2, NT)
MD5: ABAB61DDF284B67492678E75775B43F5
SHA1: 5FD2792D7ADE5BD41D2479CBFD542B6DDC818F34
SHA256: 6B7108F6A66FE86668C1AC2CE2E71B63EB3E24B4C56556C2EA2664B1A0C7344B
SSDEEP: 3072:K+AspKM83NqLB/2qkUEN97A4gTS9F27skruVInOzL9rxrKHDt2Qo:+pM89qLojUT4lUEVInO9rx8oP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • NEW QUOTATION ORDER.exe (PID: 2192)
      • NEW QUOTATION ORDER.exe (PID: 2624)
      • NEW QUOTATION ORDER.exe (PID: 2920)
    • LOKIBOT was detected
      • NEW QUOTATION ORDER.exe (PID: 2920)
    • Detected artifacts of LokiBot
      • NEW QUOTATION ORDER.exe (PID: 2920)
    • Connects to CnC server
      • NEW QUOTATION ORDER.exe (PID: 2920)
    • Actions look like stealing of personal data
      • NEW QUOTATION ORDER.exe (PID: 2920)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2488)
      • NEW QUOTATION ORDER.exe (PID: 2920)
    • Application launched itself
      • NEW QUOTATION ORDER.exe (PID: 2192)
      • NEW QUOTATION ORDER.exe (PID: 2624)
    • Loads DLL from Mozilla Firefox
      • NEW QUOTATION ORDER.exe (PID: 2920)
    • Creates files in the user directory
      • NEW QUOTATION ORDER.exe (PID: 2920)
  • INFO
    • No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD
.z/gz/gzip | GZipped data (100)

EXIF (ZIP)
ArchivedFileName: NEW QUOTATION ORDER.exe
OperatingSystem: FAT filesystem (MS-DOS, OS/2, NT/Win32)
ExtraFlags: (none)
ModifyDate: 2019:04:23 05:24:32+02:00
Flags: FileName
Compression: Deflated

No data.
All screenshots are available in the full report
Total processes: 37
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph (interactive view in the full report)
Nodes: winrar.exe; new quotation order.exe (no specs); new quotation order.exe (no specs); new quotation order.exe (#LOKIBOT)

Process information

PID 2488
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\NEW QUOTATION ORDER.gz.z"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID 2192
CMD: "C:\Users\admin\Desktop\NEW QUOTATION ORDER.exe"
Path: C:\Users\admin\Desktop\NEW QUOTATION ORDER.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 1.00

PID 2624
CMD: "C:\Users\admin\Desktop\NEW QUOTATION ORDER.exe"
Path: C:\Users\admin\Desktop\NEW QUOTATION ORDER.exe
Parent process: NEW QUOTATION ORDER.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 1.00

PID 2920
CMD: "C:\Users\admin\Desktop\NEW QUOTATION ORDER.exe"
Path: C:\Users\admin\Desktop\NEW QUOTATION ORDER.exe
Parent process: NEW QUOTATION ORDER.exe
User: admin
Integrity Level: MEDIUM
Version: 1.00
Total events: 342
Read events: 331
Write events: 11
Delete events: 0

Modification events

(PID) Process: (2488) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes; Operation: write; Name: ShellExtBMP; Value: (empty)

(PID) Process: (2488) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes; Operation: write; Name: ShellExtIcon; Value: (empty)

(PID) Process: (2488) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E; Operation: write; Name: LanguageList; Value: en-US

(PID) Process: (2488) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory; Operation: write; Name: 0; Value: C:\Users\admin\Desktop\NEW QUOTATION ORDER.gz.z

(PID) Process: (2488) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths; Operation: write; Name: name; Value: 120

(PID) Process: (2488) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths; Operation: write; Name: size; Value: 80

(PID) Process: (2488) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths; Operation: write; Name: type; Value: 120

(PID) Process: (2488) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths; Operation: write; Name: mtime; Value: 100

(PID) Process: (2488) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath; Operation: write; Name: 0; Value: C:\Users\admin\Desktop

(PID) Process: (2920) NEW QUOTATION ORDER.exe
Key: HKEY_CURRENT_USER\������К������ќ�Ш���Я����Й��я�� (key name is non-printable as captured); Operation: write; Name: F63AAA; Value: %APPDATA%\F63AAA\A71D80.exe
Executable files: 2
Suspicious files: 2
Text files: 4
Unknown types: 2

Dropped files

PID 2920, NEW QUOTATION ORDER.exe
Filename: C:\Users\admin\AppData\Roaming\F63AAA\A71D80.lck
Type: (not recorded); MD5: (empty in report); SHA256: (empty in report)

PID 2488, WinRAR.exe
Filename: C:\Users\admin\Desktop\NEW QUOTATION ORDER.exe
Type: executable; MD5: EC7B4566A92F678B10ABDFD13E073F1B; SHA256: DB1DAE2766CCA6C9FC80E89731BD0B3136D89CF7B95668CC98834CC04C5A9288

PID 2920, NEW QUOTATION ORDER.exe
Filename: C:\Users\admin\AppData\Roaming\F63AAA\A71D80.hdb
Type: text; MD5: 5302B1B5EC232D44E2D9507FB847FC49; SHA256: 20B58A25872B1E3F7D47DAE0C090ACF229C49B6E33939934513499CC37BB2684

PID 2192, NEW QUOTATION ORDER.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DF8C7C268603594097.TMP
Type: binary; MD5: 77BE72624E09F4D0B9C4DFF4D6CD212E; SHA256: DC64B561C172F0532B5B25DEAC54ED37B286A5182F42F592B511A5CA452B006E

PID 2920, NEW QUOTATION ORDER.exe
Filename: C:\Users\admin\AppData\Roaming\F63AAA\A71D80.exe
Type: executable; MD5: EC7B4566A92F678B10ABDFD13E073F1B; SHA256: DB1DAE2766CCA6C9FC80E89731BD0B3136D89CF7B95668CC98834CC04C5A9288

PID 2624, NEW QUOTATION ORDER.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DFA17B79382BB952D2.TMP
Type: binary; MD5: 77BE72624E09F4D0B9C4DFF4D6CD212E; SHA256: DC64B561C172F0532B5B25DEAC54ED37B286A5182F42F592B511A5CA452B006E

PID 2920, NEW QUOTATION ORDER.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2f
Type: dbf; MD5: 18B8CFC0185C50383AAC0A4F30A9DAC8; SHA256: 913E8CED6A447FE791954D382ABA52D490513C5D2F689B391866C7E561F89A03

PID 2192, NEW QUOTATION ORDER.exe
Filename: C:\Users\admin\AppData\Local\VirtualStore\Windows\win.ini
Type: text; MD5: D2A2412BDDBA16D60EC63BD9550D933F; SHA256: 79FF2254E38192BE1626D05BEC6C82E10C85E1CF91DF7440C4C443380A1E877A

PID 2624, NEW QUOTATION ORDER.exe
Filename: C:\Users\admin\AppData\Local\VirtualStore\Windows\win.ini
Type: text; MD5: D2A2412BDDBA16D60EC63BD9550D933F; SHA256: 79FF2254E38192BE1626D05BEC6C82E10C85E1CF91DF7440C4C443380A1E877A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 6
DNS requests: 1
Threats: 0

HTTP requests

Six identical requests (HTTP code, content type and size not recorded in this summary):
PID: 2920; Process: NEW QUOTATION ORDER.exe; Method: POST; IP: 47.254.71.47:80; URL: http://ensthip.ca/WU30/Panel/fre.php; CN: US; Reputation: malicious

Connections

PID: 2920; Process: NEW QUOTATION ORDER.exe; IP: 47.254.71.47:80; Domain: ensthip.ca; ASN: Alibaba (China) Technology Co., Ltd.; CN: US; Reputation: malicious

DNS requests

Domain: ensthip.ca; IP: 47.254.71.47; Reputation: malicious

Threats

All alerts are for PID 2920 (NEW QUOTATION ORDER.exe), class "A Network Trojan was detected". Each of the following five signatures fired twice:
  • ET TROJAN LokiBot User-Agent (Charon/Inferno)
  • ET TROJAN LokiBot Checkin
  • ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
  • ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
  • MALWARE [PTsecurity] Loki Bot Check-in M2
6 ETPRO signatures available at the full report
No debug info