File name: 6f38e2682c93aa775da8ec2ba1e947358f89781e7ffe362bc2d1ab8060ed2af4

Full analysis: https://app.any.run/tasks/47782a57-e7c2-482f-b910-347fd47b3545
Verdict: Malicious activity
Threats:
  • LokiBot was developed in 2015 to steal information from a variety of applications. Despite its age, this malware is still rather popular among cybercriminals.

Analysis date: April 15, 2019, 12:18:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
  • trojan
  • lokibot
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 1FFBE3BBF231B230D602FBCD91963B13
SHA1: E3372E6523AB31500B3B2980CB196DA951E1555A
SHA256: 6F38E2682C93AA775DA8EC2BA1E947358F89781E7FFE362BC2D1AB8060ED2AF4
SSDEEP: 6144:zIZmbSIK23Yqw9cA1cGj92z3LgKL4xRjSSYIinroX9oB5wp+lgg6/31Z:zBbHbYqw67Gpy3LghxJ+IwGM5wpMKH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • objectAfgrsninger4.exe (PID: 3292)
      • objectAfgrsninger4.exe (PID: 3812)
      • objectAfgrsninger4.exe (PID: 3608)
    • Changes the autorun value in the registry
      • objectAfgrsninger4.exe (PID: 3812)
    • Detected artifacts of LokiBot
      • objectAfgrsninger4.exe (PID: 3608)
    • Actions look like stealing of personal data
      • objectAfgrsninger4.exe (PID: 3608)
  • SUSPICIOUS
    • Application launched itself
      • objectAfgrsninger4.exe (PID: 3812)
      • 6f38e2682c93aa775da8ec2ba1e947358f89781e7ffe362bc2d1ab8060ed2af4.exe (PID: 3296)
      • objectAfgrsninger4.exe (PID: 3292)
    • Executable content was dropped or overwritten
      • 6f38e2682c93aa775da8ec2ba1e947358f89781e7ffe362bc2d1ab8060ed2af4.exe (PID: 2180)
      • objectAfgrsninger4.exe (PID: 3608)
    • Loads DLL from Mozilla Firefox
      • objectAfgrsninger4.exe (PID: 3608)
    • Creates files in the user directory
      • objectAfgrsninger4.exe (PID: 3608)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD

.exe | Win32 Executable Microsoft Visual Basic 6 (84.4)
.dll | Win32 Dynamic Link Library (generic) (6.7)
.exe | Win32 Executable (generic) (4.6)
.exe | Generic Win/DOS Executable (2)
.exe | DOS Executable Generic (2)

EXIF

EXE

OriginalFileName: objectSpinderis8.exe
InternalName: objectSpinderis8
ProductVersion: 1
FileVersion: 1
ProductName: objectAeolotropic9
CompanyName: alcATEl
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 1.0.0.0
FileVersionNumber: 1.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 1
OSVersion: 4
EntryPoint: 0x128c
UninitializedDataSize: -
InitializedDataSize: 45056
CodeSize: 561152
LinkerVersion: 6
PEType: PE32
TimeStamp: 2019:04:15 06:03:48+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 15-Apr-2019 04:03:48
Detected languages:
  • English - United States
CompanyName: alcATEl
ProductName: objectAeolotropic9
FileVersion: 1.00
ProductVersion: 1.00
InternalName: objectSpinderis8
OriginalFilename: objectSpinderis8.exe

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000C0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 15-Apr-2019 04:03:48
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x00088D6C | 0x00089000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.33368
.data | 0x0008A000 | 0x00004D34 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.rsrc | 0x0008F000 | 0x00005C7A | 0x00006000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.05178

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 3.22086 | 596 | Unicode (UTF 16LE) | English - United States | RT_VERSION
7 | 1.57542 | 60 | Unicode (UTF 16LE) | UNKNOWN | RT_STRING
30001 | 4.86103 | 3752 | Unicode (UTF 16LE) | UNKNOWN | RT_ICON
30002 | 5.14774 | 2216 | Unicode (UTF 16LE) | UNKNOWN | RT_ICON
30003 | 4.1785 | 1384 | Unicode (UTF 16LE) | UNKNOWN | RT_ICON
30004 | 4.50387 | 9640 | Unicode (UTF 16LE) | UNKNOWN | RT_ICON
30005 | 5.61086 | 4264 | Unicode (UTF 16LE) | UNKNOWN | RT_ICON
30006 | 5.98278 | 1128 | Unicode (UTF 16LE) | UNKNOWN | RT_ICON

Imports

MSVBVM60.DLL
No data.
Total processes: 35
Monitored processes: 5
Malicious processes: 5
Suspicious processes: 0

Behavior graph

(Interactive graph available in the full report.) Graph nodes: 6f38e2682c93aa775da8ec2ba1e947358f89781e7ffe362bc2d1ab8060ed2af4.exe (no specs), 6f38e2682c93aa775da8ec2ba1e947358f89781e7ffe362bc2d1ab8060ed2af4.exe, objectafgrsninger4.exe, objectafgrsninger4.exe (no specs), objectafgrsninger4.exe (#LOKIBOT); edge types: start, drop and start.

Process information

PID 3296
CMD: "C:\Users\admin\AppData\Local\Temp\6f38e2682c93aa775da8ec2ba1e947358f89781e7ffe362bc2d1ab8060ed2af4.exe"
Path: C:\Users\admin\AppData\Local\Temp\6f38e2682c93aa775da8ec2ba1e947358f89781e7ffe362bc2d1ab8060ed2af4.exe
Parent process: explorer.exe
User: admin
Company: alcATEl
Integrity Level: MEDIUM
Exit code: 0
Version: 1.00

PID 2180
CMD: "C:\Users\admin\AppData\Local\Temp\6f38e2682c93aa775da8ec2ba1e947358f89781e7ffe362bc2d1ab8060ed2af4.exe"
Path: C:\Users\admin\AppData\Local\Temp\6f38e2682c93aa775da8ec2ba1e947358f89781e7ffe362bc2d1ab8060ed2af4.exe
Parent process: 6f38e2682c93aa775da8ec2ba1e947358f89781e7ffe362bc2d1ab8060ed2af4.exe
User: admin
Company: alcATEl
Integrity Level: MEDIUM
Exit code: 0
Version: 1.00

PID 3812
CMD: "C:\Users\admin\AppData\Local\Temp\objectAfgrsninger4.exe"
Path: C:\Users\admin\AppData\Local\Temp\objectAfgrsninger4.exe
Parent process: 6f38e2682c93aa775da8ec2ba1e947358f89781e7ffe362bc2d1ab8060ed2af4.exe
User: admin
Company: alcATEl
Integrity Level: MEDIUM
Exit code: 0
Version: 1.00

PID 3292
CMD: "C:\Users\admin\AppData\Local\Temp\objectAfgrsninger4.exe"
Path: C:\Users\admin\AppData\Local\Temp\objectAfgrsninger4.exe
Parent process: objectAfgrsninger4.exe
User: admin
Company: alcATEl
Integrity Level: MEDIUM
Exit code: 0
Version: 1.00

PID 3608
CMD: "C:\Users\admin\AppData\Local\Temp\objectAfgrsninger4.exe"
Path: C:\Users\admin\AppData\Local\Temp\objectAfgrsninger4.exe
Parent process: objectAfgrsninger4.exe
User: admin
Company: alcATEl
Integrity Level: MEDIUM
Version: 1.00

Total events: 130
Read events: 124
Write events: 6
Delete events: 0

Modification events

(PID) Process: (2180) 6f38e2682c93aa775da8ec2ba1e947358f89781e7ffe362bc2d1ab8060ed2af4.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (2180) 6f38e2682c93aa775da8ec2ba1e947358f89781e7ffe362bc2d1ab8060ed2af4.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

(PID) Process: (3812) objectAfgrsninger4.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: objectDroskens
Value: wscript "C:\Users\admin\AppData\Local\Temp\objectAfgrsninger4.vbs"

(PID) Process: (3608) objectAfgrsninger4.exe
Key: HKEY_CURRENT_USER\http://tiwasavage.tk/anyi/fre.php
Operation: write
Name: F63AAA
Value: %APPDATA%\F63AAA\A71D80.exe

Executable files: 2
Suspicious files: 4
Text files: 6
Unknown types: 2

Dropped files

PID | Process | Filename | Type
3608 | objectAfgrsninger4.exe | C:\Users\admin\AppData\Roaming\F63AAA\A71D80.lck | -
  MD5: -
  SHA256: -
2180 | 6f38e2682c93aa775da8ec2ba1e947358f89781e7ffe362bc2d1ab8060ed2af4.exe | C:\Users\admin\AppData\Local\Temp\objectAfgrsninger4.exe | executable
  MD5: AC2D5C6A6E95A6D37DBC76383DC1C29E
  SHA256: 1F71C7A2A7C038DF2431C5800FA56904D184F892E8D923D6625540AF44F4C30F
3292 | objectAfgrsninger4.exe | C:\Users\admin\AppData\Local\Temp\~DFE69B187A2D81B9DB.TMP | binary
  MD5: E5AD6D9DBD53172DCCA03C592C039616
  SHA256: CC6F6E26F807E9ED9BA07A6D5FEEAB30C3A2EA36424304DB9148A9D1C78AB5DE
2180 | 6f38e2682c93aa775da8ec2ba1e947358f89781e7ffe362bc2d1ab8060ed2af4.exe | C:\Users\admin\AppData\Local\Temp\~DF82509638BE537B73.TMP | binary
  MD5: E5AD6D9DBD53172DCCA03C592C039616
  SHA256: CC6F6E26F807E9ED9BA07A6D5FEEAB30C3A2EA36424304DB9148A9D1C78AB5DE
3812 | objectAfgrsninger4.exe | C:\Users\admin\AppData\Local\Temp\~DFA4C5F2A842E2D995.TMP | binary
  MD5: E5AD6D9DBD53172DCCA03C592C039616
  SHA256: CC6F6E26F807E9ED9BA07A6D5FEEAB30C3A2EA36424304DB9148A9D1C78AB5DE
3296 | 6f38e2682c93aa775da8ec2ba1e947358f89781e7ffe362bc2d1ab8060ed2af4.exe | C:\Users\admin\AppData\Local\Temp\~DF1667DFCA898D47FE.TMP | binary
  MD5: E5AD6D9DBD53172DCCA03C592C039616
  SHA256: CC6F6E26F807E9ED9BA07A6D5FEEAB30C3A2EA36424304DB9148A9D1C78AB5DE
2180 | 6f38e2682c93aa775da8ec2ba1e947358f89781e7ffe362bc2d1ab8060ed2af4.exe | C:\Users\admin\AppData\Local\Temp\objectAfgrsninger4.vbs | text
  MD5: E1508AF85DEB6540B2EA0B8D8A497E89
  SHA256: 3955025C00811CFE6EEAD2A4C8D8A17607EB033B0E3CED080D5BEDECAD04C16E
3608 | objectAfgrsninger4.exe | C:\Users\admin\AppData\Roaming\F63AAA\A71D80.exe | executable
  MD5: AC2D5C6A6E95A6D37DBC76383DC1C29E
  SHA256: 1F71C7A2A7C038DF2431C5800FA56904D184F892E8D923D6625540AF44F4C30F
3812 | objectAfgrsninger4.exe | C:\Users\admin\AppData\Local\VirtualStore\Windows\win.ini | text
  MD5: D2A2412BDDBA16D60EC63BD9550D933F
  SHA256: 79FF2254E38192BE1626D05BEC6C82E10C85E1CF91DF7440C4C443380A1E877A
3292 | objectAfgrsninger4.exe | C:\Users\admin\AppData\Local\VirtualStore\Windows\win.ini | text
  MD5: D2A2412BDDBA16D60EC63BD9550D933F
  SHA256: 79FF2254E38192BE1626D05BEC6C82E10C85E1CF91DF7440C4C443380A1E877A
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

Domain | IP | Reputation
tiwasavage.tk | - | malicious

Threats

No threats detected
No debug info