File name: 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe

Full analysis: https://app.any.run/tasks/c725ceca-cd72-477b-8a3a-6f7d9c697991
Verdict: Malicious activity
Threats:

LokiBot was developed in 2015 to steal information from a variety of applications. Despite its age, this malware is still rather popular among cybercriminals.

Analysis date: May 16, 2024, 17:12:01
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
lokibot
trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 4EABADC99A3505B71E02E73C43BCDDAB
SHA1: E43800B98D91D4F048857947DB541F16990CE808
SHA256: 6F79A7492A3E9D4CD4AF6142795F10FDE07B3788253E6A75742B979168588038
SSDEEP: 24576:2AK4oOOb+8lyQT5rvC84B+HlrOxIhfvDEvn9WxdEWsTWQTuolWJ:rFdOb+8lyQtrvn4+HlrOxIhfvDwn9Wxt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe (PID: 6220)
      • 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe (PID: 6684)
    • Steals credentials from Web Browsers

      • 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe (PID: 6684)
    • Lokibot is detected

      • 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe (PID: 6684)
    • LOKIBOT has been detected (YARA)

      • 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe (PID: 6684)
    • Scans artifacts that could help determine the target

      • 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe (PID: 6684)
    • Actions look like stealing of personal data

      • 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe (PID: 6684)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe (PID: 6220)
      • 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe (PID: 6684)
    • Executable content was dropped or overwritten

      • 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe (PID: 6220)
      • 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe (PID: 6684)
    • Starts a Microsoft application from unusual location

      • 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe (PID: 6220)
      • 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe (PID: 6684)
    • Reads security settings of Internet Explorer

      • 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe (PID: 6220)
      • 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe (PID: 6684)
    • Reads the date of Windows installation

      • 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe (PID: 6220)
    • Application launched itself

      • 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe (PID: 6220)
  • INFO

    • Checks supported languages

      • 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe (PID: 6220)
      • 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe (PID: 6684)
    • Reads the computer name

      • 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe (PID: 6220)
      • 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe (PID: 6684)
    • Reads the machine GUID from the registry

      • 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe (PID: 6220)
      • 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe (PID: 6684)
    • Process checks computer location settings

      • 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe (PID: 6220)
    • Create files in a temporary directory

      • 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe (PID: 6220)
    • Creates files or folders in the user directory

      • 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe (PID: 6220)
      • 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe (PID: 6684)
    • Reads Microsoft Office registry keys

      • 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe (PID: 6684)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report

LokiBot

Process (PID 6684): 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe
C2: 193.238.153.15/evie1/five/fre.php
Decoys (4):
  • kbfvzoboss.bid/alien/fre.php
  • alphastand.trade/alien/fre.php
  • alphastand.win/alien/fre.php
  • alphastand.top/alien/fre.php
No Malware configuration.

TRiD

.scr | Windows screen saver (46.4)
.dll | Win32 Dynamic Link Library (generic) (23.3)
.exe | Win32 Executable (generic) (15.9)
.exe | Generic Win/DOS Executable (7.1)
.exe | DOS Executable Generic (7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2057:07:20 02:37:55+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 588288
InitializedDataSize: 2560
UninitializedDataSize: -
EntryPoint: 0x917e6
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 94.82.72.66
ProductVersionNumber: 94.82.72.66
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: AppID Certificate Store Verification Task
CompanyName: Microsoft Corporation
FileDescription: appidcertstorecheck
FileVersion: 94.82.72.66
InternalName: vSiS.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
LegalTrademarks: AppID Certificate Store Verification Task
OriginalFileName: vSiS.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 94.82.72.66
AssemblyVersion: 1.2.3.8
All screenshots are available in the full report
Total processes: 127
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes in the graph:
  • 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe (start)
  • schtasks.exe (no specs)
  • conhost.exe (no specs)
  • 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe (#LOKIBOT)
  • filecoauth.exe (no specs)

Process information

PID: 5620
CMD: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding
Path: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft OneDrive File Co-Authoring Executable
Exit code: 0
Version: 19.043.0304.0013
Modules
Images
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 6220
CMD: "C:\Users\admin\AppData\Local\Temp\6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe"
Path: C:\Users\admin\AppData\Local\Temp\6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: appidcertstorecheck
Exit code: 0
Version: 94.82.72.66
Modules
Images
c:\users\admin\appdata\local\temp\6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 6564
CMD: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WxqBrPkNeOv" /XML "C:\Users\admin\AppData\Local\Temp\tmp72EB.tmp"
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6616
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: schtasks.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6684
CMD: "C:\Users\admin\AppData\Local\Temp\6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe"
Path: C:\Users\admin\AppData\Local\Temp\6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe
Parent process: 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: appidcertstorecheck
Version: 94.82.72.66
Modules
Images
c:\users\admin\appdata\local\temp\6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
Total events: 2 805
Read events: 2 793
Write events: 12
Delete events: 0

Modification events

PID 6220, Process: 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: ProxyBypass | Value: 1

PID 6220, Process: 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: IntranetName | Value: 1

PID 6220, Process: 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: UNCAsIntranet | Value: 1

PID 6220, Process: 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: AutoDetect | Value: 0

PID 6684, Process: 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write | Name: CachePrefix | Value:

PID 6684, Process: 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write | Name: CachePrefix | Value: Cookie:

PID 6684, Process: 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write | Name: CachePrefix | Value: Visited:

PID 6684, Process: 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe
Key: HKEY_CURRENT_USER\193.238.153.15/evie1/five/fre.php
Operation: write | Name: F3F363 | Value: %APPDATA%\F3F363\3C28B3.exe
Executable files: 2
Suspicious files: 5
Text files: 1
Unknown types: 0

Dropped files

PID 6684, Process: 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\0f5007522459c86e95ffcc62f32308f1_bb926e54-e3ca-40fd-ae90-2764341e7792
Type: abr
MD5: D898504A722BFF1524134C6AB6A5EAA5
SHA256: 878F32F76B159494F5A39F9321616C6068CDB82E88DF89BCC739BBC1EA78E1F9

PID 6220, Process: 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe
Filename: C:\Users\admin\AppData\Roaming\WxqBrPkNeOv.exe
Type: executable
MD5: 4EABADC99A3505B71E02E73C43BCDDAB
SHA256: 6F79A7492A3E9D4CD4AF6142795F10FDE07B3788253E6A75742B979168588038

PID 5620, Process: FileCoAuth.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-05-16.1713.5620.1.aodl
Type: binary
MD5: 28DCA2FF4B34B5A52A2E59DF202A6ED3
SHA256: 33BACCB7296F1ED1F995FC77A23049F261CF391AC0388F9E8DD161F8C17B7F94

PID 6220, Process: 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe
Filename: C:\Users\admin\AppData\Local\Temp\tmp72EB.tmp
Type: xml
MD5: 5BB988307A69F0960B7D4DB5C84CC0D4
SHA256: 024EEF0E9E195DD7CE799D875C91C01074764634E1B789FB72318A9454F3F879

PID 6684, Process: 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe
Filename: C:\Users\admin\AppData\Roaming\F3F363\3C28B3.lck
Type: binary
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256:

PID 6684, Process: 6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe
Filename: C:\Users\admin\AppData\Roaming\F3F363\3C28B3.exe
Type: executable
MD5: 4EABADC99A3505B71E02E73C43BCDDAB
SHA256: 6F79A7492A3E9D4CD4AF6142795F10FDE07B3788253E6A75742B979168588038

PID 5620, Process: FileCoAuth.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-05-16.1713.5620.1.odl
Type: binary
MD5: 4C3EC5CA3DE07D82E655A52CF13AF6F4
SHA256: 0FF83A95007B49BCC1FF6B7E6D2E925A057E4407FCF59D417D4392C2AC61C723
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 52
DNS requests: 20
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5228
svchost.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
5228
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
6036
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
unknown
5256
SIHClient.exe
GET
200
23.218.209.163:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
unknown
4680
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D
unknown
unknown
5256
SIHClient.exe
GET
200
23.218.209.163:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
239.255.255.250:1900
unknown
5228
svchost.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
5944
RUXIMICS.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
5140
MoUsoCoreWorker.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
5228
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5228
svchost.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
5228
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
unknown
5140
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6684
6f79a7492a3e9d4cd4af6142795f10fde07b3788253e6a75742b979168588038.exe
193.238.153.15:80
ITL LLC
UA
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 23.218.209.163
whitelisted
www.bing.com
  • 104.126.37.186
  • 104.126.37.170
  • 104.126.37.163
  • 104.126.37.178
  • 104.126.37.185
  • 104.126.37.171
  • 104.126.37.123
  • 104.126.37.128
  • 104.126.37.179
whitelisted
r.bing.com
  • 104.126.37.128
  • 104.126.37.186
  • 104.126.37.179
  • 104.126.37.171
  • 104.126.37.163
  • 104.126.37.123
  • 104.126.37.185
  • 104.126.37.178
  • 104.126.37.170
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.159.73
  • 40.126.31.69
  • 20.190.159.2
  • 40.126.31.73
  • 20.190.159.0
  • 20.190.159.23
  • 20.190.159.75
  • 20.190.159.71
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
slscr.update.microsoft.com
  • 13.85.23.86
  • 20.114.59.183
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted

Threats

No threats detected
No debug info