analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://gg.gg/d7qst

Full analysis: https://app.any.run/tasks/f97c280d-0b1b-4944-ab3e-1989d6185414
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: March 14, 2019, 09:33:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
trojan
lokibot
opendir
Indicators:
MD5:

EE75B74D5E6EB2C3A51B82A7CCEB2CC7

SHA1:

2ACAFCE3A337ED53ED0BA815D007BBEAA2184144

SHA256:

740AA228520A025EEB409C0D49EEBA8B84915474C7E28AF225FF0ACF732B6793

SSDEEP:

3:N1KZCLBKdWR:C8QUR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 0930c-9b102a99-df95-4bc5-92b4-609fdd4442ee[1].exe (PID: 2792)
      • 0930c-9b102a99-df95-4bc5-92b4-609fdd4442ee[1].exe (PID: 2592)
    • Downloads executable files from the Internet

      • iexplore.exe (PID: 3268)
    • Connects to CnC server

      • 0930c-9b102a99-df95-4bc5-92b4-609fdd4442ee[1].exe (PID: 2592)
    • LOKIBOT was detected

      • 0930c-9b102a99-df95-4bc5-92b4-609fdd4442ee[1].exe (PID: 2592)
    • Detected artifacts of LokiBot

      • 0930c-9b102a99-df95-4bc5-92b4-609fdd4442ee[1].exe (PID: 2592)
    • Actions looks like stealing of personal data

      • 0930c-9b102a99-df95-4bc5-92b4-609fdd4442ee[1].exe (PID: 2592)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3268)
      • iexplore.exe (PID: 2972)
      • 0930c-9b102a99-df95-4bc5-92b4-609fdd4442ee[1].exe (PID: 2592)
    • Application launched itself

      • 0930c-9b102a99-df95-4bc5-92b4-609fdd4442ee[1].exe (PID: 2792)
    • Loads DLL from Mozilla Firefox

      • 0930c-9b102a99-df95-4bc5-92b4-609fdd4442ee[1].exe (PID: 2592)
    • Creates files in the user directory

      • 0930c-9b102a99-df95-4bc5-92b4-609fdd4442ee[1].exe (PID: 2592)
  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 2972)
    • Creates files in the user directory

      • iexplore.exe (PID: 2972)
      • iexplore.exe (PID: 3268)
    • Application launched itself

      • iexplore.exe (PID: 2972)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3268)
      • iexplore.exe (PID: 2972)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
33
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start iexplore.exe iexplore.exe 0930c-9b102a99-df95-4bc5-92b4-609fdd4442ee[1].exe no specs #LOKIBOT 0930c-9b102a99-df95-4bc5-92b4-609fdd4442ee[1].exe

Process information

PID
CMD
Path
Indicators
Parent process
2972"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3268"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2972 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2792"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\0930c-9b102a99-df95-4bc5-92b4-609fdd4442ee[1].exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\0930c-9b102a99-df95-4bc5-92b4-609fdd4442ee[1].exeiexplore.exe
User:
admin
Company:
REWAN
Integrity Level:
MEDIUM
Description:
Zech
Exit code:
0
Version:
6.02.0003
2592C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\0930c-9b102a99-df95-4bc5-92b4-609fdd4442ee[1].exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\0930c-9b102a99-df95-4bc5-92b4-609fdd4442ee[1].exe
0930c-9b102a99-df95-4bc5-92b4-609fdd4442ee[1].exe
User:
admin
Company:
REWAN
Integrity Level:
MEDIUM
Description:
Zech
Version:
6.02.0003
Total events
668
Read events
615
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
2
Text files
6
Unknown types
6

Dropped files

PID
Process
Filename
Type
2972iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
2972iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2972iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF79A71B108FFC8065.TMP
MD5:
SHA256:
2972iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFD586805A138CF09F.TMP
MD5:
SHA256:
2972iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{48409A6D-463C-11E9-AA93-5254004A04AF}.dat
MD5:
SHA256:
25920930c-9b102a99-df95-4bc5-92b4-609fdd4442ee[1].exeC:\Users\admin\AppData\Roaming\F63AAA\A71D80.lck
MD5:
SHA256:
2972iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\0930c-9b102a99-df95-4bc5-92b4-609fdd4442ee[1].exeexecutable
MD5:9C7A15CDD963E58DE6FD2076905E490A
SHA256:38E2E9DD8294CF72738633C1ED24F9CA3E9F29D0A6EE649B94BEA6CC01F97272
2972iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019031420190315\index.datdat
MD5:5DB5C119FD80EC45C7CD1CD4F3CBC83A
SHA256:9F727EE87A46B51A7C64C5BBD5B584558DB1B025A2C679E1567F9A6FD223E36C
27920930c-9b102a99-df95-4bc5-92b4-609fdd4442ee[1].exeC:\Users\admin\AppData\Local\Temp\~DFA368A939FBF91B2F.TMPbinary
MD5:B94DC54F7A0194F3A80D9A483521475E
SHA256:323D8519BC894ABB7FF7195BF39DA0D080128FD4FC0F821F9E5B9D03F957508F
2972iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{48409A6E-463C-11E9-AA93-5254004A04AF}.datbinary
MD5:EAF6DF80155B6CD78A167EE849DC10D9
SHA256:D254DC302B1CDC1091329128FB162AE283BBCE146E5A47F0325BF844E383438B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
6
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3268
iexplore.exe
GET
301
91.224.140.71:80
http://gg.gg/d7qst
NL
shared
2592
0930c-9b102a99-df95-4bc5-92b4-609fdd4442ee[1].exe
POST
137.59.52.107:80
http://elnstek.com/jude/five/fre.php
IN
malicious
3268
iexplore.exe
GET
200
192.81.132.172:80
http://grabilla.com/0930c-9b102a99-df95-4bc5-92b4-609fdd4442ee.exe?download
US
executable
265 Kb
suspicious
2592
0930c-9b102a99-df95-4bc5-92b4-609fdd4442ee[1].exe
POST
137.59.52.107:80
http://elnstek.com/jude/five/fre.php
IN
malicious
2592
0930c-9b102a99-df95-4bc5-92b4-609fdd4442ee[1].exe
POST
137.59.52.107:80
http://elnstek.com/jude/five/fre.php
IN
malicious
2972
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2972
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2592
0930c-9b102a99-df95-4bc5-92b4-609fdd4442ee[1].exe
137.59.52.107:80
elnstek.com
RackBank Datacenters Private Ltd
IN
malicious
3268
iexplore.exe
91.224.140.71:80
gg.gg
Innovation IT Solutions LTD
NL
suspicious
3268
iexplore.exe
192.81.132.172:80
grabilla.com
Linode, LLC
US
suspicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
gg.gg
  • 91.224.140.71
shared
grabilla.com
  • 192.81.132.172
suspicious
elnstek.com
  • 137.59.52.107
malicious

Threats

PID
Process
Class
Message
3268
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3268
iexplore.exe
Misc activity
ET INFO EXE - Served Attached HTTP
2592
0930c-9b102a99-df95-4bc5-92b4-609fdd4442ee[1].exe
A Network Trojan was detected
ET TROJAN LokiBot User-Agent (Charon/Inferno)
2592
0930c-9b102a99-df95-4bc5-92b4-609fdd4442ee[1].exe
A Network Trojan was detected
ET TROJAN LokiBot Checkin
2592
0930c-9b102a99-df95-4bc5-92b4-609fdd4442ee[1].exe
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
2592
0930c-9b102a99-df95-4bc5-92b4-609fdd4442ee[1].exe
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
2592
0930c-9b102a99-df95-4bc5-92b4-609fdd4442ee[1].exe
A Network Trojan was detected
MALWARE [PTsecurity] Loki Bot Check-in M2
2592
0930c-9b102a99-df95-4bc5-92b4-609fdd4442ee[1].exe
A Network Trojan was detected
ET TROJAN LokiBot User-Agent (Charon/Inferno)
2592
0930c-9b102a99-df95-4bc5-92b4-609fdd4442ee[1].exe
A Network Trojan was detected
ET TROJAN LokiBot Checkin
2592
0930c-9b102a99-df95-4bc5-92b4-609fdd4442ee[1].exe
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
3 ETPRO signatures available at the full report
No debug info