File name: | Payment Swift Copy HK LTGD #6736722.iso |
Full analysis: | https://app.any.run/tasks/768e6f78-bfe3-4551-a69a-b93b1501b0e2 |
Verdict: | Malicious activity |
Threats: | LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals. |
Analysis date: | December 18, 2018, 16:02:57 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-iso9660-image |
File info: | ISO 9660 CD-ROM filesystem data 'Payment Swift Copy HK LTGD #6736' |
MD5: | E0823F9E97AEF806C8F8B163129D00EC |
SHA1: | 3C4AC2D0F179F90E2583BC4C4968B9CE602A1E7D |
SHA256: | 787829C97DB186CFBC162A349F5D4AB5F256EA0B4BADFD996B6618FEDCF0CE2E |
SSDEEP: | 3072:q0wFY5FbfmPyg7DIFpRqzgxAxl+9BmntzFRoSxFEAWLT1djAB:q0ocFbfmP9DIFpRY7DQm9ob |
.iso | | | ISO 9660 CD image (27.6) |
---|---|---|
.atn | | | Photoshop Action (27.1) |
.gmc | | | Game Music Creator Music (6.1) |
System: | Win32 |
---|---|
VolumeName: | Payment Swift Copy HK LTGD #6736 |
VolumeBlockCount: | 168 |
VolumeBlockSize: | 2048 |
RootDirectoryCreateDate: | 2018:12:18 11:35:01+04:30 |
Software: | PowerISO |
VolumeCreateDate: | 2018:12:18 11:35:01.00+04:30 |
VolumeModifyDate: | 2018:12:18 11:35:01.00+04:30 |
VolumeSize: | 336 kB |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2812 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\Payment Swift Copy HK LTGD #6736722.iso | C:\Windows\system32\rundll32.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2996 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Payment Swift Copy HK LTGD #6736722.iso" | C:\Program Files\WinRAR\WinRAR.exe | rundll32.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2872 | "C:\Users\admin\Desktop\Payment Swift Copy HK LTGD #6736722.exe" | C:\Users\admin\Desktop\Payment Swift Copy HK LTGD #6736722.exe | — | explorer.exe |
User: admin Company: PHIliPs Integrity Level: MEDIUM Description: PIRifOrm LTD Version: 1.00 | ||||
3624 | "C:\Users\admin\Desktop\Payment Swift Copy HK LTGD #6736722.exe" | C:\Users\admin\Desktop\Payment Swift Copy HK LTGD #6736722.exe | Payment Swift Copy HK LTGD #6736722.exe | |
User: admin Company: PHIliPs Integrity Level: MEDIUM Description: PIRifOrm LTD Version: 1.00 | ||||
1912 | "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\Payment Swift Copy HK LTGD #6736722.exe" | C:\Program Files\Notepad++\notepad++.exe | explorer.exe | |
User: admin Company: Don HO [email protected] Integrity Level: MEDIUM Description: Notepad++ : a free (GNU) source code editor Exit code: 0 Version: 7.51 | ||||
3748 | "C:\Program Files\Notepad++\updater\gup.exe" -v7.51 | C:\Program Files\Notepad++\updater\gup.exe | notepad++.exe | |
User: admin Company: Don HO [email protected] Integrity Level: MEDIUM Description: GUP : a free (LGPL) Generic Updater Exit code: 0 Version: 4.1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3624 | Payment Swift Copy HK LTGD #6736722.exe | C:\Users\admin\AppData\Roaming\F63AAA\A71D80.lck | — | |
MD5:— | SHA256:— | |||
3624 | Payment Swift Copy HK LTGD #6736722.exe | C:\Users\admin\AppData\Roaming\F63AAA\A71D80.exe | executable | |
MD5:11A775B09526209FA1EF829042C34E4A | SHA256:CCB342A5293C4893089DB3EEE51056F54A88BD8695CD9C043624B5C1369F1505 | |||
2996 | WinRAR.exe | C:\Users\admin\Desktop\Payment Swift Copy HK LTGD #6736722.exe | executable | |
MD5:11A775B09526209FA1EF829042C34E4A | SHA256:CCB342A5293C4893089DB3EEE51056F54A88BD8695CD9C043624B5C1369F1505 | |||
3624 | Payment Swift Copy HK LTGD #6736722.exe | C:\Users\admin\AppData\Roaming\F63AAA\A71D80.hdb | text | |
MD5:5302B1B5EC232D44E2D9507FB847FC49 | SHA256:20B58A25872B1E3F7D47DAE0C090ACF229C49B6E33939934513499CC37BB2684 | |||
1912 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\session.xml | text | |
MD5:A8D78200679D57D072E78230E617800E | SHA256:3BC0E569B22343618299A53E6BEA804B4B3F5DF4A4BA04528080F34545AD6E3D | |||
1912 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\config.xml | xml | |
MD5:31401E84150FDD475E79C0F607AF1D50 | SHA256:AB20E3EAE7C4EF474F9C4C279BB5A94578E39EB2E363826065D3B037F367EC9D | |||
1912 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\stylers.xml | xml | |
MD5:44982E1D48434C0AB3E8277E322DD1E4 | SHA256:3E661D3F1FF3977B022A0ACC26B840B5E57D600BC03DCFC6BEFDB408C665904C | |||
3624 | Payment Swift Copy HK LTGD #6736722.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2f | dbf | |
MD5:18B8CFC0185C50383AAC0A4F30A9DAC8 | SHA256:913E8CED6A447FE791954D382ABA52D490513C5D2F689B391866C7E561F89A03 | |||
1912 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\langs.xml | xml | |
MD5:E792264BEC29005B9044A435FBA185AB | SHA256:5298FD2F119C43D04F6CF831F379EC25B4156192278E40E458EC356F9B49D624 | |||
1912 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\plugins\Config\converter.ini | text | |
MD5:F70F579156C93B097E656CABA577A5C9 | SHA256:B926498A19CA95DC28964B7336E5847107DD3C0F52C85195C135D9DD6CA402D4 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 104.107.210.17:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEBPqKHBb9OztDDZjCYBhQzY%3D | NL | der | 471 b | whitelisted |
3624 | Payment Swift Copy HK LTGD #6736722.exe | POST | — | 104.18.58.33:80 | http://hgplls.tk/dei/fre.php | US | — | — | malicious |
3624 | Payment Swift Copy HK LTGD #6736722.exe | POST | — | 104.18.58.33:80 | http://hgplls.tk/dei/fre.php | US | — | — | malicious |
— | — | GET | 200 | 104.107.210.17:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEAXk3DuUOKs7hZfLpqGYUOM%3D | NL | der | 727 b | whitelisted |
3624 | Payment Swift Copy HK LTGD #6736722.exe | POST | — | 104.18.58.33:80 | http://hgplls.tk/dei/fre.php | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3748 | gup.exe | 37.59.28.236:443 | notepad-plus-plus.org | OVH SAS | FR | whitelisted |
— | — | 104.107.210.17:80 | ocsp.usertrust.com | Akamai International B.V. | NL | whitelisted |
3624 | Payment Swift Copy HK LTGD #6736722.exe | 104.18.58.33:80 | hgplls.tk | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
hgplls.tk |
| malicious |
notepad-plus-plus.org |
| whitelisted |
ocsp.usertrust.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3624 | Payment Swift Copy HK LTGD #6736722.exe | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno) |
3624 | Payment Swift Copy HK LTGD #6736722.exe | A Network Trojan was detected | ET TROJAN LokiBot Checkin |
3624 | Payment Swift Copy HK LTGD #6736722.exe | Potentially Bad Traffic | ET POLICY HTTP Request to a *.tk domain |
3624 | Payment Swift Copy HK LTGD #6736722.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 |
3624 | Payment Swift Copy HK LTGD #6736722.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 |
3624 | Payment Swift Copy HK LTGD #6736722.exe | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2 |
3624 | Payment Swift Copy HK LTGD #6736722.exe | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno) |
3624 | Payment Swift Copy HK LTGD #6736722.exe | A Network Trojan was detected | ET TROJAN LokiBot Checkin |
3624 | Payment Swift Copy HK LTGD #6736722.exe | Potentially Bad Traffic | ET POLICY HTTP Request to a *.tk domain |
3624 | Payment Swift Copy HK LTGD #6736722.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 |
Process | Message |
---|---|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093
|