File name: | scan.01.doc |
Full analysis: | https://app.any.run/tasks/8e36e152-1b6b-44c0-8e65-8cec2bdeb121 |
Verdict: | Malicious activity |
Threats: | LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals. |
Analysis date: | January 23, 2019, 06:38:40 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, unknown version |
MD5: | C9DE90D1B067D29A673EA0DE9B36BA1E |
SHA1: | 15B830190CFB1442B929A19198AD905D80A8D67A |
SHA256: | 84276750AD6D01A700936B21073F1482025000153EF9D3E12AB23F416F5C39DB |
SSDEEP: | 96:um2GgOM5YnGACwplB6fKsh/8z6Qb3HoNYMFOav9s4yNK:XVgOMWnjB63/ijIYUsxK |
.rtf | | | Rich Text Format (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2944 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\scan.01.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3232 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
3020 | C:\Users\admin\AppData\Roaming\assat.exe | C:\Users\admin\AppData\Roaming\assat.exe | EQNEDT32.EXE | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
4000 | C:\Users\admin\AppData\Roaming\assat.exe | C:\Users\admin\AppData\Roaming\assat.exe | assat.exe | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
2944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8C77.tmp.cvr | — | |
MD5:— | SHA256:— | |||
4000 | assat.exe | C:\Users\admin\AppData\Roaming\F63AAA\A71D80.lck | — | |
MD5:— | SHA256:— | |||
2944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$can.01.doc | pgc | |
MD5:2C74812BEDC04725D14EF629FC2C17D8 | SHA256:B7DF1C4019E66195659A6EC06639BCB11E966414486BC3948C23723185413A7F | |||
3232 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat | dat | |
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862 | SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A | |||
3232 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\oztrsl[1].exe | executable | |
MD5:B9E04A9E4B38302A4DC5D338F9B5E839 | SHA256:F27EDC5686B570A2AB494CED480BD360F1707C9402100F585D2FD032FD040D92 | |||
3232 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\assat.exe | executable | |
MD5:B9E04A9E4B38302A4DC5D338F9B5E839 | SHA256:F27EDC5686B570A2AB494CED480BD360F1707C9402100F585D2FD032FD040D92 | |||
2944 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:E38C46694F93F7B7521B835043B365A5 | SHA256:80AFEF6DBF00D7FBBFE3A67DB00E4F9E36A0D1161385E0E185863FC6F10CEB00 | |||
3232 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@dropmybin[1].txt | text | |
MD5:87A1ADCF4684CDB23E6DCD506785108A | SHA256:B0F05B87DEFEC07CD6FB314D28C9D09F5834B1E6588FA02316F30AB31FCEC1A4 | |||
4000 | assat.exe | C:\Users\admin\AppData\Roaming\F63AAA\A71D80.hdb | text | |
MD5:5302B1B5EC232D44E2D9507FB847FC49 | SHA256:20B58A25872B1E3F7D47DAE0C090ACF229C49B6E33939934513499CC37BB2684 | |||
4000 | assat.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2f | dbf | |
MD5:18B8CFC0185C50383AAC0A4F30A9DAC8 | SHA256:913E8CED6A447FE791954D382ABA52D490513C5D2F689B391866C7E561F89A03 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3232 | EQNEDT32.EXE | GET | 301 | 104.27.151.26:80 | http://files.dropmybin.me/oztrsl.exe | US | — | — | malicious |
4000 | assat.exe | POST | — | 185.126.200.142:80 | http://tequakes.ru/five/fre.php | IR | — | — | malicious |
4000 | assat.exe | POST | — | 185.126.200.142:80 | http://tequakes.ru/five/fre.php | IR | — | — | malicious |
4000 | assat.exe | POST | — | 185.126.200.142:80 | http://tequakes.ru/five/fre.php | IR | — | — | malicious |
4000 | assat.exe | POST | — | 185.126.200.142:80 | http://tequakes.ru/five/fre.php | IR | — | — | malicious |
4000 | assat.exe | POST | — | 185.126.200.142:80 | http://tequakes.ru/five/fre.php | IR | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4000 | assat.exe | 185.126.200.142:80 | tequakes.ru | Tebyan-e-Noor Cultural-Artistic Institute | IR | malicious |
3232 | EQNEDT32.EXE | 104.27.151.26:443 | files.dropmybin.me | Cloudflare Inc | US | shared |
3232 | EQNEDT32.EXE | 104.27.151.26:80 | files.dropmybin.me | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
files.dropmybin.me |
| malicious |
tequakes.ru |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
4000 | assat.exe | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno) |
4000 | assat.exe | A Network Trojan was detected | ET TROJAN LokiBot Checkin |
4000 | assat.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 |
4000 | assat.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 |
4000 | assat.exe | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2 |
4000 | assat.exe | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno) |
4000 | assat.exe | A Network Trojan was detected | ET TROJAN LokiBot Checkin |
4000 | assat.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 |
4000 | assat.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 |
4000 | assat.exe | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2 |