analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

SWIFT COPY.pdf.exe

Full analysis: https://app.any.run/tasks/c3ca385f-4b82-4e45-b4e3-74786842e97e
Verdict: Malicious activity
Threats:

LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals.

Malware Trends Tracker     >>>
Analysis date: March 21, 2019, 14:53:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
lokibot
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

B1C299C24A59CA929E077C5E22D1D3F3

SHA1:

5810390E4D200D52998CB3A3CE3732604BEA21A6

SHA256:

8682DF8104337B21A5EC19279B4F7C51A199E53DBB77B5D5A73EA8EEDA545BA0

SSDEEP:

6144:uiPdbousfAyBlqKM98KrfuIRsehtQZUtQZ5ppKGPtQi:uiVrs4yj1KlhtQZUtQZ5/KGPtQi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Detected artifacts of LokiBot

      • SWIFT COPY.pdf.exe (PID: 1916)

    • LOKIBOT was detected

      • SWIFT COPY.pdf.exe (PID: 1916)

    • Connects to CnC server

      • SWIFT COPY.pdf.exe (PID: 1916)

    • Actions looks like stealing of personal data

      • SWIFT COPY.pdf.exe (PID: 1916)

  • SUSPICIOUS

    • Application launched itself

      • SWIFT COPY.pdf.exe (PID: 2920)

    • Loads DLL from Mozilla Firefox

      • SWIFT COPY.pdf.exe (PID: 1916)

    • Creates files in the user directory

      • SWIFT COPY.pdf.exe (PID: 1916)

    • Executable content was dropped or overwritten

      • SWIFT COPY.pdf.exe (PID: 1916)

  • INFO

    • Reads settings of System Certificates

      • explorer.exe (PID: 1696)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Microsoft Visual Basic 6 (90.6)
.exe | Win32 Executable (generic) (4.9)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

EXIF

EXE

OriginalFileName: MELOID.exe
InternalName: MELOID
ProductVersion: 9.07.0001
FileVersion: 9.07.0001
ProductName: cyberview
FileDescription: coalitions9
CompanyName: Diffusers2
Comments: ODDPUT
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 9.7.0.1
FileVersionNumber: 9.7.0.1
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 9.7
OSVersion: 4
EntryPoint: 0x13d0
UninitializedDataSize: -
InitializedDataSize: 16384
CodeSize: 1187840
LinkerVersion: 6
PEType: PE32
TimeStamp: 2005:07:24 12:56:00+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 24-Jul-2005 10:56:00
Detected languages:
  • English - United States
Comments: ODDPUT
CompanyName: Diffusers2
FileDescription: coalitions9
ProductName: cyberview
FileVersion: 9.07.0001
ProductVersion: 9.07.0001
InternalName: MELOID
OriginalFilename: MELOID.exe

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000B8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 24-Jul-2005 10:56:00
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00121864
0x00122000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
2.67302
.data
0x00123000
0x00000AB4
0x00001000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x00124000
0x00002E3E
0x00003000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.79338

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.31459
652
Unicode (UTF 16LE)
English - United States
RT_VERSION
30001
5.87829
7112
Unicode (UTF 16LE)
UNKNOWN
RT_ICON
30002
5.98376
3752
Unicode (UTF 16LE)
UNKNOWN
RT_ICON

Imports

MSVBVM60.DLL
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
32
Monitored processes
3
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start swift copy.pdf.exe no specs explorer.exe #LOKIBOT swift copy.pdf.exe

Process information

PID
CMD
Path
Indicators
Parent process
2920"C:\Users\admin\Desktop\SWIFT COPY.pdf.exe" C:\Users\admin\Desktop\SWIFT COPY.pdf.exeexplorer.exe
User:
admin
Company:
Diffusers2
Integrity Level:
MEDIUM
Description:
coalitions9
Exit code:
0
Version:
9.07.0001
1696C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1916C:\Users\admin\Desktop\SWIFT COPY.pdf.exe" C:\Users\admin\Desktop\SWIFT COPY.pdf.exe
SWIFT COPY.pdf.exe
User:
admin
Company:
Diffusers2
Integrity Level:
MEDIUM
Description:
coalitions9
Version:
9.07.0001
Total events
1 931
Read events
1 844
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
5
Text files
1
Unknown types
2

Dropped files

PID
Process
Filename
Type
1696explorer.exeC:\Users\admin\AppData\Local\Temp\CabE565.tmp
MD5:
SHA256:
1696explorer.exeC:\Users\admin\AppData\Local\Temp\TarE566.tmp
MD5:
SHA256:
1696explorer.exeC:\Users\admin\AppData\Local\Temp\CabE577.tmp
MD5:
SHA256:
1696explorer.exeC:\Users\admin\AppData\Local\Temp\TarE578.tmp
MD5:
SHA256:
1696explorer.exeC:\Users\admin\AppData\Local\Temp\CabE588.tmp
MD5:
SHA256:
1696explorer.exeC:\Users\admin\AppData\Local\Temp\TarE589.tmp
MD5:
SHA256:
1696explorer.exeC:\Users\admin\AppData\Local\Temp\CabE607.tmp
MD5:
SHA256:
1696explorer.exeC:\Users\admin\AppData\Local\Temp\TarE608.tmp
MD5:
SHA256:
1696explorer.exeC:\Users\admin\AppData\Local\Temp\CabE619.tmp
MD5:
SHA256:
1696explorer.exeC:\Users\admin\AppData\Local\Temp\TarE61A.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
6
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1696
explorer.exe
GET
200
205.185.216.42:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
US
compressed
55.2 Kb
whitelisted
1916
SWIFT COPY.pdf.exe
POST
404
185.62.103.193:80
http://hytexxi.xyz/soft/amasko/fre.php
RU
text
15 b
malicious
1916
SWIFT COPY.pdf.exe
POST
194.87.94.91:80
http://hytexxi.xyz/soft/amasko/fre.php
RU
malicious
1916
SWIFT COPY.pdf.exe
POST
404
185.62.103.193:80
http://hytexxi.xyz/soft/amasko/fre.php
RU
text
15 b
malicious
1916
SWIFT COPY.pdf.exe
POST
404
185.62.103.193:80
http://hytexxi.xyz/soft/amasko/fre.php
RU
binary
23 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1696
explorer.exe
205.185.216.42:80
www.download.windowsupdate.com
Highwinds Network Group, Inc.
US
whitelisted
1916
SWIFT COPY.pdf.exe
185.62.103.193:80
hytexxi.xyz
Start LLC
RU
malicious
1916
SWIFT COPY.pdf.exe
194.87.94.91:80
hytexxi.xyz
JSC Mediasoft ekspert
RU
malicious

DNS requests

Domain
IP
Reputation
www.download.windowsupdate.com
  • 205.185.216.42
  • 205.185.216.10
  • 205.185.216.10
  • 205.185.216.10
whitelisted
hytexxi.xyz
  • 185.62.103.193
  • 194.87.94.91
malicious

Threats

PID
Process
Class
Message
1916
SWIFT COPY.pdf.exe
A Network Trojan was detected
ET TROJAN LokiBot User-Agent (Charon/Inferno)
1916
SWIFT COPY.pdf.exe
A Network Trojan was detected
ET TROJAN LokiBot Checkin
1916
SWIFT COPY.pdf.exe
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
1916
SWIFT COPY.pdf.exe
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
1916
SWIFT COPY.pdf.exe
A Network Trojan was detected
MALWARE [PTsecurity] Loki Bot Check-in M2
1916
SWIFT COPY.pdf.exe
A Network Trojan was detected
ET TROJAN LokiBot User-Agent (Charon/Inferno)
1916
SWIFT COPY.pdf.exe
A Network Trojan was detected
ET TROJAN LokiBot Checkin
1916
SWIFT COPY.pdf.exe
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
1916
SWIFT COPY.pdf.exe
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
1916
SWIFT COPY.pdf.exe
A Network Trojan was detected
MALWARE [PTsecurity] Loki Bot Check-in M2
4 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
SWIFT COPY.pdf.exe