analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

082488136ab85f7925886cd5c5eaa452.zip

Full analysis: https://app.any.run/tasks/85fd2efb-d4a4-4862-a9d0-0fea70f72b66
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: September 30, 2020, 06:30:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
encrypted
opendir
exploit
CVE-2017-11882
loader
trojan
lokibot
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

2A155C176297A2640724E014709C9BCA

SHA1:

6125236E034E9D25D6EC01A76BC1FC0DA2B8D29D

SHA256:

899CEC2A92737DE8030EC075ED8DB56EE75D51D0FEA6642220DBD085B7B6838D

SSDEEP:

768:wFVEg//KIvIaKz7Q/UzNLuKhyHncOmu5LiEcISRNbiHVyUr4L+2Eex:wFIaeQ/UzFphytf5DDBHsUEFBx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • regasm.exe (PID: 464)
      • regasm.exe (PID: 2952)
    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3280)
    • Downloads executable files from the Internet

      • EQNEDT32.EXE (PID: 3280)
    • LOKIBOT was detected

      • regasm.exe (PID: 2952)
    • Connects to CnC server

      • regasm.exe (PID: 2952)
    • Actions looks like stealing of personal data

      • regasm.exe (PID: 2952)
  • SUSPICIOUS

    • Reads Internet Cache Settings

      • EQNEDT32.EXE (PID: 3280)
    • Executed via COM

      • EQNEDT32.EXE (PID: 3280)
    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 3280)
      • regasm.exe (PID: 2952)
    • Starts Microsoft Office Application

      • WinRAR.exe (PID: 2540)
    • Application launched itself

      • regasm.exe (PID: 464)
    • Loads DLL from Mozilla Firefox

      • regasm.exe (PID: 2952)
    • Creates files in the user directory

      • regasm.exe (PID: 2952)
  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 3740)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Deflated
ZipModifyDate: 2020:09:30 08:24:17
ZipCRC: 0x8db3e490
ZipCompressedSize: 39516
ZipUncompressedSize: 44544
ZipFileName: 082488136ab85f7925886cd5c5eaa452
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winrar.exe no specs excel.exe no specs eqnedt32.exe regasm.exe no specs #LOKIBOT regasm.exe

Process information

PID
CMD
Path
Indicators
Parent process
2540"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\082488136ab85f7925886cd5c5eaa452.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3740"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
3280"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
464"C:\Users\Public\regasm.exe" C:\Users\Public\regasm.exeEQNEDT32.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
drawableObjects
Exit code:
0
Version:
1.0.0.0
2952"{path}"C:\Users\Public\regasm.exe
regasm.exe
User:
admin
Integrity Level:
MEDIUM
Description:
drawableObjects
Version:
1.0.0.0
Total events
1 194
Read events
1 115
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
2
Text files
1
Unknown types
2

Dropped files

PID
Process
Filename
Type
2540WinRAR.exeC:\Users\admin\AppData\Local\Temp\__rzi_2540.28267
MD5:
SHA256:
3740EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRFCA1.tmp.cvr
MD5:
SHA256:
2952regasm.exeC:\Users\admin\AppData\Roaming\F63AAA\A71D80.lck
MD5:
SHA256:
2540WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIb2540.28393\082488136ab85f7925886cd5c5eaa452.xlsxbinary
MD5:082488136AB85F7925886CD5C5EAA452
SHA256:2D51931F30552018B86DB9CDCD36F9368CA3F10FD96E3DDDD060D43C88493DD7
3280EQNEDT32.EXEC:\Users\Public\regasm.exeexecutable
MD5:75F5331A77E2E152E0AA955C5DA5EFE6
SHA256:0C3572F66544D34A86AFF962081FEE6904569D791D6A7489AFDB645581197E24
3280EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\regasm[1].exeexecutable
MD5:75F5331A77E2E152E0AA955C5DA5EFE6
SHA256:0C3572F66544D34A86AFF962081FEE6904569D791D6A7489AFDB645581197E24
2952regasm.exeC:\Users\admin\AppData\Roaming\F63AAA\A71D80.exeexecutable
MD5:75F5331A77E2E152E0AA955C5DA5EFE6
SHA256:0C3572F66544D34A86AFF962081FEE6904569D791D6A7489AFDB645581197E24
2540WinRAR.exeC:\Users\admin\AppData\Local\Temp\082488136ab85f7925886cd5c5eaa452.zipcompressed
MD5:1342B6F923F6E8CE73D442362D74EBF5
SHA256:CDF1D70C75C77243040A335857D375D9A8D712A44B9650828E60B15E434BBE4F
2952regasm.exeC:\Users\admin\AppData\Roaming\F63AAA\A71D80.hdbtext
MD5:5302B1B5EC232D44E2D9507FB847FC49
SHA256:20B58A25872B1E3F7D47DAE0C090ACF229C49B6E33939934513499CC37BB2684
2952regasm.exeC:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2fdbf
MD5:18B8CFC0185C50383AAC0A4F30A9DAC8
SHA256:913E8CED6A447FE791954D382ABA52D490513C5D2F689B391866C7E561F89A03
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
5
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3280
EQNEDT32.EXE
GET
200
103.125.191.229:80
http://greenstdykegheedahatakankeadeshnaachgmz.duckdns.org/office360/regasm.exe
unknown
executable
613 Kb
malicious
2952
regasm.exe
POST
404
129.226.37.119:80
http://joovy.ga/rojas/gate.php
US
text
15 b
malicious
2952
regasm.exe
POST
404
129.226.37.119:80
http://joovy.ga/rojas/gate.php
US
binary
23 b
malicious
2952
regasm.exe
POST
404
129.226.37.119:80
http://joovy.ga/rojas/gate.php
US
binary
23 b
malicious
2952
regasm.exe
POST
404
129.226.37.119:80
http://joovy.ga/rojas/gate.php
US
text
15 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3280
EQNEDT32.EXE
103.125.191.229:80
greenstdykegheedahatakankeadeshnaachgmz.duckdns.org
malicious
2952
regasm.exe
129.226.37.119:80
joovy.ga
Unisys AsiaPac Intranet Access to Internet
US
malicious

DNS requests

Domain
IP
Reputation
greenstdykegheedahatakankeadeshnaachgmz.duckdns.org
  • 103.125.191.229
malicious
joovy.ga
  • 129.226.37.119
malicious

Threats

PID
Process
Class
Message
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3280
EQNEDT32.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .ga Domain
2952
regasm.exe
A Network Trojan was detected
ET TROJAN Trojan Generic - POST To gate.php with no referer
2952
regasm.exe
A Network Trojan was detected
ET TROJAN LokiBot User-Agent (Charon/Inferno)
2952
regasm.exe
A Network Trojan was detected
ET TROJAN LokiBot Checkin
2952
regasm.exe
Potentially Bad Traffic
ET INFO HTTP POST Request to Suspicious *.ga Domain
2952
regasm.exe
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
2952
regasm.exe
A Network Trojan was detected
MALWARE [PTsecurity] Loki Bot Check-in M2
2952
regasm.exe
A Network Trojan was detected
ET TROJAN Trojan Generic - POST To gate.php with no referer
2 ETPRO signatures available at the full report
No debug info