File name:

04f4042f2f96b4c74ec2b336905d469c.exe

Full analysis: https://app.any.run/tasks/faf7a4fa-07a9-4362-8fde-808155c77fae
Verdict: Malicious activity
Threats:

LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals.

Malware Trends Tracker     >>>
Analysis date: March 24, 2025, 17:26:03
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
lokibot
stealer
trojan
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:

04F4042F2F96B4C74EC2B336905D469C

SHA1:

4B917EF74B8B08C44D83C4DFE8F56A40E72CAD32

SHA256:

8AF2C5CBBD64BC20FC6B292A0DCFE5EFA795B1DD5DADD1C5F68933A7A81AE388

SSDEEP:

49152:ZOlkOBkcGScSh8BR7fx2Inrn1qp1gLU+Gzh58tNmK9ZKMrUzq8xUwM7B7YpfQuzR:QZkcQm8BR7fJgOLXGlMNmRzq8xHMl7YR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • LOKIBOT mutex has been found

      • dllhost.exe (PID: 7728)

    • Actions looks like stealing of personal data

      • dllhost.exe (PID: 7728)

    • Steals credentials from Web Browsers

      • dllhost.exe (PID: 7728)

    • Lokibot is detected

      • dllhost.exe (PID: 7728)

    • LOKIBOT has been detected (YARA)

      • dllhost.exe (PID: 7728)

    • Connects to the CnC server

      • dllhost.exe (PID: 7728)

    • LOKIBOT has been detected (SURICATA)

      • dllhost.exe (PID: 7728)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • dllhost.exe (PID: 7728)

    • Contacting a server suspected of hosting an CnC

      • dllhost.exe (PID: 7728)

  • INFO

    • The sample compiled with english language support

      • 04f4042f2f96b4c74ec2b336905d469c.exe (PID: 7672)
      • dllhost.exe (PID: 7728)

    • Reads mouse settings

      • 04f4042f2f96b4c74ec2b336905d469c.exe (PID: 7672)

    • Checks supported languages

      • 04f4042f2f96b4c74ec2b336905d469c.exe (PID: 7672)

    • Reads security settings of Internet Explorer

      • dllhost.exe (PID: 7728)

    • Reads Microsoft Office registry keys

      • dllhost.exe (PID: 7728)

    • Creates files or folders in the user directory

      • dllhost.exe (PID: 7728)

    • Reads the software policy settings

      • slui.exe (PID: 8128)

    • Checks proxy server information

      • slui.exe (PID: 8128)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

LokiBot

(PID) Process(7728) dllhost.exe
C2http://beesco.net/second/chief3/fre.php
Decoys (4)kbfvzoboss.bid/alien/fre.php
alphastand.trade/alien/fre.php
alphastand.win/alien/fre.php
alphastand.top/alien/fre.php
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2079:08:02 11:57:08+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 1605632
InitializedDataSize: 4096
UninitializedDataSize: 458752
EntryPoint: 0x1f8290
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (British)
CharacterSet: Unicode
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
127
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 04f4042f2f96b4c74ec2b336905d469c.exe no specs #LOKIBOT dllhost.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
7672"C:\Users\admin\Desktop\04f4042f2f96b4c74ec2b336905d469c.exe" C:\Users\admin\Desktop\04f4042f2f96b4c74ec2b336905d469c.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\04f4042f2f96b4c74ec2b336905d469c.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
7728"C:\WINDOWS\SysWOW64\dllhost.exe"C:\Windows\SysWOW64\dllhost.exe
04f4042f2f96b4c74ec2b336905d469c.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
LokiBot
(PID) Process(7728) dllhost.exe
C2http://beesco.net/second/chief3/fre.php
Decoys (4)kbfvzoboss.bid/alien/fre.php
alphastand.trade/alien/fre.php
alphastand.win/alien/fre.php
alphastand.top/alien/fre.php
8128C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
4 429
Read events
4 425
Write events
4
Delete events
0

Modification events

(PID) Process:(7728) dllhost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(7728) dllhost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(7728) dllhost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(7728) dllhost.exeKey:HKEY_CURRENT_USER\������Н�����ё��Ќ�����М�����Й��я��
Operation:writeName:F3F363
Value:
%APPDATA%\F3F363\3C28B3.exe
Executable files
1
Suspicious files
4
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
7728dllhost.exeC:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\0f5007522459c86e95ffcc62f32308f1_bb926e54-e3ca-40fd-ae90-2764341e7792binary
MD5:D898504A722BFF1524134C6AB6A5EAA5
SHA256:878F32F76B159494F5A39F9321616C6068CDB82E88DF89BCC739BBC1EA78E1F9
7728dllhost.exeC:\Users\admin\AppData\Roaming\F3F363\3C28B3.exeexecutable
MD5:61DF0FA6EF720DDB2C284349D848599F
SHA256:6947EC4CADE9C3F410AAFB1D30D9664F6CBDA797C983A1BC7A682006BB08A466
7728dllhost.exeC:\Users\admin\AppData\Roaming\F3F363\3C28B3.lckbinary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
7728dllhost.exeC:\Users\admin\AppData\Roaming\F3F363\3C28B3.hdbbinary
MD5:1013079A9BF8FFA458C230EA6AAF8A89
SHA256:1B1F3BCE8DF0FC7E33B518DAB09D09AF3680E39BCC3C760DADCC50C931007BE8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
25
DNS requests
7
Threats
18

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.48.23.166:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7728
dllhost.exe
POST
405
13.248.169.48:80
http://beesco.net/second/chief3/fre.php
unknown
malicious
7728
dllhost.exe
POST
405
13.248.169.48:80
http://beesco.net/second/chief3/fre.php
unknown
malicious
7728
dllhost.exe
POST
405
13.248.169.48:80
http://beesco.net/second/chief3/fre.php
unknown
malicious
7728
dllhost.exe
POST
405
13.248.169.48:80
http://beesco.net/second/chief3/fre.php
unknown
malicious
7728
dllhost.exe
POST
405
13.248.169.48:80
http://beesco.net/second/chief3/fre.php
unknown
malicious
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
20.83.72.98:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
23.48.23.166:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2112
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7728
dllhost.exe
13.248.169.48:80
beesco.net
AMAZON-02
US
malicious
4
System
192.168.100.255:137
whitelisted
7368
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
8128
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
google.com
  • 142.250.181.238
whitelisted
crl.microsoft.com
  • 23.48.23.166
  • 23.48.23.176
  • 23.48.23.162
  • 23.48.23.168
  • 23.48.23.183
  • 23.48.23.173
  • 23.48.23.164
  • 23.48.23.180
  • 23.48.23.169
whitelisted
beesco.net
  • 13.248.169.48
  • 76.223.54.146
malicious
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
7728
dllhost.exe
A Network Trojan was detected
ET MALWARE LokiBot User-Agent (Charon/Inferno)
7728
dllhost.exe
Malware Command and Control Activity Detected
ET MALWARE LokiBot Checkin
7728
dllhost.exe
A Network Trojan was detected
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
7728
dllhost.exe
A Network Trojan was detected
ET MALWARE LokiBot User-Agent (Charon/Inferno)
7728
dllhost.exe
Malware Command and Control Activity Detected
ET MALWARE LokiBot Checkin
7728
dllhost.exe
A Network Trojan was detected
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
7728
dllhost.exe
A Network Trojan was detected
ET MALWARE LokiBot User-Agent (Charon/Inferno)
7728
dllhost.exe
Malware Command and Control Activity Detected
ET MALWARE LokiBot Checkin
7728
dllhost.exe
Malware Command and Control Activity Detected
ET MALWARE LokiBot Request for C2 Commands Detected M1
7728
dllhost.exe
Malware Command and Control Activity Detected
ET MALWARE LokiBot Request for C2 Commands Detected M2
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
04f4042f2f96b4c74ec2b336905d469c.exe