| File name: | vbc.exe |
| Full analysis: | https://app.any.run/tasks/20ed5e46-707b-4094-baa9-68b7c20493c3 |
| Verdict: | Malicious activity |
| Threats: | LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals. |
| Analysis date: | March 24, 2024, 16:29:24 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
| MD5: | 173CC49904C607C514E2F4A2054AACA0 |
| SHA1: | 0B185B7649C50D06A5D115A210AA3496ABF445C2 |
| SHA256: | 985D2A5F97ED03AE735C7F30F950846339D5FCE5C18491326EDEC9A8BE5CC509 |
| SSDEEP: | 6144:2kSHuLE2NhVVVVVVVVVCw03N0B3yAsFzMa5oBIr:2GhVVVVVVVVVCw03N0BCRFzMaz |
MALICIOUS
Drops the executable file immediately after the start
- vbc.exe (PID: 4008)
- vbc.exe (PID: 1692)
Steals credentials from Web Browsers
- vbc.exe (PID: 1692)
Lokibot is detected
- vbc.exe (PID: 1692)
- vbc.exe (PID: 1692)
LOKIBOT has been detected (YARA)
- vbc.exe (PID: 1692)
Actions looks like stealing of personal data
- vbc.exe (PID: 1692)
SUSPICIOUS
Application launched itself
- vbc.exe (PID: 4008)
Executable content was dropped or overwritten
- vbc.exe (PID: 4008)
- vbc.exe (PID: 1692)
Reads Mozilla Firefox installation path
- vbc.exe (PID: 1692)
Loads DLL from Mozilla Firefox
- vbc.exe (PID: 1692)
Reads the Internet Settings
- vbc.exe (PID: 1692)
Accesses Microsoft Outlook profiles
- vbc.exe (PID: 1692)
INFO
Create files in a temporary directory
- vbc.exe (PID: 4008)
Checks supported languages
- vbc.exe (PID: 4008)
- vbc.exe (PID: 1692)
Reads the computer name
- vbc.exe (PID: 4008)
- vbc.exe (PID: 1692)
Reads the machine GUID from the registry
- vbc.exe (PID: 1692)
Creates files or folders in the user directory
- vbc.exe (PID: 1692)
Manual execution by a user
- explorer.exe (PID: 848)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
LokiBot
(PID) Process(1692) vbc.exe
C2http://bauxx.xyz/mtk1/w2/fre.php
Decoys (4)kbfvzoboss.bid/alien/fre.php
alphastand.trade/alien/fre.php
alphastand.win/alien/fre.php
alphastand.top/alien/fre.php
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (37.3) |
| .dll | | | Win32 Dynamic Link Library (generic) (8.8) |
| .exe | | | Win32 Executable (generic) (6) |
| .exe | | | Generic Win/DOS Executable (2.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2020:08:01 02:42:47+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 25088 |
| InitializedDataSize: | 118784 |
| UninitializedDataSize: | 1024 |
| EntryPoint: | 0x3312 |
| OSVersion: | 4 |
| ImageVersion: | 6 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
Total processes
39
Monitored processes
3
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 848 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1692 | "C:\Users\admin\AppData\Local\Temp\vbc.exe" | C:\Users\admin\AppData\Local\Temp\vbc.exe | vbc.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
LokiBot(PID) Process(1692) vbc.exe C2http://bauxx.xyz/mtk1/w2/fre.php Decoys (4)kbfvzoboss.bid/alien/fre.php alphastand.trade/alien/fre.php alphastand.win/alien/fre.php alphastand.top/alien/fre.php | |||||||||||||||
| 4008 | "C:\Users\admin\AppData\Local\Temp\vbc.exe" | C:\Users\admin\AppData\Local\Temp\vbc.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
Total events
3 944
Read events
3 940
Write events
4
Delete events
0
Modification events
| (PID) Process: | (1692) vbc.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (1692) vbc.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (1692) vbc.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (1692) vbc.exe | Key: | HKEY_CURRENT_USER\http://bauxx.xyz/mtk1/w2/fre.php |
| Operation: | write | Name: | F63AAA |
Value: %APPDATA%\F63AAA\A71D80.exe | |||
Executable files
2
Suspicious files
3
Text files
0
Unknown types
1
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1692 | vbc.exe | C:\Users\admin\AppData\Roaming\F63AAA\A71D80.exe | executable | |
MD5:173CC49904C607C514E2F4A2054AACA0 | SHA256:985D2A5F97ED03AE735C7F30F950846339D5FCE5C18491326EDEC9A8BE5CC509 | |||
| 4008 | vbc.exe | C:\Users\admin\AppData\Local\Temp\vogrqihk.dll | executable | |
MD5:94D33E9281067F72A6E4F1DD967BAB7D | SHA256:2D8743291B8F338633AC2BCD5181C55F287196F6864680D4B23F1083F787D967 | |||
| 1692 | vbc.exe | C:\Users\admin\AppData\Roaming\F63AAA\A71D80.lck | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:— | |||
| 4008 | vbc.exe | C:\Users\admin\AppData\Local\Temp\hd9kkov4myl | binary | |
MD5:AF625B5163049A8553EBE9FC32BF90BE | SHA256:864F03B62E95AD7F7945D3028C714D396C12FE5B4494B6E1C138D6E9F0AEADF8 | |||
| 1692 | vbc.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2f | binary | |
MD5:D898504A722BFF1524134C6AB6A5EAA5 | SHA256:878F32F76B159494F5A39F9321616C6068CDB82E88DF89BCC739BBC1EA78E1F9 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
13
DNS requests
2
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
1692 | vbc.exe | 49.13.77.253:80 | bauxx.xyz | Hetzner Online GmbH | DE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
bauxx.xyz |
| unknown |
dns.msftncsi.com |
| shared |