File name: | 7518a561-9863-4190-7075-08d8247b0d84345d1b67-7480-e55c-270b-c411be9963a7.eml |
Full analysis: | https://app.any.run/tasks/7c2ed150-cf96-4588-9ccf-80014d75b91b |
Verdict: | Malicious activity |
Threats: | LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals. |
Analysis date: | July 13, 2020, 04:28:21 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | message/rfc822 |
File info: | RFC 822 mail, ASCII text, with CRLF line terminators |
MD5: | 1537A98D691B1B93303E112B678DADA1 |
SHA1: | C12372D9B0AF1D5DD0B587B6B02CCC811ED346B9 |
SHA256: | 9D16A5F07FF46439CC1E1040A70CC95E3EFD055C1FE8FCDB633F681D2614D364 |
SSDEEP: | 12288:hXFF3iaeDG6UL2EDVSD5RrqksprcnqNz2Fp:hXPvKHULJDwr0rcYo |
.eml | | | E-Mail message (Var. 5) (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1700 | "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\7518a561-9863-4190-7075-08d8247b0d84345d1b67-7480-e55c-270b-c411be9963a7.eml" | C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 | ||||
2684 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\324Z65B6\payment.iso" | C:\Program Files\WinRAR\WinRAR.exe | OUTLOOK.EXE | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
572 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2684.35810\payment.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2684.35810\payment.exe | — | WinRAR.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2368 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2684.35810\payment.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2684.35810\payment.exe | payment.exe | |
User: admin Integrity Level: MEDIUM | ||||
2392 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2684.35810\payment.exe" 2 2368 1091812 | C:\Users\admin\AppData\Local\Temp\Rar$EXa2684.35810\payment.exe | — | payment.exe |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
1700 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR733E.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1700 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\tmp7590.tmp | — | |
MD5:— | SHA256:— | |||
1700 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\324Z65B6\payment (2).iso\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
2368 | payment.exe | C:\Users\admin\AppData\Roaming\F63AAA\A71D80.lck | — | |
MD5:— | SHA256:— | |||
1700 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | |
MD5:4B4F241FEDEB7CC2EAEB4A9E3C2A8853 | SHA256:41811B292C9E11F050891D80C5CF2D43EF39380D99E1B617B7FE4D968A7AA5D0 | |||
1700 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:FD671FB5D7C341FCD324F1E603FB6613 | SHA256:157CCD2810083FE2B832E883335B483D0004D215350804381AC36430228EBDF3 | |||
2368 | payment.exe | C:\Users\admin\AppData\Roaming\F63AAA\A71D80.hdb | text | |
MD5:5302B1B5EC232D44E2D9507FB847FC49 | SHA256:20B58A25872B1E3F7D47DAE0C090ACF229C49B6E33939934513499CC37BB2684 | |||
1700 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\324Z65B6\payment (2).iso | gmc | |
MD5:0162BB7926EBD3AADE15DE5B84963EA5 | SHA256:EB607FDCEF5904620EE55C6B5ECCB0E346A2F21C2F8E58E0C88081ADEF3BC1C5 | |||
2368 | payment.exe | C:\Users\admin\AppData\Roaming\F63AAA\A71D80.exe | executable | |
MD5:E8D71994C54E4A7538F3BEAF6E2E8C1E | SHA256:CA9F6A11A9200CCDE207BA921AE6A6DFEF747F88934B90404E779A314EF92EA2 | |||
2684 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2684.35810\payment.exe | executable | |
MD5:E8D71994C54E4A7538F3BEAF6E2E8C1E | SHA256:CA9F6A11A9200CCDE207BA921AE6A6DFEF747F88934B90404E779A314EF92EA2 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1700 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
2368 | payment.exe | POST | 404 | 194.180.224.87:80 | http://mecharnise.ir/ea1/fre.php | unknown | text | 15 b | malicious |
2368 | payment.exe | POST | 404 | 194.180.224.87:80 | http://mecharnise.ir/ea1/fre.php | unknown | text | 15 b | malicious |
2368 | payment.exe | POST | 404 | 194.180.224.87:80 | http://mecharnise.ir/ea1/fre.php | unknown | binary | 23 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1700 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
2368 | payment.exe | 194.180.224.87:80 | mecharnise.ir | — | — | malicious |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
mecharnise.ir |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2368 | payment.exe | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno) |
2368 | payment.exe | A Network Trojan was detected | ET TROJAN LokiBot Checkin |
2368 | payment.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 |
2368 | payment.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 |
2368 | payment.exe | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2 |
2368 | payment.exe | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno) |
2368 | payment.exe | A Network Trojan was detected | ET TROJAN LokiBot Checkin |
2368 | payment.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 |
2368 | payment.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 |
2368 | payment.exe | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2 |