File name: Devil.exe

Full analysis: https://app.any.run/tasks/a5cccdf1-fd70-4144-aa3c-8a3b8e459acb
Verdict: Malicious activity
Threats:

LokiBot was developed in 2015 to steal information from a variety of applications. Despite its age, this malware is still rather popular among cybercriminals.

Analysis date: February 14, 2025, 11:10:40
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
lokibot
stealer
xor-url
generic
trojan
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: EB6BEBA0181A014AC8C0EC040CB1121A
SHA1: C45FF2A48A03E875BDAC3E8E528A83ECD900C7D7
SHA256: 9DB68864C946490FA9C681ABB57C3FB0EFF56F8C05DA181E0106AE1275D7B990
SSDEEP: 3072:PV1E4A9cWB6xRdPftMwOUnkjE0+uiiUGg:PV1E4YcWB6xRZfLnkjE0miUJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • LOKIBOT mutex has been found
      • Devil.exe (PID: 4724)
    • Actions look like stealing of personal data
      • Devil.exe (PID: 4724)
    • Lokibot is detected
      • Devil.exe (PID: 4724)
    • Scans artifacts that could help determine the target
      • Devil.exe (PID: 4724)
    • Steals credentials from Web Browsers
      • Devil.exe (PID: 4724)
    • XORed URL has been found (YARA)
      • Devil.exe (PID: 4724)
    • LOKIBOT has been detected (YARA)
      • Devil.exe (PID: 4724)
  • SUSPICIOUS
    • Reads security settings of Internet Explorer
      • Devil.exe (PID: 4724)
    • Executable content was dropped or overwritten
      • Devil.exe (PID: 4724)
  • INFO
    • Reads the computer name
      • Devil.exe (PID: 4724)
    • Reads Microsoft Office registry keys
      • Devil.exe (PID: 4724)
    • Checks supported languages
      • Devil.exe (PID: 4724)
    • Creates files or folders in the user directory
      • Devil.exe (PID: 4724)
    • Reads the machine GUID from the registry
      • Devil.exe (PID: 4724)

xor-url

(PID) Process: (4724) Devil.exe
Decrypted URLs (1): https://rottot.shop/Devil/PWS/fre.php

LokiBot

(PID) Process: (4724) Devil.exe
C2: https://rottot.shop/Devil/PWS/fre.php
Decoys (4):
kbfvzoboss.bid/alien/fre.php
alphastand.trade/alien/fre.php
alphastand.win/alien/fre.php
alphastand.top/alien/fre.php

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:06:23 16:04:21+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 79872
InitializedDataSize: 565760
UninitializedDataSize: -
EntryPoint: 0x139de
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
Total processes: 120
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Graph nodes (interactive graph in the full report): start, devil.exe (#XOR-URL), svchost.exe

Process information

PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Indicators: -
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

PID: 4724
CMD: "C:\Users\admin\Desktop\Devil.exe"
Path: C:\Users\admin\Desktop\Devil.exe
Indicators: xor-url, LokiBot (the same configuration as listed above: C2 https://rottot.shop/Devil/PWS/fre.php plus the four decoy URLs)
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\desktop\devil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
Total events: 1 518
Read events: 1 514
Write events: 4
Delete events: 0

Modification events

(PID) Process: (4724) Devil.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (4724) Devil.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (4724) Devil.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (4724) Devil.exe
Key: HKEY_CURRENT_USER\https://rottot.shop/Devil/PWS/fre.php
Operation: write
Name: F3F363
Value: %APPDATA%\F3F363\3C28B3.exe
Executable files: 1
Suspicious files: 15
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
4724 | Devil.exe | C:\Users\admin\AppData\Roaming\F3F363\3C28B3.exe | executable
MD5: EB6BEBA0181A014AC8C0EC040CB1121A
SHA256: 9DB68864C946490FA9C681ABB57C3FB0EFF56F8C05DA181E0106AE1275D7B990
4724 | Devil.exe | C:\Users\admin\AppData\Roaming\F3F363\3C28B3.lck | binary
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256: -
4724 | Devil.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\0f5007522459c86e95ffcc62f32308f1_bb926e54-e3ca-40fd-ae90-2764341e7792 | binary
MD5: D898504A722BFF1524134C6AB6A5EAA5
SHA256: 878F32F76B159494F5A39F9321616C6068CDB82E88DF89BCC739BBC1EA78E1F9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 19
DNS requests: 9
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.131:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
448 | svchost.exe | GET | 200 | 2.16.164.131:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5268 | RUXIMICS.exe | GET | 200 | 2.16.164.131:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5268 | RUXIMICS.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
448 | svchost.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
(Type and Size were not recorded for any request.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5268 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
448 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.164.131:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
5268 | RUXIMICS.exe | 2.16.164.131:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
448 | svchost.exe | 2.16.164.131:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 23.219.150.101:80 | www.microsoft.com | AKAMAI-AS | CL | whitelisted
5268 | RUXIMICS.exe | 23.219.150.101:80 | www.microsoft.com | AKAMAI-AS | CL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 4.231.128.59 | whitelisted
google.com | 142.250.186.46 | whitelisted
rottot.shop | - | malicious
crl.microsoft.com | 2.16.164.131, 2.16.164.112, 2.16.164.73, 2.16.164.120, 2.16.164.72, 2.16.164.107, 2.16.164.89, 2.16.164.26, 2.16.164.106 | whitelisted
www.microsoft.com | 23.219.150.101 | whitelisted
self.events.data.microsoft.com | 40.79.173.40 | whitelisted

Threats

No threats detected
No debug info