File name: | New order#0093200.ace |
Full analysis: | https://app.any.run/tasks/fbba09a6-f7dd-4660-be8c-2ec98c5f70ae |
Verdict: | Malicious activity |
Threats: | LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals. |
Analysis date: | January 22, 2019, 21:19:37 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/octet-stream |
File info: | ACE archive data version 20, from Win/32, version 20 to extract, solid |
MD5: | 45F84A3212DAA421E66670F88508BCAD |
SHA1: | F4C31BD3C22E1708C316586D940B608A5F6A3913 |
SHA256: | AB49E35BF7B484958EA8104B3F348C160554824136C213539D22DB4DFC400A11 |
SSDEEP: | 6144:H/uGFQnV8x9/Bi9hiLbdkRVFIB3SBISH/euMZ:H/udn4+RQBCBPGjZ |
.ace | | | ACE compressed archive (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2976 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\New order#0093200.ace" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2736 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2976.847\New order#0093200.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2976.847\New order#0093200.exe | WinRAR.exe | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
2976 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2976.847\New order#0093200.exe | executable | |
MD5:17CC710C4892944BE52CAB3943695324 | SHA256:3FF07CF495A252567F937FF245DAF4DFA1CB82CABE039017430A5B963EDC6242 | |||
2736 | New order#0093200.exe | C:\Users\admin\AppData\Local\Temp\nssA123.tmp\InstallOptions.dll | executable | |
MD5:8D5A5529462A9BA1AC068EE0502578C7 | SHA256:E625DCD0188594B1289891B64DEBDDEB5159ACA182B83A12675427B320BF7790 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | POST | 404 | 193.238.47.115:80 | http://ivytechbulk.com/atoz/encode.php | unknown | text | 15 b | malicious |
— | — | POST | 404 | 193.238.47.115:80 | http://ivytechbulk.com/atoz/encode.php | unknown | binary | 23 b | malicious |
— | — | POST | 404 | 193.238.47.115:80 | http://ivytechbulk.com/atoz/encode.php | unknown | binary | 23 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 193.238.47.115:80 | ivytechbulk.com | — | — | malicious |
Domain | IP | Reputation |
---|---|---|
ivytechbulk.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno) |
— | — | A Network Trojan was detected | ET TROJAN LokiBot Checkin |
— | — | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 |
— | — | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 |
— | — | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2 |
— | — | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno) |
— | — | A Network Trojan was detected | ET TROJAN LokiBot Checkin |
— | — | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 |
— | — | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 |
— | — | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2 |