File name: OUTSTANDING PAYMENT.ZIP

Full analysis: https://app.any.run/tasks/1edc4ba2-ea5c-4dd3-b586-f181f9471b4a
Verdict: Malicious activity
Threats: LokiBot
LokiBot was developed in 2015 to steal information from a variety of applications. Despite its age, this malware is still rather popular among cybercriminals.

Analysis date: May 15, 2019, 11:48:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, lokibot
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: CA9F7C59FC9BA68EAE0A196936DA4E06
SHA1: 1DC1F160ACA9BD24C97C7B01AA2E2B385964CCCE
SHA256: AFFA90EE21FCCE39D771107551403C2536D695510A05A24D7976420B0A9CBB34
SSDEEP: 768:H3e6PgttxCLChI0hJH4ETKZK/jYE3O/xT5MTmoNKlfVA+yNx5nolqgtlE:HUphIOZNKZKblO/3ImuNolq0E

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • OUTLOOK.EXE (PID: 1924)
    • Application was dropped or rewritten from another process

      • scan docs-file018374_pdf.exe (PID: 2844)
      • scan docs-file018374_pdf.exe (PID: 2580)
    • Detected artifacts of LokiBot

      • scan docs-file018374_pdf.exe (PID: 2580)
    • Connects to CnC server

      • scan docs-file018374_pdf.exe (PID: 2580)
    • Actions look like stealing of personal data

      • scan docs-file018374_pdf.exe (PID: 2580)
  • SUSPICIOUS

    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 1924)
    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 1924)
      • scan docs-file018374_pdf.exe (PID: 2580)
    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 1924)
    • Uses IPCONFIG.EXE to discover IP address

      • sdiagnhost.exe (PID: 2408)
    • Executable content was dropped or overwritten

      • msdt.exe (PID: 2108)
      • scan docs-file018374_pdf.exe (PID: 2580)
    • Loads DLL from Mozilla Firefox

      • scan docs-file018374_pdf.exe (PID: 2580)
    • Application launched itself

      • scan docs-file018374_pdf.exe (PID: 2844)
  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3972)
      • iexplore.exe (PID: 284)
    • Application launched itself

      • iexplore.exe (PID: 2000)
      • iexplore.exe (PID: 2544)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3972)
    • Changes internet zones settings

      • iexplore.exe (PID: 2000)
      • iexplore.exe (PID: 2544)
    • Creates files in the user directory

      • iexplore.exe (PID: 3972)
      • iexplore.exe (PID: 2000)
    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 1924)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 284)
      • iexplore.exe (PID: 2544)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2544)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2544)
No Malware configuration.

TRiD
.zip | ZIP compressed archive (100)

EXIF (ZIP)

ZipFileName: OUTSTANDING PAYMENT (CORRECTED BANK DETAILS).msg
ZipUncompressedSize: 73216
ZipCompressedSize: 41068
ZipCRC: 0xf30761b5
ZipModifyDate: 2019:05:15 11:04:25
ZipCompression: Deflated
ZipBitFlag: 0x0003
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 54
Monitored processes: 13
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes shown in the graph, in graph order (per-process details are in the full report): winrar.exe, outlook.exe, iexplore.exe, iexplore.exe, msdt.exe, sdiagnhost.exe, ipconfig.exe, route.exe, iexplore.exe, iexplore.exe, winrar.exe, scan docs-file018374_pdf.exe, scan docs-file018374_pdf.exe (#LOKIBOT)

Process information

PID: 2920
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\OUTSTANDING PAYMENT.ZIP"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0
Modules (images):
  • c:\program files\winrar\winrar.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\comdlg32.dll

PID: 1924
CMD: "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\Desktop\OUTSTANDING PAYMENT (CORRECTED BANK DETAILS).msg"
Path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Outlook
Version: 14.0.6025.1000

PID: 2000
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.dropbox.com/s/0arxovuydr9xihw/scan%20docs-file018374_pdf.gz?dl=1
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: OUTLOOK.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3972
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2000 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 2108
CMD: -modal 197114 -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\admin\AppData\Local\Temp\NDFC5A5.tmp -ep NetworkDiagnosticsWeb
Path: C:\Windows\system32\msdt.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Diagnostics Troubleshooting Wizard
Exit code: 4294967295
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2408
CMD: C:\Windows\System32\sdiagnhost.exe -Embedding
Path: C:\Windows\System32\sdiagnhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Scripted Diagnostics Native Host
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 640
CMD: "C:\Windows\system32\ipconfig.exe" /all
Path: C:\Windows\system32\ipconfig.exe
Parent process: sdiagnhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: IP Configuration Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2820
CMD: "C:\Windows\system32\ROUTE.EXE" print
Path: C:\Windows\system32\ROUTE.EXE
Parent process: sdiagnhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: TCP/IP Route Command
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2544
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.dropbox.com/s/0arxovuydr9xihw/scan%20docs-file018374_pdf.gz?dl=1
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: OUTLOOK.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 284
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2544 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Total events: 3 482
Read events: 2 866
Write events: 590
Delete events: 26

Modification events

PID | Process | Key | Operation | Name | Value
2920 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | (empty)
2920 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | (empty)
2920 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | write | LanguageList | en-US
2920 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\OUTSTANDING PAYMENT.ZIP
2920 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
2920 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
2920 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
2920 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100
2920 | WinRAR.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | write | {0006F045-0000-0000-C000-000000000046} {000214FA-0000-0000-C000-000000000046} 0xFFFF | 0100000000000000C21AE42A140BD501
2920 | WinRAR.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | write | {0006F045-0000-0000-C000-000000000046} {000214EB-0000-0000-C000-000000000046} 0xFFFF | 010000000000000076DFE82A140BD501
Executable files: 3
Suspicious files: 10
Text files: 68
Unknown types: 11

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2920 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2920.44378\OUTSTANDING PAYMENT (CORRECTED BANK DETAILS).msg | - | - | -
1924 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR6579.tmp.cvr | - | - | -
2000 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico | - | - | -
1924 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | 89D08AFF8F513D41C11D97214F95316B | 2A52778D088CB63BCB6F50F318AA0800EB50249C6C8EA667A84AC403F07E4580
1924 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DE99FDC7.dat | image | E3E82F591A37BD37D06372EF12AC6C8F | 18CA98130A3DC028F4A28BC1D71D33933C4DCA629D241523B7E00A9016DF535D
2000 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | - | - | -
1924 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inf | text | 48DD6CAE43CE26B992C35799FCD76898 | 7BFE1F3691E2B4FB4D61FBF5E9F7782FBE49DA1342DBD32201C2CC8E540DBD1A
1924 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{CAE141F2-10BC-4474-BE3E-56CD94F5C488}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.png | image | 7D80C0A7E3849818695EAF4989186A3C | 72DC527D78A8E99331409803811CC2D287E812C008A1C869A6AEA69D7A44B597
3972 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | C2C3E9C34800410D364803BE01125546 | 7F623203CE784BF4FB357E65872DCDF508460F8FEBF0206609A47096DD6624EC
1924 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_WorkHours_1_7AAB734FC04FEA4A929645B444C37F15.dat | xml | 807EF0FC900FEB3DA82927990083D6E7 | 4411E7DC978011222764943081500FFF0E43CBF7CCD44264BD1AB6306CA68913
HTTP(S) requests: 6
TCP/UDP connections: 12
DNS requests: 9
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1924 | OUTLOOK.EXE | GET | - | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | - | - | whitelisted
2580 | scan docs-file018374_pdf.exe | POST | - | 47.254.173.224:80 | http://flmates.com/wp/Panel/fre.php | US | - | - | malicious
2580 | scan docs-file018374_pdf.exe | POST | - | 47.254.173.224:80 | http://flmates.com/wp/Panel/fre.php | US | - | - | malicious
2580 | scan docs-file018374_pdf.exe | POST | - | 47.254.173.224:80 | http://flmates.com/wp/Panel/fre.php | US | - | - | malicious
2000 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted
2544 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
980 | svchost.exe | 162.125.66.1:443 | www.dropbox.com | Dropbox, Inc. | DE | shared
284 | iexplore.exe | 162.125.66.6:443 | uc9899b65ea17938b465822ea656.dl.dropboxusercontent.com | Dropbox, Inc. | DE | shared
1924 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted
2544 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3972 | iexplore.exe | 162.125.66.6:443 | uc9899b65ea17938b465822ea656.dl.dropboxusercontent.com | Dropbox, Inc. | DE | shared
2000 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3972 | iexplore.exe | 162.125.66.1:443 | www.dropbox.com | Dropbox, Inc. | DE | shared
284 | iexplore.exe | 162.125.66.1:443 | www.dropbox.com | Dropbox, Inc. | DE | shared
- | - | 47.254.173.224:80 | flmates.com | Alibaba (China) Technology Co., Ltd. | US | suspicious
2580 | scan docs-file018374_pdf.exe | 47.254.173.224:80 | flmates.com | Alibaba (China) Technology Co., Ltd. | US | suspicious

DNS requests

Domain | IP | Reputation
config.messenger.msn.com | 64.4.26.155 | whitelisted
www.dropbox.com | 162.125.66.1 | shared
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
dns.msftncsi.com | 131.107.255.255 | shared
uc9899b65ea17938b465822ea656.dl.dropboxusercontent.com | 162.125.66.6 | malicious
flmates.com | 47.254.173.224 | malicious

Threats

PID | Process | Class | Message
980 | svchost.exe | Potential Corporate Privacy Violation | SUSPICIOUS [PTsecurity] Dropbox SSL Payload Request
284 | iexplore.exe | Potential Corporate Privacy Violation | SUSPICIOUS [PTsecurity] Dropbox SSL Payload Request
2580 | scan docs-file018374_pdf.exe | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno)
2580 | scan docs-file018374_pdf.exe | A Network Trojan was detected | ET TROJAN LokiBot Checkin
2580 | scan docs-file018374_pdf.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
2580 | scan docs-file018374_pdf.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
2580 | scan docs-file018374_pdf.exe | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2
2580 | scan docs-file018374_pdf.exe | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno)
2580 | scan docs-file018374_pdf.exe | A Network Trojan was detected | ET TROJAN LokiBot Checkin
2580 | scan docs-file018374_pdf.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
3 ETPRO signatures available at the full report
No debug info