analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

DHLJPG

Full analysis: https://app.any.run/tasks/029a5a0d-8509-48b5-b97d-3917f8ea2602
Verdict: Malicious activity
Threats:

LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals.

Malware Trends Tracker     >>>
Analysis date: October 14, 2019, 07:08:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
lokibot
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

DC015D6A9B77E2D532A12AFD774173F5

SHA1:

CA5A6F658073D377124D90E5EF17DF2C96F480B9

SHA256:

B115AE1D3626C421D33DB71BEA94FF1BE90011518B5C818DBC6886B8DDDDB7B9

SSDEEP:

6144:4mGIhZ/AYRibnVQae6rob6Y1R8sQGCvbccMxbCsxrQzYtFDVtANr9k+ZEhheqMTw:/FrCnVQx9b6IRQGCvYcibCs2zYtFK9k1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • DHLJPG.exe (PID: 1552)

    • Runs app for hidden code execution

      • DHLJPG.exe (PID: 1552)

    • LOKIBOT was detected

      • cmd.exe (PID: 3092)

    • Connects to CnC server

      • cmd.exe (PID: 3092)

    • Detected artifacts of LokiBot

      • cmd.exe (PID: 3092)

    • Application was dropped or rewritten from another process

      • cmd.exe (PID: 3092)

    • Actions looks like stealing of personal data

      • cmd.exe (PID: 3092)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • DHLJPG.exe (PID: 1552)
      • cmd.exe (PID: 3092)

    • Starts CMD.EXE for commands execution

      • DHLJPG.exe (PID: 1552)

    • Creates files in the user directory

      • DHLJPG.exe (PID: 1552)
      • cmd.exe (PID: 3092)

    • Loads DLL from Mozilla Firefox

      • cmd.exe (PID: 3092)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:12:15 23:24:46+01:00
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 186368
UninitializedDataSize: 2048
EntryPoint: 0x338f
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 15-Dec-2018 22:24:46
Detected languages:
  • English - United States

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000D8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 15-Dec-2018 22:24:46
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00006627
0x00006800
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.45178
.rdata
0x00008000
0x000014A2
0x00001600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.02518
.data
0x0000A000
0x0002AFF8
0x00000600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.03532
.ndata
0x00035000
0x00010000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x00045000
0x00002168
0x00002200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.29239

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.2992
830
UNKNOWN
English - United States
RT_MANIFEST
2
3.33849
1384
UNKNOWN
English - United States
RT_ICON
3
3.01447
744
UNKNOWN
English - United States
RT_ICON
4
2.88708
296
UNKNOWN
English - United States
RT_ICON
102
2.74309
184
UNKNOWN
English - United States
RT_DIALOG
103
2.21733
62
UNKNOWN
English - United States
RT_GROUP_ICON
104
2.6935
316
UNKNOWN
English - United States
RT_DIALOG
105
2.66174
256
UNKNOWN
English - United States
RT_DIALOG
107
2.62276
196
UNKNOWN
English - United States
RT_DIALOG
110
3.22336
872
UNKNOWN
English - United States
RT_BITMAP

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
ole32.dll
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start dhljpg.exe #LOKIBOT cmd.exe

Process information

PID
CMD
Path
Indicators
Parent process
1552"C:\Users\admin\AppData\Local\Temp\DHLJPG.exe" C:\Users\admin\AppData\Local\Temp\DHLJPG.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3092"C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe
DHLJPG.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
390
Read events
389
Write events
1
Delete events
0

Modification events

(PID) Process:(3092) cmd.exeKey:HKEY_CURRENT_USER\������Б������������ј�Ё������Г����М�Г���я��
Operation:writeName:F63AAA
Value:
%APPDATA%\F63AAA\A71D80.exe
Executable files
8
Suspicious files
1
Text files
12
Unknown types
3

Dropped files

PID
Process
Filename
Type
1552DHLJPG.exeC:\Users\admin\AppData\Roaming\USER\doinstall\strFormId\logo\resgen.exeexecutable
MD5:FE249E495E6AEFC8E5EFB832A69F3F57
SHA256:B8DE815C5403F6E050222D3951E4CE24D2786DB3E659A9BBC5C6B3E79B5127B7
1552DHLJPG.exeC:\Users\admin\AppData\Roaming\u2\mailto\connectt\DbgUrtMui.dllexecutable
MD5:59CEF37C54DEC0166472D7DB7DF56AFC
SHA256:F92E892E0AB61777CCC108D258C546C4CC4CC9034D0E766654A96FD7CBFBAABE
1552DHLJPG.exeC:\Users\admin\AppData\Roaming\credits\Database-Download.pngimage
MD5:841A3CA897ABCFDCE4F4CCA7B18C5147
SHA256:45E7D92CA18EDD736B1707923825348036A911C0D4708A8BD54C86CB1181B5D0
1552DHLJPG.exeC:\Users\admin\AppData\Local\Temp\torturing.dllexecutable
MD5:907EAD87C33CE048B2F9D8BF939920B2
SHA256:4B0B324AFA09F1F1227EDDED9839690895421DA80C6CEA780D5D1AFBF950112A
1552DHLJPG.exeC:\Users\admin\AppData\Local\Temp\namespace\CMAccept.exeexecutable
MD5:CE9EC29C6B19DCED820E0F2EEA7C5237
SHA256:980A535EF48369FA83FE881E232C3F12EA34C93B06178B53EE441A73D54D7F02
1552DHLJPG.exeC:\Users\admin\AppData\Roaming\USER\doinstall\strFormId\logo\formdesign.xmlxml
MD5:7210155DFD8259551A51688B4FA04BAE
SHA256:C5D4878FE9C46B5DAF0346DD8E17CAC5174E0076932038CA00EE6897E6DF3A5A
1552DHLJPG.exeC:\Users\admin\AppData\Local\Temp\namespace\pnm2ppa-ppa-networkingtext
MD5:7A3C1E9207735AD968206EDFDAE7961C
SHA256:2F13EC35F8F33BEEC9C6C80BDBB3E37BF4289FE2F13FECE44F74447C2DA38979
1552DHLJPG.exeC:\Users\admin\AppData\Roaming\USER\doinstall\strFormId\logo\x-google-video-pointer.xmlxml
MD5:8943A7F0D67FE70DA13AA31D8C5B32F8
SHA256:51CEF55D16D263466E4977204E30EF7C84C672F1C209D79906A8B1CE7E988E5E
1552DHLJPG.exeC:\Users\admin\AppData\Roaming\USER\doinstall\strFormId\logo\stlmaps.rgstext
MD5:E14A03DE0615DD3A31F13232FEF4F51F
SHA256:643CB1917524F69E8B55225667554F5A0AD22A762FDB873AEA0CCC10EB2D44D9
3092cmd.exeC:\Users\admin\AppData\Roaming\F63AAA\A71D80.lck
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
3
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3092
cmd.exe
POST
404
150.109.58.135:80
http://nucsquaremall.ga/~zadmin/lmark/ch/link.php
US
text
15 b
malicious
3092
cmd.exe
POST
404
150.109.58.135:80
http://nucsquaremall.ga/~zadmin/lmark/ch/link.php
US
text
15 b
malicious
3092
cmd.exe
POST
404
150.109.58.135:80
http://nucsquaremall.ga/~zadmin/lmark/ch/link.php
US
binary
23 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3092
cmd.exe
150.109.58.135:80
nucsquaremall.ga
US
malicious

DNS requests

Domain
IP
Reputation
nucsquaremall.ga
  • 150.109.58.135
malicious

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .ga Domain
3092
cmd.exe
A Network Trojan was detected
ET TROJAN LokiBot User-Agent (Charon/Inferno)
3092
cmd.exe
A Network Trojan was detected
ET TROJAN LokiBot Checkin
3092
cmd.exe
Potentially Bad Traffic
ET INFO HTTP POST Request to Suspicious *.ga Domain
3092
cmd.exe
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
3092
cmd.exe
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
3092
cmd.exe
A Network Trojan was detected
MALWARE [PTsecurity] Loki Bot Check-in M2
3092
cmd.exe
A Network Trojan was detected
ET TROJAN LokiBot User-Agent (Charon/Inferno)
3092
cmd.exe
A Network Trojan was detected
ET TROJAN LokiBot Checkin
3092
cmd.exe
Potentially Bad Traffic
ET INFO HTTP POST Request to Suspicious *.ga Domain
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
DHLJPG