File name: b25b3f389cd46e53173c783e7b69372b5dcd967218f2b2eeabcfe5b7b4355fad.exe
Full analysis: https://app.any.run/tasks/6e698a5c-f1a6-45f9-8ade-9e9ceb4b9d88
Verdict: Malicious activity
Threats:

LokiBot was developed in 2015 to steal information from a variety of applications. Despite its age, this malware is still popular among cybercriminals.

Analysis date: August 12, 2022, 23:08:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
lokibot
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 7A68642F2CEBA1013D722BE884B8ED78
SHA1: ABBDA006EE7F4767269DFA1E265EDF0D3E8FACAB
SHA256: B25B3F389CD46E53173C783E7B69372B5DCD967218F2B2EEABCFE5B7B4355FAD
SSDEEP: 6144:RkWcBHLErkDMmUdIoK6mnyVOSIN2nWPSkGwKVT6zEN6:+ZEreMduoK6mnyVvnHVT6zE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Steals credentials from Web Browsers

      • b25b3f389cd46e53173c783e7b69372b5dcd967218f2b2eeabcfe5b7b4355fad.exe (PID: 1420)
    • LOKIBOT detected by memory dumps

      • b25b3f389cd46e53173c783e7b69372b5dcd967218f2b2eeabcfe5b7b4355fad.exe (PID: 1420)
    • Connects to CnC server

      • b25b3f389cd46e53173c783e7b69372b5dcd967218f2b2eeabcfe5b7b4355fad.exe (PID: 1420)
    • LOKIBOT was detected

      • b25b3f389cd46e53173c783e7b69372b5dcd967218f2b2eeabcfe5b7b4355fad.exe (PID: 1420)
    • Drops an executable file immediately after start

      • b25b3f389cd46e53173c783e7b69372b5dcd967218f2b2eeabcfe5b7b4355fad.exe (PID: 1420)
    • Actions look like stealing of personal data

      • b25b3f389cd46e53173c783e7b69372b5dcd967218f2b2eeabcfe5b7b4355fad.exe (PID: 1420)
  • SUSPICIOUS

    • Checks supported languages

      • b25b3f389cd46e53173c783e7b69372b5dcd967218f2b2eeabcfe5b7b4355fad.exe (PID: 1420)
    • Reads the computer name

      • b25b3f389cd46e53173c783e7b69372b5dcd967218f2b2eeabcfe5b7b4355fad.exe (PID: 1420)
    • Loads DLL from Mozilla Firefox

      • b25b3f389cd46e53173c783e7b69372b5dcd967218f2b2eeabcfe5b7b4355fad.exe (PID: 1420)
    • Executable content was dropped or overwritten

      • b25b3f389cd46e53173c783e7b69372b5dcd967218f2b2eeabcfe5b7b4355fad.exe (PID: 1420)
    • Drops a file with a compile date too recent

      • b25b3f389cd46e53173c783e7b69372b5dcd967218f2b2eeabcfe5b7b4355fad.exe (PID: 1420)
  • INFO

    No info indicators.
Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ MATRIX in the full report

LokiBot

(PID) Process (1420): b25b3f389cd46e53173c783e7b69372b5dcd967218f2b2eeabcfe5b7b4355fad.exe
Decoys (4):
  • kbfvzoboss.bid/alien/fre.php
  • alphastand.trade/alien/fre.php
  • alphastand.win/alien/fre.php
  • alphastand.top/alien/fre.php
C2: http://198.187.30.47/p.php?id=17414649419491256
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: Special build
FileFlagsMask: 0x003f
ProductVersionNumber: 71.0.0.0
FileVersionNumber: 79.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 5
ImageVersion: -
OSVersion: 5
EntryPoint: 0xd420
UninitializedDataSize: -
InitializedDataSize: 6197248
CodeSize: 236032
LinkerVersion: 9
PEType: PE32
TimeStamp: 2021:02:16 20:37:26+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 16-Feb-2021 19:37:26
Detected languages:
  • Korean - Korea
Debug artifacts:
  • C:\huxilevuhigo-r.pdb

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 16-Feb-2021 19:37:26
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x000398FA | 0x00039A00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.9473
.data | 0x0003B000 | 0x005DBC54 | 0x00011C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.63997
.hes | 0x00617000 | 0x00000005 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.rsrc | 0x00618000 | 0x00005468 | 0x00005600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.97876

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.69421 | 1736 | UNKNOWN | Korean - Korea | RT_ICON
2 | 5.97423 | 1384 | UNKNOWN | Korean - Korea | RT_ICON
3 | 5.64986 | 4264 | UNKNOWN | Korean - Korea | RT_ICON
4 | 5.77993 | 2440 | UNKNOWN | Korean - Korea | RT_ICON
5 | 6.19519 | 1128 | UNKNOWN | Korean - Korea | RT_ICON
6 | 4.09164 | 304 | UNKNOWN | Korean - Korea | RT_CURSOR
7 | 2.5416 | 304 | UNKNOWN | Korean - Korea | RT_CURSOR
8 | 2.50404 | 240 | UNKNOWN | Korean - Korea | RT_CURSOR
9 | 1.59806 | 4264 | UNKNOWN | Korean - Korea | RT_CURSOR
10 | 2.97359 | 2216 | UNKNOWN | Korean - Korea | RT_CURSOR

Imports

KERNEL32.dll
USER32.dll
No data.
All screenshots are available in the full report
Total processes: 34
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> #LOKIBOT b25b3f389cd46e53173c783e7b69372b5dcd967218f2b2eeabcfe5b7b4355fad.exe

Process information

PID | CMD | Path | Indicators | Parent process
1420 | "C:\Users\admin\Downloads\b25b3f389cd46e53173c783e7b69372b5dcd967218f2b2eeabcfe5b7b4355fad.exe" | C:\Users\admin\Downloads\b25b3f389cd46e53173c783e7b69372b5dcd967218f2b2eeabcfe5b7b4355fad.exe | LokiBot | Explorer.EXE

User: admin
Integrity Level: MEDIUM
Exit code: 3221225477

LokiBot
(PID) Process (1420): b25b3f389cd46e53173c783e7b69372b5dcd967218f2b2eeabcfe5b7b4355fad.exe
Decoys (4):
  • kbfvzoboss.bid/alien/fre.php
  • alphastand.trade/alien/fre.php
  • alphastand.win/alien/fre.php
  • alphastand.top/alien/fre.php
C2: http://198.187.30.47/p.php?id=17414649419491256
Total events: 678
Read events: 674
Write events: 4
Delete events: 0

Modification events

(PID) Process: (1420) b25b3f389cd46e53173c783e7b69372b5dcd967218f2b2eeabcfe5b7b4355fad.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (1420) b25b3f389cd46e53173c783e7b69372b5dcd967218f2b2eeabcfe5b7b4355fad.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (1420) b25b3f389cd46e53173c783e7b69372b5dcd967218f2b2eeabcfe5b7b4355fad.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (1420) b25b3f389cd46e53173c783e7b69372b5dcd967218f2b2eeabcfe5b7b4355fad.exe
Key: HKEY_CURRENT_USER\<key path garbled in extraction>
Operation: write
Name: F63AAA
Value: %APPDATA%\F63AAA\A71D80.exe
Executable files: 1
Suspicious files: 1
Text files: 1
Unknown types: 2

Dropped files

PID | Process | Filename | Type
1420 | b25b3f389cd46e53173c783e7b69372b5dcd967218f2b2eeabcfe5b7b4355fad.exe | C:\Users\admin\AppData\Roaming\F63AAA\A71D80.exe | executable
  MD5: 7A68642F2CEBA1013D722BE884B8ED78
  SHA256: B25B3F389CD46E53173C783E7B69372B5DCD967218F2B2EEABCFE5B7B4355FAD
1420 | b25b3f389cd46e53173c783e7b69372b5dcd967218f2b2eeabcfe5b7b4355fad.exe | C:\Users\admin\AppData\Roaming\F63AAA\A71D80.lck | binary
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
1420 | b25b3f389cd46e53173c783e7b69372b5dcd967218f2b2eeabcfe5b7b4355fad.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2f | abr
  MD5: D898504A722BFF1524134C6AB6A5EAA5
  SHA256: 878F32F76B159494F5A39F9321616C6068CDB82E88DF89BCC739BBC1EA78E1F9
1420 | b25b3f389cd46e53173c783e7b69372b5dcd967218f2b2eeabcfe5b7b4355fad.exe | C:\Users\admin\AppData\Roaming\F63AAA\A71D80.hdb | text
  MD5: F93EEDDC7806D631C5E35AD6C33EB8AB
  SHA256: 32BA3839E8045109C78A62AE312130ADE9C8DE6EBD98FDA5BF394327D7A6AB43
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1420 | b25b3f389cd46e53173c783e7b69372b5dcd967218f2b2eeabcfe5b7b4355fad.exe | POST | | 198.187.30.47:80 | http://198.187.30.47/p.php?id=17414649419491256 | US | | | malicious
1420 | b25b3f389cd46e53173c783e7b69372b5dcd967218f2b2eeabcfe5b7b4355fad.exe | POST | | 198.187.30.47:80 | http://198.187.30.47/p.php?id=17414649419491256 | US | | | malicious
1420 | b25b3f389cd46e53173c783e7b69372b5dcd967218f2b2eeabcfe5b7b4355fad.exe | POST | | 198.187.30.47:80 | http://198.187.30.47/p.php?id=17414649419491256 | US | | | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1420 | b25b3f389cd46e53173c783e7b69372b5dcd967218f2b2eeabcfe5b7b4355fad.exe | 198.187.30.47:80 | | Namecheap, Inc. | US | malicious

DNS requests

No data

Threats

PID | Process | Class | Message
1420 | b25b3f389cd46e53173c783e7b69372b5dcd967218f2b2eeabcfe5b7b4355fad.exe | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno)
1420 | b25b3f389cd46e53173c783e7b69372b5dcd967218f2b2eeabcfe5b7b4355fad.exe | A Network Trojan was detected | ET TROJAN LokiBot Checkin
1420 | b25b3f389cd46e53173c783e7b69372b5dcd967218f2b2eeabcfe5b7b4355fad.exe | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno)
1420 | b25b3f389cd46e53173c783e7b69372b5dcd967218f2b2eeabcfe5b7b4355fad.exe | A Network Trojan was detected | ET TROJAN LokiBot Checkin
1420 | b25b3f389cd46e53173c783e7b69372b5dcd967218f2b2eeabcfe5b7b4355fad.exe | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno)
1420 | b25b3f389cd46e53173c783e7b69372b5dcd967218f2b2eeabcfe5b7b4355fad.exe | A Network Trojan was detected | ET TROJAN LokiBot Checkin
1420 | b25b3f389cd46e53173c783e7b69372b5dcd967218f2b2eeabcfe5b7b4355fad.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
1420 | b25b3f389cd46e53173c783e7b69372b5dcd967218f2b2eeabcfe5b7b4355fad.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
1420 | b25b3f389cd46e53173c783e7b69372b5dcd967218f2b2eeabcfe5b7b4355fad.exe | A Network Trojan was detected | ET TROJAN LokiBot Request for C2 Commands Detected M1
1420 | b25b3f389cd46e53173c783e7b69372b5dcd967218f2b2eeabcfe5b7b4355fad.exe | A Network Trojan was detected | ET TROJAN LokiBot Request for C2 Commands Detected M2
No debug info