File name: URGENT_PURCHASE_ORDER.iso
Full analysis: https://app.any.run/tasks/b8cffbde-4f3b-474e-8d34-168663ab0dc2
Verdict: Malicious activity
Threats: LokiBot, an information stealer developed in 2015 to steal information (chiefly stored credentials) from a variety of applications. Despite its age, this malware is still rather popular among cybercriminals.

Analysis date: April 15, 2019, 11:36:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags: trojan, lokibot
Indicators:
MIME: application/x-iso9660-image
File info: ISO 9660 CD-ROM filesystem data 'URGENT_PURCHASE_ORDER'
MD5: 509021604D8C9648046ACBDF6D55F4F6
SHA1: 7B1CF38DCEA541A805A08CC585F7FE93A126662F
SHA256: B81BF76207DABD51F4C70158B606B6853986C4BF6D47E75F11F3D4D2C43B7B52
SSDEEP: 6144:gIZmbSIK23Yqw9cA1cGj92z3LgKL4xRjSSYIinroX9oB5wp+lgg6/31Z:gBbHbYqw67Gpy3LghxJ+IwGM5wpMKH
Note that these hashes identify the ISO container that was submitted, not the executable inside it; the hashes of the extracted URGENT_PURCHASE_ORDER.exe and of the dropped objectAfgrsninger4.exe are listed under Dropped files below.

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process: objectAfgrsninger4.exe (PID: 2572), URGENT_PURCHASE_ORDER.exe (PID: 2792), URGENT_PURCHASE_ORDER.exe (PID: 2840), objectAfgrsninger4.exe (PID: 1436), objectAfgrsninger4.exe (PID: 3000)
    • LokiBot was detected: objectAfgrsninger4.exe (PID: 3000)
    • Connects to CnC server: objectAfgrsninger4.exe (PID: 3000)
    • LOKIBOT was detected: objectAfgrsninger4.exe (PID: 3000)
    • Changes the autorun value in the registry: objectAfgrsninger4.exe (PID: 1436)
    • Actions look like stealing of personal data: objectAfgrsninger4.exe (PID: 3000)
  • SUSPICIOUS
    • Application launched itself: objectAfgrsninger4.exe (PID: 2572), URGENT_PURCHASE_ORDER.exe (PID: 2840), objectAfgrsninger4.exe (PID: 1436)
    • Executable content was dropped or overwritten: WinRAR.exe (PID: 2856), objectAfgrsninger4.exe (PID: 3000), URGENT_PURCHASE_ORDER.exe (PID: 2792)
    • Reads the machine GUID from the registry: WinRAR.exe (PID: 2856)
    • Creates files in the user directory: objectAfgrsninger4.exe (PID: 3000)
  • INFO
    No info indicators.
Every C2 and credential-theft indicator is attributed to the last process in the chain (PID 3000). The earlier copies only re-launch themselves and drop files, the usual shape of a loader that hands the real payload to a child process; persistence (the autorun value) is written one hop earlier by PID 1436. PID 3000 is also the only process in the table below without an exit code, i.e. it was still running when the task ended.
No Malware configuration.

TRiD

.iso | ISO 9660 CD image (27.6)
.atn | Photoshop Action (27.1)
.gmc | Game Music Creator Music (6.1)

TRiD's near tie between ISO image and Photoshop Action is a false lead; the MIME type and the CD001 volume descriptor settle the format as ISO 9660.

EXIF

Composite
VolumeSize: 640 kB

ISO
VolumeModifyDate: 2019:04:15 10:17:20.00+01:00
VolumeCreateDate: 2019:04:15 10:17:20.00+01:00
Software: PowerISO
RootDirectoryCreateDate: 2019:04:15 10:17:20+01:00
VolumeBlockSize: 2048
VolumeBlockCount: 320
VolumeName: URGENT_PURCHASE_ORDER
System: Win32

The image was authored with PowerISO about an hour before submission (UTC+1 timestamps) and is only 320 blocks of 2048 bytes; the only payload that surfaces in this run is URGENT_PURCHASE_ORDER.exe, which WinRAR extracts from it.
No data.
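The EXIF block above shows what a static look at the image gives you before detonation. The following is an added example, not ANY.RUN code or the report's own tooling: a minimal ISO 9660 (ECMA-119) reader that pulls the same fields (volume name, block size and count, application identifier, creation date) straight from the primary volume descriptor at sector 16, lists the root directory, and flags the things that make a "purchase order" ISO worth blocking. Assumptions: plain ISO 9660 only (no Joliet or Rock Ridge names); the in-memory image built by build_sample_iso() is constructed to mimic this report (volume name, PowerISO application string, 2019-04-15 date, a single .EXE at the root) and is not the sample; the triage thresholds are my own choices.

```python
"""Added example: pre-detonation triage of an ISO lure (not ANY.RUN code or the report's own tooling)."""
import struct
from dataclasses import dataclass, field

SECTOR = 2048
# Extensions that have no business at the root of a "purchase order" image.
EXEC_EXT = {"EXE", "SCR", "COM", "PIF", "LNK", "VBS", "VBE", "JS", "JSE", "HTA", "BAT", "CMD", "WSF"}


def _both(fmt: str, n: int) -> bytes:
    """ECMA-119 stores integers little-endian followed by big-endian."""
    return struct.pack("<" + fmt, n) + struct.pack(">" + fmt, n)


def _dir_record(name: bytes, lba: int, length: int, flags: int) -> bytes:
    """One directory record: len, ext-attr, extent, size, date, flags, unit, gap, seq, name-len, name."""
    body = (bytes([0]) + _both("I", lba) + _both("I", length) + bytes(7)
            + bytes([flags, 0, 0]) + _both("H", 1) + bytes([len(name)]) + name)
    if len(name) % 2 == 0:
        body += b"\x00"                      # record length must be even
    return bytes([len(body) + 1]) + body


def build_sample_iso(volume: str, app: str, files: dict) -> bytes:
    """Constructed image: 16 system sectors, PVD at sector 16, terminator, root dir, file data."""
    root_lba, data_lba = 18, 19
    recs = [_dir_record(b"\x00", root_lba, SECTOR, 2), _dir_record(b"\x01", root_lba, SECTOR, 2)]
    data = b""
    for name, content in files.items():
        recs.append(_dir_record(name.encode("ascii"), data_lba + len(data) // SECTOR, len(content), 0))
        data += content.ljust(-(-len(content) // SECTOR) * SECTOR, b"\x00")
    pvd = bytearray(SECTOR)
    pvd[0], pvd[1:6], pvd[6] = 1, b"CD001", 1
    pvd[40:72] = volume.encode("ascii").ljust(32)
    pvd[80:88] = _both("I", data_lba + len(data) // SECTOR)   # volume space size (blocks)
    pvd[120:128] = _both("H", 1) + _both("H", 1)              # set size, sequence number
    pvd[128:132] = _both("H", SECTOR)                         # logical block size
    pvd[156:190] = _dir_record(b"\x00", root_lba, SECTOR, 2)  # root directory record
    pvd[574:702] = app.encode("ascii").ljust(128)             # application identifier
    pvd[813:830] = b"2019041510172000" + bytes([52])          # creation date; 52 = +01:00 (15-min units from 48)
    term = bytearray(SECTOR)
    term[0], term[1:6], term[6] = 255, b"CD001", 1
    return bytes(16 * SECTOR) + bytes(pvd) + bytes(term) + b"".join(recs).ljust(SECTOR, b"\x00") + data


@dataclass
class IsoSummary:
    volume: str
    application: str
    block_size: int
    block_count: int
    created: str
    entries: list = field(default_factory=list)   # (name, size, is_dir)


def parse_iso(image: bytes) -> IsoSummary:
    """Read the primary volume descriptor and list the root directory (plain ECMA-119)."""
    pvd = image[16 * SECTOR:17 * SECTOR]
    if len(pvd) < SECTOR or pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("no ISO 9660 primary volume descriptor at sector 16")
    block_size = struct.unpack_from("<H", pvd, 128)[0]
    d = pvd[813:830]
    tz = (d[16] - 48) * 15                      # offset from GMT in minutes
    created = (f"{d[0:4].decode()}-{d[4:6].decode()}-{d[6:8].decode()} "
               f"{d[8:10].decode()}:{d[10:12].decode()}:{d[12:14].decode()} "
               f"{'+' if tz >= 0 else '-'}{abs(tz) // 60:02d}:{abs(tz) % 60:02d}")
    summary = IsoSummary(pvd[40:72].decode("ascii", "replace").strip(),
                         pvd[574:702].decode("ascii", "replace").strip(),
                         block_size, struct.unpack_from("<I", pvd, 80)[0], created)
    root_lba, root_len = struct.unpack_from("<I", pvd, 158)[0], struct.unpack_from("<I", pvd, 166)[0]
    directory = image[root_lba * block_size:root_lba * block_size + root_len]
    off = 0
    while off < len(directory):
        rec_len = directory[off]
        if rec_len == 0:                        # records never straddle a block; skip padding
            off = (off // block_size + 1) * block_size
            continue
        rec = directory[off:off + rec_len]
        name = rec[33:33 + rec[32]]
        if name not in (b"\x00", b"\x01"):      # skip "." and ".."
            summary.entries.append((name.decode("ascii", "replace").split(";")[0],
                                    struct.unpack_from("<I", rec, 10)[0], bool(rec[25] & 2)))
        off += rec_len
    return summary


def triage(summary: IsoSummary) -> list:
    """Findings that justify blocking or detonating the image."""
    findings = []
    execs = [n for n, _, is_dir in summary.entries if not is_dir and n.rsplit(".", 1)[-1].upper() in EXEC_EXT]
    if execs:
        findings.append("executable content at image root: " + ", ".join(execs))
    if execs and len(summary.entries) == 1:
        findings.append("single-file image: the ISO exists only to smuggle that file past attachment filters")
    if summary.block_count * summary.block_size < 2 * 1024 * 1024:
        findings.append(f"tiny volume ({summary.block_count * summary.block_size // 1024} kB) sized for one file, not a disc")
    return findings
```

Point parse_iso() at the bytes of a real image and you get the volume name, the application that authored it and the root listing without mounting anything; the ISO of this report would return a 640 kB, PowerISO-built volume holding one .EXE, which triage() turns into three findings. The parser deliberately stops at the root directory: for a lure that is where the payload sits, and walking subdirectories adds nothing to the verdict.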
Total processes: 37
Monitored processes: 6
Malicious processes: 5
Suspicious processes: 0

Behavior graph (rendered as text; the interactive graph is in the full report)

start -> winrar.exe -> (drop and start) urgent_purchase_order.exe [no specs] -> urgent_purchase_order.exe -> objectafgrsninger4.exe -> objectafgrsninger4.exe [no specs] -> objectafgrsninger4.exe [#LOKIBOT]

Process information

PID   Command line                                                                               Path                                                          Parent process
2856  "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\URGENT_PURCHASE_ORDER.iso"   C:\Program Files\WinRAR\WinRAR.exe                            explorer.exe
      User: admin | Company: Alexander Roshal | Integrity level: MEDIUM | Description: WinRAR archiver | Exit code: 0 | Version: 5.60.0
2840  "C:\Users\admin\Desktop\URGENT_PURCHASE_ORDER.exe"                                         C:\Users\admin\Desktop\URGENT_PURCHASE_ORDER.exe              explorer.exe
      User: admin | Company: alcATEl | Integrity level: MEDIUM | Exit code: 0 | Version: 1.00
2792  "C:\Users\admin\Desktop\URGENT_PURCHASE_ORDER.exe"                                         C:\Users\admin\Desktop\URGENT_PURCHASE_ORDER.exe              URGENT_PURCHASE_ORDER.exe
      User: admin | Company: alcATEl | Integrity level: MEDIUM | Exit code: 0 | Version: 1.00
1436  "C:\Users\admin\AppData\Local\Temp\objectAfgrsninger4.exe"                                 C:\Users\admin\AppData\Local\Temp\objectAfgrsninger4.exe      URGENT_PURCHASE_ORDER.exe
      User: admin | Company: alcATEl | Integrity level: MEDIUM | Exit code: 0 | Version: 1.00
2572  "C:\Users\admin\AppData\Local\Temp\objectAfgrsninger4.exe"                                 C:\Users\admin\AppData\Local\Temp\objectAfgrsninger4.exe      objectAfgrsninger4.exe
      User: admin | Company: alcATEl | Integrity level: MEDIUM | Exit code: 0 | Version: 1.00
3000  "C:\Users\admin\AppData\Local\Temp\objectAfgrsninger4.exe"                                 C:\Users\admin\AppData\Local\Temp\objectAfgrsninger4.exe      objectAfgrsninger4.exe
      User: admin | Company: alcATEl | Integrity level: MEDIUM | Exit code: (none, still running) | Version: 1.00

All six processes ran as the user admin at MEDIUM integrity; no elevation was attempted or needed. The identical, meaningless version resource (Company alcATEl, version 1.00) on both the extracted URGENT_PURCHASE_ORDER.exe and the dropped objectAfgrsninger4.exe is a cheap pivot for hunting related samples.
Total events: 459
Read events: 427
Write events: 0
Delete events: 0

Modification events: no data

The summary records no registry write events even though the "changes the autorun value" indicator fired for PID 1436, so treat these counters as a summary rather than a complete record of registry changes; the full report is needed for the key and value that were set.

Executable files: 3
Suspicious files: 4
Text files: 7
Unknown types: 2

Dropped files

PID   Process                    Type        Filename
3000  objectAfgrsninger4.exe     (none)      C:\Users\admin\AppData\Roaming\03B51E\EE03AE.lck
                                             MD5 / SHA256: not recorded
2792  URGENT_PURCHASE_ORDER.exe  text        C:\Users\admin\AppData\Local\Temp\objectAfgrsninger4.vbs
                                             MD5: E1508AF85DEB6540B2EA0B8D8A497E89
                                             SHA256: 3955025C00811CFE6EEAD2A4C8D8A17607EB033B0E3CED080D5BEDECAD04C16E
2856  WinRAR.exe                 executable  C:\Users\admin\AppData\Local\Temp\Rar$DRa2856.21000\URGENT_PURCHASE_ORDER.exe
                                             MD5: 1FFBE3BBF231B230D602FBCD91963B13
                                             SHA256: 6F38E2682C93AA775DA8EC2BA1E947358F89781E7FFE362BC2D1AB8060ED2AF4
2572  objectAfgrsninger4.exe     binary      C:\Users\admin\AppData\Local\Temp\~DF984F7CA2BE5DC59C.TMP
                                             MD5: E5AD6D9DBD53172DCCA03C592C039616
                                             SHA256: CC6F6E26F807E9ED9BA07A6D5FEEAB30C3A2EA36424304DB9148A9D1C78AB5DE
2792  URGENT_PURCHASE_ORDER.exe  binary      C:\Users\admin\AppData\Local\Temp\~DFFD4299A0482DB5C4.TMP
                                             MD5: E5AD6D9DBD53172DCCA03C592C039616
                                             SHA256: CC6F6E26F807E9ED9BA07A6D5FEEAB30C3A2EA36424304DB9148A9D1C78AB5DE
1436  objectAfgrsninger4.exe     binary      C:\Users\admin\AppData\Local\Temp\~DF748C214B97A61B8B.TMP
                                             MD5: E5AD6D9DBD53172DCCA03C592C039616
                                             SHA256: CC6F6E26F807E9ED9BA07A6D5FEEAB30C3A2EA36424304DB9148A9D1C78AB5DE
2840  URGENT_PURCHASE_ORDER.exe  binary      C:\Users\admin\AppData\Local\Temp\~DF34628A174ABAA20A.TMP
                                             MD5: E5AD6D9DBD53172DCCA03C592C039616
                                             SHA256: CC6F6E26F807E9ED9BA07A6D5FEEAB30C3A2EA36424304DB9148A9D1C78AB5DE
2792  URGENT_PURCHASE_ORDER.exe  executable  C:\Users\admin\AppData\Local\Temp\objectAfgrsninger4.exe
                                             MD5: AC2D5C6A6E95A6D37DBC76383DC1C29E
                                             SHA256: 1F71C7A2A7C038DF2431C5800FA56904D184F892E8D923D6625540AF44F4C30F
3000  objectAfgrsninger4.exe     executable  C:\Users\admin\AppData\Roaming\03B51E\EE03AE.exe
                                             MD5: AC2D5C6A6E95A6D37DBC76383DC1C29E
                                             SHA256: 1F71C7A2A7C038DF2431C5800FA56904D184F892E8D923D6625540AF44F4C30F
2572  objectAfgrsninger4.exe     text        C:\Users\admin\AppData\Local\VirtualStore\Windows\win.ini
                                             MD5: D2A2412BDDBA16D60EC63BD9550D933F
                                             SHA256: 79FF2254E38192BE1626D05BEC6C82E10C85E1CF91DF7440C4C443380A1E877A

What to take from this list:
  • Three distinct hashes matter: the ISO (B81BF762...), the executable WinRAR extracts from it (6F38E268...), and the second-stage objectAfgrsninger4.exe (1F71C7A2...). The copy in Roaming\03B51E\EE03AE.exe is byte-identical to the Temp dropper.
  • The ~DF*.TMP files carry the same hash in all four loader processes, across both executables, so they are runtime scratch files rather than a unique payload.
  • objectAfgrsninger4.vbs is dropped next to the .exe but no wscript.exe or cscript.exe appears among the monitored processes, so this run does not show the script executing.
  • A <six hex>\<six hex>.exe copy under %APPDATA%\Roaming together with a .lck lock file is LokiBot's persistence layout; the directory and file names differ per infected machine, so hunt on the pattern, not on 03B51E\EE03AE.
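The Roaming\03B51E\EE03AE.exe drop above is the artifact a responder looks for on other hosts. The following is an added example, not ANY.RUN code or the report's own tooling: it walks a Roaming directory for the <six hex>\<six hex>.exe layout, hashes each candidate, records whether the matching .lck file exists, and annotates hashes that match the report's IOC. make_fixture() builds a throwaway directory tree with constructed placeholder files (not the real sample) so the hunt can run offline; on a live host you would pass Path of %APPDATA% (C:\Users\<name>\AppData\Roaming) instead. The regex and the decoy paths are my own choices.

```python
"""Added example: hunt a user profile for the persistence layout seen in the dropped-file list (not ANY.RUN code)."""
import hashlib
import re
import tempfile
from pathlib import Path

# LokiBot copies itself to %APPDATA%\<6 hex>\<6 hex>.exe beside a .lck file; this run used 03B51E\EE03AE.
HEX6 = re.compile(r"^[0-9A-Fa-f]{6}$")
# SHA-256 of objectAfgrsninger4.exe / EE03AE.exe from the report above (lower-cased for comparison).
KNOWN_SHA256 = {
    "1f71c7a2a7c038df2431c5800fa56904d184f892e8d923d6625540af44f4c30f": "LokiBot second stage from this report",
}


def hunt_roaming(roaming: Path) -> list:
    """Return every <hex6>\\<hex6>.exe under the Roaming directory with its hash and lock-file status."""
    hits = []
    for directory in sorted(p for p in roaming.iterdir() if p.is_dir() and HEX6.match(p.name)):
        for exe in sorted(directory.glob("*.exe")):
            if not HEX6.match(exe.stem):
                continue                      # hex directory but ordinary file name: not the pattern
            digest = hashlib.sha256(exe.read_bytes()).hexdigest()
            hits.append({
                "path": str(exe.relative_to(roaming)),
                "sha256": digest,
                "lock_file": exe.with_suffix(".lck").exists(),   # EE03AE.lck in the report
                "known_as": KNOWN_SHA256.get(digest),             # None for a hash not in the IOC list
            })
    return hits


def make_fixture() -> Path:
    """Constructed Roaming tree: one LokiBot-style layout plus two decoys that must not match."""
    root = Path(tempfile.mkdtemp(prefix="roaming_"))
    (root / "03B51E").mkdir()
    (root / "03B51E" / "EE03AE.exe").write_bytes(b"MZ" + b"\x00" * 62)   # placeholder bytes, not the sample
    (root / "03B51E" / "EE03AE.lck").write_bytes(b"")
    (root / "Microsoft" / "Windows").mkdir(parents=True)
    (root / "Microsoft" / "Windows" / "updater.exe").write_bytes(b"MZ")  # ordinary path, no hex pattern
    (root / "ABCDEF").mkdir()
    (root / "ABCDEF" / "readme.exe").write_bytes(b"MZ")                   # hex directory, non-hex file name
    return root


if __name__ == "__main__":
    for hit in hunt_roaming(make_fixture()):
        print(hit)
```

A hit with lock_file True and an unknown hash is still worth pulling: the layout survives recompilation while the hash does not. The hunt covers only the file side of persistence; the autorun value that the report attributes to PID 1436 is not shown on this page, so the corresponding Run-key check has to come from the full report.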
HTTP(S) requests: 8
TCP/UDP connections: 8
DNS requests: 2
Threats: 0 (the counter as shown on the page; the Threats table below lists ten Suricata alerts)

HTTP requests

PID   Process                 Method  HTTP code  IP               URL                                CN  Type  Size  Reputation  Count
3000  objectAfgrsninger4.exe  POST    (none)     104.28.15.65:80  http://tiwasavage.tk/anyi/fre.php  US  -     -     malicious   7
3000  objectAfgrsninger4.exe  POST    (none)     104.28.14.65:80  http://tiwasavage.tk/anyi/fre.php  US  -     -     malicious   1

No response code, content type or size is recorded for any of the eight POSTs, so either the C2 did not answer or the reply was not captured; the "malicious" reputation attaches to the URL and domain, not to the Cloudflare addresses.

Connections

PID   Process                 IP               Domain         ASN             CN  Reputation
3000  objectAfgrsninger4.exe  104.28.15.65:80  tiwasavage.tk  Cloudflare Inc  US  shared
3000  objectAfgrsninger4.exe  104.28.15.65:80  tiwasavage.tk  Cloudflare Inc  US  shared
3000  objectAfgrsninger4.exe  104.28.14.65:80  tiwasavage.tk  Cloudflare Inc  US  shared

DNS requests

Domain         IP                          Reputation
tiwasavage.tk  104.28.15.65, 104.28.14.65  malicious

Both addresses are Cloudflare shared infrastructure (reputation "shared"), so block on the domain and the /anyi/fre.php URL rather than on the IPs, which also front unrelated sites.

Threats (Suricata alerts; identical alerts collapsed with a hit count)

PID   Process                 Class                          Message                                                                 Hits
3000  objectAfgrsninger4.exe  A Network Trojan was detected  ET TROJAN LokiBot User-Agent (Charon/Inferno)                           2
3000  objectAfgrsninger4.exe  A Network Trojan was detected  ET TROJAN LokiBot Checkin                                               2
3000  objectAfgrsninger4.exe  Potentially Bad Traffic        ET POLICY HTTP Request to a *.tk domain                                 2
3000  objectAfgrsninger4.exe  A Network Trojan was detected  ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1  2
3000  objectAfgrsninger4.exe  A Network Trojan was detected  ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2  1
3000  objectAfgrsninger4.exe  A Network Trojan was detected  MALWARE [PTsecurity] Loki Bot Check-in M2                               1
8 ETPRO signatures available at the full report
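The alerts above fire on three layers of the same traffic: the hard-coded user-agent, the check-in/exfiltration POST shape, and the throwaway .tk domain. The following is an added example, not ANY.RUN code or an Emerging Threats rule: a small scorer over HTTP request records that reproduces that layering, so that the user-agent alone is conclusive while the weaker signals only produce hunting leads, and groups confident hits per process and host the way the report does. The user-agent string "Mozilla/4.08 (Charon; Inferno)" is the documented LokiBot value that the ET rule name refers to; the octet-stream POST heuristic, the TLD list and the weights are my own choices, and the log rows in sample_requests() are constructed (the eight check-ins copy the report's URL, the other two are invented decoys).

```python
"""Added example: turn the report's HTTP rows into a LokiBot check-in detector (not ANY.RUN code)."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Documented LokiBot user-agent; the ET rule "LokiBot User-Agent (Charon/Inferno)" matches it.
LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"
# Free TLDs heavily used for throwaway C2 (the report's domain is .tk): a weak signal on its own.
ABUSED_TLDS = {"tk", "ml", "ga", "cf", "gq"}


@dataclass
class HttpRequest:
    pid: int
    process: str
    method: str
    url: str
    user_agent: str = ""
    content_type: str = ""


def score_request(req: HttpRequest) -> tuple:
    """Score one request; >= 10 is a confident LokiBot check-in, 1..9 is a hunting lead."""
    parts = urlsplit(req.url)
    host = (parts.hostname or "").lower()
    tld = host.rsplit(".", 1)[-1]
    score, reasons = 0, []
    if req.user_agent == LOKIBOT_UA:
        score += 10
        reasons.append("LokiBot user-agent (Charon; Inferno)")
    if (req.method == "POST" and parts.path.lower().endswith(".php")
            and req.content_type.lower().startswith("application/octet-stream")):
        score += 4                              # heuristic weight, my choice
        reasons.append("binary POST to a PHP endpoint")
    if tld in ABUSED_TLDS:
        score += 2
        reasons.append(f"request to a .{tld} domain")
    if parts.scheme == "http":
        score += 1
        reasons.append("cleartext HTTP")
    return score, reasons


def detect(requests, threshold: int = 10) -> list:
    """One alert per (pid, process, host) with the beacon count, mirroring the report's grouping."""
    grouped = {}
    for req in requests:
        score, reasons = score_request(req)
        if score < threshold:
            continue
        key = (req.pid, req.process, (urlsplit(req.url).hostname or "").lower())
        entry = grouped.setdefault(key, {"count": 0, "reasons": set(), "max_score": 0})
        entry["count"] += 1
        entry["reasons"].update(reasons)
        entry["max_score"] = max(entry["max_score"], score)
    return [{"pid": pid, "process": proc, "host": host, "count": e["count"],
             "score": e["max_score"], "reasons": sorted(e["reasons"])}
            for (pid, proc, host), e in grouped.items()]


def sample_requests() -> list:
    """Constructed log rows: the eight check-ins from the report plus two non-LokiBot requests."""
    beacons = [HttpRequest(3000, "objectAfgrsninger4.exe", "POST", "http://tiwasavage.tk/anyi/fre.php",
                           LOKIBOT_UA, "application/octet-stream") for _ in range(8)]
    benign = HttpRequest(1234, "chrome.exe", "GET", "https://www.microsoft.com/en-us/",
                         "Mozilla/5.0 (Windows NT 6.1; Win64; x64)", "")
    lead = HttpRequest(4321, "chrome.exe", "POST", "http://example.tk/upload.php",
                       "Mozilla/5.0 (Windows NT 6.1; Win64; x64)", "multipart/form-data")
    return beacons + [benign, lead]


if __name__ == "__main__":
    for alert in detect(sample_requests()):
        print(alert)
    leads = [(r.url, score_request(r)[0]) for r in sample_requests() if 0 < score_request(r)[0] < 10]
    print("hunting leads:", leads)
```

Run against the constructed rows, detect() returns a single alert for PID 3000 to tiwasavage.tk with a count of 8, which is exactly what the HTTP requests table above shows; the decoy POST to another .tk host scores 3 and surfaces only as a lead. Keep the user-agent check exact rather than a substring match: the value is fixed in the malware, and loosening it is what produces false positives on legitimate Mozilla/4.0x clients.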
No debug info