File name: | URGENT_PURCHASE_ORDER.iso |
Full analysis: | https://app.any.run/tasks/b8cffbde-4f3b-474e-8d34-168663ab0dc2 |
Verdict: | Malicious activity |
Threats: | LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals. |
Analysis date: | April 15, 2019, 11:36:21 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-iso9660-image |
File info: | ISO 9660 CD-ROM filesystem data 'URGENT_PURCHASE_ORDER' |
MD5: | 509021604D8C9648046ACBDF6D55F4F6 |
SHA1: | 7B1CF38DCEA541A805A08CC585F7FE93A126662F |
SHA256: | B81BF76207DABD51F4C70158B606B6853986C4BF6D47E75F11F3D4D2C43B7B52 |
SSDEEP: | 6144:gIZmbSIK23Yqw9cA1cGj92z3LgKL4xRjSSYIinroX9oB5wp+lgg6/31Z:gBbHbYqw67Gpy3LghxJ+IwGM5wpMKH |
.iso | | | ISO 9660 CD image (27.6) |
---|---|---|
.atn | | | Photoshop Action (27.1) |
.gmc | | | Game Music Creator Music (6.1) |
VolumeSize: | 640 kB |
---|
VolumeModifyDate: | 2019:04:15 10:17:20.00+01:00 |
---|---|
VolumeCreateDate: | 2019:04:15 10:17:20.00+01:00 |
Software: | PowerISO |
RootDirectoryCreateDate: | 2019:04:15 10:17:20+01:00 |
VolumeBlockSize: | 2048 |
VolumeBlockCount: | 320 |
VolumeName: | URGENT_PURCHASE_ORDER |
System: | Win32 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2856 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\URGENT_PURCHASE_ORDER.iso" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
2840 | "C:\Users\admin\Desktop\URGENT_PURCHASE_ORDER.exe" | C:\Users\admin\Desktop\URGENT_PURCHASE_ORDER.exe | — | explorer.exe |
User: admin Company: alcATEl Integrity Level: MEDIUM Exit code: 0 Version: 1.00 | ||||
2792 | "C:\Users\admin\Desktop\URGENT_PURCHASE_ORDER.exe" | C:\Users\admin\Desktop\URGENT_PURCHASE_ORDER.exe | URGENT_PURCHASE_ORDER.exe | |
User: admin Company: alcATEl Integrity Level: MEDIUM Exit code: 0 Version: 1.00 | ||||
1436 | "C:\Users\admin\AppData\Local\Temp\objectAfgrsninger4.exe" | C:\Users\admin\AppData\Local\Temp\objectAfgrsninger4.exe | URGENT_PURCHASE_ORDER.exe | |
User: admin Company: alcATEl Integrity Level: MEDIUM Exit code: 0 Version: 1.00 | ||||
2572 | "C:\Users\admin\AppData\Local\Temp\objectAfgrsninger4.exe" | C:\Users\admin\AppData\Local\Temp\objectAfgrsninger4.exe | — | objectAfgrsninger4.exe |
User: admin Company: alcATEl Integrity Level: MEDIUM Exit code: 0 Version: 1.00 | ||||
3000 | "C:\Users\admin\AppData\Local\Temp\objectAfgrsninger4.exe" | C:\Users\admin\AppData\Local\Temp\objectAfgrsninger4.exe | objectAfgrsninger4.exe | |
User: admin Company: alcATEl Integrity Level: MEDIUM Version: 1.00 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3000 | objectAfgrsninger4.exe | C:\Users\admin\AppData\Roaming\03B51E\EE03AE.lck | — | |
MD5:— | SHA256:— | |||
2792 | URGENT_PURCHASE_ORDER.exe | C:\Users\admin\AppData\Local\Temp\objectAfgrsninger4.vbs | text | |
MD5:E1508AF85DEB6540B2EA0B8D8A497E89 | SHA256:3955025C00811CFE6EEAD2A4C8D8A17607EB033B0E3CED080D5BEDECAD04C16E | |||
2856 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2856.21000\URGENT_PURCHASE_ORDER.exe | executable | |
MD5:1FFBE3BBF231B230D602FBCD91963B13 | SHA256:6F38E2682C93AA775DA8EC2BA1E947358F89781E7FFE362BC2D1AB8060ED2AF4 | |||
2572 | objectAfgrsninger4.exe | C:\Users\admin\AppData\Local\Temp\~DF984F7CA2BE5DC59C.TMP | binary | |
MD5:E5AD6D9DBD53172DCCA03C592C039616 | SHA256:CC6F6E26F807E9ED9BA07A6D5FEEAB30C3A2EA36424304DB9148A9D1C78AB5DE | |||
2792 | URGENT_PURCHASE_ORDER.exe | C:\Users\admin\AppData\Local\Temp\~DFFD4299A0482DB5C4.TMP | binary | |
MD5:E5AD6D9DBD53172DCCA03C592C039616 | SHA256:CC6F6E26F807E9ED9BA07A6D5FEEAB30C3A2EA36424304DB9148A9D1C78AB5DE | |||
1436 | objectAfgrsninger4.exe | C:\Users\admin\AppData\Local\Temp\~DF748C214B97A61B8B.TMP | binary | |
MD5:E5AD6D9DBD53172DCCA03C592C039616 | SHA256:CC6F6E26F807E9ED9BA07A6D5FEEAB30C3A2EA36424304DB9148A9D1C78AB5DE | |||
2840 | URGENT_PURCHASE_ORDER.exe | C:\Users\admin\AppData\Local\Temp\~DF34628A174ABAA20A.TMP | binary | |
MD5:E5AD6D9DBD53172DCCA03C592C039616 | SHA256:CC6F6E26F807E9ED9BA07A6D5FEEAB30C3A2EA36424304DB9148A9D1C78AB5DE | |||
2792 | URGENT_PURCHASE_ORDER.exe | C:\Users\admin\AppData\Local\Temp\objectAfgrsninger4.exe | executable | |
MD5:AC2D5C6A6E95A6D37DBC76383DC1C29E | SHA256:1F71C7A2A7C038DF2431C5800FA56904D184F892E8D923D6625540AF44F4C30F | |||
3000 | objectAfgrsninger4.exe | C:\Users\admin\AppData\Roaming\03B51E\EE03AE.exe | executable | |
MD5:AC2D5C6A6E95A6D37DBC76383DC1C29E | SHA256:1F71C7A2A7C038DF2431C5800FA56904D184F892E8D923D6625540AF44F4C30F | |||
2572 | objectAfgrsninger4.exe | C:\Users\admin\AppData\Local\VirtualStore\Windows\win.ini | text | |
MD5:D2A2412BDDBA16D60EC63BD9550D933F | SHA256:79FF2254E38192BE1626D05BEC6C82E10C85E1CF91DF7440C4C443380A1E877A |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3000 | objectAfgrsninger4.exe | POST | — | 104.28.15.65:80 | http://tiwasavage.tk/anyi/fre.php | US | — | — | malicious |
3000 | objectAfgrsninger4.exe | POST | — | 104.28.15.65:80 | http://tiwasavage.tk/anyi/fre.php | US | — | — | malicious |
3000 | objectAfgrsninger4.exe | POST | — | 104.28.15.65:80 | http://tiwasavage.tk/anyi/fre.php | US | — | — | malicious |
3000 | objectAfgrsninger4.exe | POST | — | 104.28.15.65:80 | http://tiwasavage.tk/anyi/fre.php | US | — | — | malicious |
3000 | objectAfgrsninger4.exe | POST | — | 104.28.15.65:80 | http://tiwasavage.tk/anyi/fre.php | US | — | — | malicious |
3000 | objectAfgrsninger4.exe | POST | — | 104.28.15.65:80 | http://tiwasavage.tk/anyi/fre.php | US | — | — | malicious |
3000 | objectAfgrsninger4.exe | POST | — | 104.28.14.65:80 | http://tiwasavage.tk/anyi/fre.php | US | — | — | malicious |
3000 | objectAfgrsninger4.exe | POST | — | 104.28.15.65:80 | http://tiwasavage.tk/anyi/fre.php | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3000 | objectAfgrsninger4.exe | 104.28.15.65:80 | tiwasavage.tk | Cloudflare Inc | US | shared |
— | — | 104.28.15.65:80 | tiwasavage.tk | Cloudflare Inc | US | shared |
3000 | objectAfgrsninger4.exe | 104.28.14.65:80 | tiwasavage.tk | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
tiwasavage.tk |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3000 | objectAfgrsninger4.exe | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno) |
3000 | objectAfgrsninger4.exe | A Network Trojan was detected | ET TROJAN LokiBot Checkin |
3000 | objectAfgrsninger4.exe | Potentially Bad Traffic | ET POLICY HTTP Request to a *.tk domain |
3000 | objectAfgrsninger4.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 |
3000 | objectAfgrsninger4.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 |
3000 | objectAfgrsninger4.exe | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2 |
3000 | objectAfgrsninger4.exe | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno) |
3000 | objectAfgrsninger4.exe | A Network Trojan was detected | ET TROJAN LokiBot Checkin |
3000 | objectAfgrsninger4.exe | Potentially Bad Traffic | ET POLICY HTTP Request to a *.tk domain |
3000 | objectAfgrsninger4.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 |