File name: | Purchase_Order0001505019.ace |
Full analysis: | https://app.any.run/tasks/e682dd78-4a8a-4124-ba74-e1fbc9277bd2 |
Verdict: | Malicious activity |
Threats: | LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals. |
Analysis date: | May 20, 2019, 12:18:42 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/octet-stream |
File info: | ACE archive data version 20, from Win/32, version 20 to extract, solid |
MD5: | 7AD273DC268D85F1B85E5494A807FDD5 |
SHA1: | FE9B8216314291AF4F7E1DDD0B8FB389278A1304 |
SHA256: | C3B65AEA57660CE05A100002500DC09DE71835F23A01FB588D537687D8CE4FF3 |
SSDEEP: | 6144:HIrrmDUFeN67HixjKROXoJF+LnMis9Qf5dA4jaTOap5YY:ofmgeN67HiEx2LzIeAYUOaPl |
.ace | | | ACE compressed archive (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2820 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Purchase_Order0001505019.ace" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2580 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2820.24752\Purchase_Order0001505019.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2820.24752\Purchase_Order0001505019.exe | WinRAR.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3900 | "C:\Windows\system32\nslookup.exe" | C:\Windows\system32\nslookup.exe | Purchase_Order0001505019.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: nslookup Exit code: 3221225477 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3312 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\laterconditions.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2580 | Purchase_Order0001505019.exe | C:\Users\admin\AppData\Local\Temp\nso421.tmp | — | |
MD5:— | SHA256:— | |||
3312 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9BAD.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3900 | nslookup.exe | C:\Users\admin\AppData\Roaming\F63AAA\A71D80.lck | — | |
MD5:— | SHA256:— | |||
2580 | Purchase_Order0001505019.exe | C:\Users\admin\AppData\Local\Temp\GetStartedAppList.targetsize-96.png | image | |
MD5:5867D059510B9734AD85AC456D606B05 | SHA256:92E19DA3DDF09C4EEB41F75BA6C4D5A471E2B75C354ED50A70F8B3C582440920 | |||
2820 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2820.24752\Purchase_Order0001505019.exe | executable | |
MD5:F858AC21B64A631E6FCC90565ED58AA3 | SHA256:81D48E7E19943F38F2FE0D4FF5E54C32BA2849E614FF92F03AE488E490A37127 | |||
2820 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2820.25110\Purchase_Order0001505019.exe | executable | |
MD5:F858AC21B64A631E6FCC90565ED58AA3 | SHA256:81D48E7E19943F38F2FE0D4FF5E54C32BA2849E614FF92F03AE488E490A37127 | |||
2580 | Purchase_Order0001505019.exe | C:\Users\admin\AppData\Local\Temp\idpehlog.cfg | text | |
MD5:74917F75F93D48BB05B48B5CFA185E88 | SHA256:365D34865AA4426970398053EC5776B5A28E5C6243B2CBB90EBCCBB6369696E0 | |||
3312 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:8971643E1C3E4868891839A34E713DD5 | SHA256:004AC9030B27B8C8DB0027ED10F50094A156E7C8C3BD7C4CE514960A2D21FE69 | |||
3312 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\laterconditions.rtf.LNK | lnk | |
MD5:A4117DC59F57BA3F360460FBB797BC07 | SHA256:2BC23E1FFE389A84D55D6EC89EA7491145A4A18C5571D11876E60DF999661274 | |||
2580 | Purchase_Order0001505019.exe | C:\Users\admin\AppData\Local\Temp\AppPackageBadgeLogo.scale-200_contrast-black.png | image | |
MD5:3E0604D1E8A71923A7C1712F4E4D641F | SHA256:FB211CA16725F640FC2E7454304F2C4DA34EDB3483D3065EA8C08758828BA9E7 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3900 | nslookup.exe | POST | 404 | 198.54.114.168:80 | http://kamatecpark.com/~zadmin/lmark/os2/link.php | US | html | 343 b | malicious |
3900 | nslookup.exe | POST | 404 | 198.54.114.168:80 | http://kamatecpark.com/~zadmin/lmark/os2/link.php | US | html | 343 b | malicious |
3900 | nslookup.exe | POST | 404 | 198.54.114.168:80 | http://kamatecpark.com/~zadmin/lmark/os2/link.php | US | html | 343 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3900 | nslookup.exe | 198.54.114.168:80 | kamatecpark.com | Namecheap, Inc. | US | malicious |
Domain | IP | Reputation |
---|---|---|
kamatecpark.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3900 | nslookup.exe | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno) |
3900 | nslookup.exe | A Network Trojan was detected | ET TROJAN LokiBot Checkin |
3900 | nslookup.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 |
3900 | nslookup.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 |
3900 | nslookup.exe | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2 |
3900 | nslookup.exe | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno) |
3900 | nslookup.exe | A Network Trojan was detected | ET TROJAN LokiBot Checkin |
3900 | nslookup.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 |
3900 | nslookup.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 |
3900 | nslookup.exe | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2 |