General Info

File name

unpacked evil.exe

Full analysis
https://app.any.run/tasks/07d971b4-91fe-46a0-8db2-938ec63b3c22
Verdict
Malicious activity
Analysis date
4/15/2019, 16:27:07
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

installer

trojan

lokibot

opendir

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

82f88bab3f028448c8f4015093f5823e

SHA1

2d1c39ddd7bc6ff4be6ef7f145d59aa2cdc409e2

SHA256

c9ce69d2877ea4e225767d26f1d48132288ae1f233c919ba894a00236a005141

SSDEEP

24576:PgIewjZeYBaJ9iuhfyWhaq1mEsxr55iAZAQQZNCk5eb2KG1/UZBev:PRqkTWR10ViAyfZVYev

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
180 seconds
Additional time used
120 seconds
Fakenet option
off
Heavy Evasion option
on
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
off

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS / SUSPICIOUS / INFO
Changes the autorun value in the registry
  • unpacked evil.exe (PID: 3260)
Connects to CnC server
  • unpacked evil.exe (PID: 2896)
Detected artifacts of LokiBot
  • unpacked evil.exe (PID: 2896)
LOKIBOT was detected
  • unpacked evil.exe (PID: 2896)
Actions look like stealing of personal data
  • unpacked evil.exe (PID: 2896)
Executable content was dropped or overwritten
  • unpacked evil.exe (PID: 2896)
  • unpacked evil.exe (PID: 3260)
Loads DLL from Mozilla Firefox
  • unpacked evil.exe (PID: 2896)
Creates files in the user directory
  • unpacked evil.exe (PID: 2896)
Application launched itself
  • unpacked evil.exe (PID: 3260)

No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX in the full report

Static information

TRiD
  .exe  InstallShield setup (35.1%)
  .exe  Win32 EXE PECompact compressed (generic) (33.9%)
  .exe  Win32 Executable Delphi generic (11.5%)
  .scr  Windows screen saver (10.6%)
  .exe  Win32 Executable (generic) (3.6%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
1992:06:20 00:22:17+02:00
PEType:
PE32
LinkerVersion:
2.25
CodeSize:
742912
InitializedDataSize:
1003520
UninitializedDataSize:
null
EntryPoint:
0xb6af4
OSVersion:
4
ImageVersion:
null
SubsystemVersion:
4
Subsystem:
Windows GUI
FileVersionNumber:
1.99.0.1200
ProductVersionNumber:
1.0.0.0
FileFlagsMask:
0x003f
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
English (U.S.)
CharacterSet:
Windows, Latin1
CompanyName:
Heaventools Software
FileDescription:
PE Explorer
FileVersion:
1.99.0.1200
InternalName:
PE Explorer
LegalCopyright:
Copyright © 2000-2007 Heaventools Software
LegalTrademarks:
PE Explorer is a trademark of Heaventools Software
OriginalFileName:
pexplorer.exe
ProductName:
PE Explorer
ProductVersion:
1.0.0.0
Comments:
null
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
19-Jun-1992 22:22:17
Detected languages
English - United States
CompanyName:
Heaventools Software
FileDescription:
PE Explorer
FileVersion:
1.99.0.1200
InternalName:
PE Explorer
LegalCopyright:
Copyright © 2000-2007 Heaventools Software
LegalTrademarks:
PE Explorer is a trademark of Heaventools Software
OriginalFilename:
pexplorer.exe
ProductName:
PE Explorer
ProductVersion:
1.0.0.0
Comments:
null
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0050
Pages in file:
0x0002
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x000F
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x001A
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000100
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
9
Time date stamp:
19-Jun-1992 22:22:17
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00001000 0x000B48B0 0x000B4A00 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.59773
.itext 0x000B6000 0x00000B48 0x00000C00 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.16804
.data 0x000B7000 0x00003B1C 0x00003C00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 4.82844
.bss 0x000BB000 0x00003704 0x00000000 IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
.idata 0x000BF000 0x00002E2C 0x00003000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 4.41313
.tls 0x000C2000 0x00000034 0x00000000 IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
.rdata 0x000C3000 0x00000018 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 0.210826
.reloc 0x000C4000 0x0000C7D8 0x0000C800 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_DISCARDABLE,IMAGE_SCN_MEM_READ 0
.rsrc 0x000D1000 0x000E1980 0x000E1A00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 6.50136
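The DOS header, PE header and section table above are exactly what a parser reads to produce the fields and entropy values in this report. The script below is an added example, not part of the ANY.RUN report and not ANY.RUN's code: it builds a small constructed PE32 image (not the analysed sample; its e_lfanew, sizes and section contents are made up) and parses the same fields: e_lfanew, machine, TimeDateStamp, characteristics, linker version, subsystem and per-section Shannon entropy. It also flags two things a practitioner checks on a sample like this one. The timestamp 19-Jun-1992 22:22:17 (0x2A425E19) is the fixed value the Borland/Delphi linker writes into every binary it produces, so it is not a build time; together with linker version 2.25, the .itext and .tls sections and the DVCLAL/PACKAGEINFO resources it marks this as a Delphi-compiled executable, whatever the version resource says. The VERSIONINFO identity ("PE Explorer", Heaventools Software) is plain text copied into the resource section and never authenticates a file. The 7.0 entropy threshold is an assumption for illustration.

```python
import math
import struct
from datetime import datetime, timezone

DELPHI_STAMP = 0x2A425E19           # fixed TimeDateStamp written by the Borland/Delphi linker
IMAGE_FILE_MACHINE_I386 = 0x014C
COFF_FLAGS = {                      # IMAGE_FILE_* characteristics bits
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0020: "LARGE_ADDRESS_AWARE", 0x0080: "BYTES_REVERSED_LO",
    0x0100: "32BIT_MACHINE", 0x0200: "DEBUG_STRIPPED", 0x2000: "DLL", 0x8000: "BYTES_REVERSED_HI",
}
SECTION_FMT = "<8sIIIIIIHHI"        # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(buf: bytes) -> float:
    """Entropy in bits per byte, the same scale as the report's Entropy column."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Parse the DOS header, COFF header, a few optional-header fields and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, stamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic, link_major, link_minor = struct.unpack_from("<HBB", data, opt_off)
    subsystem = struct.unpack_from("<H", data, opt_off + 68)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr, _r, _l, _nr, _nl, sflags = struct.unpack_from(
            SECTION_FMT, data, opt_off + opt_size + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": raw_size,
                         "flags": sflags, "entropy": shannon_entropy(raw)})
    findings = []
    if stamp == DELPHI_STAMP:
        findings.append("TimeDateStamp is the fixed Delphi linker value, not a build time")
    if (link_major, link_minor) == (2, 25):
        findings.append("linker version 2.25 is typical of Delphi-compiled binaries")
    for s in sections:
        if s["raw_size"] and s["entropy"] > 7.0:   # assumed threshold for packed/compressed data
            findings.append(f"section {s['name']} has high entropy ({s['entropy']:.2f})")
    return {"machine": machine, "timestamp": stamp,
            "timestamp_utc": datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "characteristics": [v for k, v in COFF_FLAGS.items() if chars & k],
            "pe32_plus": magic == 0x20B, "linker": (link_major, link_minor),
            "subsystem": subsystem, "sections": sections, "findings": findings}


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 (not the analysed sample): Delphi-style COFF header, two sections."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                       # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    chars = 0x8000 | 0x0100 | 0x0080 | 0x0008 | 0x0004 | 0x0002 | 0x0001  # flags seen in the report
    struct.pack_into("<HHIIIHH", hdr, 0x44, IMAGE_FILE_MACHINE_I386, 2, DELPHI_STAMP, 0, 0, 0xE0, chars)
    opt = 0x58
    struct.pack_into("<HBB", hdr, opt, 0x10B, 2, 25)              # PE32 magic, linker 2.25
    struct.pack_into("<H", hdr, opt + 68, 2)                      # IMAGE_SUBSYSTEM_WINDOWS_GUI
    text = bytes((i * 73 + 11) % 256 for i in range(256))        # every byte value once: 8.0 bits
    data = bytes(256)                                             # all zeros: 0.0 bits
    sec = opt + 0xE0
    struct.pack_into(SECTION_FMT, hdr, sec, b".text", 256, 0x1000, 256, 0x200, 0, 0, 0, 0, 0x60000020)
    struct.pack_into(SECTION_FMT, hdr, sec + 40, b".data", 256, 0x2000, 256, 0x300, 0, 0, 0, 0, 0xC0000040)
    return bytes(hdr) + text + data


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(info["timestamp_utc"], info["linker"], info["characteristics"])
    for s in info["sections"]:
        print(f"{s['name']:8} VA=0x{s['va']:08X} raw=0x{s['raw_size']:X} entropy={s['entropy']:.5f}")
    for f in info["findings"]:
        print("finding:", f)
```

Run against the real file, the same parser reports nine sections, the 0x2A425E19 stamp and the 6.5 to 6.6 entropy of .text and .rsrc shown above; the fixed stamp means any "compiled in 1992" reasoning about age or provenance is meaningless for Delphi binaries.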
Resources
1

2

3

4

5

6

7

50

51

52

53

54

55

56

57

58

4075

4076

4077

4078

4079

4080

4081

4082

4083

4084

4085

4086

4087

4088

4089

4090

4091

4092

4093

4094

4095

4096

32761

32762

32763

32764

32765

32766

32767

BBABORT

BBALL

BBCANCEL

BBCLOSE

BBHELP

BBIGNORE

BBNO

BBOK

BBRETRY

BBYES

CDROM

CLOSEDFOLDER

CL_MPBACK

CL_MPEJECT

CL_MPNEXT

CL_MPPAUSE

CL_MPPLAY

CL_MPPREV

CL_MPRECORD

CL_MPSTEP

CL_MPSTOP

CURRENTFOLDER

DBEDIT

DBGARROW

DBINSERT

DBMULTIARROW

DBMULTIDOT

DBN_CANCEL

DBN_DELETE

DBN_EDIT

DBN_FIRST

DBN_INSERT

DBN_LAST

DBN_NEXT

DBN_POST

DBN_PRIOR

DBN_REFRESH

DI_MPBACK

DI_MPEJECT

DI_MPNEXT

DI_MPPAUSE

DI_MPPLAY

DI_MPPREV

DI_MPRECORD

DI_MPSTEP

DI_MPSTOP

EN_MPBACK

EN_MPEJECT

EN_MPNEXT

EN_MPPAUSE

EN_MPPLAY

EN_MPPREV

EN_MPRECORD

EN_MPSTEP

EN_MPSTOP

EXECUTABLE

FLOPPY

HARD

KNOWNFILE

NETWORK

OPENFOLDER

PREVIEWGLYPH

RAM

UNKNOWNFILE

DLGTEMPLATE

TEXTFILEDLG

DVCLAL

PACKAGEINFO

TLOGINDIALOG

TPASSWORDDIALOG

T__1353517389

T__1383855406

T__1384104787

T__1384110391

T__1385035948

T__1385115511

T__1385186323

T__1387408976

T__1387661527

T__2316136455

T__2316241824

T__2317169815

T__2317431140

T__2317501929

T__2318427509

T__2318503879

T__2321922211

T__2322026821

T__2322058208

T__2323176712

T__2324357254

T__2325515942

T__2325765323

T__2326841255

T__2355193370

T__2355264159

T__2355334948

T__2355451502

T__2356380252

T__2358935042

T__2360121165

T__2361053085

T__2361157695

T__2362417800

T__2365901317

T__2394264617

T__2394406977

T__2394477766

T__2395485320

T__2395593100

T__2395697710

T__2396773642

T__2397849574

T__2397920386

T__2397966128

MAINICON

Imports
    KERNEL32.DLL

    advapi32.dll

    comctl32.dll

    gdi32.dll

    ole32.dll

    oleaut32.dll

    SHFolder.dll

    user32.dll

    version.dll

Exports

    No exports.

Screenshots

Processes

Total processes
32
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

unpacked evil.exe (PID 3260) -> drop and start -> unpacked evil.exe (PID 2896) #LOKIBOT

Process information


PID
3260
CMD
"C:\Users\admin\Downloads\unpacked evil.exe"
Path
C:\Users\admin\Downloads\unpacked evil.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Heaventools Software
Description
PE Explorer
Version
1.99.0.1200
Modules
Image
c:\users\admin\downloads\unpacked evil.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\shell32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\olepro32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\apphelp.dll

PID
2896
CMD
"C:\Users\admin\Downloads\unpacked evil.exe"
Path
C:\Users\admin\Downloads\unpacked evil.exe
Indicators
Parent process
unpacked evil.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Heaventools Software
Description
PE Explorer
Version
1.99.0.1200
Modules
Image
c:\users\admin\downloads\unpacked evil.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\program files\mozilla firefox\nss3.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\api-ms-win-crt-runtime-l1-1-0.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\api-ms-win-core-timezone-l1-1-0.dll
c:\windows\system32\api-ms-win-core-file-l2-1-0.dll
c:\windows\system32\api-ms-win-core-localization-l1-2-0.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\api-ms-win-core-processthreads-l1-1-1.dll
c:\windows\system32\api-ms-win-core-file-l1-2-0.dll
c:\windows\system32\api-ms-win-crt-string-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-heap-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-stdio-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-convert-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-locale-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-math-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-time-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-filesystem-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-environment-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-utility-l1-1-0.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\api-ms-win-crt-multibyte-l1-1-0.dll
c:\program files\mozilla firefox\softokn3.dll
c:\program files\mozilla firefox\freebl3.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\vaultcli.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\userenv.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wshtcpip.dll

Registry activity

Total events
33
Read events
31
Write events
2
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
3260
unpacked evil.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Mozilla
C:\Users\admin\AppData\Local\Mozilla\MiniCalc.exe
2896
unpacked evil.exe
write
HKEY_CURRENT_USER\������В������і��Џ����Й��я��
F63AAA
%APPDATA%\F63AAA\A71D80.exe

Files activity

Executable files
2
Suspicious files
0
Text files
2
Unknown types
2

Dropped files

PID
Process
Filename
Type
2896
unpacked evil.exe
C:\Users\admin\AppData\Roaming\F63AAA\A71D80.exe
executable
MD5: 82f88bab3f028448c8f4015093f5823e
SHA256: c9ce69d2877ea4e225767d26f1d48132288ae1f233c919ba894a00236a005141
3260
unpacked evil.exe
C:\Users\admin\AppData\Local\Mozilla\MiniCalc.exe
executable
MD5: 82f88bab3f028448c8f4015093f5823e
SHA256: c9ce69d2877ea4e225767d26f1d48132288ae1f233c919ba894a00236a005141
2896
unpacked evil.exe
C:\Users\admin\AppData\Roaming\F63AAA\A71D80.hdb
text
MD5: 5302b1b5ec232d44e2d9507fb847fc49
SHA256: 20b58a25872b1e3f7d47dae0c090acf229c49b6e33939934513499cc37bb2684
2896
unpacked evil.exe
C:\Users\admin\AppData\Roaming\F63AAA\A71D80.lck
––
MD5:  ––
SHA256:  ––
2896
unpacked evil.exe
C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2f
dbf
MD5: 18b8cfc0185c50383aac0a4f30a9dac8
SHA256: 913e8ced6a447fe791954d382aba52d490513c5d2f689b391866c7e561f89a03
3260
unpacked evil.exe
C:\Users\admin\AppData\Local\Tek.png
text
MD5: f349e8f23a66f70dda8de80263cf4618
SHA256: 9edb39726a37c91aa0e351c92720d4c71eb05a454204f5d96391888fdbb8f384
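The process, registry and file records above form one persistence chain. PID 3260 copies itself to C:\Users\admin\AppData\Local\Mozilla\MiniCalc.exe and registers that path under HKEY_CURRENT_USER\...\CurrentVersion\Run as "Mozilla"; PID 2896 copies itself to %APPDATA%\F63AAA\A71D80.exe and writes a Run-style value pointing there (the key name of that second write is mis-encoded in the report and cannot be recovered). Both dropped executables carry the sample's own MD5 and SHA256, so they are byte-identical self-copies, not a second stage. PID 2896 also loads nss3.dll, softokn3.dll and freebl3.dll from the Firefox directory plus vaultcli.dll, the DLLs a stealer needs to decrypt saved browser logins and read Windows Credential Manager. The script below is an added example (not ANY.RUN's code and not part of the report): it runs a few correlation rules over constructed event records shaped after those report entries, keying on the value data path rather than the unreadable key name. The event shape, the assumed user profile used to expand %APPDATA%, and the rule names are mine.

```python
import re

# Constructed event records modelled on this report's process, registry, file and module
# records (PIDs, paths and hashes as in the report; the record shape itself is made up).
SAMPLE_MD5 = "82f88bab3f028448c8f4015093f5823e"
EVENTS = [
    {"type": "process", "pid": 3260, "ppid": None,
     "image": r"C:\Users\admin\Downloads\unpacked evil.exe", "md5": SAMPLE_MD5},
    {"type": "process", "pid": 2896, "ppid": 3260,
     "image": r"C:\Users\admin\Downloads\unpacked evil.exe", "md5": SAMPLE_MD5},
    {"type": "registry_write", "pid": 3260,
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Mozilla", "value": r"C:\Users\admin\AppData\Local\Mozilla\MiniCalc.exe"},
    {"type": "registry_write", "pid": 2896, "key": "<unreadable>",      # key name garbled in the report
     "name": "F63AAA", "value": r"%APPDATA%\F63AAA\A71D80.exe"},
    {"type": "file_drop", "pid": 2896,
     "path": r"C:\Users\admin\AppData\Roaming\F63AAA\A71D80.exe", "md5": SAMPLE_MD5},
    {"type": "file_drop", "pid": 3260,
     "path": r"C:\Users\admin\AppData\Local\Mozilla\MiniCalc.exe", "md5": SAMPLE_MD5},
    {"type": "file_drop", "pid": 2896,
     "path": r"C:\Users\admin\AppData\Roaming\F63AAA\A71D80.hdb", "md5": "5302b1b5ec232d44e2d9507fb847fc49"},
    {"type": "image_load", "pid": 2896, "module": r"c:\program files\mozilla firefox\nss3.dll"},
    {"type": "image_load", "pid": 2896, "module": r"c:\program files\mozilla firefox\softokn3.dll"},
    {"type": "image_load", "pid": 2896, "module": r"c:\windows\system32\vaultcli.dll"},
    {"type": "image_load", "pid": 2896, "module": r"c:\windows\system32\kernel32.dll"},
]

ENV = {"%APPDATA%": r"C:\Users\admin\AppData\Roaming",      # assumed profile for path expansion
       "%LOCALAPPDATA%": r"C:\Users\admin\AppData\Local"}
FIREFOX_DIR = "c:\\program files\\mozilla firefox\\"        # 32-bit OS, as in this sandbox
NSS_DLLS = {"nss3.dll", "softokn3.dll", "freebl3.dll", "mozglue.dll"}
CREDENTIAL_DLLS = {"vaultcli.dll"}                          # Credential Manager client API


def norm(path: str) -> str:
    """Expand the environment variables the report shows and lower-case for comparison."""
    for var, val in ENV.items():
        path = path.replace(var, val)
    return path.lower()


def is_appdata(path: str) -> bool:
    return re.search(r"\\users\\[^\\]+\\appdata\\", norm(path)) is not None


def correlate(events: list) -> list:
    """Link Run-key persistence, self-copies and credential-store DLL loads into findings."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    drops = {norm(e["path"]): e for e in events if e["type"] == "file_drop"}
    findings = []
    for e in events:
        if e["type"] == "registry_write":
            target = norm(e["value"])
            if e["key"].lower().endswith(r"\currentversion\run") and is_appdata(e["value"]):
                findings.append({"rule": "run_key_to_appdata", "pid": e["pid"], "path": target})
            if target in drops:   # works even when the key name is unreadable
                findings.append({"rule": "autorun_points_to_dropped_file", "pid": e["pid"], "path": target,
                                 "same_as_parent_image": drops[target]["md5"] == procs[e["pid"]]["md5"]})
        elif e["type"] == "file_drop":
            if e["path"].lower().endswith(".exe") and e["md5"] == procs[e["pid"]]["md5"]:
                rule = "self_copy_to_appdata" if is_appdata(e["path"]) else "self_copy"
                findings.append({"rule": rule, "pid": e["pid"], "path": norm(e["path"])})
        elif e["type"] == "image_load":
            mod = e["module"].lower()
            base = mod.rsplit("\\", 1)[-1]
            image = procs[e["pid"]]["image"].lower()
            if base in NSS_DLLS and not image.startswith(FIREFOX_DIR):
                findings.append({"rule": "nss_loaded_outside_firefox", "pid": e["pid"], "path": mod})
            elif base in CREDENTIAL_DLLS:
                findings.append({"rule": "credential_manager_api_loaded", "pid": e["pid"], "path": mod})
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"PID {f['pid']}: {f['rule']} {f['path']}")
```

The NSS rule is the one worth carrying into production telemetry (Sysmon image-load events): legitimate software almost never loads nss3.dll from the Firefox install directory, so a non-browser process doing it is a strong stealer indicator on its own.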

Find more information about the static content and download it in the full report

Network activity

HTTP(S) requests
4
TCP/UDP connections
4
DNS requests
1
Threats
29

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2896 | unpacked evil.exe | POST | –– | 104.168.194.179:80 | http://megajot.icu/panel/fre.php | US | binary | –– | malicious
2896 | unpacked evil.exe | POST | –– | 104.168.194.179:80 | http://megajot.icu/panel/fre.php | US | binary | –– | malicious
2896 | unpacked evil.exe | POST | –– | 104.168.194.179:80 | http://megajot.icu/panel/fre.php | US | binary | –– | malicious
2896 | unpacked evil.exe | POST | –– | 104.168.194.179:80 | http://megajot.icu/panel/fre.php | US | binary | –– | malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
2896 unpacked evil.exe 104.168.194.179:80 Hostwinds LLC. US malicious

DNS requests

Domain | IP | Reputation
megajot.icu | 104.168.194.179 | malicious

Threats

PID Process Class Message
–– –– Potentially Bad Traffic ET INFO DNS Query for Suspicious .icu Domain
2896 unpacked evil.exe A Network Trojan was detected ET TROJAN LokiBot User-Agent (Charon/Inferno)
2896 unpacked evil.exe A Network Trojan was detected ET TROJAN LokiBot Checkin
2896 unpacked evil.exe Potentially Bad Traffic ET INFO HTTP POST Request to Suspicious *.icu domain
2896 unpacked evil.exe A Network Trojan was detected ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
2896 unpacked evil.exe A Network Trojan was detected ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
2896 unpacked evil.exe A Network Trojan was detected MALWARE [PTsecurity] Loki Bot Check-in M2
2896 unpacked evil.exe A Network Trojan was detected ET TROJAN LokiBot User-Agent (Charon/Inferno)
2896 unpacked evil.exe A Network Trojan was detected ET TROJAN LokiBot Checkin
2896 unpacked evil.exe Potentially Bad Traffic ET INFO HTTP POST Request to Suspicious *.icu domain
2896 unpacked evil.exe A Network Trojan was detected ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
2896 unpacked evil.exe A Network Trojan was detected ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
2896 unpacked evil.exe A Network Trojan was detected MALWARE [PTsecurity] Loki Bot Check-in M2
2896 unpacked evil.exe A Network Trojan was detected ET TROJAN LokiBot User-Agent (Charon/Inferno)
2896 unpacked evil.exe A Network Trojan was detected ET TROJAN LokiBot Checkin
2896 unpacked evil.exe Potentially Bad Traffic ET INFO HTTP POST Request to Suspicious *.icu domain
2896 unpacked evil.exe A Network Trojan was detected ET TROJAN LokiBot Request for C2 Commands Detected M1
2896 unpacked evil.exe A Network Trojan was detected ET TROJAN LokiBot Request for C2 Commands Detected M2
2896 unpacked evil.exe A Network Trojan was detected MALWARE [PTsecurity] Loki Bot Check-in M2
2896 unpacked evil.exe A Network Trojan was detected ET TROJAN LokiBot User-Agent (Charon/Inferno)
2896 unpacked evil.exe A Network Trojan was detected ET TROJAN LokiBot Checkin
2896 unpacked evil.exe Potentially Bad Traffic ET INFO HTTP POST Request to Suspicious *.icu domain
2896 unpacked evil.exe A Network Trojan was detected ET TROJAN LokiBot Request for C2 Commands Detected M1
2896 unpacked evil.exe A Network Trojan was detected ET TROJAN LokiBot Request for C2 Commands Detected M2
2896 unpacked evil.exe A Network Trojan was detected MALWARE [PTsecurity] Loki Bot Check-in M2
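The four POSTs to http://megajot.icu/panel/fre.php and the repeated ET TROJAN hits above are LokiBot's check-in and exfiltration pattern: a binary body POSTed to a PHP gate script, sent with the hard-coded User-Agent "Mozilla/4.08 (Charon; Inferno)" that the "LokiBot User-Agent (Charon/Inferno)" signature matches. The Python below is an added example, not part of the report and not the ET or PTsecurity rules themselves: it parses raw HTTP requests and applies equivalent checks, so the same logic can be run over reassembled streams from the PCAP or over proxy logs. Two constructed requests are embedded inline, one shaped after this report's traffic (host, path and panel script taken from the report, the body bytes invented) and one ordinary browser GET. The suspicious-TLD list and the rule names are assumptions for illustration.

```python
SUSPICIOUS_TLDS = {"icu", "top", "xyz", "tk"}   # assumed list of cheap, commonly abused TLDs
LOKIBOT_UA_MARKERS = ("charon", "inferno")      # LokiBot's fixed User-Agent "Mozilla/4.08 (Charon; Inferno)"
PANEL_SCRIPTS = {"fre.php"}                      # C2 gate script seen in this report


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into request line, lower-cased headers and body."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def tld(host: str) -> str:
    """Last DNS label of a Host header value, ignoring any :port suffix."""
    return host.rsplit(":", 1)[0].rsplit(".", 1)[-1].lower()


def lokibot_checks(req: dict) -> list:
    """Return the names of the rules the request trips (empty list for clean traffic)."""
    h = req["headers"]
    alerts = []
    ua = h.get("user-agent", "").lower()
    if all(m in ua for m in LOKIBOT_UA_MARKERS):
        alerts.append("lokibot_user_agent")
    host = h.get("host", "")
    path = req["target"].split("?", 1)[0]
    is_post = req["method"] == "POST"
    if is_post and tld(host) in SUSPICIOUS_TLDS:
        alerts.append("post_to_suspicious_tld")
    if is_post and path.rsplit("/", 1)[-1].lower() in PANEL_SCRIPTS:
        alerts.append("post_to_panel_script")
    if is_post and h.get("content-type", "").startswith("application/octet-stream") and req["body"]:
        alerts.append("binary_post_body")
    return alerts


# Constructed sample traffic. Request 1 follows the report's host and path and LokiBot's
# known User-Agent; the body bytes are invented. Request 2 is an ordinary browser GET.
LOKIBOT_REQUEST = (
    b"POST /panel/fre.php HTTP/1.0\r\n"
    b"User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
    b"Host: megajot.icu\r\n"
    b"Accept: */*\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 8\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"\x12\x00\x27\x00\x00\x00\x00\x00"
)
BENIGN_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
    b"Chrome/73.0.3683.75 Safari/537.36\r\n"
    b"Accept: text/html\r\n"
    b"\r\n"
)


def scan(raw_requests: list) -> list:
    """Scan several raw requests; return (host, target, alerts) for those that trip a rule."""
    hits = []
    for raw in raw_requests:
        req = parse_http_request(raw)
        alerts = lokibot_checks(req)
        if alerts:
            hits.append((req["headers"].get("host", ""), req["target"], alerts))
    return hits


if __name__ == "__main__":
    for host, target, alerts in scan([LOKIBOT_REQUEST, BENIGN_REQUEST]):
        print(f"{host}{target}: {', '.join(alerts)}")
```

The User-Agent check alone is enough for this family, but it is also the cheapest thing for an operator to change; the POST-to-panel-script and binary-body rules keep catching rebuilt samples that only swap the UA string, at the cost of needing a host allow-list in a real deployment.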

4 ETPRO signatures available in the full report

Debug output strings

No debug info.