File name: Order A0185.iso

Full analysis: https://app.any.run/tasks/21c5f6aa-d129-430f-b0e5-c0236effc67c
Verdict: Malicious activity
Threats:

LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals.

Analysis date: March 22, 2019, 04:07:29
OS: Windows 10 Professional (build: 16299, 64 bit)
Tags: trojan, lokibot
Indicators:
MIME: application/x-iso9660-image
File info: ISO 9660 CD-ROM filesystem data 'Order A0185'
MD5: 3D04EBC2BABB09037B5327F2D8F2FC8F
SHA1: 7F389F17F7BFD7B9349AD4D0846ED4414DC21333
SHA256: E2FEDB9D60CB4E34430200545788C65CB68EC2907448EC67F916A3493E460771
SSDEEP: 3072:J4WK3NFEzmy0vYFvZt1i116Gzm0qt9jGMJnloC6BVZobcTHcTNXOUfl76ci:JfK3NFUvz1a16ooLfA6YT8TNpHi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Order A0185.com (PID: 3164)
      • Order A0185.com (PID: 1840)
    • LOKIBOT was detected
      • Order A0185.com (PID: 1840)
    • Detected artifacts of LokiBot
      • Order A0185.com (PID: 1840)
    • Connects to CnC server
      • Order A0185.com (PID: 1840)
    • Actions look like stealing of personal data
      • Order A0185.com (PID: 1840)
  • SUSPICIOUS
    • Starts application with an unusual extension
      • explorer.exe (PID: 3884)
      • Order A0185.com (PID: 3164)
    • Executable content was dropped or overwritten
      • 7zFM.exe (PID: 3736)
      • Order A0185.com (PID: 1840)
    • Reads the machine GUID from the registry
      • explorer.exe (PID: 3884)
      • Order A0185.com (PID: 1840)
    • Application launched itself
      • Order A0185.com (PID: 3164)
    • Checks supported languages
      • explorer.exe (PID: 3884)
    • Connects to server without host name
      • Order A0185.com (PID: 1840)
    • Creates files in the user directory
      • Order A0185.com (PID: 1840)
  • INFO
    • Reads the software policy settings
      • explorer.exe (PID: 3884)
    • Reads settings of System Certificates
      • explorer.exe (PID: 3884)
No Malware configuration.

TRiD

.iso | ISO 9660 CD image (27.6)
.atn | Photoshop Action (27.1)
.gmc | Game Music Creator Music (6.1)

EXIF

Composite

VolumeSize: 1342 kB

ISO

VolumeModifyDate: 2019:03:21 20:51:59.00+01:00
VolumeCreateDate: 2019:03:21 20:51:59.00+01:00
Software: PowerISO
RootDirectoryCreateDate: 2019:03:21 20:51:59+01:00
VolumeBlockSize: 2048
VolumeBlockCount: 671
VolumeName: Order A0185
System: Win32
No data.
All screenshots are available in the full report
Total processes: 88
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph

(Interactive graph available only in the full report. Nodes shown: start, 7zfm.exe, order a0185.com (no specs), order a0185.com (#LOKIBOT), explorer.exe.)

Process information

PID 3736
  CMD: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\admin\Desktop\Order A0185.iso"
  Path: C:\Program Files\7-Zip\7zFM.exe
  Parent process: explorer.exe
  User: admin
  Company: Igor Pavlov
  Integrity Level: MEDIUM
  Description: 7-Zip File Manager
  Version: 18.01

PID 3164
  CMD: "C:\Users\admin\Desktop\Order A0185.com"
  Path: C:\Users\admin\Desktop\Order A0185.com
  Parent process: explorer.exe
  User: admin
  Company: imakua
  Integrity Level: MEDIUM
  Description: SHITTEN4
  Version: 2.06.0001

PID 1840
  CMD: "C:\Users\admin\Desktop\Order A0185.com"
  Path: C:\Users\admin\Desktop\Order A0185.com
  Parent process: Order A0185.com
  User: admin
  Company: imakua
  Integrity Level: MEDIUM
  Description: SHITTEN4
  Version: 2.06.0001

PID 3884
  CMD: C:\WINDOWS\Explorer.EXE
  Path: C:\Windows\explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Explorer
  Version: 10.0.16299.15 (WinBuild.160101.0800)
Total events: 1 335
Read events: 1 232
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 3
Suspicious files: 1
Text files: 1
Unknown types: 2

Dropped files

PID 1840, Order A0185.com
  Filename: C:\Users\admin\AppData\Roaming\F3F363\3C28B3.lck
  Type:
  MD5:
  SHA256:

PID 3884, explorer.exe
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
  Type: binary
  MD5: 9CE1C0F731FB472C2B4C56DEEF8A520F
  SHA256: 0340A45E23A9A9B6FBBA2742285748E590EC9964199FBD45CDBB2491A06BACA7

PID 3884, explorer.exe
  Filename: C:\Users\admin\Desktop\Order A0185.com
  Type: executable
  MD5: F3C0F91804E09689C0C5364E05259097
  SHA256: 05554B36EA3C0B76D55D2EE542EDFB08C8C1E5BC47E72D7E2558FCB33A4EA8CB

PID 1840, Order A0185.com
  Filename: C:\Users\admin\AppData\Roaming\F3F363\3C28B3.hdb
  Type: text
  MD5: 7A50F16FCDA1470AF98097A91CF6679D
  SHA256: 3CE14CD8F500D97795F0EF9E9E51224CFFF86F871C876CB9B3143288716BE9EE

PID 1840, Order A0185.com
  Filename: C:\Users\admin\AppData\Roaming\F3F363\3C28B3.exe
  Type: executable
  MD5: F3C0F91804E09689C0C5364E05259097
  SHA256: 05554B36EA3C0B76D55D2EE542EDFB08C8C1E5BC47E72D7E2558FCB33A4EA8CB

PID 3736, 7zFM.exe
  Filename: C:\Users\admin\AppData\Local\Temp\7zE89E74E78\Order A0185.com
  Type: executable
  MD5: F3C0F91804E09689C0C5364E05259097
  SHA256: 05554B36EA3C0B76D55D2EE542EDFB08C8C1E5BC47E72D7E2558FCB33A4EA8CB

PID 1840, Order A0185.com
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\0f5007522459c86e95ffcc62f32308f1_bb926e54-e3ca-40fd-ae90-2764341e7792
  Type: dbf
  MD5: 18B8CFC0185C50383AAC0A4F30A9DAC8
  SHA256: 913E8CED6A447FE791954D382ABA52D490513C5D2F689B391866C7E561F89A03
HTTP(S) requests: 4
TCP/UDP connections: 4
DNS requests: 1
Threats: 0

HTTP requests

PID  | Process         | Method | HTTP Code | IP               | URL                                    | CN | Type   | Size | Reputation
1840 | Order A0185.com | POST   | 404       | 37.49.225.244:80 | http://37.49.225.244/hook/logs/fre.php | NL | text   | 15 b | malicious
1840 | Order A0185.com | POST   | 404       | 37.49.225.244:80 | http://37.49.225.244/hook/logs/fre.php | NL | text   | 15 b | malicious
1840 | Order A0185.com | POST   | 404       | 37.49.225.244:80 | http://37.49.225.244/hook/logs/fre.php | NL | binary | 23 b | malicious
1840 | Order A0185.com | POST   | 404       | 37.49.225.244:80 | http://37.49.225.244/hook/logs/fre.php | NL | binary | 23 b | malicious

Connections

PID  | Process         | IP               | Domain | ASN                    | CN | Reputation
1840 | Order A0185.com | 37.49.225.244:80 |        | Serverius Holding B.V. | NL | malicious

DNS requests

Domain                  | IP          | Reputation
ctldl.windowsupdate.com | 13.107.4.50 | whitelisted

Threats

PID  | Process         | Class                         | Message
1840 | Order A0185.com | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno)
1840 | Order A0185.com | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
1840 | Order A0185.com | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
1840 | Order A0185.com | A Network Trojan was detected | ET TROJAN LokiBot Checkin
1840 | Order A0185.com | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2
1840 | Order A0185.com | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno)
1840 | Order A0185.com | A Network Trojan was detected | ET TROJAN LokiBot Checkin
1840 | Order A0185.com | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
1840 | Order A0185.com | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
1840 | Order A0185.com | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2
4 ETPRO signatures available at the full report
No debug info