File name: | Order A0185.iso |
Full analysis: | https://app.any.run/tasks/21c5f6aa-d129-430f-b0e5-c0236effc67c |
Verdict: | Malicious activity |
Threats: | LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals. |
Analysis date: | March 22, 2019, 04:07:29 |
OS: | Windows 10 Professional (build: 16299, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-iso9660-image |
File info: | ISO 9660 CD-ROM filesystem data 'Order A0185' |
MD5: | 3D04EBC2BABB09037B5327F2D8F2FC8F |
SHA1: | 7F389F17F7BFD7B9349AD4D0846ED4414DC21333 |
SHA256: | E2FEDB9D60CB4E34430200545788C65CB68EC2907448EC67F916A3493E460771 |
SSDEEP: | 3072:J4WK3NFEzmy0vYFvZt1i116Gzm0qt9jGMJnloC6BVZobcTHcTNXOUfl76ci:JfK3NFUvz1a16ooLfA6YT8TNpHi |
.iso | | | ISO 9660 CD image (27.6) |
---|---|---|
.atn | | | Photoshop Action (27.1) |
.gmc | | | Game Music Creator Music (6.1) |
VolumeSize: | 1342 kB |
---|
VolumeModifyDate: | 2019:03:21 20:51:59.00+01:00 |
---|---|
VolumeCreateDate: | 2019:03:21 20:51:59.00+01:00 |
Software: | PowerISO |
RootDirectoryCreateDate: | 2019:03:21 20:51:59+01:00 |
VolumeBlockSize: | 2048 |
VolumeBlockCount: | 671 |
VolumeName: | Order A0185 |
System: | Win32 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3736 | "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\admin\Desktop\Order A0185.iso" | C:\Program Files\7-Zip\7zFM.exe | explorer.exe | |
User: admin Company: Igor Pavlov Integrity Level: MEDIUM Description: 7-Zip File Manager Version: 18.01 | ||||
3164 | "C:\Users\admin\Desktop\Order A0185.com" | C:\Users\admin\Desktop\Order A0185.com | — | explorer.exe |
User: admin Company: imakua Integrity Level: MEDIUM Description: SHITTEN4 Version: 2.06.0001 | ||||
1840 | C:\Users\admin\Desktop\Order A0185.com" | C:\Users\admin\Desktop\Order A0185.com | Order A0185.com | |
User: admin Company: imakua Integrity Level: MEDIUM Description: SHITTEN4 Version: 2.06.0001 | ||||
3884 | C:\WINDOWS\Explorer.EXE | C:\Windows\explorer.exe | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 10.0.16299.15 (WinBuild.160101.0800) |
PID | Process | Filename | Type | |
---|---|---|---|---|
1840 | Order A0185.com | C:\Users\admin\AppData\Roaming\F3F363\3C28B3.lck | — | |
MD5:— | SHA256:— | |||
3884 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms | binary | |
MD5:9CE1C0F731FB472C2B4C56DEEF8A520F | SHA256:0340A45E23A9A9B6FBBA2742285748E590EC9964199FBD45CDBB2491A06BACA7 | |||
3884 | explorer.exe | C:\Users\admin\Desktop\Order A0185.com | executable | |
MD5:F3C0F91804E09689C0C5364E05259097 | SHA256:05554B36EA3C0B76D55D2EE542EDFB08C8C1E5BC47E72D7E2558FCB33A4EA8CB | |||
1840 | Order A0185.com | C:\Users\admin\AppData\Roaming\F3F363\3C28B3.hdb | text | |
MD5:7A50F16FCDA1470AF98097A91CF6679D | SHA256:3CE14CD8F500D97795F0EF9E9E51224CFFF86F871C876CB9B3143288716BE9EE | |||
1840 | Order A0185.com | C:\Users\admin\AppData\Roaming\F3F363\3C28B3.exe | executable | |
MD5:F3C0F91804E09689C0C5364E05259097 | SHA256:05554B36EA3C0B76D55D2EE542EDFB08C8C1E5BC47E72D7E2558FCB33A4EA8CB | |||
3736 | 7zFM.exe | C:\Users\admin\AppData\Local\Temp\7zE89E74E78\Order A0185.com | executable | |
MD5:F3C0F91804E09689C0C5364E05259097 | SHA256:05554B36EA3C0B76D55D2EE542EDFB08C8C1E5BC47E72D7E2558FCB33A4EA8CB | |||
1840 | Order A0185.com | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\0f5007522459c86e95ffcc62f32308f1_bb926e54-e3ca-40fd-ae90-2764341e7792 | dbf | |
MD5:18B8CFC0185C50383AAC0A4F30A9DAC8 | SHA256:913E8CED6A447FE791954D382ABA52D490513C5D2F689B391866C7E561F89A03 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1840 | Order A0185.com | POST | 404 | 37.49.225.244:80 | http://37.49.225.244/hook/logs/fre.php | NL | text | 15 b | malicious |
1840 | Order A0185.com | POST | 404 | 37.49.225.244:80 | http://37.49.225.244/hook/logs/fre.php | NL | text | 15 b | malicious |
1840 | Order A0185.com | POST | 404 | 37.49.225.244:80 | http://37.49.225.244/hook/logs/fre.php | NL | binary | 23 b | malicious |
1840 | Order A0185.com | POST | 404 | 37.49.225.244:80 | http://37.49.225.244/hook/logs/fre.php | NL | binary | 23 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1840 | Order A0185.com | 37.49.225.244:80 | — | Serverius Holding B.V. | NL | malicious |
Domain | IP | Reputation |
---|---|---|
ctldl.windowsupdate.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
1840 | Order A0185.com | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno) |
1840 | Order A0185.com | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 |
1840 | Order A0185.com | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 |
1840 | Order A0185.com | A Network Trojan was detected | ET TROJAN LokiBot Checkin |
1840 | Order A0185.com | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2 |
1840 | Order A0185.com | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno) |
1840 | Order A0185.com | A Network Trojan was detected | ET TROJAN LokiBot Checkin |
1840 | Order A0185.com | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 |
1840 | Order A0185.com | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 |
1840 | Order A0185.com | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2 |