File name: | New Order.zip |
Full analysis: | https://app.any.run/tasks/d459f684-9384-4899-b3bd-52586c0b64b8 |
Verdict: | Malicious activity |
Threats: | LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals. |
Analysis date: | May 24, 2019, 11:37:41 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | F31D5CFA469D2E3430BDA426AF735722 |
SHA1: | 1272B29A801147E623A5D6A9421731F9125F2766 |
SHA256: | ECCFD067F770FBE44134080FFCD9C74AC98CCF13D7E5AA4F77CCB71A848B07EC |
SSDEEP: | 3072:CpQpyvXN9rCUpgpmSXL84I1/abrtDjGWcE1lq9u5RN2YcLumcblNk8pEOu:C2iDCUupm0840CnhGWvlq9uPN2Yc6mQ4 |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | New Order.iso |
---|---|
ZipUncompressedSize: | 1146880 |
ZipCompressedSize: | 150172 |
ZipCRC: | 0xeec54a71 |
ZipModifyDate: | 2019:05:24 12:50:06 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0001 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2160 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\New Order.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
3176 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIb2160.39759\New Order.iso" | C:\Program Files\WinRAR\WinRAR.exe | WinRAR.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
664 | "C:\Users\admin\AppData\Local\Temp\Rar$DIa3176.40772\New Order.com" | C:\Users\admin\AppData\Local\Temp\Rar$DIa3176.40772\New Order.com | — | WinRAR.exe |
User: admin Integrity Level: MEDIUM Version: 5.03.0007 | ||||
3100 | "C:\Users\admin\AppData\Local\Temp\Rar$DIa3176.41047\New Order.com" | C:\Users\admin\AppData\Local\Temp\Rar$DIa3176.41047\New Order.com | — | WinRAR.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 Version: 5.03.0007 | ||||
2036 | C:\Users\admin\AppData\Local\Temp\Rar$DIa3176.40772\New Order.com" | C:\Users\admin\AppData\Local\Temp\Rar$DIa3176.40772\New Order.com | New Order.com | |
User: admin Integrity Level: MEDIUM Version: 5.03.0007 | ||||
2556 | C:\Users\admin\AppData\Local\Temp\Rar$DIa3176.41047\New Order.com" | C:\Users\admin\AppData\Local\Temp\Rar$DIa3176.41047\New Order.com | — | New Order.com |
User: admin Integrity Level: MEDIUM Exit code: 0 Version: 5.03.0007 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3176 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa3176.40772\New Order.com | executable | |
MD5:2CFAB7212D078D36085E98106E8ED537 | SHA256:F23D8AD36F00F9389206137D97C163D3CE85D13B39E4B3059ABD050AB4A84D7A | |||
3100 | New Order.com | C:\Users\admin\AppData\Local\Temp\~DFCFF3868C80BC938D.TMP | binary | |
MD5:CD09349248D5C1D888517B754C81D0D5 | SHA256:DC98289788C891626B615A27D9101DDA4CDD1D7703860E9ACAB5A37CEDD25C6D | |||
3176 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa3176.41047\New Order.com | executable | |
MD5:2CFAB7212D078D36085E98106E8ED537 | SHA256:F23D8AD36F00F9389206137D97C163D3CE85D13B39E4B3059ABD050AB4A84D7A | |||
2160 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb2160.39759\New Order.iso | compressed | |
MD5:C0D131F1E46D8561807DF32AF3B733EE | SHA256:ADB49C76D2969CAC0CC3277C8EB9CE3C6B4749505AD0998AAE8608FCEA81E5A1 | |||
2036 | New Order.com | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2f | dbf | |
MD5:18B8CFC0185C50383AAC0A4F30A9DAC8 | SHA256:913E8CED6A447FE791954D382ABA52D490513C5D2F689B391866C7E561F89A03 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2036 | New Order.com | POST | — | 37.49.230.148:80 | http://37.49.230.148/185243/logs/fre.php | NL | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 37.49.230.148:80 | — | — | NL | malicious |
PID | Process | Class | Message |
---|---|---|---|
2036 | New Order.com | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno) |
2036 | New Order.com | A Network Trojan was detected | ET TROJAN LokiBot Checkin |