analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Payment swift copy.iso

Full analysis: https://app.any.run/tasks/9a66f96b-c745-479a-8d33-0b7afc04d10e
Verdict: Malicious activity
Threats:

LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals.

Malware Trends Tracker     >>>
Analysis date: March 22, 2019, 10:52:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
trojan
lokibot
Indicators:
MIME: application/x-iso9660-image
File info: ISO 9660 CD-ROM filesystem data 'Payment swift copy'
MD5:

04FF95A8D404F2921139B362D913D4B8

SHA1:

E4571CBD723A717E788BCC1D63B22D540341D7C4

SHA256:

ED3839C3CB67F75D0D135C26A0143384A776F2C170549E9B37D7E3AFEB5ADA9C

SSDEEP:

12288:oksIDekIxfCH54HYeFzxbXKicOOOOOOOOOOO:oXIakIxqH5HeFV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Payment swift copy.exe (PID: 2628)
      • Payment swift copy.exe (PID: 2880)
      • Payment swift copy.exe (PID: 2240)

    • Detected artifacts of LokiBot

      • Payment swift copy.exe (PID: 2240)

    • LOKIBOT was detected

      • Payment swift copy.exe (PID: 2240)

    • Connects to CnC server

      • Payment swift copy.exe (PID: 2240)

    • Actions looks like stealing of personal data

      • Payment swift copy.exe (PID: 2240)

  • SUSPICIOUS

    • Application launched itself

      • Payment swift copy.exe (PID: 2628)
      • Payment swift copy.exe (PID: 2880)

    • Executable content was dropped or overwritten

      • Payment swift copy.exe (PID: 2240)
      • WinRAR.exe (PID: 2580)

    • Creates files in the user directory

      • Payment swift copy.exe (PID: 2240)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.iso | ISO 9660 CD image (27.6)
.atn | Photoshop Action (27.1)
.gmc | Game Music Creator Music (6.1)

EXIF

Composite

VolumeSize: 480 kB

ISO

VolumeModifyDate: 2019:03:22 11:16:08.00+01:00
VolumeCreateDate: 2019:03:22 11:16:08.00+01:00
Software: PowerISO
RootDirectoryCreateDate: 2019:03:22 11:16:08+01:00
VolumeBlockSize: 2048
VolumeBlockCount: 240
VolumeName: Payment swift copy
System: Win32
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
4
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start winrar.exe payment swift copy.exe no specs payment swift copy.exe no specs #LOKIBOT payment swift copy.exe

Process information

PID
CMD
Path
Indicators
Parent process
2580"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Payment swift copy.iso"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2628"C:\Users\admin\AppData\Local\Temp\Rar$EXa2580.49593\Payment swift copy.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa2580.49593\Payment swift copy.exeWinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
2880"C:\Users\admin\AppData\Local\Temp\Rar$EXa2580.49593\Payment swift copy.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa2580.49593\Payment swift copy.exePayment swift copy.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
2240"C:\Users\admin\AppData\Local\Temp\Rar$EXa2580.49593\Payment swift copy.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa2580.49593\Payment swift copy.exe
Payment swift copy.exe
User:
admin
Integrity Level:
MEDIUM
Version:
1.00
Total events
515
Read events
495
Write events
20
Delete events
0

Modification events

(PID) Process:(2580) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2580) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2580) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\65\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2580) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\Payment swift copy.iso
(PID) Process:(2580) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2580) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2580) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2580) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2580) WinRAR.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2580) WinRAR.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
Executable files
3
Suspicious files
0
Text files
4
Unknown types
2

Dropped files

PID
Process
Filename
Type
2240Payment swift copy.exeC:\Users\admin\AppData\Roaming\03B51E\EE03AE.lck
MD5:
SHA256:
2580WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2580.49866\Payment swift copy.exeexecutable
MD5:D5AED8190AC0AF5E5D24439F6B69A205
SHA256:2F4F7B548A3F94A3F633173328DF172C4F4BFFA22B691F1130CD59007F3EC755
2580WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2580.49593\Payment swift copy.exeexecutable
MD5:D5AED8190AC0AF5E5D24439F6B69A205
SHA256:2F4F7B548A3F94A3F633173328DF172C4F4BFFA22B691F1130CD59007F3EC755
2240Payment swift copy.exeC:\Users\admin\AppData\Roaming\03B51E\EE03AE.exeexecutable
MD5:D5AED8190AC0AF5E5D24439F6B69A205
SHA256:2F4F7B548A3F94A3F633173328DF172C4F4BFFA22B691F1130CD59007F3EC755
2240Payment swift copy.exeC:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3896776584-4254864009-862391680-1000\0f5007522459c86e95ffcc62f32308f1_eeeb5d54-7880-42a7-b542-739bbc26cf4bdbf
MD5:18B8CFC0185C50383AAC0A4F30A9DAC8
SHA256:913E8CED6A447FE791954D382ABA52D490513C5D2F689B391866C7E561F89A03
2880Payment swift copy.exeC:\Users\admin\AppData\Local\VirtualStore\Windows\win.initext
MD5:D2A2412BDDBA16D60EC63BD9550D933F
SHA256:79FF2254E38192BE1626D05BEC6C82E10C85E1CF91DF7440C4C443380A1E877A
2628Payment swift copy.exeC:\Users\admin\AppData\Local\VirtualStore\Windows\win.initext
MD5:D2A2412BDDBA16D60EC63BD9550D933F
SHA256:79FF2254E38192BE1626D05BEC6C82E10C85E1CF91DF7440C4C443380A1E877A
2240Payment swift copy.exeC:\Users\admin\AppData\Roaming\03B51E\EE03AE.hdbtext
MD5:220587F98330ADC8265A38DEF5AE6698
SHA256:06EADF590BA1AC74617FA0D4F21733155826DD72D0F0EFFD068F308182B78E8F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
3
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2240
Payment swift copy.exe
POST
104.31.69.89:80
http://zentacher3.ga/anyi/fre.php
US
malicious
2240
Payment swift copy.exe
POST
104.31.69.89:80
http://zentacher3.ga/anyi/fre.php
US
malicious
2240
Payment swift copy.exe
POST
104.31.69.89:80
http://zentacher3.ga/anyi/fre.php
US
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2240
Payment swift copy.exe
104.31.69.89:80
zentacher3.ga
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
zentacher3.ga
  • 104.31.69.89
  • 104.31.68.89
malicious

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .ga Domain
2240
Payment swift copy.exe
A Network Trojan was detected
ET TROJAN LokiBot User-Agent (Charon/Inferno)
2240
Payment swift copy.exe
A Network Trojan was detected
ET TROJAN LokiBot Checkin
2240
Payment swift copy.exe
Potentially Bad Traffic
ET INFO HTTP POST Request to Suspicious *.ga Domain
2240
Payment swift copy.exe
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
2240
Payment swift copy.exe
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
2240
Payment swift copy.exe
A Network Trojan was detected
MALWARE [PTsecurity] Loki Bot Check-in M2
2240
Payment swift copy.exe
A Network Trojan was detected
ET TROJAN LokiBot User-Agent (Charon/Inferno)
2240
Payment swift copy.exe
A Network Trojan was detected
ET TROJAN LokiBot Checkin
2240
Payment swift copy.exe
Potentially Bad Traffic
ET INFO HTTP POST Request to Suspicious *.ga Domain
3 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Payment swift copy.iso