Windows Analysis Report
XZoxEqlRUw.exe

Overview

General Information

Sample name: XZoxEqlRUw.exe
renamed because original name is a hash value
Original sample name: 06E4CE3AA8AE08067B686BA000255529.exe
Analysis ID: 1417280
MD5: 06e4ce3aa8ae08067b686ba000255529
SHA1: 21369f523a74aedde8612c9dbf6d5b9df6557a51
SHA256: c84552f0ddf17223045ee2c4e5aa5a4b59eea802f9d1548b0ff7e5cee3d14186
Tags: exeLoki
Infos:

Detection

Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Generic Dropper
Yara detected Lokibot
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Checks if the current process is being debugged
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Loki Password Stealer (PWS), LokiBot "Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2
  • SWEED
  • The Gorgon Group
  • Cobalt
 https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: XZoxEqlRUw.exe Avira: detected
Antivirus detection for URL or domain
Source: http://kbfvzoboss.bid/alien/fre.php URL Reputation: Label: malware
Source: http://alphastand.top/alien/fre.php URL Reputation: Label: malware
Source: http://alphastand.win/alien/fre.php URL Reputation: Label: malware
Source: http://alphastand.trade/alien/fre.php URL Reputation: Label: malware
Found malware configuration
Source: 1.2.XZoxEqlRUw.exe.400000.0.unpack Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "\u0097\u008b\u008b\u008f\u00c5\u00d0\u00d0\u00cc\u00ce\u00d1\u00cd\u00cd\u00cf\u00d1\u00ce\u00d1\u00ce\u00c6\u00cb\u00d0\u0081\u0085\u009e\u009b\u0092\u0096\u0091\u00d0\u008f\u008b\u008d\u00ca\u00d0\u0092\u0090\u0091\u0090\u00d1\u008f\u0097\u008f"]}
Multi AV Scanner detection for submitted file
Source: XZoxEqlRUw.exe ReversingLabs: Detection: 95%
Machine Learning detection for sample
Source: XZoxEqlRUw.exe Joe Sandbox ML: detected

Compliance
barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Unpacked PE file: 1.2.XZoxEqlRUw.exe.400000.0.unpack
Uses 32bit PE files
Source: XZoxEqlRUw.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Code function: 1_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW, 1_2_00403D74

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49730 -> 31.220.1.194:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49730 -> 31.220.1.194:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49730 -> 31.220.1.194:80
Source: Traffic Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.4:49730 -> 31.220.1.194:80
Source: Traffic Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49731 -> 31.220.1.194:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49731 -> 31.220.1.194:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49731 -> 31.220.1.194:80
Source: Traffic Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.4:49731 -> 31.220.1.194:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49732 -> 31.220.1.194:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49732 -> 31.220.1.194:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49732 -> 31.220.1.194:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49732 -> 31.220.1.194:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49733 -> 31.220.1.194:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49733 -> 31.220.1.194:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49733 -> 31.220.1.194:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49733 -> 31.220.1.194:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor URLs:
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMARUTU-TECHNOLOGYNL AMARUTU-TECHNOLOGYNL
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /~zadmin/ptr5/mono.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 31.220.1.194Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E0B63912Content-Length: 176Connection: close
Source: global traffic HTTP traffic detected: POST /~zadmin/ptr5/mono.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 31.220.1.194Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E0B63912Content-Length: 176Connection: close
Source: global traffic HTTP traffic detected: POST /~zadmin/ptr5/mono.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 31.220.1.194Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E0B63912Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /~zadmin/ptr5/mono.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 31.220.1.194Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E0B63912Content-Length: 149Connection: close
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Code function: 1_2_00404ED4 recv, 1_2_00404ED4
Source: unknown HTTP traffic detected: POST /~zadmin/ptr5/mono.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 31.220.1.194Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E0B63912Content-Length: 176Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 28 Mar 2024 19:56:52 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://www.yaworld.net/wp-json/>; rel="https://api.w.org/"Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6b 6f 2d 4b 52 22 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 3c 21 2d 2d 20 4d 65 74 61 20 73 6f 63 69 61 6c 20 6e 65 74 77 6f 72 6b 73 20 2d 2d 3e 0a 09 09 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 41 6e 61 6c 79 74 69 63 73 20 2d 2d 3e 0a 09 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 74 61 67 20 28 67 74 61 67 2e 6a 73 29 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 20 61 73 79 6e 63 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 2f 67 74 61 67 2f 6a 73 3f 69 64 3d 47 2d 35 46 31 48 42 4b 51 30 58 45 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 3d 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 7c 7c 20 5b 5d 3b 0a 20 20 66 75 6e 63 74 69 6f 6e 20 67 74 61 67 28 29 7b 64 61 74 61 4c 61 79 65 72 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 3b 7d 0a 20 20 67 74 61 67 28 27 6a 73 27 2c 20 6e 65 77 20 44 61 74 65 28 29 29 3b 0a 0a 20 20 67 74 61 67 28 27 63 6f 6e 66 69 67 27 2c 20 27 47 2d 35 46 31 48 42 4b 51 30 58 45 27 29 3b 0a 3c 2f 73 63 72 69 70 74 3e 0a 09 3c 21 2d 2d 20 4d 65 74 61 20 56 65 72 69 66 69 63 61 74 69 6f 6e 20 2d 2d 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 6f 6f 67 6c 65 2d 73 69 74 65 2d 76 65 72 69 66 69 63 61 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 47 72 37 51 47 36 6b 34 57 42 48 67 33 5f 46 64 45 72 64 42 53 71 76 42 79 7a 5f 4c 57 44 37 6c 54 39 47 76 48 74 66 79 39 49 77 22 20 2f 3e 09 0a 3c 73 74 79 6c 65 3e 0a 09 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 73 63 72 65 65 6e 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 38 29 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 63 6f 6e 74 65 6e 74 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 63 6f 6e 74 65 6e 74 20 68 32 20 7b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 63 63 63 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 28 Mar 2024 19:56:53 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://www.yaworld.net/wp-json/>; rel="https://api.w.org/"Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6b 6f 2d 4b 52 22 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 3c 21 2d 2d 20 4d 65 74 61 20 73 6f 63 69 61 6c 20 6e 65 74 77 6f 72 6b 73 20 2d 2d 3e 0a 09 09 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 41 6e 61 6c 79 74 69 63 73 20 2d 2d 3e 0a 09 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 74 61 67 20 28 67 74 61 67 2e 6a 73 29 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 20 61 73 79 6e 63 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 2f 67 74 61 67 2f 6a 73 3f 69 64 3d 47 2d 35 46 31 48 42 4b 51 30 58 45 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 3d 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 7c 7c 20 5b 5d 3b 0a 20 20 66 75 6e 63 74 69 6f 6e 20 67 74 61 67 28 29 7b 64 61 74 61 4c 61 79 65 72 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 3b 7d 0a 20 20 67 74 61 67 28 27 6a 73 27 2c 20 6e 65 77 20 44 61 74 65 28 29 29 3b 0a 0a 20 20 67 74 61 67 28 27 63 6f 6e 66 69 67 27 2c 20 27 47 2d 35 46 31 48 42 4b 51 30 58 45 27 29 3b 0a 3c 2f 73 63 72 69 70 74 3e 0a 09 3c 21 2d 2d 20 4d 65 74 61 20 56 65 72 69 66 69 63 61 74 69 6f 6e 20 2d 2d 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 6f 6f 67 6c 65 2d 73 69 74 65 2d 76 65 72 69 66 69 63 61 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 47 72 37 51 47 36 6b 34 57 42 48 67 33 5f 46 64 45 72 64 42 53 71 76 42 79 7a 5f 4c 57 44 37 6c 54 39 47 76 48 74 66 79 39 49 77 22 20 2f 3e 09 0a 3c 73 74 79 6c 65 3e 0a 09 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 73 63 72 65 65 6e 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 38 29 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 63 6f 6e 74 65 6e 74 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 63 6f 6e 74 65 6e 74 20 68 32 20 7b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 63 63 63 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 28 Mar 2024 19:56:55 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://www.yaworld.net/wp-json/>; rel="https://api.w.org/"Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6b 6f 2d 4b 52 22 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 3c 21 2d 2d 20 4d 65 74 61 20 73 6f 63 69 61 6c 20 6e 65 74 77 6f 72 6b 73 20 2d 2d 3e 0a 09 09 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 41 6e 61 6c 79 74 69 63 73 20 2d 2d 3e 0a 09 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 74 61 67 20 28 67 74 61 67 2e 6a 73 29 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 20 61 73 79 6e 63 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 2f 67 74 61 67 2f 6a 73 3f 69 64 3d 47 2d 35 46 31 48 42 4b 51 30 58 45 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 3d 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 7c 7c 20 5b 5d 3b 0a 20 20 66 75 6e 63 74 69 6f 6e 20 67 74 61 67 28 29 7b 64 61 74 61 4c 61 79 65 72 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 3b 7d 0a 20 20 67 74 61 67 28 27 6a 73 27 2c 20 6e 65 77 20 44 61 74 65 28 29 29 3b 0a 0a 20 20 67 74 61 67 28 27 63 6f 6e 66 69 67 27 2c 20 27 47 2d 35 46 31 48 42 4b 51 30 58 45 27 29 3b 0a 3c 2f 73 63 72 69 70 74 3e 0a 09 3c 21 2d 2d 20 4d 65 74 61 20 56 65 72 69 66 69 63 61 74 69 6f 6e 20 2d 2d 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 6f 6f 67 6c 65 2d 73 69 74 65 2d 76 65 72 69 66 69 63 61 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 47 72 37 51 47 36 6b 34 57 42 48 67 33 5f 46 64 45 72 64 42 53 71 76 42 79 7a 5f 4c 57 44 37 6c 54 39 47 76 48 74 66 79 39 49 77 22 20 2f 3e 09 0a 3c 73 74 79 6c 65 3e 0a 09 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 73 63 72 65 65 6e 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 38 29 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 63 6f 6e 74 65 6e 74 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 63 6f 6e 74 65 6e 74 20 68 32 20 7b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 63 63 63 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 28 Mar 2024 19:56:57 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://www.yaworld.net/wp-json/>; rel="https://api.w.org/"Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6b 6f 2d 4b 52 22 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 3c 21 2d 2d 20 4d 65 74 61 20 73 6f 63 69 61 6c 20 6e 65 74 77 6f 72 6b 73 20 2d 2d 3e 0a 09 09 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 41 6e 61 6c 79 74 69 63 73 20 2d 2d 3e 0a 09 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 74 61 67 20 28 67 74 61 67 2e 6a 73 29 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 20 61 73 79 6e 63 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 2f 67 74 61 67 2f 6a 73 3f 69 64 3d 47 2d 35 46 31 48 42 4b 51 30 58 45 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 3d 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 7c 7c 20 5b 5d 3b 0a 20 20 66 75 6e 63 74 69 6f 6e 20 67 74 61 67 28 29 7b 64 61 74 61 4c 61 79 65 72 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 3b 7d 0a 20 20 67 74 61 67 28 27 6a 73 27 2c 20 6e 65 77 20 44 61 74 65 28 29 29 3b 0a 0a 20 20 67 74 61 67 28 27 63 6f 6e 66 69 67 27 2c 20 27 47 2d 35 46 31 48 42 4b 51 30 58 45 27 29 3b 0a 3c 2f 73 63 72 69 70 74 3e 0a 09 3c 21 2d 2d 20 4d 65 74 61 20 56 65 72 69 66 69 63 61 74 69 6f 6e 20 2d 2d 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 6f 6f 67 6c 65 2d 73 69 74 65 2d 76 65 72 69 66 69 63 61 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 47 72 37 51 47 36 6b 34 57 42 48 67 33 5f 46 64 45 72 64 42 53 71 76 42 79 7a 5f 4c 57 44 37 6c 54 39 47 76 48 74 66 79 39 49 77 22 20 2f 3e 09 0a 3c 73 74 79 6c 65 3e 0a 09 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 73 63 72 65 65 6e 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 38 29 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 63 6f 6e 74 65 6e 74 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 63 6f 6e 74 65 6e 74 20 68 32 20 7b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 63 63 63 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d
Source: XZoxEqlRUw.exe, 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmp, XZoxEqlRUw.exe, 00000001.00000002.1683820658.00000000006B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.220.1.194/~zadmin/ptr5/mono.php
Source: XZoxEqlRUw.exe, 00000001.00000002.1684081964.00000000025E9000.00000004.00000020.00020000.00000000.sdmp, XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gmpg.org/xfn/11
Source: XZoxEqlRUw.exe, XZoxEqlRUw.exe, 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://www.ibsensoftware.com/
Source: XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.w.org/
Source: XZoxEqlRUw.exe, 00000001.00000002.1684081964.00000000025E9000.00000004.00000020.00020000.00000000.sdmp, XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ogp.me/ns#
Source: XZoxEqlRUw.exe, 00000001.00000002.1684081964.00000000025E9000.00000004.00000020.00020000.00000000.sdmp, XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rankmath.com/
Source: XZoxEqlRUw.exe, 00000001.00000002.1684081964.00000000025E9000.00000004.00000020.00020000.00000000.sdmp, XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://schema.org
Source: XZoxEqlRUw.exe, 00000001.00000002.1684081964.00000000025E9000.00000004.00000020.00020000.00000000.sdmp, XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-5F1HBKQ0XE
Source: XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.yaworld.net
Source: XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.yaworld.net/#logo
Source: XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.yaworld.net/#organization
Source: XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.yaworld.net/#website
Source: XZoxEqlRUw.exe, 00000001.00000002.1684081964.00000000025E9000.00000004.00000020.00020000.00000000.sdmp, XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.yaworld.net/comments/feeP
Source: XZoxEqlRUw.exe, 00000001.00000002.1684081964.00000000025E9000.00000004.00000020.00020000.00000000.sdmp, XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.yaworld.net/feed/
Source: XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.yaworld.net/wp-content/uploads/2023/11/android-chrome-512x512-1.png
Source: XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.yaworld.net/wp-json/

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.XZoxEqlRUw.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 1.2.XZoxEqlRUw.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 1.2.XZoxEqlRUw.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 1.2.XZoxEqlRUw.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.XZoxEqlRUw.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 1.2.XZoxEqlRUw.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 1.2.XZoxEqlRUw.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 1.2.XZoxEqlRUw.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 1.2.XZoxEqlRUw.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.XZoxEqlRUw.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki Payload Author: kevoreilly
Source: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1616007059.0000000004DD4000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1616007059.0000000004DD4000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1616007059.0000000004DD4000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: XZoxEqlRUw.exe PID: 7604, type: MEMORYSTR Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: XZoxEqlRUw.exe PID: 7628, type: MEMORYSTR Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Detected potential crypto function
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Code function: 0_2_00401188 0_2_00401188
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Code function: 1_2_0040549C 1_2_0040549C
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Code function: 1_2_004029D4 1_2_004029D4
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Code function: String function: 00405B6F appears 42 times
Sample file is different than original file name gathered from version info
Source: XZoxEqlRUw.exe, 00000000.00000002.1615411943.0000000000437000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameUnemptied.exe vs XZoxEqlRUw.exe
Source: XZoxEqlRUw.exe, 00000001.00000000.1615195207.0000000000437000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameUnemptied.exe vs XZoxEqlRUw.exe
Source: XZoxEqlRUw.exe Binary or memory string: OriginalFilenameUnemptied.exe vs XZoxEqlRUw.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Section loaded: msvbvm60.dll Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Section loaded: vb6zz.dll Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Section loaded: rasadhlp.dll Jump to behavior
Uses 32bit PE files
Source: XZoxEqlRUw.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Yara signature match
Source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.XZoxEqlRUw.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 1.2.XZoxEqlRUw.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 1.2.XZoxEqlRUw.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 1.2.XZoxEqlRUw.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.XZoxEqlRUw.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 1.2.XZoxEqlRUw.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 1.2.XZoxEqlRUw.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 1.2.XZoxEqlRUw.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.2.XZoxEqlRUw.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.XZoxEqlRUw.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.1616007059.0000000004DD4000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1616007059.0000000004DD4000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1616007059.0000000004DD4000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: XZoxEqlRUw.exe PID: 7604, type: MEMORYSTR Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: XZoxEqlRUw.exe PID: 7628, type: MEMORYSTR Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: XZoxEqlRUw.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/2@0/1
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Code function: 1_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges, 1_2_0040650A
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Code function: 1_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize, 1_2_0040434D
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06 Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Mutant created: NULL
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: XZoxEqlRUw.exe, 00000001.00000003.1615993357.0000000000665000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: XZoxEqlRUw.exe ReversingLabs: Detection: 95%
Source: unknown Process created: C:\Users\user\Desktop\XZoxEqlRUw.exe "C:\Users\user\Desktop\XZoxEqlRUw.exe"
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process created: C:\Users\user\Desktop\XZoxEqlRUw.exe "C:\Users\user\Desktop\XZoxEqlRUw.exe"
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process created: C:\Users\user\Desktop\XZoxEqlRUw.exe "C:\Users\user\Desktop\XZoxEqlRUw.exe" Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook Jump to behavior

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Unpacked PE file: 1.2.XZoxEqlRUw.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.htext:EW; vs .text:ER;.rdata:R;.data:W;.x:W;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Unpacked PE file: 1.2.XZoxEqlRUw.exe.400000.0.unpack
Yara detected aPLib compressed binary
Source: Yara match File source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.XZoxEqlRUw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.XZoxEqlRUw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1616007059.0000000004DD4000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: XZoxEqlRUw.exe PID: 7604, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: XZoxEqlRUw.exe PID: 7628, type: MEMORYSTR
PE file contains an invalid checksum
Source: XZoxEqlRUw.exe Static PE information: real checksum: 0x3f40f should be: 0x42673
PE file contains sections with non-standard names
Source: XZoxEqlRUw.exe Static PE information: section name: .htext
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Code function: 0_2_00406C6A push edx; rep ret 0_2_00406C6C
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Code function: 0_2_00405808 push ebx; iretd 0_2_004057DB
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Code function: 0_2_0040660A pushfd ; retf 0_2_0040660B
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Code function: 0_2_004036C9 push esi; ret 0_2_004036CC
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Code function: 0_2_004068FF push F53B5A61h; ret 0_2_004068A5
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Code function: 0_2_0040688E push F53B5A61h; ret 0_2_004068A5
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Code function: 0_2_00405D46 push ss; ret 0_2_00405D51
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Code function: 0_2_00402D63 push esp; ret 0_2_00402D79
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Code function: 0_2_00405F00 pushfd ; ret 0_2_00405F04
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Code function: 0_2_00404119 push edi; iretd 0_2_00404124
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Code function: 0_2_00404FD7 push ecx; retf 0_2_00404FD9
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Code function: 0_2_0040579F push ebx; iretd 0_2_004057DB
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Code function: 0_2_00403BB0 push ds; ret 0_2_00403BC3
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Code function: 1_2_00402AC0 push eax; ret 1_2_00402AD4
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Code function: 1_2_00402AC0 push eax; ret 1_2_00402AFC
Source: XZoxEqlRUw.exe Static PE information: section name: .text entropy: 7.45421010060428
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe TID: 7608 Thread sleep count: 32 > 30 Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe TID: 7632 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Code function: 1_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW, 1_2_00403D74
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Thread delayed: delay time: 60000 Jump to behavior
Source: XZoxEqlRUw.exe, 00000001.00000002.1683820658.00000000006B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll,
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process queried: DebugPort Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Code function: 1_2_0040317B mov eax, dword ptr fs:[00000030h] 1_2_0040317B
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Code function: 1_2_00402B7C GetProcessHeap,RtlAllocateHeap, 1_2_00402B7C
Enables debug privileges
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process token adjusted: Debug Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Process created: C:\Users\user\Desktop\XZoxEqlRUw.exe "C:\Users\user\Desktop\XZoxEqlRUw.exe" Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Code function: 1_2_00406069 GetUserNameW, 1_2_00406069
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Generic Dropper
Source: Yara match File source: Process Memory Space: XZoxEqlRUw.exe PID: 7604, type: MEMORYSTR
Yara detected Lokibot
Source: Yara match File source: 1.2.XZoxEqlRUw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.XZoxEqlRUw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1616007059.0000000004DD4000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: XZoxEqlRUw.exe PID: 7604, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: XZoxEqlRUw.exe PID: 7628, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Jump to behavior
Tries to steal Mail credentials (via file registry)
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Code function: PopPassword 1_2_0040D069
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe Code function: SmtpPassword 1_2_0040D069
Yara detected Credential Stealer
Source: Yara match File source: 1.2.XZoxEqlRUw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.XZoxEqlRUw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1616007059.0000000004DD4000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
31.220.1.194
 unknown Germany
206264 AMARUTU-TECHNOLOGYNL true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://kbfvzoboss.bid/alien/fre.php true
  • URL Reputation: malware
 unknown
true
  • Avira URL Cloud: safe
 low
http://31.220.1.194/~zadmin/ptr5/mono.php true
  • Avira URL Cloud: safe
 unknown
http://alphastand.top/alien/fre.php true
  • URL Reputation: malware
 unknown
http://alphastand.win/alien/fre.php true
  • URL Reputation: malware
 unknown
http://alphastand.trade/alien/fre.php true
  • URL Reputation: malware
 unknown