Edit tour

Windows Analysis Report
_.scr.exe

Overview

General Information

Sample name:	__ ___.scr.exe
Analysis ID:	1417353
MD5:	49e8704aa83c8a6445260ca25f68e99a
SHA1:	f2da7dab38056c8225320d10b8b5ab3f4882cc18
SHA256:	d47d5c7948096ffd22bd3d3fb6d714a5a6bd6f4b265dd3408ec149b73167bf08
Tags:	exeLoki
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Lokibot

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Yara detected aPLib compressed binary

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

__ ___.scr.exe (PID: 7444 cmdline: "C:\Users\user\Desktop\__ ___.scr.exe" MD5: 49E8704AA83C8A6445260CA25F68E99A)

__ ___.scr.exe (PID: 7472 cmdline: "C:\Users\user\Desktop\__ ___.scr.exe" MD5: 49E8704AA83C8A6445260CA25F68E99A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "spencerstuartllc.top/document/five/fre.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1613376458.000000000397F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1613376458.000000000397F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1613376458.000000000397F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1613376458.000000000397F000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x17450:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1613376458.000000000397F000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x481b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1613376458.000000000397F000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x1305f:$des3: 68 03 66 00 00 0x17450:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x1751c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000001.00000002.2874007006.0000000000701000.00000004.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000001.00000002.2874007006.0000000000701000.00000004.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000001.00000002.2874007006.0000000000701000.00000004.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2874007006.0000000000701000.00000004.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x177f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000001.00000002.2874007006.0000000000701000.00000004.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x43bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000001.00000002.2874007006.0000000000701000.00000004.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12bff:$des3: 68 03 66 00 00 0x177f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x178bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.1613376458.000000000391C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1613376458.000000000391C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1613376458.000000000391C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1613376458.000000000391C000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x60420:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1613376458.000000000391C000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x4d7eb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1613376458.000000000391C000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x5c02f:$des3: 68 03 66 00 00 0x60420:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x604ec:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.1613270465.0000000002851000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1613270465.0000000002851000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1613270465.0000000002851000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1613270465.0000000002851000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0xf42fc:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1613270465.0000000002851000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0xe16af:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1613270465.0000000002851000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0xefef3:$des3: 68 03 66 00 00 0xf42fc:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0xf43c8:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Process Memory Space: __ ___.scr.exe PID: 7444	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: __ ___.scr.exe PID: 7444	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: __ ___.scr.exe PID: 7444	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: __ ___.scr.exe PID: 7444	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x1105d:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x24b4a:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x4fa7a:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: __ ___.scr.exe PID: 7472	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: __ ___.scr.exe PID: 7472	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: __ ___.scr.exe PID: 7472	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x3471:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 26 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.__ ___.scr.exe.3965030.2.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.__ ___.scr.exe.3965030.2.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.__ ___.scr.exe.3965030.2.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.__ ___.scr.exe.3965030.2.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.__ ___.scr.exe.3965030.2.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.__ ___.scr.exe.3965030.2.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.__ ___.scr.exe.3965030.2.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.__ ___.scr.exe.3965030.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.__ ___.scr.exe.3965030.2.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.__ ___.scr.exe.3965030.2.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.__ ___.scr.exe.3965030.2.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.__ ___.scr.exe.3965030.2.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.__ ___.scr.exe.3965030.2.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
1.2.__ ___.scr.exe.700000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
1.2.__ ___.scr.exe.700000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
1.2.__ ___.scr.exe.700000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.__ ___.scr.exe.700000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
1.2.__ ___.scr.exe.700000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
1.2.__ ___.scr.exe.700000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
1.2.__ ___.scr.exe.700000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
1.2.__ ___.scr.exe.700000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.__ ___.scr.exe.4e90000.5.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4246b:$x1: In$J$ct0r
0.2.__ ___.scr.exe.38e91b0.4.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4246b:$x1: In$J$ct0r
0.2.__ ___.scr.exe.38a1380.3.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4246b:$x1: In$J$ct0r
0.2.__ ___.scr.exe.38a1380.3.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4426b:$x1: In$J$ct0r
0.2.__ ___.scr.exe.2863b50.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.__ ___.scr.exe.2863b50.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.__ ___.scr.exe.2863b50.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.__ ___.scr.exe.2863b50.0.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0xe17ac:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.__ ___.scr.exe.2863b50.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0xceb5f:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.__ ___.scr.exe.2863b50.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0xde170:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0xde3b8:$a2: last_compatible_version
0.2.__ ___.scr.exe.2863b50.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0xdd3a3:$des3: 68 03 66 00 00 0xe17ac:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0xe1878:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.__ ___.scr.exe.2863b50.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0xe08f2:$f1: FileZilla\recentservers.xml 0xe0932:$f2: FileZilla\sitemanager.xml 0xdeba2:$b2: Mozilla\Firefox\Profiles 0xde90c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0xdeab6:$s4: logins.json 0xdf960:$s6: wand.dat 0xde3e0:$a1: username_value 0xde3d0:$a2: password_value 0xdea1b:$a3: encryptedUsername 0xdea88:$a3: encryptedUsername 0xdea2e:$a4: encryptedPassword 0xdea9c:$a4: encryptedPassword
0.2.__ ___.scr.exe.2863b50.0.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xc7e24:$x1: In$J$ct0r 0xc9ad8:$a1: WriteProcessMemory 0xc9b64:$a1: WriteProcessMemory 0xc9c38:$a4: VirtualAllocEx 0xc9e5c:$a4: VirtualAllocEx 0xc9edc:$a4: VirtualAllocEx 0xca2c:$s3: net.pipe 0xc80cc:$s3: net.pipe 0xc80ec:$s4: vsmacros
0.2.__ ___.scr.exe.2861328.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.__ ___.scr.exe.2861328.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.__ ___.scr.exe.2861328.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.__ ___.scr.exe.2861328.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0xe3fd4:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.__ ___.scr.exe.2861328.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0xd1387:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.__ ___.scr.exe.2861328.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0xe0998:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0xe0be0:$a2: last_compatible_version
0.2.__ ___.scr.exe.2861328.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0xdfbcb:$des3: 68 03 66 00 00 0xe3fd4:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0xe40a0:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.__ ___.scr.exe.2861328.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0xe311a:$f1: FileZilla\recentservers.xml 0xe315a:$f2: FileZilla\sitemanager.xml 0xe13ca:$b2: Mozilla\Firefox\Profiles 0xe1134:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0xe12de:$s4: logins.json 0xe2188:$s6: wand.dat 0xe0c08:$a1: username_value 0xe0bf8:$a2: password_value 0xe1243:$a3: encryptedUsername 0xe12b0:$a3: encryptedUsername 0xe1256:$a4: encryptedPassword 0xe12c4:$a4: encryptedPassword
0.2.__ ___.scr.exe.2861328.1.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xca64c:$x1: In$J$ct0r 0xcc300:$a1: WriteProcessMemory 0xcc38c:$a1: WriteProcessMemory 0xcc460:$a4: VirtualAllocEx 0xcc684:$a4: VirtualAllocEx 0xcc704:$a4: VirtualAllocEx 0xf254:$s3: net.pipe 0xca8f4:$s3: net.pipe 0xca914:$s4: vsmacros
Click to see the 38 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://kbfvzoboss.bid/alien/fre.php	URL Reputation: Label: malware
Source: http://kbfvzoboss.bid/alien/fre.php	URL Reputation: Label: malware
Source: http://alphastand.win/alien/fre.php	URL Reputation: Label: malware
Source: http://alphastand.trade/alien/fre.php	URL Reputation: Label: malware
Source: http://alphastand.top/alien/fre.php	URL Reputation: Label: malware
Source: http://alphastand.top/alien/fre.php	URL Reputation: Label: malware
Source: spencerstuartllc.top/document/five/fre.php	Avira URL Cloud: Label: phishing

Found malware configuration

Source: 00000000.00000002.1613376458.000000000391C000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "spencerstuartllc.top/document/five/fre.php"]}

Multi AV Scanner detection for submitted file

Source: __ ___.scr.exe

Virustotal: Detection: 40%

Perma Link

Machine Learning detection for sample

Source: __ ___.scr.exe

Joe Sandbox ML: detected

Source: __ ___.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: __ ___.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: __ ___.scr.exe, 00000000.00000002.1613270465.0000000002851000.00000004.00000800.00020000.00000000.sdmp, __ ___.scr.exe, 00000000.00000002.1614064248.0000000004F10000.00000004.08000000.00040000.00000000.sdmp

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor	URLs: spencerstuartllc.top/document/five/fre.php

Source: __ ___.scr.exe, 00000000.00000002.1613376458.000000000391C000.00000004.00000800.00020000.00000000.sdmp, __ ___.scr.exe, 00000000.00000002.1613270465.0000000002851000.00000004.00000800.00020000.00000000.sdmp, __ ___.scr.exe, 00000000.00000002.1613376458.000000000397F000.00000004.00000800.00020000.00000000.sdmp, __ ___.scr.exe, 00000001.00000002.2874007006.0000000000701000.00000004.00000400.00020000.00000000.sdmp

String found in binary or memory: http://www.ibsensoftware.com/

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.__ ___.scr.exe.3965030.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.__ ___.scr.exe.3965030.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.__ ___.scr.exe.3965030.2.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.__ ___.scr.exe.3965030.2.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.__ ___.scr.exe.3965030.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.__ ___.scr.exe.3965030.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.__ ___.scr.exe.3965030.2.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.__ ___.scr.exe.3965030.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.__ ___.scr.exe.3965030.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 1.2.__ ___.scr.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 1.2.__ ___.scr.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 1.2.__ ___.scr.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 1.2.__ ___.scr.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.__ ___.scr.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.__ ___.scr.exe.4e90000.5.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.__ ___.scr.exe.38e91b0.4.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.__ ___.scr.exe.38a1380.3.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.__ ___.scr.exe.38a1380.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.__ ___.scr.exe.2863b50.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.__ ___.scr.exe.2863b50.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.__ ___.scr.exe.2863b50.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.__ ___.scr.exe.2863b50.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.__ ___.scr.exe.2863b50.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.__ ___.scr.exe.2863b50.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.__ ___.scr.exe.2861328.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.__ ___.scr.exe.2861328.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.__ ___.scr.exe.2861328.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.__ ___.scr.exe.2861328.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.__ ___.scr.exe.2861328.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.__ ___.scr.exe.2861328.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000000.00000002.1613376458.000000000397F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1613376458.000000000397F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1613376458.000000000397F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.2874007006.0000000000701000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000001.00000002.2874007006.0000000000701000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000001.00000002.2874007006.0000000000701000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1613376458.000000000391C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1613376458.000000000391C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1613376458.000000000391C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1613270465.0000000002851000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1613270465.0000000002851000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1613270465.0000000002851000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: __ ___.scr.exe PID: 7444, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: __ ___.scr.exe PID: 7472, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Source: C:\Users\user\Desktop\__ ___.scr.exe	Code function: 0_2_00B5ABB8		0_2_00B5ABB8
Source: C:\Users\user\Desktop\__ ___.scr.exe	Code function: 0_2_00B592E0		0_2_00B592E0

Source: __ ___.scr.exe, 00000000.00000002.1613376458.000000000391C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs __ ___.scr.exe
Source: __ ___.scr.exe, 00000000.00000002.1613270465.0000000002851000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs __ ___.scr.exe
Source: __ ___.scr.exe, 00000000.00000002.1612874697.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs __ ___.scr.exe
Source: __ ___.scr.exe, 00000000.00000002.1613376458.0000000003859000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs __ ___.scr.exe
Source: __ ___.scr.exe, 00000000.00000002.1613912571.0000000004EC3000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs __ ___.scr.exe
Source: __ ___.scr.exe, 00000000.00000002.1614064248.0000000004F10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs __ ___.scr.exe
Source: __ ___.scr.exe, 00000000.00000000.1610070773.00000000004EC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamemstsc.exel% vs __ ___.scr.exe
Source: __ ___.scr.exe	Binary or memory string: OriginalFilenamemstsc.exel% vs __ ___.scr.exe

Source: C:\Users\user\Desktop\__ ___.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Section loaded: windows.storage.dll	Jump to behavior

Source: __ ___.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.__ ___.scr.exe.3965030.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.__ ___.scr.exe.3965030.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.__ ___.scr.exe.3965030.2.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.__ ___.scr.exe.3965030.2.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.__ ___.scr.exe.3965030.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.__ ___.scr.exe.3965030.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.__ ___.scr.exe.3965030.2.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.__ ___.scr.exe.3965030.2.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.__ ___.scr.exe.3965030.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 1.2.__ ___.scr.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 1.2.__ ___.scr.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 1.2.__ ___.scr.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.2.__ ___.scr.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.__ ___.scr.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.__ ___.scr.exe.4e90000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.__ ___.scr.exe.38e91b0.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.__ ___.scr.exe.38a1380.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.__ ___.scr.exe.38a1380.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.__ ___.scr.exe.2863b50.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.__ ___.scr.exe.2863b50.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.__ ___.scr.exe.2863b50.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.__ ___.scr.exe.2863b50.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.__ ___.scr.exe.2863b50.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.__ ___.scr.exe.2863b50.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.__ ___.scr.exe.2861328.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.__ ___.scr.exe.2861328.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.__ ___.scr.exe.2861328.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.__ ___.scr.exe.2861328.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.__ ___.scr.exe.2861328.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.__ ___.scr.exe.2861328.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000000.00000002.1613376458.000000000397F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1613376458.000000000397F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1613376458.000000000397F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.2874007006.0000000000701000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000001.00000002.2874007006.0000000000701000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000001.00000002.2874007006.0000000000701000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1613376458.000000000391C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1613376458.000000000391C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1613376458.000000000391C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1613270465.0000000002851000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1613270465.0000000002851000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1613270465.0000000002851000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: __ ___.scr.exe PID: 7444, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: __ ___.scr.exe PID: 7472, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: __ ___.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: __ ___.scr.exe, -J.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.__ ___.scr.exe.38a1380.3.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.__ ___.scr.exe.38a1380.3.raw.unpack, DarkComboBox.cs

Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'

Source: __ ___.scr.exe	Binary or memory string: MSB2013: The project-to-project reference with GUID {0} could not be converted because a valid .SLN file containing all projects could not be found.
Source: __ ___.scr.exe	Binary or memory string: .vbproj
Source: __ ___.scr.exe	Binary or memory string: .csproj
Source: __ ___.scr.exe	Binary or memory string: .csprojM{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}
Source: __ ___.scr.exe	Binary or memory string: .vbprojM{F184B08F-C81C-45F6-A57F-5ABD9991F28F}
Source: __ ___.scr.exe	Binary or memory string: *.sln.sln

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@0/0

Source: C:\Users\user\Desktop\__ ___.scr.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\__ ___.scr.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\__ ___.scr.exe

Mutant created: NULL

Source: __ ___.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: __ ___.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Users\user\Desktop\__ ___.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: __ ___.scr.exe

Virustotal: Detection: 40%

Source: unknown	Process created: C:\Users\user\Desktop\__ ___.scr.exe "C:\Users\user\Desktop\__ ___.scr.exe"
Source: C:\Users\user\Desktop\__ ___.scr.exe	Process created: C:\Users\user\Desktop\__ ___.scr.exe "C:\Users\user\Desktop\__ ___.scr.exe"
Source: C:\Users\user\Desktop\__ ___.scr.exe	Process created: C:\Users\user\Desktop\__ ___.scr.exe "C:\Users\user\Desktop\__ ___.scr.exe"	Jump to behavior

Source: C:\Users\user\Desktop\__ ___.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\__ ___.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: __ ___.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: __ ___.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Data Obfuscation

.NET source code contains potential unpacker

Source: __ ___.scr.exe, -t.cs

.Net Code: Hitter System.AppDomain.Load(byte[])

Yara detected aPLib compressed binary

Source: Yara match	File source: 0.2.__ ___.scr.exe.3965030.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.__ ___.scr.exe.3965030.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.__ ___.scr.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.__ ___.scr.exe.2863b50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.__ ___.scr.exe.2861328.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1613376458.000000000397F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2874007006.0000000000701000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1613376458.000000000391C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1613270465.0000000002851000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: __ ___.scr.exe PID: 7444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: __ ___.scr.exe PID: 7472, type: MEMORYSTR

Source: __ ___.scr.exe

Static PE information: 0xCFE67F87 [Fri Jul 12 06:00:39 2080 UTC]

Source: C:\Users\user\Desktop\__ ___.scr.exe	Code function: 0_2_00B545DF push ebx; retf 0004h	0_2_00B545E2
Source: C:\Users\user\Desktop\__ ___.scr.exe	Code function: 0_2_00B54549 push ebx; retf 0004h	0_2_00B5454A
Source: C:\Users\user\Desktop\__ ___.scr.exe	Code function: 0_2_00B54661 push esp; retf 0004h	0_2_00B54662
Source: C:\Users\user\Desktop\__ ___.scr.exe	Code function: 0_2_00B54891 pushad ; retf 0004h	0_2_00B54892
Source: C:\Users\user\Desktop\__ ___.scr.exe	Code function: 0_2_00B50FE8 push 20A0B802h; retf	0_2_00B51037

Source: __ ___.scr.exe

Static PE information: section name: .text entropy: 7.616817306003862

Source: C:\Users\user\Desktop\__ ___.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: __ ___.scr.exe PID: 7444, type: MEMORYSTR

Source: C:\Users\user\Desktop\__ ___.scr.exe	Memory allocated: B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Memory allocated: 2850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Memory allocated: 27A0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\__ ___.scr.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\__ ___.scr.exe TID: 7464

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\__ ___.scr.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\__ ___.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.__ ___.scr.exe.2861328.1.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.__ ___.scr.exe.2861328.1.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.__ ___.scr.exe.2861328.1.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\__ ___.scr.exe

Memory written: C:\Users\user\Desktop\__ ___.scr.exe base: 700000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\__ ___.scr.exe

Process created: C:\Users\user\Desktop\__ ___.scr.exe "C:\Users\user\Desktop\__ ___.scr.exe"

Jump to behavior

Source: C:\Users\user\Desktop\__ ___.scr.exe	Queries volume information: C:\Users\user\Desktop\__ ___.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\__ ___.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\__ ___.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 0.2.__ ___.scr.exe.3965030.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.__ ___.scr.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.__ ___.scr.exe.2863b50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.__ ___.scr.exe.2861328.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1613376458.000000000397F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2874007006.0000000000701000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1613376458.000000000391C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1613270465.0000000002851000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: __ ___.scr.exe PID: 7444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: __ ___.scr.exe PID: 7472, type: MEMORYSTR

Source: Yara match	File source: 0.2.__ ___.scr.exe.3965030.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.__ ___.scr.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.__ ___.scr.exe.2863b50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.__ ___.scr.exe.2861328.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1613376458.000000000397F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2874007006.0000000000701000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1613376458.000000000391C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1613270465.0000000002851000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	111 Process Injection	1 Masquerading	OS Credential Dumping	31 Virtualization/Sandbox Evasion	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
__ ___.scr.exe	40%	Virustotal		Browse
__ ___.scr.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://kbfvzoboss.bid/alien/fre.php	100%	URL Reputation	malware
http://kbfvzoboss.bid/alien/fre.php	100%	URL Reputation	malware
http://alphastand.win/alien/fre.php	100%	URL Reputation	malware
http://alphastand.trade/alien/fre.php	100%	URL Reputation	malware
http://alphastand.top/alien/fre.php	100%	URL Reputation	malware
http://alphastand.top/alien/fre.php	100%	URL Reputation	malware
http://www.ibsensoftware.com/	0%	URL Reputation	safe
http://www.ibsensoftware.com/	0%	URL Reputation	safe
spencerstuartllc.top/document/five/fre.php	100%	Avira URL Cloud	phishing

Name	Malicious	Antivirus Detection	Reputation
http://kbfvzoboss.bid/alien/fre.php	true	URL Reputation: malware URL Reputation: malware	unknown
http://alphastand.win/alien/fre.php	true	URL Reputation: malware	unknown
spencerstuartllc.top/document/five/fre.php	true	Avira URL Cloud: phishing	low
http://alphastand.trade/alien/fre.php	true	URL Reputation: malware	unknown
http://alphastand.top/alien/fre.php	true	URL Reputation: malware URL Reputation: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.ibsensoftware.com/	__ ___.scr.exe, 00000000.00000002.1613376458.000000000391C000.00000004.00000800.00020000.00000000.sdmp, __ ___.scr.exe, 00000000.00000002.1613270465.0000000002851000.00000004.00000800.00020000.00000000.sdmp, __ ___.scr.exe, 00000000.00000002.1613376458.000000000397F000.00000004.00000800.00020000.00000000.sdmp, __ ___.scr.exe, 00000001.00000002.2874007006.0000000000701000.00000004.00000400.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1417353
Start date and time:	2024-03-29 03:11:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	__ ___.scr.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 11 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Process:	C:\Users\user\Desktop\__ ___.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	706
Entropy (8bit):	5.349842958726647
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M9XKbbDLI4MWuPJKAVKhat92n4M6:MLUE4K5E4KH1qE4qXKDE4KhKiKhg84j
MD5:	9BA266AD16952A9A57C3693E0BCFED48
SHA1:	5DB70A3A7F1DB4E3879265AB336B2FA1AFBCECD5
SHA-256:	A6DFD14E82D7D47195A1EC7F31E64C2820AB8721EF4B5825E21E742093B55C0E
SHA-512:	678E1F639379FC24919B7CF562FA19CE53363CBD4B0EAB66486F6F8D5DD5958DE3AAE8D7842EE868EFCC39D907FDC1A3ACF464E29D37B0DAEE9874C39730FE8E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.59711658149237
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	__ ___.scr.exe
File size:	431'104 bytes
MD5:	49e8704aa83c8a6445260ca25f68e99a
SHA1:	f2da7dab38056c8225320d10b8b5ab3f4882cc18
SHA256:	d47d5c7948096ffd22bd3d3fb6d714a5a6bd6f4b265dd3408ec149b73167bf08
SHA512:	441a1da896435da70a1e79dbdfb40e235eefd14fd526f5cfb062b98273ecef50425b3113170e92502b1a9986798cb6a8113fcd08ea12e29ee64ca84b6ab0e66d
SSDEEP:	12288:zFFAiIlk45xaDDhUsXT5Eo4eCK6e8vV4d0:sl7O9lXlEQ7H8vV1
TLSH:	A2949C01A7FC178DF5F65BF668B1140A07B376262D36DA5E6CC122CE05AEB818C71B27
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x46a6ae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xCFE67F87 [Fri Jul 12 06:00:39 2080 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6a65c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6c000	0x62a	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x686b4	0x68800	51b57cec7b7288e911edcfcfd62d77bb	False	0.7807009756279905	data	7.616817306003862	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x6c000	0x62a	0x800	b9159c8aa0f5f07e02147def1e22e0cd	False	0.3466796875	data	3.4797650638778452	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6e000	0xc	0x200	4e47afa5f200ff0f32be75c22f82975b	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x6c0a0	0x3a0	data			0.43426724137931033
RT_MANIFEST	0x6c440	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Target ID:	0
Start time:	03:11:49
Start date:	29/03/2024
Path:	C:\Users\user\Desktop\__ ___.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\__ ___.scr.exe"
Imagebase:	0x480000
File size:	431'104 bytes
MD5 hash:	49E8704AA83C8A6445260CA25F68E99A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1613376458.000000000397F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1613376458.000000000397F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1613376458.000000000397F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1613376458.000000000397F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1613376458.000000000397F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1613376458.000000000397F000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1613376458.000000000391C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1613376458.000000000391C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1613376458.000000000391C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1613376458.000000000391C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1613376458.000000000391C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1613376458.000000000391C000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1613270465.0000000002851000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1613270465.0000000002851000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1613270465.0000000002851000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1613270465.0000000002851000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1613270465.0000000002851000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1613270465.0000000002851000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	03:11:49
Start date:	29/03/2024
Path:	C:\Users\user\Desktop\__ ___.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\__ ___.scr.exe"
Imagebase:	0x2d0000
File size:	431'104 bytes
MD5 hash:	49E8704AA83C8A6445260CA25F68E99A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000001.00000002.2874007006.0000000000701000.00000004.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000002.2874007006.0000000000701000.00000004.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2874007006.0000000000701000.00000004.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000001.00000002.2874007006.0000000000701000.00000004.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000001.00000002.2874007006.0000000000701000.00000004.00000400.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000001.00000002.2874007006.0000000000701000.00000004.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	6.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	77.8%
Total number of Nodes:	27
Total number of Limit Nodes:	1

Executed Functions

Function 00B592E0 Relevance: 2.8, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xbq, xrefs: 00B5930F
$^q, xrefs: 00B592F6

Memory Dump Source

Source File: 00000000.00000002.1612860524.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000___ ___.jbxd

Similarity

API ID:
String ID: Xbq$$^q
API String ID: 0-1593437937
Opcode ID: 53850b2c87dcaa8bc5dd206e5fbc55b379e9b88b0b111d3d4d6f107898e046ba
Instruction ID: c2cee26090a83a351534499e3d72b7d406d86073386ab84fe5b5ca7196880223
Opcode Fuzzy Hash: 53850b2c87dcaa8bc5dd206e5fbc55b379e9b88b0b111d3d4d6f107898e046ba
Instruction Fuzzy Hash: E181A570B00218DBDB19EF79985477E7BB7BFC8701B148499D80BEB298DE34C8169B91

Uniqueness

Uniqueness Score: -1.00%

Function 00B5ABB8 Relevance: 1.9, Strings: 1, Instructions: 615
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 00B5B368

Memory Dump Source

Source File: 00000000.00000002.1612860524.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000___ ___.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 24ac7ba1cb85d8b88ef52d4ae093e24190b6de22c33b3d7f0fd5c7f957419b16
Instruction ID: 4cb0834f0cfb353f7236c07b42340779fb874a2011635cf49e4a8cafdcff8f25
Opcode Fuzzy Hash: 24ac7ba1cb85d8b88ef52d4ae093e24190b6de22c33b3d7f0fd5c7f957419b16
Instruction Fuzzy Hash: 6C52C171D012288FDB68DF65C994BDDBBF2BF89301F1081EA9409AB295DB345E89CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00B59C5C Relevance: 1.7, APIs: 1, Instructions: 223
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00B5B8B9

Memory Dump Source

Source File: 00000000.00000002.1612860524.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000___ ___.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 32e8b78412b7ae317ca97511b0972a657c4f9f5539f33b5095592a7ed42badb1
Instruction ID: 3d90f9e9eb75f1e29a8899e5bc763f9fabad5fb1e65e09b708d9b12563b46f4e
Opcode Fuzzy Hash: 32e8b78412b7ae317ca97511b0972a657c4f9f5539f33b5095592a7ed42badb1
Instruction Fuzzy Hash: F081C074C00269DFDB20CFA9C940BEDBBF5AB49304F1491EAE548B7260DB749A89CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00B5A790 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00B5A863

Memory Dump Source

Source File: 00000000.00000002.1612860524.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000___ ___.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e1db8a45c86345d5154ecab71fd9aa831bc8e00adf7e6cc9319961d8c399cb47
Instruction ID: 364eb26213bbb45173a58472e5314963ac249054cc66aab1b2c8f78c642475a2
Opcode Fuzzy Hash: e1db8a45c86345d5154ecab71fd9aa831bc8e00adf7e6cc9319961d8c399cb47
Instruction Fuzzy Hash: C84199B5D012589FCF00CFA9D984ADEFBF1BB49310F20906AE818B7250D775AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00B59C80 Relevance: 1.6, APIs: 1, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00B5BBC5

Memory Dump Source

Source File: 00000000.00000002.1612860524.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000___ ___.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 8dc575727385aecdb1fd2df9422c8ef98c22ec2241b44c7089bb222d155dba35
Instruction ID: 312454ee102069a29001900db2ddabf71c8d3a89c0787b45ead7e9580bf22600
Opcode Fuzzy Hash: 8dc575727385aecdb1fd2df9422c8ef98c22ec2241b44c7089bb222d155dba35
Instruction Fuzzy Hash: 1F4158B9D04258DFCF10CFAAD984ADEFBB5BB19310F14906AE814B7210D375A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00B5A8E8 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00B5A992

Memory Dump Source

Source File: 00000000.00000002.1612860524.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000___ ___.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a9e438f8268e5f56ef33ad2562ea02d5f7383baddb9e41f8baaa10efb61768fd
Instruction ID: aea73e11abb83eb1f118d230be1982432c5213a9b036f96e1cf860baad08782c
Opcode Fuzzy Hash: a9e438f8268e5f56ef33ad2562ea02d5f7383baddb9e41f8baaa10efb61768fd
Instruction Fuzzy Hash: E331A6B9D00258DFCF10CFA9D980ADEFBB1BB49310F20A42AE814B7210D735A945CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00B5A668 Relevance: 1.6, APIs: 1, Instructions: 94
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 00B5A717

Memory Dump Source

Source File: 00000000.00000002.1612860524.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000___ ___.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c5adad2fd2a218ecbaa15f5d0f06db24e1a4610e729b16b1d7610e7d8938726c
Instruction ID: 5088a8b8a3ea3ccb6749d3556903dda5db54adfdda7e50c4ca88089ba578c84d
Opcode Fuzzy Hash: c5adad2fd2a218ecbaa15f5d0f06db24e1a4610e729b16b1d7610e7d8938726c
Instruction Fuzzy Hash: DC31CBB4D002589FCB10DFAAD984AEEFFF0BB49314F24806AE414B7210C738A989CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00B59C68 Relevance: 1.6, APIs: 1, Instructions: 91
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64GetThreadContext.KERNEL32(?,?), ref: 00B5BAB2

Memory Dump Source

Source File: 00000000.00000002.1612860524.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000___ ___.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7829058b34222fa2937b5f2d9e120cffa7d7d0ad628dff28bdef3235b69e69e5
Instruction ID: 9f906329112a402ddf009418f076d7467a9bf42b7a6a7935bf5e1fe52d6a953d
Opcode Fuzzy Hash: 7829058b34222fa2937b5f2d9e120cffa7d7d0ad628dff28bdef3235b69e69e5
Instruction Fuzzy Hash: 0E31ABB5D01258DFCB10CFAAD584ADEFBF1BB09314F24806AE814B7210D779A949CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00B5AA08 Relevance: 1.6, APIs: 1, Instructions: 73
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 00B5AA86

Memory Dump Source

Source File: 00000000.00000002.1612860524.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000___ ___.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 589cc354ab347c41a88f67f91addd57c2e120348c6a2b1a57d86d7400e135ec8
Instruction ID: 8a7f3970da4a483c9b44864e4dd58b05b4bf35f0ce7414c4ce56d607672ae915
Opcode Fuzzy Hash: 589cc354ab347c41a88f67f91addd57c2e120348c6a2b1a57d86d7400e135ec8
Instruction Fuzzy Hash: D831CAB4D012189FCB14CFAAD984ADEFBF4BB49310F10946AE818B7310C735A845CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00AAD5B8 Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1612724927.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aad000___ ___.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cc091d823a0b173f8624bc8aa723db7d4759cf20755f9f886acb3b7c82c1938
Instruction ID: 3a787750aa8c64362b81f98dbefebe60775117482fdc836d41f11ea8e2b52b09
Opcode Fuzzy Hash: 5cc091d823a0b173f8624bc8aa723db7d4759cf20755f9f886acb3b7c82c1938
Instruction Fuzzy Hash: 052134B1504200EFCB05DF14DAC4B2ABFA5FB99318F24C56DE84A0B696C336D856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AAD5B3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612724927.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aad000___ ___.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 2066af595c62a0673f58cbfbb2eca9fb40586b154781ec458f324c175584405a
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 0311D376504240CFCF16CF14D5C4B16BF72FB95314F24C6A9D84A0B656C33AD85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report __ ___.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lokibot

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\__ ___.scr.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: __ ___.scr.exePID: 7444, Parent PID: 2580

Windows Analysis Report
_.scr.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ _.scr.exe.log

Analysis Process: _.scr.exePID: 7444, Parent PID: 2580

Analysis Process: _.scr.exePID: 7472, Parent PID: 7444

Analysis Process: _.scr.exePID: 7444, Parent PID: 2580COMMON

Function 00B592E0 Relevance: 2.8, Strings: 2, Instructions: 260
COMMON

Function 00B5ABB8 Relevance: 1.9, Strings: 1, Instructions: 615
COMMON

Function 00B59C5C Relevance: 1.7, APIs: 1, Instructions: 223
processCOMMON

Function 00B5A790 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Function 00B59C80 Relevance: 1.6, APIs: 1, Instructions: 103
COMMON

Function 00B5A8E8 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Function 00B5A668 Relevance: 1.6, APIs: 1, Instructions: 94
threadCOMMON

Function 00B59C68 Relevance: 1.6, APIs: 1, Instructions: 91
threadCOMMON

Function 00B5AA08 Relevance: 1.6, APIs: 1, Instructions: 73
threadCOMMON

Function 00AAD5B8 Relevance: .1, Instructions: 75
COMMON