
Analysis Report vaCurr

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 219783
Start date: 02.04.2020
Start time: 15:46:19
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 44s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: vaCurr (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.spyw.evad.winEXE@3/2@0/1
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 11.7% (good quality ratio 11.2%)
  • Quality average: 77.3%
  • Quality standard deviation: 28.5%
HCA Information:
  • Successful, ratio: 64%
  • Number of executed functions: 95
  • Number of non-executed functions: 220
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): WMIADAP.exe
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Whitelisted: false
Threat: Lokibot
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification Spiderchart

Analysis Advice

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook



Mitre Att&ck Matrix

Techniques are listed per tactic column of the matrix. The digits in brackets after a technique are the matrix's hit badges, reproduced as displayed; techniques without a badge are the unmatched background of the matrix.

Initial Access:
  • Valid Accounts [2]
  • Replication Through Removable Media
  • External Remote Services
  • Drive-by Compromise
  • Exploit Public-Facing Application
  • Spearphishing Link
  • Spearphishing Attachment
  • Spearphishing via Service
  • Supply Chain Compromise
Execution:
  • Execution through API [1]
  • Graphical User Interface [2]
  • Windows Management Instrumentation
  • Scheduled Task
  • Command-Line Interface
  • Graphical User Interface
  • Scripting
  • Third-party Software
  • Rundll32
Persistence:
  • Valid Accounts [2]
  • Application Shimming [1]
  • Accessibility Features
  • System Firmware
  • Shortcut Modification
  • Modify Existing Service
  • Path Interception
  • Logon Scripts
  • DLL Search Order Hijacking
Privilege Escalation:
  • Exploitation for Privilege Escalation [1]
  • Valid Accounts [2]
  • Access Token Manipulation [21]
  • Process Injection [112]
  • Application Shimming [1]
  • New Service
  • Scheduled Task
  • Process Injection
  • Service Registry Permissions Weakness
Defense Evasion:
  • Disabling Security Tools [1]
  • Deobfuscate/Decode Files or Information [1]
  • Obfuscated Files or Information [2]
  • Masquerading [1]
  • Valid Accounts [2]
  • Virtualization/Sandbox Evasion [1]
  • Access Token Manipulation [21]
  • Process Injection [112]
  • Process Injection
Credential Access:
  • Credential Dumping [2]
  • Input Capture [21]
  • Credentials in Registry [2]
  • Credentials in Files
  • Account Manipulation
  • Brute Force
  • Two-Factor Authentication Interception
  • Bash History
  • Input Prompt
Discovery:
  • System Time Discovery [2]
  • Account Discovery [1]
  • Security Software Discovery [3]
  • File and Directory Discovery [2]
  • System Information Discovery [27]
  • Virtualization/Sandbox Evasion [1]
  • Process Discovery [2]
  • Application Window Discovery [1]
  • System Owner/User Discovery [1]
Lateral Movement:
  • Remote File Copy [1]
  • Remote Services
  • Windows Remote Management
  • Logon Scripts
  • Shared Webroot
  • Third-party Software
  • Pass the Hash
  • Remote Desktop Protocol
  • Windows Admin Shares
Collection:
  • Man in the Browser [1]
  • Data from Local System [2]
  • Email Collection [1]
  • Input Capture [21]
  • Clipboard Data [2]
  • Screen Capture
  • Email Collection
  • Clipboard Data
  • Automated Collection
Exfiltration:
  • Data Encrypted [1]
  • Exfiltration Over Other Network Medium
  • Automated Exfiltration
  • Data Encrypted
  • Scheduled Transfer
  • Data Transfer Size Limits
  • Exfiltration Over Command and Control Channel
  • Exfiltration Over Alternative Protocol
  • Exfiltration Over Physical Medium
Command and Control:
  • Remote File Copy [1]
  • Standard Cryptographic Protocol [1]
  • Standard Non-Application Layer Protocol [1]
  • Standard Application Layer Protocol [11]
  • Standard Cryptographic Protocol
  • Commonly Used Port
  • Uncommonly Used Port
  • Standard Application Layer Protocol
  • Multilayer Encryption
Network Effects:
  • Eavesdrop on Insecure Network Communication
  • Exploit SS7 to Redirect Phone Calls/SMS
  • Exploit SS7 to Track Device Location
  • SIM Card Swap
  • Manipulate Device Communication
  • Jamming or Denial of Service
  • Rogue Wi-Fi Access Points
  • Downgrade to Insecure Protocols
  • Rogue Cellular Base Station
Remote Service Effects:
  • Remotely Track Device Without Authorization
  • Remotely Wipe Data Without Authorization
  • Obtain Device Cloud Backups
Impact:
  • System Shutdown/Reboot [1]
  • Device Lockout
  • Delete Device Data
  • Premium SMS Toll Fraud
  • Manipulate App Store Rankings or Ratings
  • Abuse Accessibility Features
  • Data Encrypted for Impact
  • Generate Fraudulent Advertising Revenue
  • Data Destruction

Signature Overview

AV Detection:

Found malware configuration
Source: vaCurr.exe.1340.0.memstr | Malware Configuration Extractor: Lokibot {"c2:": "http://108.170.31.41/dozlogs/logs/fre.php"}
Multi AV Scanner detection for submitted file
Source: vaCurr.exe | Virustotal: Detection: 64%
Source: vaCurr.exe | Metadefender: Detection: 25%
Source: vaCurr.exe | ReversingLabs: Detection: 63%

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00E3449B GetFileAttributesW,FindFirstFileW,FindClose,0_2_00E3449B
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,1_2_00403D74
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00E3449B GetFileAttributesW,FindFirstFileW,FindClose,1_2_00E3449B
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00E3C7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,1_2_00E3C7E8
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00E3C75D FindFirstFileW,FindClose,1_2_00E3C75D
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00E3F021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_00E3F021
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00E3F17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_00E3F17E
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00E3F47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,1_2_00E3F47F
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00E33833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,1_2_00E33833

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
Source: TrafficSnort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.5:49742 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49742 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49742 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.5:49742 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.5:49743 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49743 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49743 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.5:49743 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49744 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49744 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49744 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49744 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49744
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49745 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49745 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49745 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49745 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49745
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49746 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49746 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49746 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49746 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49746
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49747 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49747 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49747 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49747 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49747
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49748 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49748 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49748 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49748 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49748
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49749 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49749 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49749 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49749 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49749
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49750 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49750 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49750 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49750 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49750
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49751 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49751 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49751 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49751 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49751
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49752 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49752 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49752 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49752 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49752
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49753 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49753 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49753 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49753 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49753
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49754 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49754 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49754 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49754 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49754
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49755 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49755 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49755 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49755 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49755
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49756 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49756 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49756 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49756 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49756
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49757 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49757 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49757 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49757 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49757
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49758 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49758 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49758 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49758 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49758
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49759 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49759 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49759 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49759 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49759
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49760 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49760 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49760 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49760 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49760
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49761 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49761 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49761 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49761 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49761
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49762 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49762 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49762 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49762 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49762
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49763 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49763 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49763 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49763 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49763
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49764 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49764 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49764 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49764 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49764
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49765 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49765 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49765 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49765 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49765
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49766 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49766 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49766 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49766 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49766
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49767 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49767 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49767 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49767 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49767
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49768 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49768 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49768 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49768 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49768
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49769 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49769 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49769 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49769 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49769
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49770 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49770 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49770 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49770 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49770
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49771 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49771 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49771 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49771 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49771
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49772 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49772 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49772 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49772 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49772
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49773 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49773 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49773 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49773 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49773
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49774 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49774 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49774 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49774 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49774
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49775 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49775 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49775 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49775 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49775
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49776 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49776 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49776 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49776 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49776
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49777 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49777 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49777 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49777 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49777
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49778 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49778 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49778 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49778 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49778
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49779 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49779 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49779 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49779 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49779
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49780 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49780 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49780 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49780 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49780
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49781 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49781 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49781 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49781 -> 108.170.31.41:80
Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 108.170.31.41:80 -> 192.168.2.5:49781
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown unknown
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected:
POST /dozlogs/logs/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 108.170.31.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 77A6CCB6
Content-Length: 176
Connection: close
Source: global traffic | HTTP traffic detected:
POST /dozlogs/logs/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 108.170.31.41
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 77A6CCB6
Content-Length: 149
Connection: close
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 108.170.31.41
Source: unknownTCP traffic detected without corresponding DNS query: 108.170.31.41
Source: unknownTCP traffic detected without corresponding DNS query: 108.170.31.41
Source: unknownTCP traffic detected without corresponding DNS query: 108.170.31.41
Source: unknownTCP traffic detected without corresponding DNS query: 108.170.31.41
Source: unknownTCP traffic detected without corresponding DNS query: 108.170.31.41
Source: unknownTCP traffic detected without corresponding DNS query: 108.170.31.41
Source: unknownTCP traffic detected without corresponding DNS query: 108.170.31.41
Source: unknownTCP traffic detected without corresponding DNS query: 108.170.31.41
Source: unknownTCP traffic detected without corresponding DNS query: 108.170.31.41
Source: unknownTCP traffic detected without corresponding DNS query: 108.170.31.41
Source: unknownTCP traffic detected without corresponding DNS query: 108.170.31.41
Source: unknownTCP traffic detected without corresponding DNS query: 108.170.31.41
Source: unknownTCP traffic detected without corresponding DNS query: 108.170.31.41
Source: unknownTCP traffic detected without corresponding DNS query: 108.170.31.41
Source: unknownTCP traffic detected without corresponding DNS query: 108.170.31.41
Source: unknownTCP traffic detected without corresponding DNS query: 108.170.31.41
Source: unknownTCP traffic detected without corresponding DNS query: 108.170.31.41
Source: unknownTCP traffic detected without corresponding DNS query: 108.170.31.41
Source: unknownTCP traffic detected without corresponding DNS query: 108.170.31.41
Contains functionality to download additional files from the internet
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00404ED4 recv
Posts data to webserver
Source: unknown | HTTP traffic detected:
    POST /dozlogs/logs/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 108.170.31.41
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 77A6CCB6
    Content-Length: 176
    Connection: close
Urls found in memory or binary data
Source: vaCurr.exe, 00000000.00000002.873233041.00000000069EF000.00000040.00000001.sdmp, vaCurr.exe, 00000001.00000002.1408839298.000000000049F000.00000040.00000001.sdmp | String found in binary or memory: http://108.170.31.41/dozlogs/logs/fre.php
Source: vaCurr.exe, vaCurr.exe, 00000001.00000002.1408789195.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.ibsensoftware.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00E4407C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00E4407C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00DD2344 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00E5CB26 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00E5CB26 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000003.831101904.000000000613A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.837072332.0000000006141000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.840931750.0000000006141000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.825292910.000000000617A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.857805999.0000000006147000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.837168366.00000000061CE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.824642413.000000000625E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.824938043.000000000611C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.824867378.00000000060E9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.798162535.0000000006147000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.1408789195.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.1408789195.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki Payload, Author: kevoreilly
Source: 00000000.00000003.798005373.00000000060E9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.824732884.0000000006291000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.841067338.0000000005CC8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.873150240.0000000006950000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.873150240.0000000006950000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki Payload, Author: kevoreilly
Source: 00000000.00000003.837925682.00000000061E6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.827889005.00000000061BF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.836756480.00000000061CE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.839394547.00000000061ED000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.798055354.0000000006145000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.833942256.0000000006141000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 0.2.vaCurr.exe.6950000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 0.2.vaCurr.exe.6950000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload, Author: kevoreilly
Source: 0.2.vaCurr.exe.6950000.1.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 0.2.vaCurr.exe.6950000.1.unpack, type: UNPACKEDPE | Matched rule: Loki Payload, Author: kevoreilly
Source: 1.2.vaCurr.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 1.2.vaCurr.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload, Author: kevoreilly
Source: 1.2.vaCurr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 1.2.vaCurr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki Payload, Author: kevoreilly
Binary is likely a compiled AutoIt script file
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00DD3B4C This is a third-party compiled AutoIt script.
Source: vaCurr.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: vaCurr.exe, 00000000.00000000.780590926.0000000000E5F000.00000002.00020000.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"
Source: vaCurr.exe, 00000001.00000000.824121981.0000000000E5F000.00000002.00020000.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"
Source: vaCurr.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"
Contains functionality to call native functions
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_026100AD NtOpenSection,NtMapViewOfSection
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_02611C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00E3A279 GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00E28638 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00E35264 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Detected potential crypto function
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00DDE800
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00DDFE40
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00DE58C0
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00DE70FE
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00DE6841
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00DDE060
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00DF7813
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00DE3190
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00DE4140
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00DE8968
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00DFDAF5
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00DD1287
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00DFCCA1
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00E06452
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00DE5680
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00DF1604
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00E57E0D
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00E06F36
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00DFBF26
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_0040549C
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_004029D4
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00DDE060
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00DF2345
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00E50465
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00DE445F
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00E06452
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00E025AE
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00DF277A
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00E508E2
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00DE6841
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00DDE800
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00E069C4
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00DE8968
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00E2E928
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00E38932
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00E0890F
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00DFCCA1
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00E06F36
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00DE70FE
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00DE3190
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00DD1287
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00DFF359
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00DF3307
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00DE5680
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00DF1604
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00DE58C0
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00DF7813
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: String function: 00DF8A80 appears 60 times
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: String function: 00E01AC0 appears 38 times
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: String function: 00405B6F appears 42 times
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: String function: 00DF0C63 appears 56 times
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: String function: 00DD7F41 appears 43 times
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: String function: 00DF394B appears 35 times
PE file contains strange resources
Source: vaCurr.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (3 such RT_ICON resources listed)
Sample file is different than original file name gathered from version info
Source: vaCurr.exe, 00000000.00000003.863547858.0000000004E46000.00000004.00000001.sdmp | Binary or memory string: FV_ORIGINALFILENAME{ vs vaCurr.exe
Source: vaCurr.exe, 00000000.00000003.861538875.0000000004A95000.00000004.00000001.sdmp | Binary or memory string: FV_ORIGINALFILENAME vs vaCurr.exe
Source: vaCurr.exe, 00000000.00000003.861538875.0000000004A95000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameZ vs vaCurr.exe
Source: vaCurr.exe, 00000000.00000003.850168827.0000000004488000.00000004.00000001.sdmp | Binary or memory string: Comments|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuild vs vaCurr.exe
Searches the installation path of Mozilla Firefox
Source: C:\Users\user\Desktop\vaCurr.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\63.0.3 (x86 en-US)\Main Install Directory
Yara signature match
Source: 00000000.00000003.831101904.000000000613A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.837072332.0000000006141000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.840931750.0000000006141000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.825292910.000000000617A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.857805999.0000000006147000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.837168366.00000000061CE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.824642413.000000000625E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.824938043.000000000611C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.824867378.00000000060E9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.798162535.0000000006147000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.1408789195.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.1408789195.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000000.00000003.798005373.00000000060E9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.824732884.0000000006291000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.841067338.0000000005CC8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.873150240.0000000006950000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.873150240.0000000006950000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000000.00000003.837925682.00000000061E6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.827889005.00000000061BF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.836756480.00000000061CE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.839394547.00000000061ED000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.798055354.0000000006145000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.833942256.0000000006141000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.vaCurr.exe.6950000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.vaCurr.exe.6950000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.vaCurr.exe.6950000.1.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.vaCurr.exe.6950000.1.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.2.vaCurr.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.vaCurr.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.2.vaCurr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.vaCurr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Classification label
Source: classification engine | Classification label: mal100.spyw.evad.winEXE@3/2@0/1
Contains functionality for error logging
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00E3A0F4 GetLastError,FormatMessageW
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00E284F3 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00E28AA3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Contains functionality to check free disk space
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00E3B3BF SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Contains functionality to enum processes or threads
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00E33C99 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00DD4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Creates files inside the user directory
Source: C:\Users\user\Desktop\vaCurr.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-58933367-3072710494-194312298-1002\4216a73197943a17d1161a6bdc4512b0_59407d34-c8c5-44df-a766-ba8a11cb1cb0
Creates mutexes
Source: C:\Users\user\Desktop\vaCurr.exe | Mutant created: \Sessions\1\BaseNamedObjects\F7EE0CF1CF93AA2F06F12A09
PE file has an executable .text section and no other executable section
Source: vaCurr.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Users\user\Desktop\vaCurr.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Reads software policies
Source: C:\Users\user\Desktop\vaCurr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: vaCurr.exe | Virustotal: Detection: 64%
Source: vaCurr.exe | Metadefender: Detection: 25%
Source: vaCurr.exe | ReversingLabs: Detection: 63%
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\vaCurr.exe 'C:\Users\user\Desktop\vaCurr.exe'
Source: unknown | Process created: C:\Users\user\Desktop\vaCurr.exe C:\Users\user\Desktop\vaCurr.exe
Source: C:\Users\user\Desktop\vaCurr.exe | Process created: C:\Users\user\Desktop\vaCurr.exe C:\Users\user\Desktop\vaCurr.exe
Checks if Microsoft Office is installed
Source: C:\Users\user\Desktop\vaCurr.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Submission file is bigger than most known malware samples
Source: vaCurr.exeStatic file information: File size 1560576 > 1048576
PE file contains a mix of data directories often seen in goodwareShow sources
Source: vaCurr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: vaCurr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: vaCurr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: vaCurr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: vaCurr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: vaCurr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
PE file contains a debug data directoryShow sources
Source: vaCurr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
PE file contains a valid data directory to section mappingShow sources
Source: vaCurr.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: vaCurr.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: vaCurr.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: vaCurr.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: vaCurr.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Yara detected aPLib compressed binary
Source: Yara match | File source: 00000000.00000003.831101904.000000000613A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.837072332.0000000006141000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.840931750.0000000006141000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.825292910.000000000617A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.857805999.0000000006147000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.837168366.00000000061CE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.824642413.000000000625E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.824938043.000000000611C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.824867378.00000000060E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.798162535.0000000006147000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1408789195.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.798005373.00000000060E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.824732884.0000000006291000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.841067338.0000000005CC8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.873150240.0000000006950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.837925682.00000000061E6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.827889005.00000000061BF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.836756480.00000000061CE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.839394547.00000000061ED000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.798055354.0000000006145000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.833942256.0000000006141000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vaCurr.exe PID: 1340, type: MEMORY
Source: Yara match | File source: Process Memory Space: vaCurr.exe PID: 5060, type: MEMORY
Source: Yara match | File source: 0.2.vaCurr.exe.6950000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vaCurr.exe.6950000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.vaCurr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.vaCurr.exe.400000.0.unpack, type: UNPACKEDPE
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00DD4C95 LoadLibraryA,GetProcAddress, 0_2_00DD4C95
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00DF8AC5 push ecx; ret 0_2_00DF8AD8
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00402AC0 push eax; ret 1_2_00402AD4
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00402AC0 push eax; ret 1_2_00402AFC
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00DE43CB push edi; ret 1_2_00DE43CD
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00DE43B7 push edi; ret 1_2_00DE43B9
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00DF8AC5 push ecx; ret 1_2_00DF8AD8

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00DD4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00DD4A35
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00DD4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 1_2_00DD4A35
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00E553DF IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 1_2_00E553DF
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00DF3307 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00DF3307
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\vaCurr.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\vaCurr.exe | Process information set: NOGPFAULTERRORBOX

Malware Analysis System Evasion:

Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\vaCurr.exe | API coverage: 2.3 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\vaCurr.exe TID: 68 | Thread sleep time: -840000s >= -30000s
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00E3449B GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00E3449B
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW, 1_2_00403D74
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00E3449B GetFileAttributesW,FindFirstFileW,FindClose, 1_2_00E3449B
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00E3C7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 1_2_00E3C7E8
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00E3C75D FindFirstFileW,FindClose, 1_2_00E3C75D
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00E3F021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_00E3F021
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00E3F17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_00E3F17E
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00E3F47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 1_2_00E3F47F
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00E33833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 1_2_00E33833
Contains functionality to query system information
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00DD4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00DD4AFE

Anti Debugging:

Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00E4401F BlockInput, 1_2_00E4401F
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00DD3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00DD3B4C
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00E05BFC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00E05BFC
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00DD4C95 LoadLibraryA,GetProcAddress, 0_2_00DD4C95
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_026100AD mov ecx, dword ptr fs:[00000030h] 0_2_026100AD
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_026100AD mov eax, dword ptr fs:[00000030h] 0_2_026100AD
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_026101CB mov eax, dword ptr fs:[00000030h] 0_2_026101CB
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_0040317B mov eax, dword ptr fs:[00000030h] 1_2_0040317B
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00E09922 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 0_2_00E09922
Enables debug privileges
Source: C:\Users\user\Desktop\vaCurr.exe | Process token adjusted: Debug
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00DFA2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00DFA2D5
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00DFA2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00DFA2D5
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00DFA2A4 SetUnhandledExceptionFilter, 1_2_00DFA2A4

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\vaCurr.exe | Section loaded: unknown target: C:\Users\user\Desktop\vaCurr.exe protection: execute and read and write
Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00E28A73 LogonUserW, 1_2_00E28A73
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00DD3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00DD3B4C
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00DD4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00DD4A35
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00E34CFA mouse_event, 1_2_00E34CFA
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\vaCurr.exe | Process created: C:\Users\user\Desktop\vaCurr.exe C:\Users\user\Desktop\vaCurr.exe
Contains functionality to add an ACL to a security descriptor
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00E281D4 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 1_2_00E281D4
Contains functionality to create a new security descriptor
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00E34A08 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00E34A08
May try to detect the Windows Explorer process (often used for injection)
Source: vaCurr.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: vaCurr.exe | Binary or memory string: Shell_TrayWnd
Source: vaCurr.exe, 00000001.00000002.1409846181.00000000016D0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: vaCurr.exe, 00000001.00000002.1409846181.00000000016D0000.00000002.00000001.sdmp | Binary or memory string: hProgram ManagerWE
Source: vaCurr.exe, 00000001.00000002.1409846181.00000000016D0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00DF87AB cpuid 1_2_00DF87AB
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\vaCurr.exe | Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00E05007 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00E05007
Contains functionality to query the account / user name
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 1_2_00406069 GetUserNameW, 1_2_00406069
Contains functionality to query time zone information
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00E040BA __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00E040BA
Contains functionality to query windows version
Source: C:\Users\user\Desktop\vaCurr.exe | Code function: 0_2_00DD4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00DD4AFE
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\vaCurr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected LokibotShow sources
Source: Yara match File source: Process Memory Space: vaCurr.exe PID: 1340, type: MEMORY
Source: Yara match File source: Process Memory Space: vaCurr.exe PID: 5060, type: MEMORY
Source: Yara match File source: 0.2.vaCurr.exe.6950000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vaCurr.exe.6950000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.vaCurr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.vaCurr.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\vaCurr.exe Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\Desktop\vaCurr.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\vaCurr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\vaCurr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\cert9.db
Source: C:\Users\user\Desktop\vaCurr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\pkcs11.txt
Source: C:\Users\user\Desktop\vaCurr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\key4.db
Source: C:\Users\user\Desktop\vaCurr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\vaCurr.exe File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\vaCurr.exe File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\Desktop\vaCurr.exe File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Users\user\Desktop\vaCurr.exe File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\vaCurr.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities