Windows Analysis Report rfxJzZjiWv.exe

Overview

General Information

Sample Name: rfxJzZjiWv.exe
Analysis ID: 534005
MD5: 8ed7e6b478cf0c00934bb42e3bdf5e20
SHA1: ceb70c6dc5a85a64cc7a47e0ec12936f2d5e57db
SHA256: 4395224e257fe5659011fb90649c89d295e80123d7622d6cdb5b09371573e1aa
Tags: exeLoki
Infos:

Most interesting Screenshot:

Detection

Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected Lokibot
Multi AV Scanner detection for domain / URL
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Yara detected aPLib compressed binary
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000000.00000000.645669374.0000000000415000.00000002.00020000.sdmp Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}
Multi AV Scanner detection for submitted file
Source: rfxJzZjiWv.exe Virustotal: Detection: 88% Perma Link
Source: rfxJzZjiWv.exe Metadefender: Detection: 88% Perma Link
Source: rfxJzZjiWv.exe ReversingLabs: Detection: 96%
Antivirus / Scanner detection for submitted sample
Source: rfxJzZjiWv.exe Avira: detected
Multi AV Scanner detection for domain / URL
Source: naourl.com Virustotal: Detection: 6% Perma Link
Source: http://naourl.com/data/five/fre.php Virustotal: Detection: 11% Perma Link
Source: http://survey-smiles.com Virustotal: Detection: 5% Perma Link
Machine Learning detection for sample
Source: rfxJzZjiWv.exe Joe Sandbox ML: detected

Compliance:

barindex
Uses 32bit PE files
Source: rfxJzZjiWv.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Code function: 0_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW, 0_2_00403D74

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49752 -> 212.32.237.90:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49752 -> 212.32.237.90:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49752 -> 212.32.237.90:80
Source: Traffic Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.4:49752 -> 212.32.237.90:80
Source: Traffic Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49765 -> 212.32.237.90:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49765 -> 212.32.237.90:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49765 -> 212.32.237.90:80
Source: Traffic Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.4:49765 -> 212.32.237.90:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49766 -> 212.32.237.90:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49766 -> 212.32.237.90:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49766 -> 212.32.237.90:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49766 -> 212.32.237.90:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49767 -> 212.32.237.90:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49767 -> 212.32.237.90:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49767 -> 212.32.237.90:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49767 -> 212.32.237.90:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49768 -> 212.32.237.90:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49768 -> 212.32.237.90:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49768 -> 212.32.237.90:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49768 -> 212.32.237.90:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor URLs: http://alphastand.top/alien/fre.php
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: LEASEWEB-NL-AMS-01NetherlandsNL LEASEWEB-NL-AMS-01NetherlandsNL
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 212.32.237.90 212.32.237.90
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /data/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: naourl.comAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 7B0651A2Content-Length: 190Connection: close
Source: global traffic HTTP traffic detected: POST /data/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: naourl.comAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 7B0651A2Content-Length: 190Connection: close
Source: global traffic HTTP traffic detected: POST /data/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: naourl.comAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 7B0651A2Content-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /data/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: naourl.comAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 7B0651A2Content-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /data/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: naourl.comAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 7B0651A2Content-Length: 163Connection: close
Source: rfxJzZjiWv.exe String found in binary or memory: http://naourl.com/data/five/fre.php
Source: rfxJzZjiWv.exe, 00000000.00000002.662546536.0000000000751000.00000004.00000020.sdmp String found in binary or memory: http://survey-smiles.com
Source: rfxJzZjiWv.exe String found in binary or memory: http://www.ibsensoftware.com/
Source: unknown HTTP traffic detected: POST /data/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: naourl.comAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 7B0651A2Content-Length: 190Connection: close
Source: unknown DNS traffic detected: queries for: naourl.com
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Code function: 0_2_0040648B URLDownloadToFileW, 0_2_0040648B

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: rfxJzZjiWv.exe, type: SAMPLE Matched rule: Loki Payload Author: kevoreilly
Source: rfxJzZjiWv.exe, type: SAMPLE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 0.0.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Uses 32bit PE files
Source: rfxJzZjiWv.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Yara signature match
Source: rfxJzZjiWv.exe, type: SAMPLE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: rfxJzZjiWv.exe, type: SAMPLE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.0.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Code function: 0_2_0040549C 0_2_0040549C
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Code function: 0_2_004029D4 0_2_004029D4
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Code function: String function: 00405B6F appears 41 times
Source: rfxJzZjiWv.exe Virustotal: Detection: 88%
Source: rfxJzZjiWv.exe Metadefender: Detection: 88%
Source: rfxJzZjiWv.exe ReversingLabs: Detection: 96%
Source: rfxJzZjiWv.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Code function: 0_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges, 0_2_0040650A
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/2@5/2
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Code function: 0_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize, 0_2_0040434D
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook Jump to behavior

Data Obfuscation:

barindex
Yara detected aPLib compressed binary
Source: Yara match File source: rfxJzZjiWv.exe, type: SAMPLE
Source: Yara match File source: 0.0.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.645669374.0000000000415000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rfxJzZjiWv.exe PID: 6644, type: MEMORYSTR
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Code function: 0_2_00402AC0 push eax; ret 0_2_00402AD4
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Code function: 0_2_00402AC0 push eax; ret 0_2_00402AFC
PE file contains sections with non-standard names
Source: rfxJzZjiWv.exe Static PE information: section name: .x
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process information set: NOGPFAULTERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe TID: 6672 Thread sleep time: -60000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Code function: 0_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW, 0_2_00403D74
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Thread delayed: delay time: 60000 Jump to behavior

Anti Debugging:

barindex
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Code function: 0_2_00402B7C GetProcessHeap,RtlAllocateHeap, 0_2_00402B7C
Enables debug privileges
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Code function: 0_2_0040317B mov eax, dword ptr fs:[00000030h] 0_2_0040317B
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Code function: 0_2_00406069 GetUserNameW, 0_2_00406069

Stealing of Sensitive Information:

barindex
Yara detected Lokibot
Source: Yara match File source: rfxJzZjiWv.exe, type: SAMPLE
Source: Yara match File source: 0.0.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.645669374.0000000000415000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rfxJzZjiWv.exe PID: 6644, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Jump to behavior
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts Jump to behavior
Tries to steal Mail credentials (via file registry)
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Code function: PopPassword 0_2_0040D069
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe Code function: SmtpPassword 0_2_0040D069
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: rfxJzZjiWv.exe, type: SAMPLE
Source: Yara match File source: 0.0.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.645669374.0000000000415000.00000002.00020000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 534005 Sample: rfxJzZjiWv.exe Startdate: 04/12/2021 Architecture: WINDOWS Score: 100 13 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->13 15 Multi AV Scanner detection for domain / URL 2->15 17 Found malware configuration 2->17 19 7 other signatures 2->19 5 rfxJzZjiWv.exe 57 2->5         started        process3 dnsIp4 9 naourl.com 212.32.237.90, 49752, 49765, 49766 LEASEWEB-NL-AMS-01NetherlandsNL Netherlands 5->9 11 192.168.2.1 unknown unknown 5->11 21 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 5->21 23 Tries to steal Mail credentials (via file registry) 5->23 25 Tries to steal Mail credentials (via file / registry access) 5->25 27 2 other signatures 5->27 signatures5
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
212.32.237.90
 naourl.com Netherlands
60781 LEASEWEB-NL-AMS-01NetherlandsNL true

Private
IP
192.168.2.1

Contacted Domains

Name IP Active
naourl.com 212.32.237.90 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://kbfvzoboss.bid/alien/fre.php true
  • URL Reputation: safe
 unknown
http://alphastand.win/alien/fre.php true
  • URL Reputation: safe
 unknown
http://naourl.com/data/five/fre.php true
  • 11%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown
http://alphastand.trade/alien/fre.php true
  • URL Reputation: safe
 unknown
http://alphastand.top/alien/fre.php true
  • URL Reputation: safe
 unknown