Play interactive tour

Edit tour

Windows Analysis Report rfxJzZjiWv.exe

Overview

General Information

Sample Name:	rfxJzZjiWv.exe
Analysis ID:	534005
MD5:	8ed7e6b478cf0c00934bb42e3bdf5e20
SHA1:	ceb70c6dc5a85a64cc7a47e0ec12936f2d5e57db
SHA256:	4395224e257fe5659011fb90649c89d295e80123d7622d6cdb5b09371573e1aa
Tags:	exeLoki
Infos:
Most interesting Screenshot:

Detection

Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

Yara detected Lokibot

Multi AV Scanner detection for domain / URL

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Yara detected aPLib compressed binary

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file registry)

Machine Learning detection for sample

C2 URLs / IPs found in malware configuration

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Enables debug privileges

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Classification

Process Tree

System is w10x64

rfxJzZjiWv.exe (PID: 6644 cmdline: "C:\Users\user\Desktop\rfxJzZjiWv.exe" MD5: 8ED7E6B478CF0C00934BB42E3BDF5E20)

cleanup

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
rfxJzZjiWv.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
rfxJzZjiWv.exe	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
rfxJzZjiWv.exe	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
rfxJzZjiWv.exe	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
rfxJzZjiWv.exe	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000000.645669374.0000000000415000.00000002.00020000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.645669374.0000000000415000.00000002.00020000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000000.645669374.0000000000415000.00000002.00020000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: rfxJzZjiWv.exe PID: 6644	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: rfxJzZjiWv.exe PID: 6644	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.rfxJzZjiWv.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.rfxJzZjiWv.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.0.rfxJzZjiWv.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.0.rfxJzZjiWv.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.0.rfxJzZjiWv.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.rfxJzZjiWv.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
0.2.rfxJzZjiWv.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rfxJzZjiWv.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.rfxJzZjiWv.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.rfxJzZjiWv.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.rfxJzZjiWv.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Click to see the 6 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000000.645669374.0000000000415000.00000002.00020000.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Multi AV Scanner detection for submitted file

Show sources

Source: rfxJzZjiWv.exe	Virustotal: Detection: 88%	Perma Link
Source: rfxJzZjiWv.exe	Metadefender: Detection: 88%	Perma Link
Source: rfxJzZjiWv.exe	ReversingLabs: Detection: 96%

Antivirus / Scanner detection for submitted sample

Show sources

Source: rfxJzZjiWv.exe

Avira: detected

Multi AV Scanner detection for domain / URL

Show sources

Source: naourl.com	Virustotal: Detection: 6%	Perma Link
Source: http://naourl.com/data/five/fre.php	Virustotal: Detection: 11%	Perma Link
Source: http://survey-smiles.com	Virustotal: Detection: 5%	Perma Link

Machine Learning detection for sample

Show sources

Source: rfxJzZjiWv.exe

Joe Sandbox ML: detected

Source: rfxJzZjiWv.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\rfxJzZjiWv.exe

Code function: 0_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49752 -> 212.32.237.90:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49752 -> 212.32.237.90:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49752 -> 212.32.237.90:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.4:49752 -> 212.32.237.90:80
Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49765 -> 212.32.237.90:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49765 -> 212.32.237.90:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49765 -> 212.32.237.90:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.4:49765 -> 212.32.237.90:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49766 -> 212.32.237.90:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49766 -> 212.32.237.90:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49766 -> 212.32.237.90:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49766 -> 212.32.237.90:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49767 -> 212.32.237.90:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49767 -> 212.32.237.90:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49767 -> 212.32.237.90:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49767 -> 212.32.237.90:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49768 -> 212.32.237.90:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49768 -> 212.32.237.90:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49768 -> 212.32.237.90:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49768 -> 212.32.237.90:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php

Source: Joe Sandbox View

ASN Name: LEASEWEB-NL-AMS-01NetherlandsNL LEASEWEB-NL-AMS-01NetherlandsNL

Source: Joe Sandbox View

IP Address: 212.32.237.90 212.32.237.90

Source: global traffic	HTTP traffic detected: POST /data/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: naourl.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 7B0651A2Content-Length: 190Connection: close
Source: global traffic	HTTP traffic detected: POST /data/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: naourl.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 7B0651A2Content-Length: 190Connection: close
Source: global traffic	HTTP traffic detected: POST /data/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: naourl.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 7B0651A2Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /data/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: naourl.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 7B0651A2Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /data/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: naourl.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 7B0651A2Content-Length: 163Connection: close

Source: rfxJzZjiWv.exe	String found in binary or memory: http://naourl.com/data/five/fre.php
Source: rfxJzZjiWv.exe, 00000000.00000002.662546536.0000000000751000.00000004.00000020.sdmp	String found in binary or memory: http://survey-smiles.com
Source: rfxJzZjiWv.exe	String found in binary or memory: http://www.ibsensoftware.com/

Source: unknown

HTTP traffic detected: POST /data/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: naourl.comAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 7B0651A2Content-Length: 190Connection: close

Source: unknown

DNS traffic detected: queries for: naourl.com

Source: C:\Users\user\Desktop\rfxJzZjiWv.exe

Code function: 0_2_0040648B URLDownloadToFileW,

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: rfxJzZjiWv.exe, type: SAMPLE	Matched rule: Loki Payload Author: kevoreilly
Source: rfxJzZjiWv.exe, type: SAMPLE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.0.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group

Source: rfxJzZjiWv.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: rfxJzZjiWv.exe, type: SAMPLE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: rfxJzZjiWv.exe, type: SAMPLE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.0.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Code function: 0_2_0040549C
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Code function: 0_2_004029D4

Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Code function: String function: 00405B6F appears 41 times

Source: rfxJzZjiWv.exe	Virustotal: Detection: 88%
Source: rfxJzZjiWv.exe	Metadefender: Detection: 88%
Source: rfxJzZjiWv.exe	ReversingLabs: Detection: 96%

Source: rfxJzZjiWv.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\rfxJzZjiWv.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\rfxJzZjiWv.exe

Code function: 0_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,

Source: C:\Users\user\Desktop\rfxJzZjiWv.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/2@5/2

Source: C:\Users\user\Desktop\rfxJzZjiWv.exe

Code function: 0_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,

Source: C:\Users\user\Desktop\rfxJzZjiWv.exe

Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430

Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\rfxJzZjiWv.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Data Obfuscation:

Yara detected aPLib compressed binary

Show sources

Source: Yara match	File source: rfxJzZjiWv.exe, type: SAMPLE
Source: Yara match	File source: 0.0.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.645669374.0000000000415000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rfxJzZjiWv.exe PID: 6644, type: MEMORYSTR

Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Code function: 0_2_00402AC0 push eax; ret
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Code function: 0_2_00402AC0 push eax; ret

Source: rfxJzZjiWv.exe

Static PE information: section name: .x

Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Process information set: NOGPFAULTERRORBOX

Source: C:\Users\user\Desktop\rfxJzZjiWv.exe TID: 6672

Thread sleep time: -60000s >= -30000s

Source: C:\Users\user\Desktop\rfxJzZjiWv.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\rfxJzZjiWv.exe

Code function: 0_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

Source: C:\Users\user\Desktop\rfxJzZjiWv.exe

Thread delayed: delay time: 60000

Source: C:\Users\user\Desktop\rfxJzZjiWv.exe

Code function: 0_2_00402B7C GetProcessHeap,RtlAllocateHeap,

Source: C:\Users\user\Desktop\rfxJzZjiWv.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\rfxJzZjiWv.exe

Code function: 0_2_0040317B mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\rfxJzZjiWv.exe

Process queried: DebugPort

Source: C:\Users\user\Desktop\rfxJzZjiWv.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\rfxJzZjiWv.exe

Code function: 0_2_00406069 GetUserNameW,

Stealing of Sensitive Information:

Yara detected Lokibot

Show sources

Source: Yara match	File source: rfxJzZjiWv.exe, type: SAMPLE
Source: Yara match	File source: 0.0.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.645669374.0000000000415000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rfxJzZjiWv.exe PID: 6644, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Show sources

Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts

Tries to steal Mail credentials (via file registry)

Show sources

Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Code function: PopPassword
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe	Code function: SmtpPassword

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\rfxJzZjiWv.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Source: Yara match	File source: rfxJzZjiWv.exe, type: SAMPLE
Source: Yara match	File source: 0.0.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.645669374.0000000000415000.00000002.00020000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Access Token Manipulation1	Masquerading1	OS Credential Dumping2	Security Software Discovery2	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion21	Credentials in Registry2	Virtualization/Sandbox Evasion21	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Access Token Manipulation1	Security Account Manager	Account Discovery1	SMB/Windows Admin Shares	Data from Local System2	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	System Owner/User Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol112	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information2	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery3	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
rfxJzZjiWv.exe	88%	Virustotal		Browse
rfxJzZjiWv.exe	88%	Metadefender		Browse
rfxJzZjiWv.exe	96%	ReversingLabs	Win32.Trojan.LokiBot
rfxJzZjiWv.exe	100%	Avira	TR/Crypt.XPACK.Gen
rfxJzZjiWv.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.rfxJzZjiWv.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File
0.2.rfxJzZjiWv.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
naourl.com	6%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://kbfvzoboss.bid/alien/fre.php	0%	URL Reputation	safe
http://alphastand.win/alien/fre.php	0%	URL Reputation	safe
http://naourl.com/data/five/fre.php	11%	Virustotal		Browse
http://naourl.com/data/five/fre.php	0%	Avira URL Cloud	safe
http://alphastand.trade/alien/fre.php	0%	URL Reputation	safe
http://alphastand.top/alien/fre.php	0%	URL Reputation	safe
http://www.ibsensoftware.com/	0%	URL Reputation	safe
http://survey-smiles.com	5%	Virustotal		Browse
http://survey-smiles.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
naourl.com	212.32.237.90	true	true	6%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://kbfvzoboss.bid/alien/fre.php	true	URL Reputation: safe	unknown
http://alphastand.win/alien/fre.php	true	URL Reputation: safe	unknown
http://naourl.com/data/five/fre.php	true	11%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://alphastand.trade/alien/fre.php	true	URL Reputation: safe	unknown
http://alphastand.top/alien/fre.php	true	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.ibsensoftware.com/	rfxJzZjiWv.exe	false	URL Reputation: safe	unknown
http://survey-smiles.com	rfxJzZjiWv.exe, 00000000.00000002.662546536.0000000000751000.00000004.00000020.sdmp	false	5%, Virustotal, Browse Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
212.32.237.90	naourl.com	Netherlands		60781	LEASEWEB-NL-AMS-01NetherlandsNL	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	534005
Start date:	04.12.2021
Start time:	23:39:35
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 2m 44s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	rfxJzZjiWv.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/2@5/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 95.9%) Quality average: 77% Quality standard deviation: 28.6%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 20.82.209.183 Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com, arc.trafficmanager.net, arc.msn.com Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:40:27	API Interceptor	3x Sleep call for process: rfxJzZjiWv.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
212.32.237.90	PVCbiDUqly50DqS.exe	Get hash	malicious	Browse	www.lendisty.com/n3kw/?XBZ4Xz=3e7Yc+NXVXGadH5y5BNj3Y3Se2h8oiNm35D3uKayWhE9KadvN5yxkmKGsLBu645DSWG9&5jJtSj=uXStFZp8ar
	Fatura - Ex#35175382.pdf.exe	Get hash	malicious	Browse	www.mwal.art/mabs/?jX8=3fQLnD&s0=y5mht5ETURUFzQSCIUXjodTlI+2TrsvqVBKlsua0zkPwCIYtRvvnPuF29Yxp6gBGwBsBQjQVNQ==
	1lHMXoDyPa.exe	Get hash	malicious	Browse	www.thetravellingwitch.com/wufn/?jrDHJt=SkZZDimXYK2GAldHwXdupEC24fazy/RNnOtrI6tDOvPCvzBdUVr3zvvTsRlAE2ql+mXxxlQZWg==&fR-=_JE8XJdXJfIL8n7
	UJ8y5QToVc.exe	Get hash	malicious	Browse	www.stearmanestates.com/ixwn/?W6AlL=PkY2LXPJp6HaPUrgGBEF3fMC5B3U3PtoZvpjUGm/uozF9Gfrzlf5sS41ov77FP8zbsbQ&-ZS8=9rJ0dRNxBdO0ALQp
	OoBepaLH3W.exe	Get hash	malicious	Browse	www.ololmychartlogin.com/p2io/?brMXBhD=2q6D4S4IYN7aWdcEo+dmfNOnFlWkohYFDzpy6Q1cDMIvB7dycn+zvuYm9Ot1G4m5E5eG&axl4i=0d9HO65X_T8H0F
	bin.exe	Get hash	malicious	Browse	www.futeboplayhd.com/cvrn/?9rSx00op=cI6gjmZKBv9uYsypK0vTgXjIez8bgYte2jg17UPI8uiUbtEGnMVqV/X2US4uhWYMbwpwMQFc9A==&StT=FR-8dxEhSB
	F63V4i8eZU.exe	Get hash	malicious	Browse	www.tearor.com/nff/?D48p=4F7AytNRxG9Okht4XRBjCmtmhOo761MGK9UHRz2K68ko8sG2VRn93GfHKNzVTrlp6vls&-ZgX=tR-DSFa8o
	invoice.exe	Get hash	malicious	Browse	www.bradforrexchange.com/3edq/?l6L0N=jO6sWaazfWUScqk/UMZ2V9vSXHj7s0GXSNY0VsmNmZeYB4f0QdniyMTma+6l76TklIvb&0BIX=M8Fp-rt
	IsIMH5zplo.exe	Get hash	malicious	Browse	www.ololmychartlogin.com/p2io/?n2MLF0Ux=2q6D4S4IYN7aWdcEo+dmfNOnFlWkohYFDzpy6Q1cDMIvB7dycn+zvuYm9Ot1G4m5E5eG&Dj6t=CpStsPY
	USU(1).exe	Get hash	malicious	Browse	www.bravefctv.com/zrmt/?P0G=EjUHInR&9r7T-=qIu/umqcIRyioTP+pvG+OWyvgre6YRhQlm6oiia3xqVFZWqPiKKv9qZBiAyUvYT1LHAt
	bin.exe	Get hash	malicious	Browse	www.ololmychartlogin.com/p2io/?qFQl7Pf8=2q6D4S4IYN7aWdcEo+dmfNOnFlWkohYFDzpy6Q1cDMIvB7dycn+zvuYm9NNPWpGBee/B&uN9hQ=ejlP_vuP4dl4N6
	Yd7WOb1ksAj378N.exe	Get hash	malicious	Browse	www.logittechg.com/sdh/?1b8Hsf=77GdCQf+cwNQcKtc4oP1L/izBQDHSDhpXIme07zuD8PhYeFl9nbDWdZJRwCLRhIFBccKSxqqHg==&j2MHoV=aDKhQD6PL
	SWIFT MT103_Pdf.exe	Get hash	malicious	Browse	www.laytikes.com/dll/?IR-4gF=rElkgYOcKLyb2ER2+Vlm0C8Ey2iKs9RZbxxxg2Tq9pxKpXGj+SPpWyY1djYg2iNp+BFv&Cj=lN9DoTMPZhdP
	NWvnpLrdx4.exe	Get hash	malicious	Browse	www.tishomingoinn.net/da0a/?D6Ap=ZfoTzbtx3ht&0pn=Rkrz4t3Ha8KNN1GxvDSxFj/JaPfAsCp6BjG/Fo7u/30cJxHSnd0meOFBOn5zZDOPw9ZFI5pbIw==
	Statement for T10495.jar	Get hash	malicious	Browse	www.mitbss.com/bnuw/?BZ=G4og8SmNJcmToC/1vURkjn6Fi/ymhkVmkW/Vhx9xfHxVp69hNmL93pjEBnq/aUUp6pz0&I48=4hOt163

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
LEASEWEB-NL-AMS-01NetherlandsNL	GenoSec.arm	Get hash	malicious	Browse	31.186.168.35
	jKira.x86	Get hash	malicious	Browse	85.17.204.186
	sys.exe	Get hash	malicious	Browse	93.190.222.52
	Linux_x86	Get hash	malicious	Browse	213.227.132.36
	rIiLBFxqPW	Get hash	malicious	Browse	46.182.122.55
	YBni6CEBNM	Get hash	malicious	Browse	31.186.168.29
	2018_11Informationen_betreffend_Transaktion.doc	Get hash	malicious	Browse	95.211.144.68
	Z4joY8Uhri.exe	Get hash	malicious	Browse	5.79.68.108
	Se adjunta la factura proforma..exe	Get hash	malicious	Browse	212.32.237.91
	MBFlKf1tsn	Get hash	malicious	Browse	83.149.87.180
	YwZpT3p5Rh.msi	Get hash	malicious	Browse	95.211.136.23
	uSY5H9rWjc	Get hash	malicious	Browse	83.149.87.180
	DkTfOvsiCR	Get hash	malicious	Browse	45.130.62.155
	Gs4CPvVFeh	Get hash	malicious	Browse	83.149.87.180
	Zp8WueaaAz	Get hash	malicious	Browse	83.149.87.180
	XEhV64HdYT	Get hash	malicious	Browse	83.149.87.180
	O86VH1rksj	Get hash	malicious	Browse	83.149.87.180
	h6FAN1b2EW	Get hash	malicious	Browse	83.149.87.180
	U6Qlvhqbs0	Get hash	malicious	Browse	83.149.87.180
	bLn8EPVC21	Get hash	malicious	Browse	83.149.87.180

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck Download File
Process:	C:\Users\user\Desktop\rfxJzZjiWv.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\bc49718863ee53e026d805ec372039e9_d06ed635-68f6-4e9a-955c-4899f5f57b9a Download File
Process:	C:\Users\user\Desktop\rfxJzZjiWv.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	1.0424600748477153
Encrypted:	false
SSDEEP:	3:/lbq:4
MD5:	8CB7B7F28464C3FCBAE8A10C46204572
SHA1:	767FE80969EC2E67F54CC1B6D383C76E7859E2DE
SHA-256:	ED5E3DCEB0A1D68803745084985051C1ED41E11AC611DF8600B1A471F3752E96
SHA-512:	9BA84225FDB6C0FD69AD99B69824EC5B8D2B8FD3BB4610576DB4AD79ADF381F7F82C4C9522EC89F7171907577FAF1B4E70B82364F516CF8BBFED99D2ADEA43AF
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........................................user.

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.05714066527445
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	rfxJzZjiWv.exe
File size:	106496
MD5:	8ed7e6b478cf0c00934bb42e3bdf5e20
SHA1:	ceb70c6dc5a85a64cc7a47e0ec12936f2d5e57db
SHA256:	4395224e257fe5659011fb90649c89d295e80123d7622d6cdb5b09371573e1aa
SHA512:	db4f78f56df60bcc906588546d0bb55b7ff9ec483484a6d70f891bb33fc84339cf1ee77973f785f1f71d6b1eb8090449078bdc8ededb70a41c094cfa0b5affee
SSDEEP:	1536:czvQSZpGS4/31A6mQgL2eYCGDwRcMkVQd8YhY0/EqdIzmd:nSHIG6mQwGmfOQd8YhY0/EgUG
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........x.....................K.K.............=2......................................=2......=2......Rich............PE..L.....lW...

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4139de
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x576C0885 [Thu Jun 23 16:04:21 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	0239fd611af3d0e9b0c46c5837c80e09

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ecx
and dword ptr [ebp-04h], 00000000h
lea eax, dword ptr [ebp-04h]
push esi
push edi
push eax
call 00007F8788837F79h
push eax
call 00007F8788837F56h
xor esi, esi
mov edi, eax
pop ecx
pop ecx
cmp dword ptr [ebp-04h], esi
jle 00007F8788838136h
push 004188BCh
push dword ptr [edi+esi*4]
call 00007F878882A605h
pop ecx
pop ecx
test eax, eax
je 00007F878883811Dh
push 00002710h
call 00007F878882AEBAh
pop ecx
inc esi
cmp esi, dword ptr [ebp-04h]
jl 00007F87888380EEh
push 00000000h
call 00007F8788837F4Eh
push 00000000h
call 00007F8788838262h
pop ecx
pop edi
xor eax, eax
pop esi
mov esp, ebp
pop ebp
retn 0010h
push ebp
mov ebp, esp
xor eax, eax
push eax
push eax
push E567384Dh
push eax
call 00007F87888278A9h
push dword ptr [ebp+08h]
call eax
pop ebp
ret
push ebp
mov ebp, esp
push esi
mov esi, dword ptr [ebp+08h]
test esi, esi
je 00007F8788838174h
push esi
call 00007F878882A3D0h
pop ecx
test eax, eax
je 00007F8788838169h
push esi
call 00007F878882840Ch
pop ecx
test eax, eax
je 00007F878883815Eh
mov eax, dword ptr [0049FDECh]
cmp dword ptr [ebp+10h], 00000000h
cmovne eax, dword ptr [ebp+10h]
push eax
push dword ptr [0049FDE8h]
call 00007F8788829E04h
push dword ptr [ebp+0Ch]
push dword ptr [0049FDE8h]
call 00007F8788829DF6h
push 00000000h
push 00000000h
push esi

Rich Headers

Programming Language:

[ASM] VS2008 SP1 build 30729
[ASM] VS2003 (.NET) build 3077
[ C ] VS2008 SP1 build 30729
[LNK] VS2013 UPD5 build 40629
[C++] VS2013 UPD5 build 40629
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x18ed0	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x15000	0x5c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x136f5	0x13800	False	0.568509615385	data	6.49204829439	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x15000	0x4060	0x4200	False	0.370087594697	data	4.26890991196	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1a000	0x85e24	0x200	False	0.12890625	data	0.946496689201	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.x	0xa0000	0x2000	0x2000	False	0.0181884765625	data	0.198253121373	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
WS2_32.dll	getaddrinfo, freeaddrinfo, closesocket, WSAStartup, socket, send, recv, connect
KERNEL32.dll	GetProcessHeap, HeapFree, HeapAlloc, SetLastError, GetLastError
ole32.dll	CoCreateInstance, CoInitialize, CoUninitialize
OLEAUT32.dll	VariantInit, SysFreeString, SysAllocString

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
12/04/21-23:40:25.169299	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49752	80	192.168.2.4	212.32.237.90
12/04/21-23:40:25.169299	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49752	80	192.168.2.4	212.32.237.90
12/04/21-23:40:25.169299	TCP	2025381	ET TROJAN LokiBot Checkin	49752	80	192.168.2.4	212.32.237.90
12/04/21-23:40:25.169299	TCP	2024317	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2	49752	80	192.168.2.4	212.32.237.90
12/04/21-23:40:26.584318	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49765	80	192.168.2.4	212.32.237.90
12/04/21-23:40:26.584318	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49765	80	192.168.2.4	212.32.237.90
12/04/21-23:40:26.584318	TCP	2025381	ET TROJAN LokiBot Checkin	49765	80	192.168.2.4	212.32.237.90
12/04/21-23:40:26.584318	TCP	2024317	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2	49765	80	192.168.2.4	212.32.237.90
12/04/21-23:40:27.790426	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49766	80	192.168.2.4	212.32.237.90
12/04/21-23:40:27.790426	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49766	80	192.168.2.4	212.32.237.90
12/04/21-23:40:27.790426	TCP	2025381	ET TROJAN LokiBot Checkin	49766	80	192.168.2.4	212.32.237.90
12/04/21-23:40:27.790426	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49766	80	192.168.2.4	212.32.237.90
12/04/21-23:40:28.827279	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49767	80	192.168.2.4	212.32.237.90
12/04/21-23:40:28.827279	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49767	80	192.168.2.4	212.32.237.90
12/04/21-23:40:28.827279	TCP	2025381	ET TROJAN LokiBot Checkin	49767	80	192.168.2.4	212.32.237.90
12/04/21-23:40:28.827279	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49767	80	192.168.2.4	212.32.237.90
12/04/21-23:40:29.848169	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49768	80	192.168.2.4	212.32.237.90
12/04/21-23:40:29.848169	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49768	80	192.168.2.4	212.32.237.90
12/04/21-23:40:29.848169	TCP	2025381	ET TROJAN LokiBot Checkin	49768	80	192.168.2.4	212.32.237.90
12/04/21-23:40:29.848169	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49768	80	192.168.2.4	212.32.237.90

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 4, 2021 23:40:25.141088009 CET	49752	80	192.168.2.4	212.32.237.90
Dec 4, 2021 23:40:25.166338921 CET	80	49752	212.32.237.90	192.168.2.4
Dec 4, 2021 23:40:25.166424036 CET	49752	80	192.168.2.4	212.32.237.90
Dec 4, 2021 23:40:25.169298887 CET	49752	80	192.168.2.4	212.32.237.90
Dec 4, 2021 23:40:25.195113897 CET	80	49752	212.32.237.90	192.168.2.4
Dec 4, 2021 23:40:25.195162058 CET	49752	80	192.168.2.4	212.32.237.90
Dec 4, 2021 23:40:25.220299959 CET	80	49752	212.32.237.90	192.168.2.4
Dec 4, 2021 23:40:25.426904917 CET	80	49752	212.32.237.90	192.168.2.4
Dec 4, 2021 23:40:25.427032948 CET	49752	80	192.168.2.4	212.32.237.90
Dec 4, 2021 23:40:25.427285910 CET	80	49752	212.32.237.90	192.168.2.4
Dec 4, 2021 23:40:25.427331924 CET	49752	80	192.168.2.4	212.32.237.90
Dec 4, 2021 23:40:25.452235937 CET	80	49752	212.32.237.90	192.168.2.4
Dec 4, 2021 23:40:26.553580999 CET	49765	80	192.168.2.4	212.32.237.90
Dec 4, 2021 23:40:26.579066038 CET	80	49765	212.32.237.90	192.168.2.4
Dec 4, 2021 23:40:26.579268932 CET	49765	80	192.168.2.4	212.32.237.90
Dec 4, 2021 23:40:26.584317923 CET	49765	80	192.168.2.4	212.32.237.90
Dec 4, 2021 23:40:26.609769106 CET	80	49765	212.32.237.90	192.168.2.4
Dec 4, 2021 23:40:26.609910011 CET	49765	80	192.168.2.4	212.32.237.90
Dec 4, 2021 23:40:26.635215998 CET	80	49765	212.32.237.90	192.168.2.4
Dec 4, 2021 23:40:26.847377062 CET	80	49765	212.32.237.90	192.168.2.4
Dec 4, 2021 23:40:26.847559929 CET	80	49765	212.32.237.90	192.168.2.4
Dec 4, 2021 23:40:26.847645998 CET	49765	80	192.168.2.4	212.32.237.90
Dec 4, 2021 23:40:26.873150110 CET	80	49765	212.32.237.90	192.168.2.4
Dec 4, 2021 23:40:27.761544943 CET	49766	80	192.168.2.4	212.32.237.90
Dec 4, 2021 23:40:27.787653923 CET	80	49766	212.32.237.90	192.168.2.4
Dec 4, 2021 23:40:27.787765980 CET	49766	80	192.168.2.4	212.32.237.90
Dec 4, 2021 23:40:27.790426016 CET	49766	80	192.168.2.4	212.32.237.90
Dec 4, 2021 23:40:27.815903902 CET	80	49766	212.32.237.90	192.168.2.4
Dec 4, 2021 23:40:27.816095114 CET	49766	80	192.168.2.4	212.32.237.90
Dec 4, 2021 23:40:27.827552080 CET	80	49766	212.32.237.90	192.168.2.4
Dec 4, 2021 23:40:27.827702045 CET	49766	80	192.168.2.4	212.32.237.90
Dec 4, 2021 23:40:27.827722073 CET	80	49766	212.32.237.90	192.168.2.4
Dec 4, 2021 23:40:27.827779055 CET	49766	80	192.168.2.4	212.32.237.90
Dec 4, 2021 23:40:27.853832006 CET	80	49766	212.32.237.90	192.168.2.4
Dec 4, 2021 23:40:28.797764063 CET	49767	80	192.168.2.4	212.32.237.90
Dec 4, 2021 23:40:28.823947906 CET	80	49767	212.32.237.90	192.168.2.4
Dec 4, 2021 23:40:28.824559927 CET	49767	80	192.168.2.4	212.32.237.90
Dec 4, 2021 23:40:28.827279091 CET	49767	80	192.168.2.4	212.32.237.90
Dec 4, 2021 23:40:28.853244066 CET	80	49767	212.32.237.90	192.168.2.4
Dec 4, 2021 23:40:28.856611013 CET	49767	80	192.168.2.4	212.32.237.90
Dec 4, 2021 23:40:28.868113041 CET	80	49767	212.32.237.90	192.168.2.4
Dec 4, 2021 23:40:28.868171930 CET	80	49767	212.32.237.90	192.168.2.4
Dec 4, 2021 23:40:28.868345022 CET	49767	80	192.168.2.4	212.32.237.90
Dec 4, 2021 23:40:28.868428946 CET	49767	80	192.168.2.4	212.32.237.90
Dec 4, 2021 23:40:28.894344091 CET	80	49767	212.32.237.90	192.168.2.4
Dec 4, 2021 23:40:29.819633961 CET	49768	80	192.168.2.4	212.32.237.90
Dec 4, 2021 23:40:29.845372915 CET	80	49768	212.32.237.90	192.168.2.4
Dec 4, 2021 23:40:29.845504045 CET	49768	80	192.168.2.4	212.32.237.90
Dec 4, 2021 23:40:29.848169088 CET	49768	80	192.168.2.4	212.32.237.90
Dec 4, 2021 23:40:29.873876095 CET	80	49768	212.32.237.90	192.168.2.4
Dec 4, 2021 23:40:29.874062061 CET	49768	80	192.168.2.4	212.32.237.90
Dec 4, 2021 23:40:29.886748075 CET	80	49768	212.32.237.90	192.168.2.4
Dec 4, 2021 23:40:29.886892080 CET	49768	80	192.168.2.4	212.32.237.90
Dec 4, 2021 23:40:29.887314081 CET	80	49768	212.32.237.90	192.168.2.4
Dec 4, 2021 23:40:29.887382030 CET	49768	80	192.168.2.4	212.32.237.90
Dec 4, 2021 23:40:29.912643909 CET	80	49768	212.32.237.90	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 4, 2021 23:40:25.106108904 CET	64549	53	192.168.2.4	8.8.8.8
Dec 4, 2021 23:40:25.134881973 CET	53	64549	8.8.8.8	192.168.2.4
Dec 4, 2021 23:40:26.530941963 CET	63153	53	192.168.2.4	8.8.8.8
Dec 4, 2021 23:40:26.550316095 CET	53	63153	8.8.8.8	192.168.2.4
Dec 4, 2021 23:40:27.739684105 CET	52991	53	192.168.2.4	8.8.8.8
Dec 4, 2021 23:40:27.760241985 CET	53	52991	8.8.8.8	192.168.2.4
Dec 4, 2021 23:40:28.773323059 CET	53700	53	192.168.2.4	8.8.8.8
Dec 4, 2021 23:40:28.793174028 CET	53	53700	8.8.8.8	192.168.2.4
Dec 4, 2021 23:40:29.799994946 CET	51726	53	192.168.2.4	8.8.8.8
Dec 4, 2021 23:40:29.817958117 CET	53	51726	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Dec 4, 2021 23:40:25.106108904 CET	192.168.2.4	8.8.8.8	0x905a	Standard query (0)	naourl.com	A (IP address)	IN (0x0001)
Dec 4, 2021 23:40:26.530941963 CET	192.168.2.4	8.8.8.8	0x60da	Standard query (0)	naourl.com	A (IP address)	IN (0x0001)
Dec 4, 2021 23:40:27.739684105 CET	192.168.2.4	8.8.8.8	0xd8e0	Standard query (0)	naourl.com	A (IP address)	IN (0x0001)
Dec 4, 2021 23:40:28.773323059 CET	192.168.2.4	8.8.8.8	0x48fa	Standard query (0)	naourl.com	A (IP address)	IN (0x0001)
Dec 4, 2021 23:40:29.799994946 CET	192.168.2.4	8.8.8.8	0x402a	Standard query (0)	naourl.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Dec 4, 2021 23:40:25.134881973 CET	8.8.8.8	192.168.2.4	0x905a	No error (0)	naourl.com	212.32.237.90	A (IP address)	IN (0x0001)
Dec 4, 2021 23:40:26.550316095 CET	8.8.8.8	192.168.2.4	0x60da	No error (0)	naourl.com	212.32.237.90	A (IP address)	IN (0x0001)
Dec 4, 2021 23:40:27.760241985 CET	8.8.8.8	192.168.2.4	0xd8e0	No error (0)	naourl.com	212.32.237.90	A (IP address)	IN (0x0001)
Dec 4, 2021 23:40:28.793174028 CET	8.8.8.8	192.168.2.4	0x48fa	No error (0)	naourl.com	212.32.237.90	A (IP address)	IN (0x0001)
Dec 4, 2021 23:40:29.817958117 CET	8.8.8.8	192.168.2.4	0x402a	No error (0)	naourl.com	212.32.237.90	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

naourl.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49752	212.32.237.90	80	C:\Users\user\Desktop\rfxJzZjiWv.exe

Timestamp	kBytes transferred	Direction	Data
Dec 4, 2021 23:40:25.169298887 CET	540	OUT	POST /data/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: naourl.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 7B0651A2 Content-Length: 190 Connection: close
Dec 4, 2021 23:40:25.426904917 CET	667	IN	HTTP/1.1 302 Found cache-control: max-age=0, private, must-revalidate connection: close content-length: 11 date: Sat, 04 Dec 2021 22:40:25 GMT location: http://survey-smiles.com server: nginx set-cookie: sid=2c169730-5553-11ec-a6f5-1bd523c5916e; path=/; domain=.naourl.com; expires=Fri, 23 Dec 2089 01:54:32 GMT; max-age=2147483647; HttpOnly Data Raw: 52 65 64 69 72 65 63 74 69 6e 67 Data Ascii: Redirecting

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49765	212.32.237.90	80	C:\Users\user\Desktop\rfxJzZjiWv.exe

Timestamp	kBytes transferred	Direction	Data
Dec 4, 2021 23:40:26.584317923 CET	1166	OUT	POST /data/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: naourl.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 7B0651A2 Content-Length: 190 Connection: close
Dec 4, 2021 23:40:26.847377062 CET	1167	IN	HTTP/1.1 302 Found cache-control: max-age=0, private, must-revalidate connection: close content-length: 11 date: Sat, 04 Dec 2021 22:40:26 GMT location: http://survey-smiles.com server: nginx set-cookie: sid=2cf1b194-5553-11ec-a729-1bd5acd08a42; path=/; domain=.naourl.com; expires=Fri, 23 Dec 2089 01:54:33 GMT; max-age=2147483647; HttpOnly Data Raw: 52 65 64 69 72 65 63 74 69 6e 67 Data Ascii: Redirecting

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49766	212.32.237.90	80	C:\Users\user\Desktop\rfxJzZjiWv.exe

Timestamp	kBytes transferred	Direction	Data
Dec 4, 2021 23:40:27.790426016 CET	1168	OUT	POST /data/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: naourl.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 7B0651A2 Content-Length: 163 Connection: close
Dec 4, 2021 23:40:27.827552080 CET	1168	IN	HTTP/1.1 302 Found cache-control: max-age=0, private, must-revalidate connection: close content-length: 11 date: Sat, 04 Dec 2021 22:40:27 GMT location: http://survey-smiles.com server: nginx set-cookie: sid=2da4e8c2-5553-11ec-baa8-1bd5fde30033; path=/; domain=.naourl.com; expires=Fri, 23 Dec 2089 01:54:34 GMT; max-age=2147483647; HttpOnly Data Raw: 52 65 64 69 72 65 63 74 69 6e 67 Data Ascii: Redirecting

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49767	212.32.237.90	80	C:\Users\user\Desktop\rfxJzZjiWv.exe

Timestamp	kBytes transferred	Direction	Data
Dec 4, 2021 23:40:28.827279091 CET	1169	OUT	POST /data/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: naourl.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 7B0651A2 Content-Length: 163 Connection: close
Dec 4, 2021 23:40:28.868113041 CET	1170	IN	HTTP/1.1 302 Found cache-control: max-age=0, private, must-revalidate connection: close content-length: 11 date: Sat, 04 Dec 2021 22:40:28 GMT location: http://survey-smiles.com server: nginx set-cookie: sid=2e4366f0-5553-11ec-96cd-1bd532dae4ba; path=/; domain=.naourl.com; expires=Fri, 23 Dec 2089 01:54:35 GMT; max-age=2147483647; HttpOnly Data Raw: 52 65 64 69 72 65 63 74 69 6e 67 Data Ascii: Redirecting

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.4	49768	212.32.237.90	80	C:\Users\user\Desktop\rfxJzZjiWv.exe

Timestamp	kBytes transferred	Direction	Data
Dec 4, 2021 23:40:29.848169088 CET	1171	OUT	POST /data/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: naourl.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 7B0651A2 Content-Length: 163 Connection: close
Dec 4, 2021 23:40:29.886748075 CET	1171	IN	HTTP/1.1 302 Found cache-control: max-age=0, private, must-revalidate connection: close content-length: 11 date: Sat, 04 Dec 2021 22:40:29 GMT location: http://survey-smiles.com server: nginx set-cookie: sid=2edefc6e-5553-11ec-a477-1bd561088fd5; path=/; domain=.naourl.com; expires=Fri, 23 Dec 2089 01:54:36 GMT; max-age=2147483647; HttpOnly Data Raw: 52 65 64 69 72 65 63 74 69 6e 67 Data Ascii: Redirecting

Code Manipulations

Statistics

System Behavior

Analysis Process: rfxJzZjiWv.exe PID: 6644 Parent PID: 6124

General

Start time:	23:40:22
Start date:	04/12/2021
Path:	C:\Users\user\Desktop\rfxJzZjiWv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rfxJzZjiWv.exe"
Imagebase:	0x400000
File size:	106496 bytes
MD5 hash:	8ED7E6B478CF0C00934BB42E3BDF5E20
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.645669374.0000000000415000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000000.645669374.0000000000415000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000000.645669374.0000000000415000.00000002.00020000.sdmp, Author: Joe Security
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report rfxJzZjiWv.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Lokibot

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations