Windows Analysis Report
dhGoVvfmul

Overview

General Information

Sample Name: dhGoVvfmul (renamed file extension from none to exe)
Analysis ID: 620372
MD5: 5c5d4e3e0dadff03da7b9878acf3e706
SHA1: 38a387d18c147245078db39a82f8531816c9d726
SHA256: bb36f0ab95d6422a20e81221adeb4033ebdbd7b20337a2557f3f5c3de0a77596
Tags: 32exetrojan
Infos:

Detection

Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Lokibot
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Yara detected aPLib compressed binary
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Enables debug privileges
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

AV Detection
barindex
Found malware configuration
Source: 00000002.00000002.519808447.0000000000400000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}
Multi AV Scanner detection for submitted file
Source: dhGoVvfmul.exe Virustotal: Detection: 44% Perma Link
Source: dhGoVvfmul.exe ReversingLabs: Detection: 57%
Antivirus detection for URL or domain
Source: http://sempersim.su/gf3/fre.php Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: sempersim.su Virustotal: Detection: 20% Perma Link
Source: http://sempersim.su/gf3/fre.php Virustotal: Detection: 21% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Virustotal: Detection: 46% Perma Link
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe ReversingLabs: Detection: 24%
Source: C:\Users\user\AppData\Roaming\C79A3B\B52B3F.exe (copy) ReversingLabs: Detection: 24%
Machine Learning detection for sample
Source: dhGoVvfmul.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: dhGoVvfmul.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: dhGoVvfmul.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: dehbibhar.exe, 00000001.00000003.258978615.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, dehbibhar.exe, 00000001.00000003.270247242.00000000022F0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: dehbibhar.exe, 00000001.00000003.258978615.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, dehbibhar.exe, 00000001.00000003.270247242.00000000022F0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\dhGoVvfmul.exe Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C13
Source: C:\Users\user\Desktop\dhGoVvfmul.exe Code function: 0_2_0040683D FindFirstFileW,FindClose, 0_2_0040683D
Source: C:\Users\user\Desktop\dhGoVvfmul.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Code function: 2_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW, 2_2_00403D74

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:54800 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49758 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49758 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49758 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.4:49758 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49758 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:64454 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49759 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49759 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49759 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.4:49759 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49759 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:64277 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49761 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49761 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49761 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49761 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49761 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49761
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:56076 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49762 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49762 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49762 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49762 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49762 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49762
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:60758 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49764 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49764 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49764 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49764 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49764 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49764
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:60647 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49765 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49765 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49765 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49765 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49765 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49765
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:64909 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49767 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49767 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49767 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49767 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49767 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49767
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:56509 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49769 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49769 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49769 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49769 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49769 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49769
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:54069 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49771 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49771 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49771 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49771 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49771 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49771
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:57594 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49777 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49777 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49777 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49777 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49777 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49777
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:60512 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49778 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49778 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49778 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49778 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49778 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49778
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:61361 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49779 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49779 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49779 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49779 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49779 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49779
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:50445 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49780 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49780 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49780 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49780 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49780 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49780
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:51679 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49781 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49781 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49781 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49781 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49781 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49781
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:52472 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49782 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49782 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49782 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49782 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49782 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49782
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:62354 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49783 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49783 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49783 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49783 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49783 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49783
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:50061 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49784 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49784 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49784 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49784 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49784 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49784
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:60612 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49785 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49785 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49785 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49785 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49785 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49785
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:58816 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49786 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49786 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49786 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49786 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49786 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49786
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:56437 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49787 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49787 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49787 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49787 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49787 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49787
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:64825 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49788 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49788 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49788 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49788 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49788 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49788
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:53989 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49789 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49789 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49789 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49789 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49789 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49789
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:63431 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49790 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49790 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49790 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49790 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49790 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49790
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:56901 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49791 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49791 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49791 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49791 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49791 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49791
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:50800 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49792 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49792 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49792 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49792 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49792 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49792
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:52256 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49793 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49793 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49793 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49793 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49793 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49793
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:61081 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49794 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49794 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49794 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49794 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49794 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49794
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:63712 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49797 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49797 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49797 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49797 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49797 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49797
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:50778 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49798 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49798 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49798 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49798 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49798 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49798
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:61486 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49799 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49799 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49799 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49799 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49799 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49799
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:61497 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49800 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49800 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49800 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49800 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49800 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49800
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:57890 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49801 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49801 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49801 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49801 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49801 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49801
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:55142 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49802 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49802 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49802 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49802 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49802 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49802
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:64948 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49808 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49808 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49808 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49808 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49808 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49808
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:60418 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49809 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49809 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49809 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49809 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49809 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49809
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:64259 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49810 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49810 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49810 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49810 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49810 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49810
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:61068 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49812 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49812 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49812 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49812 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49812 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49812
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:58715 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49813 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49813 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49813 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49813 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49813 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49813
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:57816 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49814 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49814 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49814 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49814 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49814 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49814
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:51787 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49815 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49815 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49815 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49815 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49815 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49815
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:53916 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49816 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49816 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49816 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49816 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49816 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49816
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:60790 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49818 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49818 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49818 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49818 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49818 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49818
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:62708 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49819 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49819 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49819 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49819 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49819 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49819
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.4:60946 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49820 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49820 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49820 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49820 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49820 -> 88.218.168.92:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 88.218.168.92:80 -> 192.168.2.4:49820
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor URLs: http://alphastand.top/alien/fre.php
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: RACKTECHRU RACKTECHRU
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 190Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 190Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 163Connection: close
Source: dhGoVvfmul.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: dehbibhar.exe, 00000002.00000002.519843236.00000000004A0000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://sempersim.su/gf3/fre.php
Source: dehbibhar.exe, dehbibhar.exe, 00000002.00000002.519808447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, dehbibhar.exe, 00000002.00000000.266214035.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://www.ibsensoftware.com/
Source: unknown HTTP traffic detected: POST /gf3/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1234DF8CContent-Length: 190Connection: close
Source: unknown DNS traffic detected: queries for: sempersim.su
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Code function: 2_2_00404ED4 recv, 2_2_00404ED4
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\dhGoVvfmul.exe Code function: 0_2_004056A8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004056A8

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 2.0.dehbibhar.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.0.dehbibhar.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.dehbibhar.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.dehbibhar.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.2.dehbibhar.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 2.2.dehbibhar.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.dehbibhar.exe.9e0000.1.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 1.2.dehbibhar.exe.9e0000.1.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.dehbibhar.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.0.dehbibhar.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.dehbibhar.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.dehbibhar.exe.9e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 1.2.dehbibhar.exe.9e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 1.2.dehbibhar.exe.9e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.dehbibhar.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.0.dehbibhar.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.dehbibhar.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.dehbibhar.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.0.dehbibhar.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.dehbibhar.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.dehbibhar.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.0.dehbibhar.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.dehbibhar.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.dehbibhar.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.0.dehbibhar.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.dehbibhar.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.dehbibhar.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.0.dehbibhar.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.dehbibhar.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.dehbibhar.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.0.dehbibhar.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.dehbibhar.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.dehbibhar.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.2.dehbibhar.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 2.2.dehbibhar.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.dehbibhar.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.0.dehbibhar.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.dehbibhar.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.dehbibhar.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.0.dehbibhar.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.dehbibhar.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.519808447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000002.00000002.519808447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki Payload Author: kevoreilly
Source: 00000002.00000002.519808447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.266214035.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000002.00000000.266214035.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki Payload Author: kevoreilly
Source: 00000002.00000000.266214035.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.270121307.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000002.00000000.270121307.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki Payload Author: kevoreilly
Source: 00000002.00000000.270121307.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.268856991.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000002.00000000.268856991.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki Payload Author: kevoreilly
Source: 00000002.00000000.268856991.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.272536894.00000000009E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000001.00000002.272536894.00000000009E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki Payload Author: kevoreilly
Source: 00000001.00000002.272536894.00000000009E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.264898403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000002.00000000.264898403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki Payload Author: kevoreilly
Source: 00000002.00000000.264898403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Uses 32bit PE files
Source: dhGoVvfmul.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 2.0.dehbibhar.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.0.dehbibhar.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.0.dehbibhar.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.dehbibhar.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.2.dehbibhar.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.2.dehbibhar.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.dehbibhar.exe.9e0000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 1.2.dehbibhar.exe.9e0000.1.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.2.dehbibhar.exe.9e0000.1.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.dehbibhar.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 2.0.dehbibhar.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.0.dehbibhar.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.0.dehbibhar.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.dehbibhar.exe.9e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 1.2.dehbibhar.exe.9e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 1.2.dehbibhar.exe.9e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.2.dehbibhar.exe.9e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.dehbibhar.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 2.0.dehbibhar.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.0.dehbibhar.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.0.dehbibhar.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.dehbibhar.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 2.0.dehbibhar.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.0.dehbibhar.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.0.dehbibhar.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.dehbibhar.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.0.dehbibhar.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.0.dehbibhar.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.dehbibhar.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 2.0.dehbibhar.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.0.dehbibhar.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.0.dehbibhar.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.dehbibhar.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 2.0.dehbibhar.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.0.dehbibhar.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.0.dehbibhar.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.dehbibhar.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.0.dehbibhar.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.0.dehbibhar.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.dehbibhar.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.2.dehbibhar.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.2.dehbibhar.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.dehbibhar.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.0.dehbibhar.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.0.dehbibhar.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.dehbibhar.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 2.0.dehbibhar.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.0.dehbibhar.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.0.dehbibhar.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.519808447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000002.00000002.519808447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000002.00000002.519808447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.266214035.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000002.00000000.266214035.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000002.00000000.266214035.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.270121307.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000002.00000000.270121307.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000002.00000000.270121307.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.268856991.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000002.00000000.268856991.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000002.00000000.268856991.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.272536894.00000000009E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 00000001.00000002.272536894.00000000009E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000001.00000002.272536894.00000000009E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000001.00000002.272536894.00000000009E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.264898403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000002.00000000.264898403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000002.00000000.264898403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\dhGoVvfmul.exe Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004034F7
Detected potential crypto function
Source: C:\Users\user\Desktop\dhGoVvfmul.exe Code function: 0_2_00406BFE 0_2_00406BFE
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Code function: 2_2_0040549C 2_2_0040549C
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Code function: 2_2_004029D4 2_2_004029D4
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Code function: String function: 00405B6F appears 42 times
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\dehbibhar.exe A2FC8B5DDF220B7D9DF0E7FCC88F2EBA533698F3D178AF97A93788B614C64014
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\C79A3B\B52B3F.exe (copy) A2FC8B5DDF220B7D9DF0E7FCC88F2EBA533698F3D178AF97A93788B614C64014
Source: dhGoVvfmul.exe Virustotal: Detection: 44%
Source: dhGoVvfmul.exe ReversingLabs: Detection: 57%
Source: C:\Users\user\Desktop\dhGoVvfmul.exe File read: C:\Users\user\Desktop\dhGoVvfmul.exe Jump to behavior
Source: dhGoVvfmul.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\dhGoVvfmul.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\dhGoVvfmul.exe "C:\Users\user\Desktop\dhGoVvfmul.exe"
Source: C:\Users\user\Desktop\dhGoVvfmul.exe Process created: C:\Users\user\AppData\Local\Temp\dehbibhar.exe C:\Users\user\AppData\Local\Temp\dehbibhar.exe C:\Users\user\AppData\Local\Temp\efnvpl
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process created: C:\Users\user\AppData\Local\Temp\dehbibhar.exe C:\Users\user\AppData\Local\Temp\dehbibhar.exe C:\Users\user\AppData\Local\Temp\efnvpl
Source: C:\Users\user\Desktop\dhGoVvfmul.exe Process created: C:\Users\user\AppData\Local\Temp\dehbibhar.exe C:\Users\user\AppData\Local\Temp\dehbibhar.exe C:\Users\user\AppData\Local\Temp\efnvpl Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process created: C:\Users\user\AppData\Local\Temp\dehbibhar.exe C:\Users\user\AppData\Local\Temp\dehbibhar.exe C:\Users\user\AppData\Local\Temp\efnvpl Jump to behavior
Source: C:\Users\user\Desktop\dhGoVvfmul.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\dhGoVvfmul.exe Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004034F7
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Code function: 2_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges, 2_2_0040650A
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto Jump to behavior
Source: C:\Users\user\Desktop\dhGoVvfmul.exe File created: C:\Users\user\AppData\Local\Temp\nsg1FBC.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/6@45/1
Source: C:\Users\user\Desktop\dhGoVvfmul.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\Desktop\dhGoVvfmul.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\dhGoVvfmul.exe Code function: 0_2_00404954 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404954
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook Jump to behavior
Source: dhGoVvfmul.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: dehbibhar.exe, 00000001.00000003.258978615.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, dehbibhar.exe, 00000001.00000003.270247242.00000000022F0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: dehbibhar.exe, 00000001.00000003.258978615.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, dehbibhar.exe, 00000001.00000003.270247242.00000000022F0000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation
barindex
Yara detected aPLib compressed binary
Source: Yara match File source: 2.0.dehbibhar.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.dehbibhar.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.dehbibhar.exe.9e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.dehbibhar.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.dehbibhar.exe.9e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.dehbibhar.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.dehbibhar.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.dehbibhar.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.dehbibhar.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.dehbibhar.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.dehbibhar.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.dehbibhar.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.dehbibhar.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.dehbibhar.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.519808447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.266214035.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.270121307.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.268856991.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.272536894.00000000009E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.264898403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: dehbibhar.exe PID: 4816, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dehbibhar.exe PID: 5828, type: MEMORYSTR
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Code function: 2_2_00402AC0 push eax; ret 2_2_00402AD4
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Code function: 2_2_00402AC0 push eax; ret 2_2_00402AFC
Drops PE files
Source: C:\Users\user\Desktop\dhGoVvfmul.exe File created: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe File created: C:\Users\user\AppData\Roaming\C79A3B\B52B3F.exe (copy) Jump to dropped file
Source: C:\Users\user\Desktop\dhGoVvfmul.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe TID: 5528 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\dhGoVvfmul.exe Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C13
Source: C:\Users\user\Desktop\dhGoVvfmul.exe Code function: 0_2_0040683D FindFirstFileW,FindClose, 0_2_0040683D
Source: C:\Users\user\Desktop\dhGoVvfmul.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Code function: 2_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW, 2_2_00403D74
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Thread delayed: delay time: 60000 Jump to behavior
Source: C:\Users\user\Desktop\dhGoVvfmul.exe API call chain: ExitProcess graph end node
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Code function: 2_2_00402B7C GetProcessHeap,RtlAllocateHeap, 2_2_00402B7C
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Code function: 2_2_0040317B mov eax, dword ptr fs:[00000030h] 2_2_0040317B
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Process created: C:\Users\user\AppData\Local\Temp\dehbibhar.exe C:\Users\user\AppData\Local\Temp\dehbibhar.exe C:\Users\user\AppData\Local\Temp\efnvpl Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\dhGoVvfmul.exe Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004034F7
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Code function: 2_2_00406069 GetUserNameW, 2_2_00406069

Stealing of Sensitive Information
barindex
Yara detected Lokibot
Source: Yara match File source: 00000002.00000002.519895999.0000000000607000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 2.0.dehbibhar.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.dehbibhar.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.dehbibhar.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.dehbibhar.exe.9e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.dehbibhar.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.dehbibhar.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.dehbibhar.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.dehbibhar.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.dehbibhar.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.dehbibhar.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.dehbibhar.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.dehbibhar.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.dehbibhar.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.519808447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.266214035.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.270121307.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.268856991.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.272536894.00000000009E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.264898403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: dehbibhar.exe PID: 4816, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dehbibhar.exe PID: 5828, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Jump to behavior
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts Jump to behavior
Tries to steal Mail credentials (via file registry)
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Code function: PopPassword 2_2_0040D069
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe Code function: SmtpPassword 2_2_0040D069
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\dehbibhar.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 2.0.dehbibhar.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.dehbibhar.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.dehbibhar.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.dehbibhar.exe.9e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.dehbibhar.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.dehbibhar.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.dehbibhar.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.dehbibhar.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.dehbibhar.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.dehbibhar.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.dehbibhar.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.dehbibhar.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.dehbibhar.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.519808447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.266214035.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.270121307.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.268856991.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.272536894.00000000009E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.264898403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected Lokibot
Source: Yara match File source: 00000002.00000002.519895999.0000000000607000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 2.0.dehbibhar.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.dehbibhar.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.dehbibhar.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.dehbibhar.exe.9e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.dehbibhar.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.dehbibhar.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.dehbibhar.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.dehbibhar.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.dehbibhar.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.dehbibhar.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.dehbibhar.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.dehbibhar.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.dehbibhar.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.519808447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.266214035.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.270121307.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.268856991.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.272536894.00000000009E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.264898403.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: dehbibhar.exe PID: 4816, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dehbibhar.exe PID: 5828, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 620372 Sample: dhGoVvfmul Startdate: 04/05/2022 Architecture: WINDOWS Score: 100 25 sempersim.su 2->25 37 Snort IDS alert for network traffic 2->37 39 Multi AV Scanner detection for domain / URL 2->39 41 Found malware configuration 2->41 43 8 other signatures 2->43 8 dhGoVvfmul.exe 18 2->8         started        signatures3 process4 file5 19 C:\Users\user\AppData\Local\...\dehbibhar.exe, PE32 8->19 dropped 21 C:\Users\user\AppData\Local\Temp\efnvpl, DOS 8->21 dropped 11 dehbibhar.exe 8->11         started        process6 signatures7 45 Multi AV Scanner detection for dropped file 11->45 47 Tries to steal Mail credentials (via file registry) 11->47 14 dehbibhar.exe 54 11->14         started        process8 dnsIp9 27 sempersim.su 88.218.168.92, 49758, 49759, 49761 RACKTECHRU Russian Federation 14->27 23 C:\Users\user\AppData\...\B52B3F.exe (copy), PE32 14->23 dropped 29 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->29 31 Tries to steal Mail credentials (via file / registry access) 14->31 33 Tries to harvest and steal ftp login credentials 14->33 35 Tries to harvest and steal browser information (history, passwords, etc) 14->35 file10 signatures11
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
88.218.168.92
 sempersim.su Russian Federation
208861 RACKTECHRU true

Contacted Domains

Name IP Active
sempersim.su 88.218.168.92 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://kbfvzoboss.bid/alien/fre.php true
  • URL Reputation: safe
 unknown
http://alphastand.win/alien/fre.php true
  • URL Reputation: safe
 unknown
http://alphastand.trade/alien/fre.php true
  • URL Reputation: safe
 unknown
http://alphastand.top/alien/fre.php true
  • URL Reputation: safe
 unknown
http://sempersim.su/gf3/fre.php true
  • 22%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown