Windows Analysis Report
vNcHHC1HKe

Overview

General Information

Sample Name: vNcHHC1HKe (renamed file extension from none to exe)
Analysis ID: 620804
MD5: 8c7e9d4d5f172854a531a86d34af2c8c
SHA1: 43d99c2bf4d5fce1b640b4ee65b234ced6292c35
SHA256: 7eaffbf0e048501f710bef50d95d59870d638c7e64225397f1ae1d03014c8b19
Tags: 32exetrojan
Infos:

Detection

Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Lokibot
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Yara detected aPLib compressed binary
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Enables debug privileges
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

AV Detection
barindex
Found malware configuration
Source: 00000003.00000002.626023064.0000000000400000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}
Multi AV Scanner detection for submitted file
Source: vNcHHC1HKe.exe Virustotal: Detection: 32% Perma Link
Source: vNcHHC1HKe.exe ReversingLabs: Detection: 47%
Antivirus detection for URL or domain
Source: http://37.0.11.227/sarag/five/fre.php Avira URL Cloud: Label: malware
Machine Learning detection for sample
Source: vNcHHC1HKe.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: vNcHHC1HKe.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: vNcHHC1HKe.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: dtlrkp.exe, 00000001.00000003.371082188.00000000020A0000.00000004.00001000.00020000.00000000.sdmp, dtlrkp.exe, 00000001.00000003.378532429.0000000002230000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: dtlrkp.exe, 00000001.00000003.371082188.00000000020A0000.00000004.00001000.00020000.00000000.sdmp, dtlrkp.exe, 00000001.00000003.378532429.0000000002230000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\vNcHHC1HKe.exe Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C13
Source: C:\Users\user\Desktop\vNcHHC1HKe.exe Code function: 0_2_0040683D FindFirstFileW,FindClose, 0_2_0040683D
Source: C:\Users\user\Desktop\vNcHHC1HKe.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Code function: 3_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW, 3_2_00403D74

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.6:49767 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49767 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49767 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.6:49767 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49767 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.6:49768 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49768 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49768 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.6:49768 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49768 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49769 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49769 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49769 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49769 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49769 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49769
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49770 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49770 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49770 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49770 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49770 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49770
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49771 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49771 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49771 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49771 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49771 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49771
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49772 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49772 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49772 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49772 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49772 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49772
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49773 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49773 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49773 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49773 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49773 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49773
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49774 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49774 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49774 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49774 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49774 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49774
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49775 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49775 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49775 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49775 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49775 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49775
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49777 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49777 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49777 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49777 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49777 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49777
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49780 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49780 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49780 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49780 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49780 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49780
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49781 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49781 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49781 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49781 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49781 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49781
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49782 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49782 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49782 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49782 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49782 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49782
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49785 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49785 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49785 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49785 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49785 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49785
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49786 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49786 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49786 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49786 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49786 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49786
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49789 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49789 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49789 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49789 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49789 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49789
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49794 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49794 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49794 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49794 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49794 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49794
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49795 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49795 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49795 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49795 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49795 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49795
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49800 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49800 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49800 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49800 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49800 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49800
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49805 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49805 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49805 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49805 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49805 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49805
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49806 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49806 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49806 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49806 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49806 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49806
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49807 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49807 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49807 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49807 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49807 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49807
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49809 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49809 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49809 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49809 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49809 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49809
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49810 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49810 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49810 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49810 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49810 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49810
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49812 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49812 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49812 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49812 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49812 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49812
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49813 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49813 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49813 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49813 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49813 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49813
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49814 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49814 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49814 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49814 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49814 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49814
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49815 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49815 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49815 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49815 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49815 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49815
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49817 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49817 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49817 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49817 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49817 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49817
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49818 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49818 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49818 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49818 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49818 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49818
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49820 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49820 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49820 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49820 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49820 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49820
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49822 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49822 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49822 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49822 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49822 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49822
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49823 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49823 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49823 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49823 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49823 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49823
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49824 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49824 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49824 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49824 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49824 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49824
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49826 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49826 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49826 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49826 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49826 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49826
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49829 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49829 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49829 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49829 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49829 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49829
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49836 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49836 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49836 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49836 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49836 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49836
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49843 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49843 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49843 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49843 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49843 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49843
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49852 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49852 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49852 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49852 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49852 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49852
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49860 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49860 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49860 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49860 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49860 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49860
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49870 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49870 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49870 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49870 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49870 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49870
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49878 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49878 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49878 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49878 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49878 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49878
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49884 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49884 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49884 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49884 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49884 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49884
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49888 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49888 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49888 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49888 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49888 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49888
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49889 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49889 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49889 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49889 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49889 -> 37.0.11.227:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 37.0.11.227:80 -> 192.168.2.6:49889
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor URLs: http://alphastand.top/alien/fre.php
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WKD-ASIE WKD-ASIE
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 196Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 196Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: global traffic HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 169Connection: close
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.11.227
Source: vNcHHC1HKe.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: dtlrkp.exe, dtlrkp.exe, 00000003.00000002.626023064.0000000000400000.00000040.00000400.00020000.00000000.sdmp, dtlrkp.exe, 00000003.00000000.374794623.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://www.ibsensoftware.com/
Source: unknown HTTP traffic detected: POST /sarag/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 37.0.11.227Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 4E024674Content-Length: 196Connection: close
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Code function: 3_2_00404ED4 recv, 3_2_00404ED4
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\vNcHHC1HKe.exe Code function: 0_2_004056A8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004056A8

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 3.0.dtlrkp.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 3.0.dtlrkp.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 3.0.dtlrkp.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.dtlrkp.exe.8b0000.1.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 1.2.dtlrkp.exe.8b0000.1.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.dtlrkp.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 3.2.dtlrkp.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 3.2.dtlrkp.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.dtlrkp.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 3.0.dtlrkp.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 3.0.dtlrkp.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.dtlrkp.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 3.0.dtlrkp.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 3.0.dtlrkp.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.dtlrkp.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 3.0.dtlrkp.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 3.0.dtlrkp.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.dtlrkp.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 3.0.dtlrkp.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 3.0.dtlrkp.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.dtlrkp.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 3.0.dtlrkp.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 3.0.dtlrkp.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.dtlrkp.exe.8b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 1.2.dtlrkp.exe.8b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 1.2.dtlrkp.exe.8b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.dtlrkp.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 3.2.dtlrkp.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 3.2.dtlrkp.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.dtlrkp.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 3.0.dtlrkp.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 3.0.dtlrkp.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.dtlrkp.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 3.0.dtlrkp.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 3.0.dtlrkp.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.dtlrkp.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 3.0.dtlrkp.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 3.0.dtlrkp.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.dtlrkp.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 3.0.dtlrkp.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 3.0.dtlrkp.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.370974259.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000003.00000000.370974259.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki Payload Author: kevoreilly
Source: 00000003.00000000.370974259.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.626023064.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000003.00000002.626023064.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki Payload Author: kevoreilly
Source: 00000003.00000002.626023064.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.374794623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000003.00000000.374794623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki Payload Author: kevoreilly
Source: 00000003.00000000.374794623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.376619815.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000003.00000000.376619815.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki Payload Author: kevoreilly
Source: 00000003.00000000.376619815.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.379285097.00000000008B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000001.00000002.379285097.00000000008B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki Payload Author: kevoreilly
Source: 00000001.00000002.379285097.00000000008B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.378317915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000003.00000000.378317915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki Payload Author: kevoreilly
Source: 00000003.00000000.378317915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Uses 32bit PE files
Source: vNcHHC1HKe.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 3.0.dtlrkp.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 3.0.dtlrkp.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.0.dtlrkp.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.dtlrkp.exe.8b0000.1.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.2.dtlrkp.exe.8b0000.1.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.dtlrkp.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 3.2.dtlrkp.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.2.dtlrkp.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.dtlrkp.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 3.0.dtlrkp.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.0.dtlrkp.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.dtlrkp.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 3.0.dtlrkp.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.0.dtlrkp.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.dtlrkp.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 3.0.dtlrkp.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.0.dtlrkp.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.dtlrkp.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 3.0.dtlrkp.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.0.dtlrkp.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.dtlrkp.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 3.0.dtlrkp.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.0.dtlrkp.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.dtlrkp.exe.8b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 1.2.dtlrkp.exe.8b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.2.dtlrkp.exe.8b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.dtlrkp.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 3.2.dtlrkp.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.2.dtlrkp.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.dtlrkp.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 3.0.dtlrkp.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.0.dtlrkp.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.dtlrkp.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 3.0.dtlrkp.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.0.dtlrkp.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.dtlrkp.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 3.0.dtlrkp.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.0.dtlrkp.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.dtlrkp.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 3.0.dtlrkp.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.0.dtlrkp.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.370974259.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000003.00000000.370974259.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000003.00000000.370974259.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.626023064.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000003.00000002.626023064.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000003.00000002.626023064.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.374794623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000003.00000000.374794623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000003.00000000.374794623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.376619815.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000003.00000000.376619815.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000003.00000000.376619815.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.379285097.00000000008B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000001.00000002.379285097.00000000008B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000001.00000002.379285097.00000000008B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.378317915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000003.00000000.378317915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000003.00000000.378317915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\vNcHHC1HKe.exe Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004034F7
Detected potential crypto function
Source: C:\Users\user\Desktop\vNcHHC1HKe.exe Code function: 0_2_00406BFE 0_2_00406BFE
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Code function: 1_2_008A0A33 1_2_008A0A33
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Code function: 3_2_0040549C 3_2_0040549C
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Code function: 3_2_004029D4 3_2_004029D4
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Code function: String function: 00405B6F appears 42 times
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\dtlrkp.exe 57616ECF2F2355F4BCBA77C0A01B6081F7C24CBED9658BB79CC42BA19BD13EF0
Source: vNcHHC1HKe.exe Virustotal: Detection: 32%
Source: vNcHHC1HKe.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\Desktop\vNcHHC1HKe.exe File read: C:\Users\user\Desktop\vNcHHC1HKe.exe Jump to behavior
Source: vNcHHC1HKe.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\vNcHHC1HKe.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\vNcHHC1HKe.exe "C:\Users\user\Desktop\vNcHHC1HKe.exe"
Source: C:\Users\user\Desktop\vNcHHC1HKe.exe Process created: C:\Users\user\AppData\Local\Temp\dtlrkp.exe C:\Users\user\AppData\Local\Temp\dtlrkp.exe C:\Users\user\AppData\Local\Temp\hzuplybmb
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process created: C:\Users\user\AppData\Local\Temp\dtlrkp.exe C:\Users\user\AppData\Local\Temp\dtlrkp.exe C:\Users\user\AppData\Local\Temp\hzuplybmb
Source: C:\Users\user\Desktop\vNcHHC1HKe.exe Process created: C:\Users\user\AppData\Local\Temp\dtlrkp.exe C:\Users\user\AppData\Local\Temp\dtlrkp.exe C:\Users\user\AppData\Local\Temp\hzuplybmb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process created: C:\Users\user\AppData\Local\Temp\dtlrkp.exe C:\Users\user\AppData\Local\Temp\dtlrkp.exe C:\Users\user\AppData\Local\Temp\hzuplybmb Jump to behavior
Source: C:\Users\user\Desktop\vNcHHC1HKe.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\vNcHHC1HKe.exe Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004034F7
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Code function: 3_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges, 3_2_0040650A
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto Jump to behavior
Source: C:\Users\user\Desktop\vNcHHC1HKe.exe File created: C:\Users\user\AppData\Local\Temp\nsxB1C1.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/6@0/1
Source: C:\Users\user\Desktop\vNcHHC1HKe.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\Desktop\vNcHHC1HKe.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\vNcHHC1HKe.exe Code function: 0_2_00404954 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404954
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook Jump to behavior
Source: vNcHHC1HKe.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: dtlrkp.exe, 00000001.00000003.371082188.00000000020A0000.00000004.00001000.00020000.00000000.sdmp, dtlrkp.exe, 00000001.00000003.378532429.0000000002230000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: dtlrkp.exe, 00000001.00000003.371082188.00000000020A0000.00000004.00001000.00020000.00000000.sdmp, dtlrkp.exe, 00000001.00000003.378532429.0000000002230000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation
barindex
Yara detected aPLib compressed binary
Source: Yara match File source: 3.0.dtlrkp.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.dtlrkp.exe.8b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.dtlrkp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.dtlrkp.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.dtlrkp.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.dtlrkp.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.dtlrkp.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.dtlrkp.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.dtlrkp.exe.8b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.dtlrkp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.dtlrkp.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.dtlrkp.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.dtlrkp.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.dtlrkp.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.370974259.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.626023064.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.374794623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.376619815.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.379285097.00000000008B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.378317915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: dtlrkp.exe PID: 7032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dtlrkp.exe PID: 7056, type: MEMORYSTR
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Code function: 3_2_00402AC0 push eax; ret 3_2_00402AD4
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Code function: 3_2_00402AC0 push eax; ret 3_2_00402AFC
Drops PE files
Source: C:\Users\user\Desktop\vNcHHC1HKe.exe File created: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe File created: C:\Users\user\AppData\Roaming\C79A3B\B52B3F.exe (copy) Jump to dropped file
Source: C:\Users\user\Desktop\vNcHHC1HKe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process information set: NOGPFAULTERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe TID: 7060 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\vNcHHC1HKe.exe Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C13
Source: C:\Users\user\Desktop\vNcHHC1HKe.exe Code function: 0_2_0040683D FindFirstFileW,FindClose, 0_2_0040683D
Source: C:\Users\user\Desktop\vNcHHC1HKe.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Code function: 3_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW, 3_2_00403D74
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Thread delayed: delay time: 60000 Jump to behavior
Source: C:\Users\user\Desktop\vNcHHC1HKe.exe API call chain: ExitProcess graph end node
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Code function: 3_2_00402B7C GetProcessHeap,RtlAllocateHeap, 3_2_00402B7C
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Code function: 1_2_008A03F8 mov eax, dword ptr fs:[00000030h] 1_2_008A03F8
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Code function: 1_2_008A061D mov eax, dword ptr fs:[00000030h] 1_2_008A061D
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Code function: 1_2_008A0772 mov eax, dword ptr fs:[00000030h] 1_2_008A0772
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Code function: 1_2_008A0736 mov eax, dword ptr fs:[00000030h] 1_2_008A0736
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Code function: 1_2_008A06F7 mov eax, dword ptr fs:[00000030h] 1_2_008A06F7
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Code function: 3_2_0040317B mov eax, dword ptr fs:[00000030h] 3_2_0040317B

HIPS / PFW / Operating System Protection Evasion
barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Memory written: C:\Users\user\AppData\Local\Temp\dtlrkp.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Process created: C:\Users\user\AppData\Local\Temp\dtlrkp.exe C:\Users\user\AppData\Local\Temp\dtlrkp.exe C:\Users\user\AppData\Local\Temp\hzuplybmb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\vNcHHC1HKe.exe Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004034F7
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Code function: 3_2_00406069 GetUserNameW, 3_2_00406069

Stealing of Sensitive Information
barindex
Yara detected Lokibot
Source: Yara match File source: 3.0.dtlrkp.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.dtlrkp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.dtlrkp.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.dtlrkp.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.dtlrkp.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.dtlrkp.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.dtlrkp.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.dtlrkp.exe.8b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.dtlrkp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.dtlrkp.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.dtlrkp.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.dtlrkp.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.dtlrkp.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.370974259.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.626023064.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.374794623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.376619815.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.379285097.00000000008B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.378317915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: dtlrkp.exe PID: 7032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dtlrkp.exe PID: 7056, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Jump to behavior
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts Jump to behavior
Tries to steal Mail credentials (via file registry)
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Code function: PopPassword 3_2_0040D069
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe Code function: SmtpPassword 3_2_0040D069
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\dtlrkp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 3.0.dtlrkp.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.dtlrkp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.dtlrkp.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.dtlrkp.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.dtlrkp.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.dtlrkp.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.dtlrkp.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.dtlrkp.exe.8b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.dtlrkp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.dtlrkp.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.dtlrkp.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.dtlrkp.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.dtlrkp.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.370974259.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.626023064.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.374794623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.376619815.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.379285097.00000000008B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.378317915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 620804 Sample: vNcHHC1HKe Startdate: 05/05/2022 Architecture: WINDOWS Score: 100 24 Snort IDS alert for network traffic 2->24 26 Found malware configuration 2->26 28 Malicious sample detected (through community Yara rule) 2->28 30 6 other signatures 2->30 7 vNcHHC1HKe.exe 18 2->7         started        process3 file4 18 C:\Users\user\AppData\Local\Temp\dtlrkp.exe, PE32 7->18 dropped 10 dtlrkp.exe 7->10         started        process5 signatures6 32 Tries to steal Mail credentials (via file registry) 10->32 34 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 10->34 36 Injects a PE file into a foreign processes 10->36 13 dtlrkp.exe 54 10->13         started        process7 dnsIp8 22 37.0.11.227, 49767, 49768, 49769 WKD-ASIE Netherlands 13->22 20 C:\Users\user\AppData\...\B52B3F.exe (copy), PE32 13->20 dropped 38 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->38 40 Tries to steal Mail credentials (via file / registry access) 13->40 42 Tries to harvest and steal ftp login credentials 13->42 44 Tries to harvest and steal browser information (history, passwords, etc) 13->44 file9 signatures10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
37.0.11.227
 unknown Netherlands
198301 WKD-ASIE true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://kbfvzoboss.bid/alien/fre.php true
  • URL Reputation: safe
 unknown
http://alphastand.win/alien/fre.php true
  • URL Reputation: safe
 unknown
http://alphastand.trade/alien/fre.php true
  • URL Reputation: safe
 unknown
http://37.0.11.227/sarag/five/fre.php true
  • Avira URL Cloud: malware
 unknown
http://alphastand.top/alien/fre.php true
  • URL Reputation: safe
 unknown