Windows Analysis Report
Informe bancario.pdf.exe

Overview

General Information

Sample Name: Informe bancario.pdf.exe
Analysis ID: 651256
MD5: 603fe9a434da79407213db7d4b907789
SHA1: 812797eae86b27f54e5caadb021a4c00c31e4a7e
SHA256: 07776cc1a0981b4143d63533a5e30f2deb4f545f4d27544cda60f5d07b602593
Tags: exe, Loki

Detection

Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Yara detected Lokibot
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Yara detected aPLib compressed binary
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
.NET source code contains potential unpacker
Yara detected Generic Downloader
C2 URLs / IPs found in malware configuration
Uses an obfuscated file name to hide its real file extension (double extension)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • Informe bancario.pdf.exe (PID: 6496 cmdline: "C:\Users\user\Desktop\Informe bancario.pdf.exe" MD5: 603FE9A434DA79407213DB7D4B907789)
    • Informe bancario.pdf.exe (PID: 6800 cmdline: C:\Users\user\Desktop\Informe bancario.pdf.exe MD5: 603FE9A434DA79407213DB7D4B907789)
    • Informe bancario.pdf.exe (PID: 6824 cmdline: C:\Users\user\Desktop\Informe bancario.pdf.exe MD5: 603FE9A434DA79407213DB7D4B907789)
  • cleanup
{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://kossa.xyz/esi/pp/play.php"]}
Source | Rule | Description | Author | Strings
00000005.00000000.289365771.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000005.00000000.289365771.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
00000005.00000000.289365771.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
00000005.00000000.289365771.0000000000400000.00000040.00000400.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifcats observed in infostealers | ditekSHen
  • 0x17936:$f1: FileZilla\recentservers.xml
  • 0x17976:$f2: FileZilla\sitemanager.xml
  • 0x15be6:$b2: Mozilla\Firefox\Profiles
  • 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x15afa:$s4: logins.json
  • 0x169a4:$s6: wand.dat
  • 0x15424:$a1: username_value
  • 0x15414:$a2: password_value
  • 0x15a5f:$a3: encryptedUsername
  • 0x15acc:$a3: encryptedUsername
  • 0x15a72:$a4: encryptedPassword
  • 0x15ae0:$a4: encryptedPassword
00000005.00000000.289365771.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Loki_1 | Loki Payload | kevoreilly
  • 0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x153fc:$a2: last_compatible_version
Source | Rule | Description | Author | Strings
0.2.Informe bancario.pdf.exe.39c40c0.8.raw.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x2fc98:$s1: http://
  • 0x33453:$s1: http://
  • 0x33e94:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
  • 0x2fca0:$s2: https://
  • 0x2fc98:$f1: http://
  • 0x33453:$f1: http://
  • 0x2fca0:$f2: https://
0.2.Informe bancario.pdf.exe.39c40c0.8.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.Informe bancario.pdf.exe.39c40c0.8.raw.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
0.2.Informe bancario.pdf.exe.39c40c0.8.raw.unpack | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
0.2.Informe bancario.pdf.exe.39c40c0.8.raw.unpack | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifcats observed in infostealers | ditekSHen
  • 0x32356:$f1: FileZilla\recentservers.xml
  • 0x32396:$f2: FileZilla\sitemanager.xml
  • 0x30606:$b2: Mozilla\Firefox\Profiles
  • 0x30370:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x3051a:$s4: logins.json
  • 0x313c4:$s6: wand.dat
  • 0x2fe44:$a1: username_value
  • 0x2fe34:$a2: password_value
  • 0x3047f:$a3: encryptedUsername
  • 0x304ec:$a3: encryptedUsername
  • 0x30492:$a4: encryptedPassword
  • 0x30500:$a4: encryptedPassword