Windows Analysis Report
hfyhigXccT.exe

Overview

General Information

Sample Name: hfyhigXccT.exe
Analysis ID: 651263
MD5: f0ddd6f32e65868acc9d38b35af0e2c5
SHA1: c0b1cb63866b3b2351a8f68d38e61284c0ed2874
SHA256: 748eaf926943f0130b633506282d02f29da4d42d2172b3afce65246633994326
Tags: exe, Loki

Detection

Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Yara detected Lokibot
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Yara detected aPLib compressed binary
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Yara detected Generic Downloader
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • hfyhigXccT.exe (PID: 6448 cmdline: "C:\Users\user\Desktop\hfyhigXccT.exe" MD5: F0DDD6F32E65868ACC9D38B35AF0E2C5)
    • hfyhigXccT.exe (PID: 6752 cmdline: C:\Users\user\Desktop\hfyhigXccT.exe MD5: F0DDD6F32E65868ACC9D38B35AF0E2C5)
    • hfyhigXccT.exe (PID: 6764 cmdline: C:\Users\user\Desktop\hfyhigXccT.exe MD5: F0DDD6F32E65868ACC9D38B35AF0E2C5)
  • cleanup
{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://sempersim.su/gh20/fre.php"]}
Yara matches in memory dumps (Source / Rule / Description / Author / Strings)

Source: 00000000.00000002.281633954.000000000435F000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_CredentialStealer
Description: Yara detected Credential Stealer
Author: Joe Security

Source: 00000000.00000002.281633954.000000000435F000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_aPLib_compressed_binary
Description: Yara detected aPLib compressed binary
Author: Joe Security

Source: 00000000.00000002.281633954.000000000435F000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_Lokibot
Description: Yara detected Lokibot
Author: Joe Security

Source: 00000000.00000002.281633954.000000000435F000.00000004.00000800.00020000.00000000.sdmp
Rule: Lokibot
Description: detect Lokibot in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x2f3ef:$des3: 68 03 66 00 00
  • 0x337e0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x338ac:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00

Source: 00000000.00000002.281705492.0000000004395000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_CredentialStealer
Description: Yara detected Credential Stealer
Author: Joe Security
Yara matches in unpacked PE files (Source / Rule / Description / Author / Strings)

Source: 0.2.hfyhigXccT.exe.4395410.11.unpack
Rule: SUSP_XORed_URL_in_EXE
Description: Detects an XORed URL in an executable
Author: Florian Roth
Strings:
  • 0x13278:$s1: http://
  • 0x16233:$s1: http://
  • 0x16c74:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
  • 0x13280:$s2: https://
  • 0x13278:$f1: http://
  • 0x16233:$f1: http://
  • 0x13280:$f2: https://

Source: 0.2.hfyhigXccT.exe.4395410.11.unpack
Rule: JoeSecurity_aPLib_compressed_binary
Description: Yara detected aPLib compressed binary
Author: Joe Security

Source: 0.2.hfyhigXccT.exe.4395410.11.unpack
Rule: Loki_1
Description: Loki Payload
Author: kevoreilly
Strings:
  • 0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x133fc:$a2: last_compatible_version

Source: 0.2.hfyhigXccT.exe.4395410.11.unpack
Rule: Lokibot
Description: detect Lokibot in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x123ff:$des3: 68 03 66 00 00
  • 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00

Source: 5.0.hfyhigXccT.exe.400000.14.raw.unpack
Rule: JoeSecurity_CredentialStealer
Description: Yara detected Credential Stealer
Author: Joe Security