Windows Analysis Report


General Information

Sample Name:hfyhigXccT.exe
Analysis ID:651263
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Yara detected Lokibot
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Yara detected aPLib compressed binary
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Yara detected Generic Downloader
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Creates a process in suspended mode (likely to inject code)


  • System is w10x64
  • hfyhigXccT.exe (PID: 6448 cmdline: "C:\Users\user\Desktop\hfyhigXccT.exe" MD5: F0DDD6F32E65868ACC9D38B35AF0E2C5)
    • hfyhigXccT.exe (PID: 6752 cmdline: C:\Users\user\Desktop\hfyhigXccT.exe MD5: F0DDD6F32E65868ACC9D38B35AF0E2C5)
    • hfyhigXccT.exe (PID: 6764 cmdline: C:\Users\user\Desktop\hfyhigXccT.exe MD5: F0DDD6F32E65868ACC9D38B35AF0E2C5)
  • cleanup
Malware Configuration

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://sempersim.su/gh20/fre.php"]}
Yara Overview

Memory dumps:

00000000.00000002.281633954.000000000435F000.00000004.00000800.00020000.00000000.sdmp
  • Rule: JoeSecurity_CredentialStealer (Yara detected Credential Stealer), author: Joe Security
  • Rule: JoeSecurity_aPLib_compressed_binary (Yara detected aPLib compressed binary), author: Joe Security
  • Rule: JoeSecurity_Lokibot (Yara detected Lokibot), author: Joe Security
  • Rule: Lokibot (detect Lokibot in memory), author: JPCERT/CC Incident Response Group
    • 0x2f3ef:$des3: 68 03 66 00 00
    • 0x337e0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
    • 0x338ac:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00

00000000.00000002.281705492.0000000004395000.00000004.00000800.00020000.00000000.sdmp
  • Rule: JoeSecurity_CredentialStealer (Yara detected Credential Stealer), author: Joe Security

(43 further entries in this section not shown)

Unpacked PEs:

0.2.hfyhigXccT.exe.4395410.11.unpack
  • Rule: SUSP_XORed_URL_in_EXE (Detects an XORed URL in an executable), author: Florian Roth
    • 0x13278:$s1: http://
    • 0x16233:$s1: http://
    • 0x16c74:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
    • 0x13280:$s2: https://
    • 0x13278:$f1: http://
    • 0x16233:$f1: http://
    • 0x13280:$f2: https://
  • Rule: JoeSecurity_aPLib_compressed_binary (Yara detected aPLib compressed binary), author: Joe Security
  • Rule: Loki_1 (Loki Payload), author: kevoreilly
    • 0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
    • 0x133fc:$a2: last_compatible_version
  • Rule: Lokibot (detect Lokibot in memory), author: JPCERT/CC Incident Response Group
    • 0x123ff:$des3: 68 03 66 00 00
    • 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
    • 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00

5.0.hfyhigXccT.exe.400000.14.raw.unpack
  • Rule: JoeSecurity_CredentialStealer (Yara detected Credential Stealer), author: Joe Security
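The SUSP_XORed_URL_in_EXE hit at 0x16c74 of the unpacked region is the string http:// XORed with the single byte 0xFF (0x68 ^ 0xFF = 0x97, 0x74 ^ 0xFF = 0x8B, 0x70 ^ 0xFF = 0x8F, 0x3A ^ 0xFF = 0xC5, 0x2F ^ 0xFF = 0xD0). The Python below is an added example, not part of the Joe Sandbox report and not the referenced Yara rule; it shows how an analyst recovers the key from such a hit and decodes the URL that follows it, and it generalises the report's single observation by trying all 256 single-byte keys for both http:// and https://. Only the seven marker bytes are taken from the report; the buffer it scans, including the host name placed after the marker, is constructed for this example.

```python
"""Single-byte XOR URL finder (added example, not from the report)."""
from typing import List, Tuple

# The seven bytes reported at 0x16c74 for $s1 of SUSP_XORed_URL_in_EXE.
REPORT_MARKER = b"\x97\x8B\x8B\x8F\xC5\xD0\xD0"

PREFIXES = (b"http://", b"https://")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with one single-byte key."""
    return bytes(b ^ key for b in data)


def find_xored_urls(buf: bytes) -> List[Tuple[int, int, str]]:
    """Return (offset, key, decoded_url) for every http(s):// prefix in buf
    that appears under some single-byte XOR key. Key 0 is included, so
    cleartext URLs are reported in the same pass as obfuscated ones.
    The URL is decoded forward from the prefix until the first byte that
    is not printable ASCII under that key."""
    hits = []
    for key in range(256):
        for prefix in PREFIXES:
            needle = xor_bytes(prefix, key)
            start = 0
            while True:
                off = buf.find(needle, start)
                if off < 0:
                    break
                end = off
                while end < len(buf) and 0x21 <= (buf[end] ^ key) <= 0x7E:
                    end += 1
                hits.append((off, key, xor_bytes(buf[off:end], key).decode("ascii")))
                start = off + 1
    return sorted(hits)


# Constructed scan target: a few header-like bytes, one cleartext URL, and one
# URL encoded with the same 0xFF key as the report's marker. The host names
# are invented for this example and are not from the sample.
SAMPLE = (
    b"MZ\x90\x00\x03"
    + b"https://www.example.com/"
    + b"\x00\x01"
    + xor_bytes(b"http://c2.example.invalid/gate.php", 0xFF)
    + b"\x00\x01\x02"
)

if __name__ == "__main__":
    print("report marker:", find_xored_urls(REPORT_MARKER))
    for off, key, url in find_xored_urls(SAMPLE):
        print(f"offset 0x{off:x} key 0x{key:02x}: {url}")
```

Running the marker alone yields key 0xFF and the bare prefix; on a real dump the same call decodes the full URL up to its first non-printable byte, which is the quickest way to confirm whether an XORed string is a C2 location or something benign such as a copyright notice.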