Windows Analysis Report
PI#53034601506400.exe

Overview

General Information

Sample Name: PI#53034601506400.exe
Analysis ID: 708241
MD5: 05d1649e1b980b3d59b189a2fe07fc3c
SHA1: 9227eb122ce621fa3f7375c4a0ac4becd45b82c0
SHA256: 66f1a748e30aaa66b2053848270d68f5dc3ec9ccd4b9a5dbaa6a6dfd3139490c
Tags: exe, Loki
Infos:

Detection

Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Yara detected Lokibot
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Yara detected aPLib compressed binary
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • PI#53034601506400.exe (PID: 5988 cmdline: "C:\Users\user\Desktop\PI#53034601506400.exe" MD5: 05D1649E1B980B3D59B189A2FE07FC3C)
    • PI#53034601506400.exe (PID: 2312 cmdline: C:\Users\user\Desktop\PI#53034601506400.exe MD5: 05D1649E1B980B3D59B189A2FE07FC3C)
  • cleanup
{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://162.0.223.13/?0ZbRoqHjbXfrX54fnD4rBmzDYlyFq8Yr7ajvA0OLY4dV9iaxVfYwByaATIgkQeLXp4tZ5i"]}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Lokibot_1 | Yara detected Lokibot | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security |
00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security |
00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Lokibot_1f885282 | unknown | unknown |
  • 0x7f8d4:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Source | Rule | Description | Author | Strings
0.2.PI#53034601506400.exe.2575394.3.unpack | Windows_Trojan_Lokibot_0f421617 | unknown | unknown |
  • 0x2d563:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.PI#53034601506400.exe.38976c0.9.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth |
  • 0x13278:$s1: http://
  • 0x16233:$s1: http://
  • 0x16c74:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
  • 0x13280:$s2: https://
  • 0x13278:$f1: http://
  • 0x16233:$f1: http://
  • 0x13280:$f2: https://
0.2.PI#53034601506400.exe.38976c0.9.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security |
0.2.PI#53034601506400.exe.38976c0.9.unpack | Windows_Trojan_Lokibot_1f885282 | unknown | unknown |
  • 0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.PI#53034601506400.exe.38976c0.9.unpack | Windows_Trojan_Lokibot_0f421617 | unknown | unknown |
  • 0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
No Sigma rule has matched

Timestamp | SID | Source IP | Source Port | Destination IP | Destination Port | Protocol | Classtype
09/23/22-07:58:29.454711 | 2024317 | 192.168.2.5 | 49699 | 162.0.223.13 | 80 | TCP | A Network Trojan was detected
09/23/22-07:58:37.371596 | 2024313 | 192.168.2.5 | 49701 | 162.0.223.13 | 80 | TCP | A Network Trojan was detected
09/23/22-07:58:37.371596 | 2021641 | 192.168.2.5 | 49701 | 162.0.223.13 | 80 | TCP | A Network Trojan was detected
09/23/22-07:58:29.454711 | 2021641 | 192.168.2.5 | 49699 | 162.0.223.13 | 80 | TCP | A Network Trojan was detected
09/23/22-07:58:29.454711 | 2024312 | 192.168.2.5 | 49699 | 162.0.223.13 | 80 | TCP | A Network Trojan was detected
09/23/22-07:58:37.371596 | 2024318 | 192.168.2.5 | 49701 | 162.0.223.13 | 80 | TCP | A Network Trojan was detected
09/23/22-07:58:35.112918 | 2024312 | 192.168.2.5 | 49700 | 162.0.223.13 | 80 | TCP | A Network Trojan was detected
09/23/22-07:58:35.112918 | 2021641 | 192.168.2.5 | 49700 | 162.0.223.13 | 80 | TCP | A Network Trojan was detected
09/23/22-07:58:35.112918 | 2024317 | 192.168.2.5 | 49700 | 162.0.223.13 | 80 | TCP | A Network Trojan was detected