
Windows Analysis Report
transferencia bancaria.pdf.exe

Overview

General Information

Sample Name: transferencia bancaria.pdf.exe
Analysis ID: 736955
MD5: 355efb2e1f7dd361f8e7cda449a45eac
SHA1: 864f8d367c72d37347e2dc8fa799cc9a2550d66c
SHA256: cb90ea9b90ccb675d555891bcbfb224edf1bbfe7a650e9600508c93660ec09eb
Tags: exe, Loki

Detection

Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Yara detected Lokibot
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Yara detected aPLib compressed binary
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
C2 URLs / IPs found in malware configuration
Uses an obfuscated file name to hide its real file extension (double extension)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • cleanup
{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://sempersim.su/gl21/fre.php"]}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Lokibot_1 | Yara detected Lokibot | Joe Security |

Source | Rule | Description | Author | Strings
00000001.00000000.275125166.0000000000401000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Lokibot_0f421617 | unknown | unknown |
  • 0x43bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security |
00000000.00000002.277908890.0000000003356000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security |
Source | Rule | Description | Author | Strings
1.0.transferencia bancaria.pdf.exe.400000.0.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth |
  • 0x13e78:$s1: http://
  • 0x17633:$s1: http://
  • 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
  • 0x13e80:$s2: https://
  • 0x13e78:$f1: http://
  • 0x17633:$f1: http://
  • 0x13e80:$f2: https://
1.0.transferencia bancaria.pdf.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
1.0.transferencia bancaria.pdf.exe.400000.0.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security |
1.0.transferencia bancaria.pdf.exe.400000.0.unpack | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security |
1.0.transferencia bancaria.pdf.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifacts observed in infostealers | ditekSHen |
  • 0x16536:$f1: FileZilla\recentservers.xml
  • 0x16576:$f2: FileZilla\sitemanager.xml
  • 0x147e6:$b2: Mozilla\Firefox\Profiles
  • 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x146fa:$s4: logins.json
  • 0x155a4:$s6: wand.dat
  • 0x14024:$a1: username_value
  • 0x14014:$a2: password_value
  • 0x1465f:$a3: encryptedUsername
  • 0x146cc:$a3: encryptedUsername
  • 0x14672:$a4: encryptedPassword
  • 0x146e0:$a4: encryptedPassword
                  No Sigma rule has matched
Snort IDS Alerts

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Protocol | SID | Classtype
11/03/22-12:30:22.162497 | 192.168.2.6 | 49712 | 91.142.77.45 | 80 | TCP | 2024318 | A Network Trojan was detected
11/03/22-12:31:01.987085 | 192.168.2.6 | 49727 | 91.142.77.45 | 80 | TCP | 2024313 | A Network Trojan was detected
11/03/22-12:30:53.367985 | 192.168.2.6 | 49723 | 91.142.77.45 | 80 | TCP | 2825766 | A Network Trojan was detected
11/03/22-12:30:54.913991 | 192.168.2.6 | 49724 | 91.142.77.45 | 80 | TCP | 2021641 | A Network Trojan was detected
11/03/22-12:31:01.170102 | 192.168.2.6 | 59881 | 8.8.8.8 | 53 | UDP | 2014169 | Potentially Bad Traffic
11/03/22-12:30:45.704907 | 192.168.2.6 | 56122 | 8.8.8.8 | 53 | UDP | 2014169 | Potentially Bad Traffic
11/03/22-12:31:39.946873 | 192.168.2.6 | 49741 | 91.142.77.45 | 80 | TCP | 2825766 | A Network Trojan was detected
11/03/22-12:31:50.569101 | 192.168.2.6 | 49745 | 91.142.77.45 | 80 | TCP | 2024313 | A Network Trojan was detected
11/03/22-12:31:03.903902 | 192.168.2.6 | 49728 | 91.142.77.45 | 80 | TCP | 2025381 | A Network Trojan was detected
11/03/22-12:31:35.606377 | 192.168.2.6 | 49739 | 91.142.77.45 | 80 | TCP | 2021641 | A Network Trojan was detected
11/03/22-12:31:33.019427 | 192.168.2.6 | 49738 | 91.142.77.45 | 80 | TCP | 2825766 | A Network Trojan was detected
11/03/22-12:30:25.414440 | 192.168.2.6 | 49713 | 91.142.77.45 | 80 | TCP | 2025381 | A Network Trojan was detected
11/03/22-12:31:09.511791 | 192.168.2.6 | 49731 | 91.142.77.45 | 80 | TCP | 2025381 | A Network Trojan was detected
11/03/22-12:31:31.046497 | 192.168.2.6 | 49737 | 91.142.77.45 | 80 | TCP | 2024318 | A Network Trojan was detected
11/03/22-12:30:25.414440 | 192.168.2.6 | 49713 | 91.142.77.45 | 80 | TCP | 2825766 | A Network Trojan was detected
11/03/22-12:30:41.067853 | 91.142.77.45 | 80 | 192.168.2.6 | 49718 | TCP | 2025483 | A Network Trojan was detected
11/03/22-12:30:17.656419 | 91.142.77.45 | 80 | 192.168.2.6 | 49709 | TCP | 2025483 | A Network Trojan was detected
11/03/22-12:31:05.602892 | 192.168.2.6 | 50343 | 8.8.8.8 | 53 | UDP | 2014169 | Potentially Bad Traffic
11/03/22-12:30:35.019960 | 192.168.2.6 | 49717 | 91.142.77.45 | 80 | TCP | 2024318 | A Network Trojan was detected
11/03/22-12:30:35.019960 | 192.168.2.6 | 49717 | 91.142.77.45 | 80 | TCP | 2024313 | A Network Trojan was detected
11/03/22-12:31:22.519121 | 192.168.2.6 | 56569 | 8.8.8.8 | 53 | UDP | 2014169 | Potentially Bad Traffic
11/03/22-12:30:23.556931 | 91.142.77.45 | 80 | 192.168.2.6 | 49712 | TCP | 2025483 | A Network Trojan was detected
11/03/22-12:31:05.707382 | 192.168.2.6 | 49729 | 91.142.77.45 | 80 | TCP | 2021641 | A Network Trojan was detected
11/03/22-12:31:41.893270 | 192.168.2.6 | 49742 | 91.142.77.45 | 80 | TCP | 2021641 | A Network Trojan was detected
11/03/22-12:30:54.819244 | 192.168.2.6 | 53943 | 8.8.8.8 | 53 | UDP | 2014169 | Potentially Bad Traffic
11/03/22-12:31:07.626823 | 192.168.2.6 | 49730 | 91.142.77.45 | 80 | TCP | 2024318 | A Network Trojan was detected
11/03/22-12:30:19.791139 | 91.142.77.45 | 80 | 192.168.2.6 | 49710 | TCP | 2025483 | A Network Trojan was detected
11/03/22-12:31:27.516452 | 192.168.2.6 | 49735 | 91.142.77.45 | 80 | TCP | 2024313 | A Network Trojan was detected
11/03/22-12:30:48.032802 | 192.168.2.6 | 49721 | 91.142.77.45 | 80 | TCP | 2025381 | A Network Trojan was detected
11/03/22-12:31:09.419344 | 192.168.2.6 | 55629 | 8.8.8.8 | 53 | UDP | 2014169 | Potentially Bad Traffic
11/03/22-12:31:09.511791 | 192.168.2.6 | 49731 | 91.142.77.45 | 80 | TCP | 2825766 | A Network Trojan was detected
11/03/22-12:31:33.019427 | 192.168.2.6 | 49738 | 91.142.77.45 | 80 | TCP | 2025381 | A Network Trojan was detected
11/03/22-12:30:22.162497 | 192.168.2.6 | 49712 | 91.142.77.45 | 80 | TCP | 2024313 | A Network Trojan was detected
11/03/22-12:30:29.899760 | 91.142.77.45 | 80 | 192.168.2.6 | 49714 | TCP | 2025483 | A Network Trojan was detected
11/03/22-12:30:34.572782 | 91.142.77.45 | 80 | 192.168.2.6 | 49716 | TCP | 2025483 | A Network Trojan was detected
11/03/22-12:30:09.785093 | 192.168.2.6 | 49706 | 91.142.77.45 | 80 | TCP | 2021641 | A Network Trojan was detected
11/03/22-12:31:07.626823 | 192.168.2.6 | 49730 | 91.142.77.45 | 80 | (record truncated in source) | 2024313 | (record truncated in source)