Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Payment_copy28476450.exe

Overview

General Information

Sample Name:Payment_copy28476450.exe
Analysis ID:753423
MD5:70e90926399154c2708801a73cf53d99
SHA1:0eaff8f1cde17a392d9e7935bae96f21c91acc3c
SHA256:c36de6d07a8ce4407cb59a275dbf8c04d05844903bb6d566f295ccd13a2d4ce6
Tags:exeloki
Infos:

Detection

Lokibot
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Lokibot
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Yara detected aPLib compressed binary
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Enables debug privileges
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • Payment_copy28476450.exe (PID: 160 cmdline: C:\Users\user\Desktop\Payment_copy28476450.exe MD5: 70E90926399154C2708801A73CF53D99)
    • wcycejenv.exe (PID: 588 cmdline: "C:\Users\user\AppData\Local\Temp\wcycejenv.exe" C:\Users\user\AppData\Local\Temp\stvrrcrc.d MD5: 3182BEF520A1E9F52BE3755C25E4C3B0)
      • conhost.exe (PID: 584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • wcycejenv.exe (PID: 5332 cmdline: "C:\Users\user\AppData\Local\Temp\wcycejenv.exe" C:\Users\user\AppData\Local\Temp\stvrrcrc.d MD5: 3182BEF520A1E9F52BE3755C25E4C3B0)
  • cleanup

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_Lokibot_1Yara detected LokibotJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_aPLib_compressed_binaryYara detected aPLib compressed binaryJoe Security
        00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_LokibotYara detected LokibotJoe Security
          00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmpINDICATOR_SUSPICIOUS_GENInfoStealerDetects executables containing common artifcats observed in infostealersditekSHen
          • 0x17936:$f1: FileZilla\recentservers.xml
          • 0x17976:$f2: FileZilla\sitemanager.xml
          • 0x15be6:$b2: Mozilla\Firefox\Profiles
          • 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
          • 0x15afa:$s4: logins.json
          • 0x169a4:$s6: wand.dat
          • 0x15424:$a1: username_value
          • 0x15414:$a2: password_value
          • 0x15a5f:$a3: encryptedUsername
          • 0x15acc:$a3: encryptedUsername
          • 0x15a72:$a4: encryptedPassword
          • 0x15ae0:$a4: encryptedPassword
          00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmpWindows_Trojan_Lokibot_1f885282unknownunknown
          • 0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
          Click to see the 24 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          3.0.wcycejenv.exe.400000.4.unpackSUSP_XORed_URL_in_EXEDetects an XORed URL in an executableFlorian Roth
          • 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
          3.2.wcycejenv.exe.400000.0.raw.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            3.2.wcycejenv.exe.400000.0.raw.unpackJoeSecurity_aPLib_compressed_binaryYara detected aPLib compressed binaryJoe Security
              3.2.wcycejenv.exe.400000.0.raw.unpackJoeSecurity_LokibotYara detected LokibotJoe Security
                3.2.wcycejenv.exe.400000.0.raw.unpackINDICATOR_SUSPICIOUS_GENInfoStealerDetects executables containing common artifcats observed in infostealersditekSHen
                • 0x17936:$f1: FileZilla\recentservers.xml
                • 0x17976:$f2: FileZilla\sitemanager.xml
                • 0x15be6:$b2: Mozilla\Firefox\Profiles
                • 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
                • 0x15afa:$s4: logins.json
                • 0x169a4:$s6: wand.dat
                • 0x15424:$a1: username_value
                • 0x15414:$a2: password_value
                • 0x15a5f:$a3: encryptedUsername
                • 0x15acc:$a3: encryptedUsername
                • 0x15a72:$a4: encryptedPassword
                • 0x15ae0:$a4: encryptedPassword
                Click to see the 35 entries

                Sigma Signatures

                No Sigma rule has matched

                Snort Signatures

                Timestamp:192.168.2.695.213.216.20249737802025381 11/24/22-19:55:31.199874
                SID:2025381
                Source Port:49737
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.695.213.216.20249748802021641 11/24/22-19:55:53.130311
                SID:2021641
                Source Port:49748
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.695.213.216.20249750802825766 11/24/22-19:55:57.329298
                SID:2825766
                Source Port:49750
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.695.213.216.20249751802021641 11/24/22-19:55:59.376338
                SID:2021641
                Source Port:49751
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.68.8.8.859881532014169 11/24/22-19:55:09.708351
                SID:2014169
                Source Port:59881
                Destination Port:53
                Protocol:UDP
                Classtype:Potentially Bad Traffic
                Timestamp:95.213.216.202192.168.2.680497332025483 11/24/22-19:55:24.906100
                SID:2025483
                Source Port:80
                Destination Port:49733
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:95.213.216.202192.168.2.680497352025483 11/24/22-19:55:28.867256
                SID:2025483
                Source Port:80
                Destination Port:49735
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.695.213.216.20249736802024318 11/24/22-19:55:29.163584
                SID:2024318
                Source Port:49736
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:95.213.216.202192.168.2.680497372025483 11/24/22-19:55:32.908191
                SID:2025483
                Source Port:80
                Destination Port:49737
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:95.213.216.202192.168.2.680497392025483 11/24/22-19:55:36.924861
                SID:2025483
                Source Port:80
                Destination Port:49739
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.695.213.216.20249754802024318 11/24/22-19:56:04.818902
                SID:2024318
                Source Port:49754
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.695.213.216.20249736802024313 11/24/22-19:55:29.163584
                SID:2024313
                Source Port:49736
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected