Windows Analysis Report
INV.2022LB0362 FORM CO (2).exe

Overview

General Information

Sample Name: INV.2022LB0362 FORM CO (2).exe
Analysis ID: 756310
MD5: baed30aea51e6000571219633aa745b0
SHA1: d7e3b155c00245a7f867dd2fb4c06cb7be6ec3f7
SHA256: 57520e51bb0820741b7883926800223886c491a8a5ddd517a49b0e2cc752fb18
Tags: exe, Loki

Detection

Family: Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Yara detected Lokibot
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Yara detected aPLib compressed binary
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • cleanup
Malware configuration (C2 list):
{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://sempersim.su/gm11/fre.php"]}

Yara matches in network traffic (Source / Rule / Description / Author / Strings)

Source: dump.pcap
Rule: JoeSecurity_Lokibot_1
Description: Yara detected Lokibot
Author: Joe Security

Yara matches in memory dumps (27 entries in total; only the first are shown)

Source: 00000000.00000002.262961989.0000000003F9B000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_CredentialStealer
Description: Yara detected Credential Stealer
Author: Joe Security

Source: 00000000.00000002.262961989.0000000003F9B000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_aPLib_compressed_binary
Description: Yara detected aPLib compressed binary
Author: Joe Security

Source: 00000000.00000002.262961989.0000000003F9B000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_Lokibot
Description: Yara detected Lokibot
Author: Joe Security

Source: 00000000.00000002.262961989.0000000003F9B000.00000004.00000800.00020000.00000000.sdmp
Rule: Windows_Trojan_Lokibot_1f885282
Description: unknown
Author: unknown
Strings:
  • 0x180c8:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk

Source: 00000000.00000002.262961989.0000000003F9B000.00000004.00000800.00020000.00000000.sdmp
Rule: Windows_Trojan_Lokibot_0f421617
Description: unknown
Author: unknown
Strings:
  • 0x5493:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
Yara matches in unpacked PE files (43 entries in total; only the first are shown)

Source: 0.2.INV.2022LB0362 FORM CO (2).exe.3f81cb8.13.unpack
Rule: SUSP_XORed_URL_in_EXE
Description: Detects an XORed URL in an executable
Author: Florian Roth
Strings:
  • 0x13278:$s1: http://
  • 0x16233:$s1: http://
  • 0x16c74:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
  • 0x13280:$s2: https://
  • 0x13278:$f1: http://
  • 0x16233:$f1: http://
  • 0x13280:$f2: https://

Source: 0.2.INV.2022LB0362 FORM CO (2).exe.3f81cb8.13.unpack
Rule: JoeSecurity_aPLib_compressed_binary
Description: Yara detected aPLib compressed binary
Author: Joe Security

Source: 0.2.INV.2022LB0362 FORM CO (2).exe.3f81cb8.13.unpack
Rule: Windows_Trojan_Lokibot_1f885282
Description: unknown
Author: unknown
Strings:
  • 0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk

Source: 0.2.INV.2022LB0362 FORM CO (2).exe.3f81cb8.13.unpack
Rule: Windows_Trojan_Lokibot_0f421617
Description: unknown
Author: unknown
Strings:
  • 0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6

Source: 0.2.INV.2022LB0362 FORM CO (2).exe.3f81cb8.13.unpack
Rule: Loki_1
Description: Loki Payload
Author: kevoreilly
Strings:
  • 0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x133fc:$a2: last_compatible_version
Sigma

No Sigma rule has matched

Snort IDS alerts

Timestamp                 Source IP        Src Port  Destination IP   Dst Port  Proto  SID      Classtype
11/30/22-00:54:20.168790  192.168.2.3      49705     95.213.216.202   80        TCP    2024318  A Network Trojan was detected
11/30/22-00:54:14.871390  192.168.2.3      49702     95.213.216.202   80        TCP    2021641  A Network Trojan was detected
11/30/22-00:55:23.450513  192.168.2.3      49738     95.213.216.202   80        TCP    2024313  A Network Trojan was detected
11/30/22-00:55:16.065951  192.168.2.3      49734     95.213.216.202   80        TCP    2825766  A Network Trojan was detected
11/30/22-00:55:04.982566  95.213.216.202   80        192.168.2.3      49727     TCP    2025483  A Network Trojan was detected
11/30/22-00:55:29.247109  192.168.2.3      49741     95.213.216.202   80        TCP    2024313  A Network Trojan was detected
11/30/22-00:54:12.581436  192.168.2.3      49701     95.213.216.202   80        TCP    2825766  A Network Trojan was detected
11/30/22-00:55:43.976237  192.168.2.3      49749     95.213.216.202   80        TCP    2025381  A Network Trojan was detected
11/30/22-00:56:01.042444  192.168.2.3      49759     95.213.216.202   80        TCP    2825766  A Network Trojan was detected
11/30/22-00:55:23.450513  192.168.2.3      49738     95.213.216.202   80        TCP    2024318  A Network Trojan was detected
11/30/22-00:55:17.863854  192.168.2.3      49735     95.213.216.202   80        TCP    2021641  A Network Trojan was detected
11/30/22-00:54:20.168790  192.168.2.3      49705     95.213.216.202   80        TCP    2024313  A Network Trojan was detected
11/30/22-00:55:29.247109  192.168.2.3      49741     95.213.216.202   80        TCP    2024318  A Network Trojan was detected
11/30/22-00:54:57.894669  95.213.216.202   80        192.168.2.3      49723     TCP    2025483  A Network Trojan was detected
11/30/22-00:55:49.378987  192.168.2.3      49752     95.213.216.202   80        TCP    2025381  A Network Trojan was detected
11/30/22-00:54:43.829219  192.168.2.3      49716     95.213.216.202   80        TCP    2025381  A Network Trojan was detected
11/30/22-00:54:24.716724  192.168.2.3      49707     95.213.216.202   80        TCP    2021641  A Network Trojan was detected
11/30/22-00:55:58.948901  192.168.2.3      49757     95.213.216.202   80        TCP    2025381  A Network Trojan was detected
11/30/22-00:55:08.823725  192.168.2.3      49730     95.213.216.202   80        TCP    2021641  A Network Trojan was detected
11/30/22-00:55:12.379224  192.168.2.3      61416     8.8.8.8          53        UDP    2014169  Potentially Bad Traffic
11/30/22-00:55:21.529314  192.168.2.3      60088     8.8.8.8          53        UDP    2014169  Potentially Bad Traffic
11/30/22-00:54:37.979213  192.168.2.3      49713     95.213.216.202   80        TCP    2024313  A Network Trojan was detected
11/30/22-00:55:01.673863  192.168.2.3      49726     95.213.216.202   80        TCP    2825766  A Network Trojan was detected
11/30/22-00:54:37.979213  192.168.2.3      49713     95.213.216.202   80        TCP    2024318  A Network Trojan was detected
11/30/22-00:55:08.735474  192.168.2.3      57743     8.8.8.8          53        UDP    2014169  Potentially Bad Traffic
11/30/22-00:55:53.496270  192.168.2.3      49754     95.213.216.202   80        TCP    2825766  A Network Trojan was detected
11/30/22-00:55:59.773200  95.213.216.202   80        192.168.2.3      49757     TCP    2025483  A Network Trojan was detected
11/30/22-00:55:34.401351  192.168.2.3      49744     95.213.216.202   80        TCP    2025381  A Network Trojan was detected
11/30/22-00:55:29.162121  192.168.2.3      59820     8.8.8.8          53        UDP    2014169  Potentially Bad Traffic
11/30/22-00:54:54.648302  192.168.2.3      53305     8.8.8.8          53        UDP    2014169  Potentially Bad Traffic
11/30/22-00:55:52.887247  95.213.216.202   80        192.168.2.3      49753     TCP    2025483  A Network Trojan was detected
11/30/22-00:54:26.803652  192.168.2.3      49708     95.213.216.202   80        TCP    2025381  A Network Trojan was detected
11/30/22-00:54:45.204539  95.213.216.202   80        192.168.2.3      49716     TCP    2025483  A Network Trojan was detected