DYNAMIC ANALYSIS REPORT #6780270
Classifications: Spyware
Lokibot Mal/HTMLGen-A Trojan.PWS.ZKD MALICIOUS Threat Names: Gen:Variant.Fugrafa.31802 Gen:Variant.Razy.762033
Verdict Reason: -
Sample Type Windows Exe (x86-32)
File Name faa648a8_K9kSnJA_tF.exe
ID #2567952
MD5 faa648a8568e4627e7edc78099d087b5
SHA1 cfd6a3dca64f42f8bb5c3a4e9d7b9cab4d78e177
SHA256 611b569440a6daaf92be62a1958366eb772bd62b7bc2f20893870808e0d5a277
File Size 698.61 KB
Report Created 2021-08-03 13:34 (UTC+2)
Target Environment win10_64_th2_en_mso2016 | exe
X-Ray Vision for Malware - www.vmray.com 1 / 22 DYNAMIC ANALYSIS REPORT #6780270
OVERVIEW
VMRay Threat Identifiers (21 rules, 62 matches)
Score Category Operation Count Classification
5/5 YARA Malicious content matched by YARA rules 3 Spyware
• Rule "Lokibot" from ruleset "Malware" has matched on a memory dump for (process #1) faa648a8_k9ksnja_tf.exe.
• Rule "Lokibot" from ruleset "Malware" has matched on a memory dump for (process #2) faa648a8_k9ksnja_tf.exe.
• Rule "Lokibot" from ruleset "Malware" has matched on the function strings for (process #2) faa648a8_k9ksnja_tf.exe.
5/5 Data Collection Tries to read cached credentials of various applications 1 Spyware
• Tries to read sensitive data of: Bitvise SSH Client, QtWeb Internet Browser, NCH Fling, WinChips, Pocomail, SecureFX, Pidgin, PuTT...... osoft Outlook, FileZilla, Internet Explorer, IncrediMail, NCH Classic FTP, Internet Explorer / Edge, KiTTY, FAR Manager, BlazeFTP.
4/5 Antivirus Malicious content was detected by heuristic scan 3 -
• Built-in AV detected a memory dump of (process #1) faa648a8_k9ksnja_tf.exe as "Trojan.PWS.ZKD".
• Built-in AV detected a memory dump of (process #2) faa648a8_k9ksnja_tf.exe as "Gen:Variant.Fugrafa.31802".
• Built-in AV detected a memory dump of (process #2) faa648a8_k9ksnja_tf.exe as "Gen:Variant.Razy.762033".
4/5 Reputation Contacts known malicious URL 1 -
• Reputation analysis labels the URL "http://185.227.139.18/dsaicosaicasdi.php/j572NMRHsdmec" which was contacted by (process #2) faa648a8_k9ksnja_tf.exe as "Mal/HTMLGen-A".
3/5 Discovery Reads installed applications 1 Spyware
• Reads installed programs by enumerating the SOFTWARE registry key.
2/5 Data Collection Reads sensitive browser data 4 -
• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of web browser "QtWeb Internet Browser" by registry.
• (Process #2) faa648a8_k9ksnja_tf.exe tries to read credentials of web browser "Internet Explorer" by reading from the system's credential vault.
• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of web browser "Internet Explorer / Edge" by registry.
• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of web browser "Internet Explorer / Edge" by file.
2/5 Data Collection Reads sensitive application data 5 -
• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of application "Pidgin" by file.
• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of application "Bitvise SSH Client" by registry.
• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of application "KiTTY" by registry.
• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of application "PuTTY" by registry.
• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of application "WinChips" by registry.
2/5 Data Collection Reads sensitive ftp data 10 -
• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of ftp application "LinasFTP" by registry.
• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of ftp application "FileZilla" by file.
• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of ftp application "BlazeFTP" by file.
• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of ftp application "BlazeFTP" by registry.
• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of ftp application "Total Commander" by registry.
• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of ftp application "FAR Manager" by registry.
• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of ftp application "SecureFX" by registry.
• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of ftp application "NCH Fling" by registry.
• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of ftp application "NCH Classic FTP" by registry.
• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of ftp application "FTP Navigator" by file.
X-Ray Vision for Malware - www.vmray.com 2 / 22 DYNAMIC ANALYSIS REPORT #6780270
Score Category Operation Count Classification
2/5 Data Collection Reads sensitive mail data 5 -
• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of mail application "Pocomail" by file.
• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of mail application "IncrediMail" by registry.
• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of mail application "Opera Mail" by file.
• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of mail application "Microsoft Outlook" by registry.
• (Process #2) faa648a8_k9ksnja_tf.exe tries to read sensitive data of mail application "Trojita" by registry.
2/5 Injection Writes into the memory of a process started from a created or modified executable 1 -
• (Process #1) faa648a8_k9ksnja_tf.exe modifies memory of (process #2) faa648a8_k9ksnja_tf.exe.
2/5 Injection Modifies control flow of a process started from a created or modified executable 1 -
• (Process #1) faa648a8_k9ksnja_tf.exe alters context of (process #2) faa648a8_k9ksnja_tf.exe.
2/5 Anti Analysis Makes direct system call to possibly evade hooking based sandboxes 5 -
• (Process #1) faa648a8_k9ksnja_tf.exe makes a direct system call to "NtUnmapViewOfSection".
• (Process #1) faa648a8_k9ksnja_tf.exe makes a direct system call to "NtCreateSection".
• (Process #1) faa648a8_k9ksnja_tf.exe makes a direct system call to "NtMapViewOfSection".
• (Process #1) faa648a8_k9ksnja_tf.exe makes a direct system call to "NtWriteVirtualMemory".
• (Process #1) faa648a8_k9ksnja_tf.exe makes a direct system call to "NtResumeThread".
1/5 Hide Tracks Creates process with hidden window 1 -
• (Process #1) faa648a8_k9ksnja_tf.exe starts (process #2) faa648a8_k9ksnja_tf.exe with a hidden window.
1/5 Obfuscation Reads from memory of another process 1 -
• (Process #1) faa648a8_k9ksnja_tf.exe reads from (process #2) faa648a8_k9ksnja_tf.exe.
1/5 Discovery Reads system data 1 -
• (Process #2) faa648a8_k9ksnja_tf.exe reads the cryptographic machine GUID from registry.
1/5 Mutex Creates mutex 1 -
• (Process #2) faa648a8_k9ksnja_tf.exe creates mutex with name "B7274519EDDE9BDC8AE51348".
1/5 Discovery Possibly does reconnaissance 13 -
• (Process #2) faa648a8_k9ksnja_tf.exe tries to gather information about application "Comodo IceDragon" by registry.
• (Process #2) faa648a8_k9ksnja_tf.exe tries to gather information about application "Safari" by registry.
• (Process #2) faa648a8_k9ksnja_tf.exe tries to gather information about application "K-Meleon" by registry.
• (Process #2) faa648a8_k9ksnja_tf.exe tries to gather information about application "Mozilla SeaMonkey" by registry.
• (Process #2) faa648a8_k9ksnja_tf.exe tries to gather information about application "Mozilla Flock" by registry.
• (Process #2) faa648a8_k9ksnja_tf.exe tries to gather information about application "Cyberfox" by registry.
• (Process #2) faa648a8_k9ksnja_tf.exe tries to gather information about application "Total Commander" by registry.
• (Process #2) faa648a8_k9ksnja_tf.exe tries to gather information about application "NetScape" by registry.
• (Process #2) faa648a8_k9ksnja_tf.exe tries to gather information about application "Default Programs" by registry.
• (Process #2) faa648a8_k9ksnja_tf.exe tries to gather information about application "Bitvise SSH Client" by registry.
• (Process #2) faa648a8_k9ksnja_tf.exe tries to gather information about application "SecureFX" by registry.
• (Process #2) faa648a8_k9ksnja_tf.exe tries to gather information about application "Postbox" by registry.
• (Process #2) faa648a8_k9ksnja_tf.exe tries to gather information about application "Trojita" by registry.
1/5 Privilege Escalation Enables process privilege 1 -
X-Ray Vision for Malware - www.vmray.com 3 / 22 DYNAMIC ANALYSIS REPORT #6780270
Score Category Operation Count Classification
• (Process #2) faa648a8_k9ksnja_tf.exe enables process privilege "SeDebugPrivilege".
1/5 Network Connection Performs DNS request 2 -
• (Process #2) faa648a8_k9ksnja_tf.exe resolves host name "185.227.139.18" to IP "185.227.139.18".
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 • (Process #2) faa648a8_k9ksnja_tf.exe resolves host name " 97 8B 8B 8F åððîçêñííèñîìæñîçð 9B 8C 9E 96 9C 90 8C 9E 96 9C 9E 8C 9B 96 ñð8F 97êèí±8F 95 ²· 8C 9B 92 9A 9C " to IP "-".
1/5 Network Connection Connects to remote host 1 -
• (Process #2) faa648a8_k9ksnja_tf.exe opens an outgoing TCP connection to host "185.227.139.18:80".
1/5 Obfuscation Resolves API functions dynamically 1 -
• (Process #1) faa648a8_k9ksnja_tf.exe resolves 41 API functions by name.
- Trusted Known clean file 2 -
• File "C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.lck" is a known clean file.
• File "c:\users\rdhj0cnfevzx\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1560258661-3990802383-1811730007-1000\3d3578a85286f88c6cd9d151e4412949_03845cb8-7441-4a2f-8c0f- c90408af5778" is a known clean file.
X-Ray Vision for Malware - www.vmray.com 4 / 22 DYNAMIC ANALYSIS REPORT #6780270
Mitre ATT&CK Matrix
Privilege Defense Credential Lateral Command Initial Access Execution Persistence Discovery Collection Exfiltration Impact Escalation Evasion Access Movement and Control
#T1082 #T1214 #T1119 #T1143 Hidden System Credentials in Automated Window Information Registry Collection Discovery #T1045 #T1003 #T1005 Data #T1012 Query Software Credential from Local Registry Packing Dumping System #T1217 #T1081 Browser Credentials in Bookmark Files Discovery #T1083 File and Directory Discovery
X-Ray Vision for Malware - www.vmray.com 5 / 22 DYNAMIC ANALYSIS REPORT #6780270
Sample Information
ID #2567952
MD5 faa648a8568e4627e7edc78099d087b5
SHA1 cfd6a3dca64f42f8bb5c3a4e9d7b9cab4d78e177
SHA256 611b569440a6daaf92be62a1958366eb772bd62b7bc2f20893870808e0d5a277
SSDeep 12288:R1Wl8TpYMxskWv6rfIYJ3dqbTeU77xkU7d3:RAGF0yhtqHx77xkUV
ImpHash 49be0836dac021f86af2cb207b4613c8
File Name faa648a8_K9kSnJA_tF.exe
File Size 698.61 KB
Sample Type Windows Exe (x86-32)
Has Macros
Analysis Information
Creation Time 2021-08-03 13:34 (UTC+2)
Analysis Duration 00:01:18
Termination Reason All processes terminated
Number of Monitored Processes 2
Execution Successful False
Reputation Enabled
WHOIS Enabled
Built-in AV Enabled
Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of AV Matches 28
YARA Enabled
YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of YARA Matches 27
X-Ray Vision for Malware - www.vmray.com 6 / 22 DYNAMIC ANALYSIS REPORT #6780270
X-Ray Vision for Malware - www.vmray.com 7 / 22 DYNAMIC ANALYSIS REPORT #6780270
Screenshots truncated
X-Ray Vision for Malware - www.vmray.com 8 / 22 DYNAMIC ANALYSIS REPORT #6780270
NETWORK
General
2.33 KB total sent
44.20 KB total received
1 ports 80
2 contacted IP addresses
0 URLs extracted
0 files downloaded
0 malicious hosts detected
DNS
4 DNS requests for 2 domains
1 nameservers contacted
1 total requests returned errors
HTTP/S
1 URLs contacted, 1 servers
3 sessions, 1.88 KB sent, 40.23 KB received
HTTP Requests
Method URL Dest. IP Dest. Port Status Code Response Size Verdict
POST http://185.227.139.18/dsaicosaicasdi.php/j572NMRHsdmec - - 0 bytes NA
DNS Requests
Type Hostname Response Code Resolved IPs CNames Verdict
- 185.227.139.18 - 185.227.139.18 NA
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 97 8B 8B 8F åððîçêñííèñîìæñîçð9B 8C 9E 96 9C 90 8C 9E 96 9C 9E 8C 9B 96 ñð8F 97 8F - 00 00 00 00 00 00 - NA 95 êèí±²· 8C 9B 92 9A 9C
X-Ray Vision for Malware - www.vmray.com 9 / 22 DYNAMIC ANALYSIS REPORT #6780270
BEHAVIOR
Process Graph
Modify Memory #1 Modify Control Flow #2 Sample Start faa648a8_k9ksnja_tf.exe Child Process faa648a8_k9ksnja_tf.exe
X-Ray Vision for Malware - www.vmray.com 10 / 22 DYNAMIC ANALYSIS REPORT #6780270
Process #1: faa648a8_k9ksnja_tf.exe
ID 1
File Name c:\users\rdhj0cnfevzx\desktop\faa648a8_k9ksnja_tf.exe
Command Line "C:\Users\RDhJ0CNFevzX\Desktop\faa648a8_K9kSnJA_tF.exe"
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 92344, Reason: Analysis Target
Unmonitor End Time End Time: 125508, Reason: Terminated
Monitor duration 33.16s
Return Code 0
PID 1796
Parent PID 1604
Bitness 32 Bit
Host Behavior
Type Count
Module 66
File 27
Environment 1
Process 1
- 3
- 2
X-Ray Vision for Malware - www.vmray.com 11 / 22 DYNAMIC ANALYSIS REPORT #6780270
Process #2: faa648a8_k9ksnja_tf.exe
ID 2
File Name c:\users\rdhj0cnfevzx\desktop\faa648a8_k9ksnja_tf.exe
Command Line "C:\Users\RDhJ0CNFevzX\Desktop\faa648a8_K9kSnJA_tF.exe"
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 113190, Reason: Child Process
Unmonitor End Time End Time: 160403, Reason: Terminated
Monitor duration 47.21s
Return Code 3221225477
PID 1464
Parent PID 1796
Bitness 32 Bit
Injection Information (3)
Injection Type Source Process Source / Target TID Address / Name Size Success Count
#1: c: Modify Memory \users\rdhj0cnfevzx\desktop 0x6d8 0x400000(4194304) 0xa2000 1 \faa648a8_k9ksnja_tf.exe
#1: c: Modify Memory \users\rdhj0cnfevzx\desktop 0x6d8 0x3db008(4042760) 0x4 1 \faa648a8_k9ksnja_tf.exe
#1: c: Modify Control Flow \users\rdhj0cnfevzx\desktop 0x6d8 / 0x164 0x77568fe0(2002161632) - 1 \faa648a8_k9ksnja_tf.exe
Dropped Files (5)
File Name File Size SHA256 YARA Match
e641ff8107a4197ded9f558d1891e716811e9a7f109f14e876f5a8394844d - 53 bytes c34
859ffdca62ee0971821a4b2dedfc023d0f9a021391b5ac336ddb49d53d28 C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.hdb 4 bytes 330e
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.lck 1 bytes 4b
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852 C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.exe 0 bytes b855
353fd628b7f6e7d426e5d6a27d1bc3ac22fa7f812e7594cf2ec5ca1175785 - 53 bytes b50
Host Behavior
Type Count
Module 1062
Registry 181
Mutex 1
File 296
System 32
User 10
Network Behavior
Type Count
HTTP 3
X-Ray Vision for Malware - www.vmray.com 12 / 22 DYNAMIC ANALYSIS REPORT #6780270
Type Count
DNS 4
TCP 4
X-Ray Vision for Malware - www.vmray.com 13 / 22 DYNAMIC ANALYSIS REPORT #6780270
ARTIFACTS
File
SHA256 File Names Category File Size MIME Type Operations Verdict
C: 611b569440a6daaf92be62a1 \Users\RDhJ0CNFevzX\Desktop\faa6 application/ 958366eb772bd62b7bc2f208 48a8_k9ksnja_tf.exe, C: Sample File 698.61 KB vnd.microsoft.portable- Read, Delete, Access MALICIOUS 93870808e0d5a277 \Users\RDhJ0CNFevzX\Desktop\faa6 executable 48a8_K9kSnJA_tF.exe
c: \users\rdhj0cnfevzx\appdata\roaming\ e641ff8107a4197ded9f558d1 microsoft\crypto\rsa\s-1-5-21-156025 891e716811e9a7f109f14e87 8661-3990802383-1811730007-1000\3 Dropped File 53 bytes application/octet-stream - CLEAN 6f5a8394844dc34 d3578a85286f88c6cd9d151e4412949_ 03845cb8-7441-4a2f-8c0f- c90408af5778
859ffdca62ee0971821a4b2d C: Create, Write, Delete, edfc023d0f9a021391b5ac33 \Users\RDhJ0CNFevzX\AppData\Ro Dropped File 4 bytes text/plain CLEAN Access 6ddb49d53d28330e aming\9EDDE9\9BDC8A.hdb
6b86b273ff34fce19d6b804eff C: Create, Write, Delete, 5a3f5747ada4eaa22f1d49c0 \Users\RDhJ0CNFevzX\AppData\Ro Dropped File 1 bytes application/octet-stream CLEAN Access 1e52ddb7875b4b aming\9EDDE9\9BDC8A.lck
c: \users\rdhj0cnfevzx\appdata\roaming\ 353fd628b7f6e7d426e5d6a2 microsoft\crypto\rsa\s-1-5-21-156025 7d1bc3ac22fa7f812e7594cf2 8661-3990802383-1811730007-1000\3 Dropped File 53 bytes application/octet-stream - CLEAN ec5ca1175785b50 d3578a85286f88c6cd9d151e4412949_ 03845cb8-7441-4a2f-8c0f- c90408af5778
Filename
File Name Category Operations Verdict
C:\Users\RDhJ0CNFevzX\Desktop\faa648a8_K9kSnJA_tF.exe Sample File Read, Access CLEAN
C:\Windows\SYSTEM32\ntdll.dll Accessed File Read, Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9 Accessed File Create, Access CLEAN
Create, Write, Delete, C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.hdb Dropped File CLEAN Access
Create, Write, Delete, C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.lck Dropped File CLEAN Access
C: \Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Credentials\DFBE Accessed File Read, Access CLEAN 70A7E5CC19A398EBF1B96859CE5D
C:\Users\RDhJ0CNFevzX\Desktop\faa648a8_k9ksnja_tf.exe Sample File Delete, Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.exe Accessed File Create, Write, Access CLEAN
URL
URL Category IP Address Country HTTP Methods Verdict
http://185.227.139.18/dsaicosaicasdi.php/ - 185.227.139.18 - POST MALICIOUS j572NMRHsdmec
Domain
Domain IP Address Country Protocols Verdict
185.227.139.18 185.227.139.18 - HTTP, DNS CLEAN
IP
IP Address Domains Country Protocols Verdict
192.168.0.1 - - DNS, UDP CLEAN
185.227.139.18 - United States TCP, HTTP, DNS CLEAN
X-Ray Vision for Malware - www.vmray.com 14 / 22 DYNAMIC ANALYSIS REPORT #6780270
Mutex
Name Operations Parent Process Name Verdict
B7274519EDDE9BDC8AE51348 access faa648a8_k9ksnja_tf.exe CLEAN
Registry
Registry Key Operations Parent Process Name Verdict
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography access faa648a8_k9ksnja_tf.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Ma read, access faa648a8_k9ksnja_tf.exe CLEAN chineGuid
HKEY_LOCAL_MACHINE read, access faa648a8_k9ksnja_tf.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\ComodoGroup\IceDragon\S read, access faa648a8_k9ksnja_tf.exe CLEAN etup\SetupPath
HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc. read, access faa648a8_k9ksnja_tf.exe CLEAN \Safari\InstallDir
HKEY_LOCAL_MACHINE\SOFTWARE\K-Meleon\CurrentVersion read, access faa648a8_k9ksnja_tf.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\mozilla.org\SeaMonkey\Cur read, access faa648a8_k9ksnja_tf.exe CLEAN rentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey\Current read, access faa648a8_k9ksnja_tf.exe CLEAN Version
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Flock\CurrentVersi read, access faa648a8_k9ksnja_tf.exe CLEAN on
HKEY_CURRENT_USER\Software\QtWeb.NET\QtWeb Internet access faa648a8_k9ksnja_tf.exe CLEAN Browser\AutoComplete
HKEY_CURRENT_USER\Software\Microsoft\Internet access faa648a8_k9ksnja_tf.exe CLEAN Explorer\IntelliForms\Storage2
HKEY_LOCAL_MACHINE\SOFTWARE\8pecxstudios\Cyberfox86\R read, access faa648a8_k9ksnja_tf.exe CLEAN ootDir
HKEY_LOCAL_MACHINE\SOFTWARE\8pecxstudios\Cyberfox\Path read, access faa648a8_k9ksnja_tf.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Pale read, access faa648a8_k9ksnja_tf.exe CLEAN Moon\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Waterfox\CurrentVe read, access faa648a8_k9ksnja_tf.exe CLEAN rsion
HKEY_CURRENT_USER\Software\LinasFTP\Site Manager access faa648a8_k9ksnja_tf.exe CLEAN
HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings\La read, access faa648a8_k9ksnja_tf.exe CLEAN stPassword
HKEY_CURRENT_USER\Software\Ghisler\Total read, access faa648a8_k9ksnja_tf.exe CLEAN Commander\FtpIniName
HKEY_CURRENT_USER\Software access faa648a8_k9ksnja_tf.exe CLEAN
HKEY_CURRENT_USER\Software\AppDataLow access faa648a8_k9ksnja_tf.exe CLEAN
HKEY_CURRENT_USER\Software\IM Providers access faa648a8_k9ksnja_tf.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft access faa648a8_k9ksnja_tf.exe CLEAN
HKEY_CURRENT_USER\Software\Netscape access faa648a8_k9ksnja_tf.exe CLEAN
HKEY_CURRENT_USER\Software\ODBC access faa648a8_k9ksnja_tf.exe CLEAN
HKEY_CURRENT_USER\Software\Policies access faa648a8_k9ksnja_tf.exe CLEAN
HKEY_CURRENT_USER\Software\RegisteredApplications access faa648a8_k9ksnja_tf.exe CLEAN
HKEY_CURRENT_USER\Software\Wow6432Node access faa648a8_k9ksnja_tf.exe CLEAN
HKEY_CURRENT_USER\Software\Classes access faa648a8_k9ksnja_tf.exe CLEAN
HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts access faa648a8_k9ksnja_tf.exe CLEAN
X-Ray Vision for Malware - www.vmray.com 15 / 22 DYNAMIC ANALYSIS REPORT #6780270
Registry Key Operations Parent Process Name Verdict
HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts access faa648a8_k9ksnja_tf.exe CLEAN
HKEY_CURRENT_USER\Software\Bitvise\BvSshClient\LastUsedPr read, access faa648a8_k9ksnja_tf.exe CLEAN ofile
HKEY_CURRENT_USER\Software\VanDyke\SecureFX\Config Path read, access faa648a8_k9ksnja_tf.exe CLEAN
HKEY_LOCAL_MACHINE\Software\NCH Software\Fling\Accounts access faa648a8_k9ksnja_tf.exe CLEAN
HKEY_CURRENT_USER\Software\NCH Software\Fling\Accounts access faa648a8_k9ksnja_tf.exe CLEAN
HKEY_LOCAL_MACHINE\Software\NCH access faa648a8_k9ksnja_tf.exe CLEAN Software\ClassicFTP\FTPAccounts
HKEY_CURRENT_USER\Software\NCH access faa648a8_k9ksnja_tf.exe CLEAN Software\ClassicFTP\FTPAccounts
HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions access faa648a8_k9ksnja_tf.exe CLEAN
HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions access faa648a8_k9ksnja_tf.exe CLEAN
HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions access faa648a8_k9ksnja_tf.exe CLEAN
HKEY_LOCAL_MACHINE\Software\9bis.com\KiTTY\Sessions access faa648a8_k9ksnja_tf.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla read, access faa648a8_k9ksnja_tf.exe CLEAN Thunderbird\CurrentVersion
HKEY_CURRENT_USER\Software\IncrediMail\Identities access faa648a8_k9ksnja_tf.exe CLEAN
HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities access faa648a8_k9ksnja_tf.exe CLEAN
HKEY_CURRENT_USER\Software\Martin Prikryl access faa648a8_k9ksnja_tf.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Martin Prikryl access faa648a8_k9ksnja_tf.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Postbox\Postbox\CurrentVe read, access faa648a8_k9ksnja_tf.exe CLEAN rsion
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\FossaMail\Current read, access faa648a8_k9ksnja_tf.exe CLEAN Version
HKEY_CURRENT_USER\Software\WinChips\UserAccounts access faa648a8_k9ksnja_tf.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows access faa648a8_k9ksnja_tf.exe CLEAN NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Pr access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\0a0d020000000000c000000000000046
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr read, access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\0a0d020000000000c000000000000046\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr read, access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\2db91c5fd8470d46b1a5bc5efab4cae7
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr read, access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\2db91c5fd8470d46b1a5bc5efab4cae7\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\3517490d76624c419a828607e2a54604
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr read, access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\3517490d76624c419a828607e2a54604\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\6c29d51f56390b45a924b3b787013a66
X-Ray Vision for Malware - www.vmray.com 16 / 22 DYNAMIC ANALYSIS REPORT #6780270
Registry Key Operations Parent Process Name Verdict
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr read, access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\6c29d51f56390b45a924b3b787013a66\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\8503020000000000c000000000000046
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr read, access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\8503020000000000c000000000000046\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\8763203907727d498bce4b981b157d7b
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr read, access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\8763203907727d498bce4b981b157d7b\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\893893ade607c44aa338ac7df5d6cb42
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr read, access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\893893ade607c44aa338ac7df5d6cb42\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr read, access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\9207f3e0a3b11019908b08002b2a56c2\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr read, access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Em read, access faa648a8_k9ksnja_tf.exe CLEAN ail
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Em read, access faa648a8_k9ksnja_tf.exe CLEAN ail
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SM read, access faa648a8_k9ksnja_tf.exe CLEAN TP Email Address
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SM read, access faa648a8_k9ksnja_tf.exe CLEAN TP Server
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SM read, access faa648a8_k9ksnja_tf.exe CLEAN TP User Name
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SM read, access faa648a8_k9ksnja_tf.exe CLEAN TP User
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\PO read, access faa648a8_k9ksnja_tf.exe CLEAN P3 Server
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\PO read, access faa648a8_k9ksnja_tf.exe CLEAN P3 User Name
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\PO read, access faa648a8_k9ksnja_tf.exe CLEAN P3 User
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\NN read, access faa648a8_k9ksnja_tf.exe CLEAN TP Email Address
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\NN read, access faa648a8_k9ksnja_tf.exe CLEAN TP User Name
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\NN read, access faa648a8_k9ksnja_tf.exe CLEAN TP Server
X-Ray Vision for Malware - www.vmray.com 17 / 22 DYNAMIC ANALYSIS REPORT #6780270
Registry Key Operations Parent Process Name Verdict
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMA read, access faa648a8_k9ksnja_tf.exe CLEAN P Server
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMA read, access faa648a8_k9ksnja_tf.exe CLEAN P User Name
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMA read, access faa648a8_k9ksnja_tf.exe CLEAN P User
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HT read, access faa648a8_k9ksnja_tf.exe CLEAN TP User
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HT read, access faa648a8_k9ksnja_tf.exe CLEAN TP Server URL
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HT read, access faa648a8_k9ksnja_tf.exe CLEAN TPMail User Name
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HT read, access faa648a8_k9ksnja_tf.exe CLEAN TPMail Server
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\PO read, access faa648a8_k9ksnja_tf.exe CLEAN P3 Port
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SM read, access faa648a8_k9ksnja_tf.exe CLEAN TP Port
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMA read, access faa648a8_k9ksnja_tf.exe CLEAN P Port
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\PO read, access faa648a8_k9ksnja_tf.exe CLEAN P3 Password2
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMA read, access faa648a8_k9ksnja_tf.exe CLEAN P Password2
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\NN read, access faa648a8_k9ksnja_tf.exe CLEAN TP Password2
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HT read, access faa648a8_k9ksnja_tf.exe CLEAN TPMail Password2
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SM read, access faa648a8_k9ksnja_tf.exe CLEAN TP Password2
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\PO read, access faa648a8_k9ksnja_tf.exe CLEAN P3 Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMA read, access faa648a8_k9ksnja_tf.exe CLEAN P Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\NN read, access faa648a8_k9ksnja_tf.exe CLEAN TP Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HT read, access faa648a8_k9ksnja_tf.exe CLEAN TP Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SM read, access faa648a8_k9ksnja_tf.exe CLEAN TP Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Em read, access faa648a8_k9ksnja_tf.exe CLEAN ail
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\dc48e7c6d33441458035ee20beefe18a
X-Ray Vision for Malware - www.vmray.com 18 / 22 DYNAMIC ANALYSIS REPORT #6780270
Registry Key Operations Parent Process Name Verdict
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr read, access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\dc48e7c6d33441458035ee20beefe18a\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\e57f6d0b27b6134693ca7113a4ab34a6
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr read, access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\e57f6d0b27b6134693ca7113a4ab34a6\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\f35c115766b7c94cb080da6869ae8f9d
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr read, access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\f35c115766b7c94cb080da6869ae8f9d\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\f86ed2903a4a11cfb57e524153480001
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr read, access faa648a8_k9ksnja_tf.exe CLEAN ofiles\Outlook\f86ed2903a4a11cfb57e524153480001\Email
HKEY_CURRENT_USER\SOFTWARE\flaska.net\trojita\imap.auth.p read, access faa648a8_k9ksnja_tf.exe CLEAN ass
HKEY_CURRENT_USER\SOFTWARE\flaska.net\trojita\msa.smtp.a read, access faa648a8_k9ksnja_tf.exe CLEAN uth.pass
HKEY_LOCAL_MACHINE\����������������� ����Л�������������я��Е��ͱ����� write, access faa648a8_k9ksnja_tf.exe CLEAN ���\9EDDE9
Process
Process Name Commandline Verdict
faa648a8_k9ksnja_tf.exe "C:\Users\RDhJ0CNFevzX\Desktop\faa648a8_K9kSnJA_tF.exe" MALICIOUS
X-Ray Vision for Malware - www.vmray.com 19 / 22 DYNAMIC ANALYSIS REPORT #6780270
YARA / AV
YARA (27)
Ruleset Name Rule Name Rule Description File Type File Name Classification Verdict
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Function Strings function_strings_process_2.txt Spyware 5/5
Antivirus (28)
File Type Threat Name File Name Verdict
Memory Dump Trojan.PWS.ZKD - MALICIOUS
Memory Dump Gen:Variant.Fugrafa.31802 - MALICIOUS
Memory Dump Gen:Variant.Fugrafa.31802 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
X-Ray Vision for Malware - www.vmray.com 20 / 22 DYNAMIC ANALYSIS REPORT #6780270
File Type Threat Name File Name Verdict
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
X-Ray Vision for Malware - www.vmray.com 21 / 22 DYNAMIC ANALYSIS REPORT #6780270
ENVIRONMENT
Virtual Machine Information
Name win10_64_th2_en_mso2016
Description win10_64_th2_en_mso2016
Architecture x86 64-bit
Operating System Windows 10 Threshold 2
Kernel Version 10.0.10586.0 (0de6dc23-8e19-4bb7-8608-d54b1e6fa379)
Network Scheme Name Local Gateway
Network Config Name Local Gateway
Analyzer Information
Analyzer Version 4.2.2
Dynamic Engine Version 4.2.2 / 07/23/2021 03:44
Static Engine Version 4.2.2.0
Built-in AV Version AVCORE v2.2 Linux/x86_64 11.0.1.19 (March 15, 2021)
Built-in AV Database Update Release 2021-08-03 08:18:08+00:00 Date
AV Exceptions Version 4.2.2.54 / 2021-07-23 03:00:10
VTI Ruleset Version 4.2.2.31 / 2021-07-19 18:52:40
YARA Built-in Ruleset Version 4.2.2.32
Link Detonation Heuristics Version -
Signature Trust Store Version 4.2.2.54 / 2021-07-23 03:00:10
Analysis Report Layout Version 10
Software Information
Adobe Acrobat Reader Version Not installed
Microsoft Office 2016
Microsoft Office Version 16.0.4266.1003
Internet Explorer Version 11.0.10586.0
Chrome Version Not installed
Firefox Version Not installed
Flash Version Not installed
Java Version Not installed
X-Ray Vision for Malware - www.vmray.com 22 / 22