DYNAMIC ANALYSIS REPORT #1173563
Classifications: Spyware
Threat Names: Lokibot, Mal/HTMLGen-A, Trojan.GenericKD.36738116, Generic.Andromeda.6165138E, Gen:Variant.Razy.762033
Verdict: MALICIOUS
Verdict Reason: -
Sample Type Windows Exe (x86-32)
Sample Name winlog.exe
ID #385568
MD5 36dff976427ac27d7fb7294960ac4092
SHA1 5b199fd080c210915c6b3c6cdb7ed8d8db119e91
SHA256 5d5c83ef1689244a96edcffb1c59f88a164b2f6c0881214e4338b82c61b28072
File Size 280.00 KB
Report Created 2021-04-19 18:49 (UTC+2)
Target Environment win10_64_th2_en_mso2016 | exe
X-Ray Vision for Malware - www.vmray.com 1 / 18 DYNAMIC ANALYSIS REPORT #1173563
OVERVIEW
VMRay Threat Identifiers (18 rules, 54 matches)
Score Category Operation Count Classification
5/5 YARA Malicious content matched by YARA rules 2 Spyware
• Rule "Lokibot" from ruleset "Malware" has matched on a memory dump for (process #1) winlog.exe.
• Rule "Lokibot" from ruleset "Malware" has matched on the function strings for (process #1) winlog.exe.
5/5 Data Collection Tries to read cached credentials of various applications 1 Spyware
• Tries to read sensitive data of: NCH Classic FTP, FileZilla, Bitvise SSH Client, Opera Mail, NCH Fling, PuTTY, Microsoft Outlook, IncrediMail, KiTTY, WinChips, Pidgin, SecureFX, Internet Explorer / Edge, Pocomail, FTP Navigator, FAR Manager, Total Commander, QtWeb Internet Browser, Trojita, Internet Explorer, BlazeFTP, LinasFTP.
4/5 Reputation Contacts known malicious URL 1 -
• Reputation analysis labels the URL "http://eyecos.ga/kung/gate.php" which was contacted by (process #1) winlog.exe as "Mal/HTMLGen-A".
4/5 Reputation Resolves known malicious domain 1 -
• Reputation analysis labels the resolved domain "eyecos.ga" as "Mal/HTMLGen-A".
4/5 Antivirus Malicious content was detected by heuristic scan 3 -
• Built-in AV detected the sample itself as "Trojan.GenericKD.36738116".
• Built-in AV detected a memory dump of (process #1) winlog.exe as "Generic.Andromeda.6165138E".
• Built-in AV detected a memory dump of (process #1) winlog.exe as "Gen:Variant.Razy.762033".
3/5 Discovery Reads installed applications 1 Spyware
• Reads installed programs by enumerating the SOFTWARE registry key.
2/5 Data Collection Reads sensitive browser data 4 -
• (Process #1) winlog.exe tries to read sensitive data of web browser "QtWeb Internet Browser" by registry.
• (Process #1) winlog.exe tries to read credentials of web browser "Internet Explorer" by reading from the system's credential vault.
• (Process #1) winlog.exe tries to read sensitive data of web browser "Internet Explorer / Edge" by registry.
• (Process #1) winlog.exe tries to read sensitive data of web browser "Internet Explorer / Edge" by file.
2/5 Data Collection Reads sensitive application data 5 -
• (Process #1) winlog.exe tries to read sensitive data of application "Pidgin" by file.
• (Process #1) winlog.exe tries to read sensitive data of application "Bitvise SSH Client" by registry.
• (Process #1) winlog.exe tries to read sensitive data of application "KiTTY" by registry.
• (Process #1) winlog.exe tries to read sensitive data of application "PuTTY" by registry.
• (Process #1) winlog.exe tries to read sensitive data of application "WinChips" by registry.
2/5 Data Collection Reads sensitive ftp data 10 -
• (Process #1) winlog.exe tries to read sensitive data of ftp application "LinasFTP" by registry.
• (Process #1) winlog.exe tries to read sensitive data of ftp application "FileZilla" by file.
• (Process #1) winlog.exe tries to read sensitive data of ftp application "BlazeFTP" by file.
• (Process #1) winlog.exe tries to read sensitive data of ftp application "BlazeFTP" by registry.
• (Process #1) winlog.exe tries to read sensitive data of ftp application "Total Commander" by registry.
• (Process #1) winlog.exe tries to read sensitive data of ftp application "FAR Manager" by registry.
• (Process #1) winlog.exe tries to read sensitive data of ftp application "SecureFX" by registry.
• (Process #1) winlog.exe tries to read sensitive data of ftp application "NCH Fling" by registry.
• (Process #1) winlog.exe tries to read sensitive data of ftp application "NCH Classic FTP" by registry.
• (Process #1) winlog.exe tries to read sensitive data of ftp application "FTP Navigator" by file.
2/5 Data Collection Reads sensitive mail data 5 -
• (Process #1) winlog.exe tries to read sensitive data of mail application "Pocomail" by file.
• (Process #1) winlog.exe tries to read sensitive data of mail application "IncrediMail" by registry.
• (Process #1) winlog.exe tries to read sensitive data of mail application "Opera Mail" by file.
• (Process #1) winlog.exe tries to read sensitive data of mail application "Microsoft Outlook" by registry.
• (Process #1) winlog.exe tries to read sensitive data of mail application "Trojita" by registry.
2/5 Anti Analysis Delays execution 1 -
• (Process #1) winlog.exe has a thread which sleeps more than 5 minutes.
1/5 Discovery Reads system data 1 -
• (Process #1) winlog.exe reads the cryptographic machine GUID from registry.
1/5 Mutex Creates mutex 1 -
• (Process #1) winlog.exe creates mutex with name "B7274519EDDE9BDC8AE51348".
1/5 Discovery Possibly does reconnaissance 13 -
• (Process #1) winlog.exe tries to gather information about application "Mozilla Firefox" by registry.
• (Process #1) winlog.exe tries to gather information about application "Comodo IceDragon" by registry.
• (Process #1) winlog.exe tries to gather information about application "Safari" by registry.
• (Process #1) winlog.exe tries to gather information about application "K-Meleon" by registry.
• (Process #1) winlog.exe tries to gather information about application "Mozilla SeaMonkey" by registry.
• (Process #1) winlog.exe tries to gather information about application "Mozilla Flock" by registry.
• (Process #1) winlog.exe tries to gather information about application "Cyberfox" by registry.
• (Process #1) winlog.exe tries to gather information about application "Total Commander" by registry.
• (Process #1) winlog.exe tries to gather information about application "Default Programs" by registry.
• (Process #1) winlog.exe tries to gather information about application "Bitvise SSH Client" by registry.
• (Process #1) winlog.exe tries to gather information about application "SecureFX" by registry.
• (Process #1) winlog.exe tries to gather information about application "Postbox" by registry.
• (Process #1) winlog.exe tries to gather information about application "Trojita" by registry.
1/5 Privilege Escalation Enables process privilege 1 -
• (Process #1) winlog.exe enables process privilege "SeDebugPrivilege".
1/5 Network Connection Performs DNS request 2 -
• (Process #1) winlog.exe resolves host name "eyecos.ga" to IP "35.247.234.230".
• (Process #1) winlog.exe resolves a second "host name" to IP "-" (no address returned). That name is not printable: the report renders it as the NUL-padded byte sequence 97 8B 8B 8F ... 8F 97 8F, which is the bitwise complement (XOR 0xFF) of the ASCII string "http://eyecos.ga/kung/gate.php". The sample therefore handed its still-encoded C2 URL to the resolver as if it were a host name.
1/5 Network Connection Connects to remote host 1 -
• (Process #1) winlog.exe opens an outgoing TCP connection to host "35.247.234.230:80".
1/5 Obfuscation Resolves API functions dynamically 1 -
• (Process #1) winlog.exe resolves 46 API functions by name.
- Trusted Known clean file 2 -
• File "C:\Users\gsanders\AppData\Roaming\9EDDE9\9BDC8A.lck" is a known clean file.
• File "c:\users\gsanders\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1560258661-3990802383-1811730007-1001\0a0eb714d9b6ebd0c6a49a4945de26ad_03845cb8-7441-4a2f-8c0f-c90408af5778" (a CryptoAPI per-user key container under the user's SID) is a known clean file.
Remarks
Anti-Sleep Triggered (0x0200000E): The overall sleep time of all monitored processes was truncated from "2 hours, 51 minutes" to "20 seconds" to reveal dormant functionality.
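The mutex B7274519EDDE9BDC8AE51348, the directory 9EDDE9 and the file stem 9BDC8A listed above are not independent: the directory is characters 8 to 13 of the mutex name and the file stem characters 13 to 18, overlapping by one character. The Python below is an added triage helper, not part of the VMRay report or of the sample: it derives the expected %APPDATA% paths from an observed mutex, checks the two dropped-file hashes from the report against what a one-byte file containing "1" and an empty file hash to, and tests a candidate MachineGuid against the mutex. That last check rests on an assumption the report does not state, namely that the mutex is the first 24 hex digits of MD5 over the MachineGuid the sample reads; because the exact input encoding is unknown, several are tried and None is returned when none reproduces the mutex. The GUID used in the demo is hypothetical.

```python
import hashlib
from dataclasses import dataclass

# Values taken from the report above.
OBSERVED_MUTEX = "B7274519EDDE9BDC8AE51348"
LCK_SHA256 = "6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b"  # 9BDC8A.lck, 1 byte
EXE_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"  # 9BDC8A.exe, 0 bytes


@dataclass(frozen=True)
class HostArtifacts:
    mutex: str
    directory: str    # subdirectory created under %APPDATA%
    file_stem: str    # name of the .lck / .exe inside it
    lock_path: str
    copy_path: str


def derive_artifacts(mutex: str, appdata: str = "%APPDATA%") -> HostArtifacts:
    """Derive the directory and file stem from the mutex name.

    Offsets are read off this report: directory = mutex[7:13] ("9EDDE9"),
    file stem = mutex[12:18] ("9BDC8A"); the two share the character at index 12.
    """
    mutex = mutex.strip().upper()
    if len(mutex) != 24 or any(c not in "0123456789ABCDEF" for c in mutex):
        raise ValueError("expected a 24-character hex mutex name")
    directory, stem = mutex[7:13], mutex[12:18]
    return HostArtifacts(
        mutex=mutex,
        directory=directory,
        file_stem=stem,
        lock_path=f"{appdata}\\{directory}\\{stem}.lck",
        copy_path=f"{appdata}\\{directory}\\{stem}.exe",
    )


def dropped_file_facts() -> dict:
    """What the two dropped-file hashes in the report imply about file contents."""
    return {
        # SHA-256 of the single ASCII byte "1" equals the .lck hash in the report.
        "lck_is_ascii_1": hashlib.sha256(b"1").hexdigest() == LCK_SHA256,
        # SHA-256 of empty input equals the .exe hash: the copy has no content in this run.
        "exe_is_empty": hashlib.sha256(b"").hexdigest() == EXE_SHA256,
    }


def guid_produces_mutex(machine_guid: str, mutex: str):
    """Check whether a host's MachineGuid explains an observed mutex.

    Assumption (not stated in the report): the mutex is the first 24 hex digits
    of MD5 over the MachineGuid string read from HKLM\\SOFTWARE\\Microsoft\\Cryptography.
    The input encoding is unknown, so a few common ones are tried; the matching
    label is returned, or None if no candidate reproduces the mutex.
    """
    mutex = mutex.strip().upper()
    bare = machine_guid.strip().strip("{}")
    candidates = {
        "ascii": bare.encode("ascii"),
        "ascii-upper": bare.upper().encode("ascii"),
        "ascii-braced": ("{" + bare + "}").encode("ascii"),
        "utf-16le": bare.encode("utf-16-le"),
    }
    for label, data in candidates.items():
        if hashlib.md5(data).hexdigest().upper()[:24] == mutex:
            return label
    return None


if __name__ == "__main__":
    art = derive_artifacts(OBSERVED_MUTEX)
    print(art)
    print(dropped_file_facts())
    # Hypothetical GUID for illustration; the analysis VM's real value is not in the report.
    print(guid_produces_mutex("3f2504e0-4f89-11d3-9a0c-0305e82c3301", OBSERVED_MUTEX))
```

On a suspect host, feed the mutex from the sandbox report into derive_artifacts to get the exact paths to look for, and the host's own MachineGuid into guid_produces_mutex to tell whether the mutex seen in the sandbox can even occur there; a None result with a correct GUID means the mutex is host-specific and a hunt should key on the directory/file naming pattern rather than the literal string.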
Mitre ATT&CK Matrix
Tactic columns in the original matrix: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact. Techniques matched, by tactic:
Defense Evasion: #T1045 Software Packing
Credential Access: #T1214 Credentials in Registry; #T1003 Credential Dumping; #T1081 Credentials in Files
Discovery: #T1082 System Information Discovery; #T1012 Query Registry; #T1217 Browser Bookmark Discovery; #T1083 File and Directory Discovery
Collection: #T1119 Automated Collection; #T1005 Data from Local System
No techniques were mapped to the other eight tactics. The IDs follow the ATT&CK numbering from before the v7 sub-technique restructuring: T1081, T1214 and T1045 live on as T1552.001, T1552.002 and T1027.002, and T1003 is now the parent OS Credential Dumping.
Sample Information
ID 1173563
MD5 36dff976427ac27d7fb7294960ac4092
SHA1 5b199fd080c210915c6b3c6cdb7ed8d8db119e91
SHA256 5d5c83ef1689244a96edcffb1c59f88a164b2f6c0881214e4338b82c61b28072
SSDeep 6144:1WkL1Ys1HIRcZbLCaD0YGUaoFP3eNoG0Q+kRuIhbl:4kf1HjnDxasvuT7uul
ImpHash 0c1de0d2a8383c4df108890e036a0ae1
Filename winlog.exe
File Size 280.00 KB
Sample Type Windows Exe (x86-32)
Has Macros
Analysis Information
Creation Time 2021-04-19 18:49 (UTC+2)
Analysis Duration 00:03:51
Termination Reason Timeout
Number of Monitored Processes 1
Execution Successful False
Reputation Analysis Enabled
WHOIS Enabled
Built-in AV Enabled
Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of AV Matches 17
YARA Enabled
YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of YARA Matches 16
Screenshots truncated.
NETWORK
General
101.46 KB total sent
64.76 KB total received
1 port (80)
2 contacted IP addresses
0 URLs extracted
0 files downloaded
0 malicious hosts detected
DNS
346 DNS requests for 2 domains
1 nameservers contacted
172 total requests returned errors
HTTP/S
1 URLs contacted, 1 servers
174 sessions, 100.54 KB sent, 64.33 KB received
DNS Requests
Type | Hostname | Response Code | Resolved IPs | CNames | Verdict
A | eyecos.ga | NoError | 35.247.234.230 | N/A | -
- | <unprintable: NUL-padded bytes 97 8B 8B 8F ... 8F 97 8F, the bitwise complement (XOR 0xFF) of "http://eyecos.ga/kung/gate.php"> | - | - | N/A | -
HTTP Requests
Method | URL | Dest. IP | Dest. Port | Status Code | Response Size | Verdict
POST | http://eyecos.ga/kung/gate.php | 35.247.234.230 | 80 | - | 0 bytes | N/A
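The second DNS "host name" above is the C2 URL with every bit inverted. The Python below is an added example, not part of the VMRay report or of the sample: it rebuilds that buffer from the byte values printed in the report (the separator bytes 0xC5, 0xD0 and 0xD1 for ':', '/' and '.' appear in the extract as å, ð and ñ and are taken from that display), decodes it, and then uses the decoded URL and the resolved IP to scan proxy log lines for direct hits and for the repetitive-POST pattern (174 sessions to one gate.php in under four minutes) that this run produced. The log format, the log lines, the "-" status and the beaconing thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Byte values of the unprintable "host name" from the DNS table, in URL order,
# with the NUL padding the report shows around it.
ENCODED_C2 = b"\x00" * 4 + bytes([
    0x97, 0x8B, 0x8B, 0x8F, 0xC5, 0xD0, 0xD0,                # "http://"
    0x9A, 0x86, 0x9A, 0x9C, 0x90, 0x8C, 0xD1, 0x98, 0x9E,    # "eyecos.ga"
    0xD0, 0x94, 0x8A, 0x91, 0x98, 0xD0,                      # "/kung/"
    0x98, 0x9E, 0x8B, 0x9A, 0xD1, 0x8F, 0x97, 0x8F,          # "gate.php"
]) + b"\x00" * 4
C2_IP = "35.247.234.230"   # resolved address from the report


def decode_complemented(buf: bytes) -> str:
    """Strip NUL padding and undo the byte-wise complement (x ^ 0xFF)."""
    plain = bytes(b ^ 0xFF for b in buf.strip(b"\x00"))
    text = plain.decode("ascii")
    if not all(32 <= ord(c) < 127 for c in text):
        raise ValueError("decoded buffer is not printable ASCII")
    return text


C2_URL = decode_complemented(ENCODED_C2)   # "http://eyecos.ga/kung/gate.php"

# Constructed proxy log: "<ISO time> <src IP> <method> <url> <status> <bytes>" per line.
# Status "-" stands for a request that got no HTTP response (0-byte responses above).
SAMPLE_LOG = """\
2021-04-19T16:50:00Z 10.0.0.5 POST http://eyecos.ga/kung/gate.php - 0
2021-04-19T16:50:02Z 10.0.0.5 POST http://eyecos.ga/kung/gate.php - 0
2021-04-19T16:50:03Z 10.0.0.5 GET http://example.com/index.html 200 1256
2021-04-19T16:50:04Z 10.0.0.5 POST http://eyecos.ga/kung/gate.php - 0
2021-04-19T16:50:05Z 10.0.0.7 POST http://example.com/api/login 200 512
2021-04-19T16:50:06Z 10.0.0.5 POST http://eyecos.ga/kung/gate.php - 0
2021-04-19T16:50:08Z 10.0.0.5 POST http://35.247.234.230/kung/gate.php - 0
2021-04-19T16:50:10Z 10.0.0.5 POST http://eyecos.ga/kung/gate.php - 0
""".splitlines()

LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\S+) (\d+)$")


def scan_proxy_log(lines, c2_url=C2_URL, c2_ip=C2_IP, min_posts=5, max_gap_s=60):
    """Return (hits, beacons).

    hits:    (src, url, reasons) for requests to the C2 host/IP or POSTs to a gate.php.
    beacons: ((src, host, path), count, mean_gap_s) for sources that POST to one path
             at least min_posts times with never more than max_gap_s between posts.
    """
    c2_host = urlsplit(c2_url).hostname
    hits = []
    posts = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue          # ignore lines that do not fit the constructed format
        ts, src, method, url, _status, _size = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        u = urlsplit(url)
        reasons = []
        if u.hostname in (c2_host, c2_ip):
            reasons.append("c2-host")
        if method == "POST" and u.path.endswith("/gate.php"):
            reasons.append("gate.php-post")
        if reasons:
            hits.append((src, url, reasons))
        if method == "POST":
            posts[(src, u.hostname, u.path)].append(when)
    beacons = []
    for key, stamps in posts.items():
        if len(stamps) < min_posts:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) <= max_gap_s:
            beacons.append((key, len(stamps), round(sum(gaps) / len(gaps), 1)))
    return hits, beacons


if __name__ == "__main__":
    print("decoded C2:", C2_URL)
    found, beaconing = scan_proxy_log(SAMPLE_LOG)
    for src, url, why in found:
        print("hit", src, url, ",".join(why))
    for key, n, gap in beaconing:
        print("beacon", key, n, "posts, mean gap", gap, "s")
```

The host/IP match catches the sample's traffic directly; the gate.php POST rule and the beacon rule are there for the day the domain changes but the panel path and the short fixed-interval POST loop do not.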
BEHAVIOR
Process Graph
#1 Sample Start winlog.exe
Process #1: winlog.exe
ID 1
Filename c:\users\gsanders\desktop\winlog.exe
Command Line "C:\Users\gsanders\Desktop\winlog.exe"
Initial Working Directory C:\Users\gsanders\Desktop\
Monitor Start Time Start Time: 190842, Reason: Analysis Target
Unmonitor End Time End Time: 421188, Reason: Terminated by Timeout
Monitor Duration 230.35s
Return Code Unknown
PID 4560
Parent PID 1376
Bitness 32 Bit
Dropped Files (4)
Filename | File Size | SHA256 | YARA Match
- | 49 bytes | 58d997e54748bf6aa6e2f42a262803729d88dc86f0f80277ab8b6968096225d1 | -
C:\Users\gsanders\AppData\Roaming\9EDDE9\9BDC8A.lck | 1 bytes | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b | -
C:\Users\gsanders\AppData\Roaming\9EDDE9\9BDC8A.exe | 0 bytes | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | -
- | 49 bytes | 78877fa898f0b4c45c9c33ae941e40617ad7c8657a307db62bc5691f92f4f60e | -
(The two 49-byte entries are the CryptoAPI key container listed under ARTIFACTS; the .exe hash is the SHA-256 of empty input, so the copy had no content in this run.)
Host Behavior
Type Count
System 206
Module 5378
File 290
Environment 1
Registry 59
Mutex 1
User 10
Network Behavior
Type Count
HTTP 174
DNS 346
TCP 176
ARTIFACTS
File
SHA256 | Filenames | Category | Filesize | MIME Type | Operations | Verdict
5d5c83ef1689244a96edcffb1c59f88a164b2f6c0881214e4338b82c61b28072 | C:\Users\gsanders\Desktop\winlog.exe | Sample File | 280.00 KB | application/vnd.microsoft.portable-executable | Access, Delete | MALICIOUS
58d997e54748bf6aa6e2f42a262803729d88dc86f0f80277ab8b6968096225d1 | c:\users\gsanders\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1560258661-3990802383-1811730007-1001\0a0eb714d9b6ebd0c6a49a4945de26ad_03845cb8-7441-4a2f-8c0f-c90408af5778 | Dropped File | 49 bytes | application/octet-stream | - | CLEAN
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b | C:\Users\gsanders\AppData\Roaming\9EDDE9\9BDC8A.lck | Dropped File | 1 bytes | application/octet-stream | Access, Write, Delete, Create | CLEAN
78877fa898f0b4c45c9c33ae941e40617ad7c8657a307db62bc5691f92f4f60e | c:\users\gsanders\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1560258661-3990802383-1811730007-1001\0a0eb714d9b6ebd0c6a49a4945de26ad_03845cb8-7441-4a2f-8c0f-c90408af5778 | Dropped File | 49 bytes | application/octet-stream | - | CLEAN
Filename
Filename | Category | Operations | Verdict
C:\Users\gsanders\Desktop\winlog.exe | Sample File | Access, Delete | CLEAN
C:\Users\gsanders\AppData\Roaming\9EDDE9 | Accessed File | Access, Create | CLEAN
C:\Users\gsanders\AppData\Roaming\9EDDE9\9BDC8A.lck | Dropped File | Access, Write, Delete, Create | CLEAN
C:\Users\gsanders\AppData\Roaming\9EDDE9\9BDC8A.exe | Accessed File | Access, Write, Create | CLEAN
URL
URL | Category | IP Address | Country | HTTP Methods | Verdict
http://eyecos.ga/kung/gate.php | - | 35.247.234.230 | - | POST | MALICIOUS
Domain
Domain IP Address Country Protocols Verdict
eyecos.ga 35.247.234.230 HTTP, DNS MALICIOUS
IP
IP Address | Domains | Country | Protocols | Verdict
192.168.0.1 | - | - | UDP, DNS | CLEAN
35.247.234.230 | eyecos.ga | Brazil | HTTP, TCP, DNS | CLEAN
Email Address
-
Mutex
Name Operations Parent Process Name Verdict
B7274519EDDE9BDC8AE51348 access winlog.exe CLEAN
Registry
Registry Key | Operations | Parent Process Name | Verdict
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography | access | winlog.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid | access, read | winlog.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\CurrentVersion | access, read | winlog.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\ComodoGroup\IceDragon\Setup\SetupPath | access, read | winlog.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\Safari\InstallDir | access, read | winlog.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\K-Meleon\CurrentVersion | access, read | winlog.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\mozilla.org\SeaMonkey\CurrentVersion | access, read | winlog.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey\CurrentVersion | access, read | winlog.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Flock\CurrentVersion | access, read | winlog.exe | CLEAN
HKEY_CURRENT_USER\Software\QtWeb.NET\QtWeb Internet Browser\AutoComplete | access | winlog.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 | access | winlog.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\8pecxstudios\Cyberfox86\RootDir | access, read | winlog.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\8pecxstudios\Cyberfox\Path | access, read | winlog.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Pale Moon\CurrentVersion | access, read | winlog.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Waterfox\CurrentVersion | access, read | winlog.exe | CLEAN
HKEY_CURRENT_USER\Software\LinasFTP\Site Manager | access | winlog.exe | CLEAN
HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings\LastPassword | access, read | winlog.exe | CLEAN
HKEY_CURRENT_USER\Software\Ghisler\Total Commander\FtpIniName | access, read | winlog.exe | CLEAN
HKEY_CURRENT_USER\Software | access | winlog.exe | CLEAN
HKEY_CURRENT_USER\Software\AppDataLow | access | winlog.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft | access | winlog.exe | CLEAN
HKEY_CURRENT_USER\Software\Policies | access | winlog.exe | CLEAN
HKEY_CURRENT_USER\Software\RegisteredApplications | access | winlog.exe | CLEAN
HKEY_CURRENT_USER\Software\Wow6432Node | access | winlog.exe | CLEAN
HKEY_CURRENT_USER\Software\Classes | access | winlog.exe | CLEAN
HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts | access | winlog.exe | CLEAN
HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts | access | winlog.exe | CLEAN
HKEY_CURRENT_USER\Software\Bitvise\BvSshClient\LastUsedProfile | access, read | winlog.exe | CLEAN
HKEY_CURRENT_USER\Software\VanDyke\SecureFX\Config Path | access, read | winlog.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\NCH Software\Fling\Accounts | access | winlog.exe | CLEAN
HKEY_CURRENT_USER\Software\NCH Software\Fling\Accounts | access | winlog.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\NCH Software\ClassicFTP\FTPAccounts | access | winlog.exe | CLEAN
HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts | access | winlog.exe | CLEAN
HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions | access | winlog.exe | CLEAN
HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions | access | winlog.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions | access | winlog.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\9bis.com\KiTTY\Sessions | access | winlog.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird\CurrentVersion | access, read | winlog.exe | CLEAN
HKEY_CURRENT_USER\Software\IncrediMail\Identities | access | winlog.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities | access | winlog.exe | CLEAN
HKEY_CURRENT_USER\Software\Martin Prikryl | access | winlog.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\Martin Prikryl | access | winlog.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Postbox\Postbox\CurrentVersion | access, read | winlog.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\FossaMail\CurrentVersion | access, read | winlog.exe | CLEAN
HKEY_CURRENT_USER\Software\WinChips\UserAccounts | access | winlog.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | access | winlog.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | access | winlog.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | access | winlog.exe | CLEAN
HKEY_CURRENT_USER\SOFTWARE\flaska.net\trojita\imap.auth.pass | access, read | winlog.exe | CLEAN
HKEY_CURRENT_USER\SOFTWARE\flaska.net\trojita\msa.smtp.auth.pass | access, read | winlog.exe | CLEAN
HKEY_LOCAL_MACHINE\<unprintable subkey path in the original report>\9EDDE9 | access, write | winlog.exe | CLEAN
(The last row is the only write; its intermediate key name is mis-encoded in the report and cannot be recovered from this extract.)
Process
Process Name Commandline Verdict
winlog.exe "C:\Users\gsanders\Desktop\winlog.exe" MALICIOUS
YARA / AV
YARA (16)
Ruleset Name | Rule Name | Rule Description | File Type | Filename | Classification | Verdict
Malware | Lokibot | Lokibot Stealer | Memory Dump | - | Spyware | 5/5 (15 identical matches, one per memory dump)
Malware | Lokibot | Lokibot Stealer | Function Strings | function_strings_process_1.txt | Spyware | 5/5
Antivirus (17)
File Type | Threat Name | Filename | Verdict
SAMPLE | Trojan.GenericKD.36738116 | C:\Users\gsanders\Desktop\winlog.exe | MALICIOUS
MEMORY_DUMP | Generic.Andromeda.6165138E | - | MALICIOUS
MEMORY_DUMP | Gen:Variant.Razy.762033 | - | MALICIOUS (15 identical matches, one per memory dump)
ENVIRONMENT
Virtual Machine Information
Name win10_64_th2_en_mso2016
Description win10_64_th2_en_mso2016
Architecture x86 64-bit
Operating System Windows 10 Threshold 2
Kernel Version 10.0.10586.0 (0de6dc23-8e19-4bb7-8608-d54b1e6fa379)
Network Scheme Name Local Gateway
Network Config Name Local Gateway
Analyzer Information
Analyzer Version 4.1.1
Dynamic Engine Version 4.1.1 / 02/08/2021 15:19
Static Engine Version 1.6.0
Built-in AV Version AVCORE v2.2 Linux/x86_64 11.0.1.19 (November 12, 2020)
Built-in AV Database Update 2021-04-19 14:27:28+00:00 Release Date
VTI Ruleset Version 3.8
YARA Built-in Ruleset Version 1.5
Analysis Report Layout Version 10
Software Information
Adobe Acrobat Reader Version Not installed
Microsoft Office 2016
Microsoft Office Version 16.0.4266.1003
Internet Explorer Version 11.0.10586.0
Chrome Version Not installed
Firefox Version Not installed
Flash Version Not installed
Java Version Not installed