DYNAMIC ANALYSIS REPORT #6972494
Classifications: Spyware
Threat Names: Lokibot, Gen:Trojan.Heur3.LPT.gmX@aSs4QPdab, Gen:Variant.Razy.762033
Verdict: MALICIOUS
Verdict Reason: -
Sample Type Windows Exe (x86-32)
File Name 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe
ID #2651322
MD5 bcd3e420575492db9ee58c42b2032094
SHA1 3d31aace807806cfe8652f07e695b881ba0876e1
SHA256 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b
File Size 100.00 KB
Report Created 2021-08-23 14:04 (UTC+2)
Target Environment win7_64_sp1_en_mso2016 | exe
X-Ray Vision for Malware - www.vmray.com 1 / 18 DYNAMIC ANALYSIS REPORT #6972494
OVERVIEW
VMRay Threat Identifiers (20 rules, 38 matches)
Score Category Operation Count Classification
5/5 YARA Malicious content matched by YARA rules 1 Spyware
• Rule "Lokibot" from ruleset "Malware" has matched on a memory dump for (process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe.
5/5 Data Collection Tries to read cached credentials of various applications 1 Spyware
• Tries to read sensitive data of: FileZilla, Internet Explorer, BlazeFTP, Total Commander, Pidgin, QtWeb Internet Browser, Internet Explorer / Edge, LinasFTP.
4/5 Antivirus Malicious content was detected by heuristic scan 2 -
• Built-in AV detected a memory dump of (process #1) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe as "Gen:Trojan.Heur3.LPT.gmX@aSs4QPdab".
• Built-in AV detected a memory dump of (process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe as "Gen:Variant.Razy.762033".
3/5 Anti Analysis Tries to evade debugger 1 -
• (Process #1) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe hides thread via API "NtSetInformationThread".
3/5 Discovery Reads installed applications 1 Spyware
• Reads installed programs by enumerating the SOFTWARE registry key.
2/5 Anti Analysis Tries to detect debugger 1 -
• (Process #1) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to detect a debugger via API "NtQueryInformationProcess".
2/5 Data Collection Reads sensitive browser data 3 -
• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to read sensitive data of web browser "QtWeb Internet Browser" by registry.
• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to read credentials of web browser "Internet Explorer" by reading from the system's credential vault.
• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to read sensitive data of web browser "Internet Explorer / Edge" by registry.
2/5 Data Collection Reads sensitive application data 1 -
• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to read sensitive data of application "Pidgin" by file.
2/5 Data Collection Reads sensitive ftp data 5 -
• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to read sensitive data of ftp application "LinasFTP" by registry.
• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to read sensitive data of ftp application "FileZilla" by file.
• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to read sensitive data of ftp application "BlazeFTP" by file.
• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to read sensitive data of ftp application "BlazeFTP" by registry.
• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to read sensitive data of ftp application "Total Commander" by registry.
2/5 Injection Writes into the memory of a process started from a created or modified executable 1 -
• (Process #1) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe modifies memory of (process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe.
2/5 Injection Modifies control flow of a process started from a created or modified executable 1 -
• (Process #1) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe alters context of (process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe.
2/5 Anti Analysis Makes direct system call to possibly evade hooking based sandboxes 2 -
• (Process #1) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe makes a direct system call to "NtAllocateVirtualMemory".
• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe makes a direct system call to "NtAllocateVirtualMemory".
1/5 Hide Tracks Creates process with hidden window 1 -
• (Process #1) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe starts (process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe with a hidden window.
1/5 Obfuscation Creates a page with write and execute permissions 1 -
• (Process #1) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
1/5 Discovery Reads system data 1 -
• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe reads the cryptographic machine GUID from registry.
1/5 Mutex Creates mutex 1 -
• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe creates mutex with name "AC886C1380004474ED06FF77".
1/5 Discovery Possibly does reconnaissance 9 -
• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to gather information about application "Mozilla Firefox" by registry.
• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to gather information about application "Comodo IceDragon" by registry.
• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to gather information about application "Safari" by registry.
• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to gather information about application "K-Meleon" by registry.
• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to gather information about application "Mozilla SeaMonkey" by registry.
• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to gather information about application "Mozilla Flock" by registry.
• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to gather information about application "Cyberfox" by registry.
• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to gather information about application "Total Commander" by registry.
• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to gather information about application "NetScape" by registry.
1/5 Obfuscation Overwrites code 2 -
• (Process #1) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe overwrites code to possibly hide behavior.
• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe overwrites code to possibly hide behavior.
1/5 Obfuscation Resolves API functions dynamically 2 -
• (Process #1) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe resolves 72 API functions by name.
• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe resolves 25 API functions by name.
1/5 Execution Executes itself 1 -
• (Process #1) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe executes a copy of the sample at C:\Users\kEecfMwgj\Desktop\38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe.
Mitre ATT&CK Matrix
Tactic Techniques
Initial Access -
Execution -
Persistence -
Privilege Escalation -
Defense Evasion #T1143 Hidden Window; #T1045 Software Packing
Credential Access #T1214 Credentials in Registry; #T1003 Credential Dumping; #T1081 Credentials in Files
Discovery #T1082 System Information Discovery; #T1012 Query Registry; #T1217 Browser Bookmark Discovery; #T1083 File and Directory Discovery
Lateral Movement -
Collection #T1119 Automated Collection; #T1005 Data from Local System
Command and Control -
Exfiltration -
Impact -
Sample Information
ID #2651322
MD5 bcd3e420575492db9ee58c42b2032094
SHA1 3d31aace807806cfe8652f07e695b881ba0876e1
SHA256 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b
SSDeep 1536:Y3AExAD534Dy5EqP6zW6X48mPTzJ5V0Le5xK:+xi4YmX48mP/+K5xK
ImpHash 877d76f42120b733733986666dfbed46
File Name 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe
File Size 100.00 KB
Sample Type Windows Exe (x86-32)
Has Macros
Analysis Information
Creation Time 2021-08-23 14:04 (UTC+2)
Analysis Duration 00:04:00
Termination Reason Timeout
Number of Monitored Processes 2
Execution Successful False
Reputation Enabled
WHOIS Enabled
Built-in AV Enabled
Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of AV Matches 41
YARA Enabled
YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of YARA Matches 40
NETWORK
General
965 bytes total sent
9.04 KB total received
1 ports 443
1 contacted IP addresses
0 URLs extracted
1 files downloaded
0 malicious hosts detected
DNS
0 DNS requests for 0 domains
0 nameservers contacted
0 total requests returned errors
HTTP/S
1 URLs contacted, 1 servers
1 sessions, 965 bytes sent, 9.04 KB received
HTTP Requests
Method URL Dest. IP Dest. Port Status Code Response Size Verdict
GET https://drive.google.com/uc?export=download&id=19a01RrgyI-MoTWQV_MtVM1iosugK4zZG - - 0 bytes NA
BEHAVIOR
Process Graph
Sample Start -> #1 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe
#1 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe -> (Child Process; Modify Memory, Modify Control Flow) -> #2 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe
Process #1: 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe
ID 1
File Name c:\users\keecfmwgj\desktop\38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe
Command Line "C:\Users\kEecfMwgj\Desktop\38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe"
Initial Working Directory C:\Users\kEecfMwgj\Desktop\
Monitor Start Time Start Time: 45785, Reason: Analysis Target
Unmonitor End Time End Time: 106672, Reason: Terminated
Monitor duration 60.89s
Return Code 0
PID 3816
Parent PID 876
Bitness 32 Bit
Host Behavior
Type Count
System 13
Module 138
Environment 1
File 9
- 2
Mutex 1
Window 11
Registry 3
Keyboard 1
- 2
- 173
- 2
Process 1
- 2
- 3
Process #2: 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe
ID 2
File Name c:\users\keecfmwgj\desktop\38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe
Command Line "C:\Users\kEecfMwgj\Desktop\38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe"
Initial Working Directory C:\Users\kEecfMwgj\Desktop\
Monitor Start Time Start Time: 105224, Reason: Child Process
Unmonitor End Time End Time: 286861, Reason: Terminated by Timeout
Monitor duration 181.64s
Return Code Unknown
PID 3876
Parent PID 3816
Bitness 32 Bit
Injection Information (3)
Injection Type Source Process Source / Target TID Address / Name Size Success Count
Modify Memory #1: c:\users\keecfmwgj\desktop\38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe 0xeec 0x400000(4194304) 0x153000 1
Modify Memory #1: c:\users\keecfmwgj\desktop\38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe 0xeec 0x1a0000(1703936) 0x12000 1
Modify Control Flow #1: c:\users\keecfmwgj\desktop\38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe 0xeec / 0xf28 0x1a0000(1703936) - 1
Dropped Files (3)
File Name File Size SHA256 YARA Match
- 155.25 KB 6c78ef77acef978321ccd30ee126fb7d30285bc186ddbdbe8b3e8f6e69d01353
- 59.59 KB e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544
- 239 bytes 4795e528c8379d0b85214ecaf3e22e25b7b915d689a1991aede47c1c50bf7079
Host Behavior
Type Count
Module 667
- 3
File 234
- 173
- 2
System 1679
Registry 36
Mutex 1
Network Behavior
Type Count
HTTP 1
TCP 1
ARTIFACTS
File
SHA256 File Names Category File Size MIME Type Operations Verdict
38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b C:\Users\kEecfMwgj\Desktop\38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe Sample File 100.00 KB application/vnd.microsoft.portable-executable Access MALICIOUS
e6480383ad2f3174092c5a54f76156113a93609ba6190c658475452988d64c18 c:\users\keecfmwgj\appdata\roaming\microsoft\windows\cookies\index.dat Modified File 32.00 KB application/octet-stream - CLEAN
6c78ef77acef978321ccd30ee126fb7d30285bc186ddbdbe8b3e8f6e69d01353 authroot.stl Embedded File 155.25 KB application/octet-stream - CLEAN
4795e528c8379d0b85214ecaf3e22e25b7b915d689a1991aede47c1c50bf7079 c:\users\keecfmwgj\appdata\roaming\microsoft\windows\cookies\keecfmwgj@google[1].txt Dropped File 239 bytes text/plain - CLEAN
e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544 c:\users\keecfmwgj\appdata\local\temp\cabd16b.tmp Downloaded File 59.59 KB application/vnd.ms-cab-compressed - CLEAN
Filename
File Name Category Operations Verdict
C:\Users\kEecfMwgj\Desktop\38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe Sample File Access CLEAN
C:\Windows\system32\MSVBVM60.DLL Accessed File Access CLEAN
C:\Program Files\Qemu-ga\qemu-ga.exe Accessed File Access CLEAN
C:\Program Files\qga\qga.exe Accessed File Access CLEAN
\??\C:\Windows\syswow64\msvbvm60.dll Accessed File Access CLEAN
URL
URL Category IP Address Country HTTP Methods Verdict
https://drive.google.com/uc?export=download&id=19a01RrgyI-MoTWQV_MtVM1iosugK4zZG - 142.250.185.206 - GET CLEAN
Domain
Domain IP Address Country Protocols Verdict
drive.google.com 142.250.185.206 - HTTP CLEAN
IP
IP Address Domains Country Protocols Verdict
142.250.185.206 drive.google.com United States DNS, HTTPS, TCP CLEAN
Mutex
Name Operations Parent Process Name Verdict
AC886C1380004474ED06FF77 access 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe CLEAN
Registry
Registry Key Operations Parent Process Name Verdict
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors access 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe CLEAN
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Afkrydses\signaldetektoren access 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography access 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid access, read 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\CurrentVersion access, read 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\ComodoGroup\IceDragon\Setup\SetupPath access, read 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\Safari\InstallDir access, read 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\K-Meleon\CurrentVersion access, read 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\mozilla.org\SeaMonkey\CurrentVersion access, read 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey\CurrentVersion access, read 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Flock\CurrentVersion access, read 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe CLEAN
HKEY_CURRENT_USER\Software\QtWeb.NET\QtWeb Internet Browser\AutoComplete access 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 access 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\8pecxstudios\Cyberfox86\RootDir access, read 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\8pecxstudios\Cyberfox\Path access, read 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Pale Moon\CurrentVersion access, read 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Waterfox\CurrentVersion access, read 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe CLEAN
HKEY_CURRENT_USER\Software\LinasFTP\Site Manager access 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe CLEAN
HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings\LastPassword access, read 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe CLEAN
HKEY_CURRENT_USER\Software\Ghisler\Total Commander\FtpIniName access, read 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe CLEAN
HKEY_CURRENT_USER\Software access 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe CLEAN
HKEY_CURRENT_USER\Software\AppDataLow access 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe CLEAN
HKEY_CURRENT_USER\Software\IM Providers access 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft access 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe CLEAN
HKEY_CURRENT_USER\Software\Netscape access 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe CLEAN
HKEY_CURRENT_USER\Software\ODBC access 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe CLEAN
HKEY_CURRENT_USER\Software\Policies access 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe CLEAN
HKEY_CURRENT_USER\Software\Wow6432Node access 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe CLEAN
HKEY_CURRENT_USER\Software\Classes access 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe CLEAN
Process
Process Name Commandline Verdict
38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe "C:\Users\kEecfMwgj\Desktop\38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe" MALICIOUS
YARA / AV
YARA (40)
Ruleset Name Rule Name Rule Description File Type File Name Classification Verdict
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Malware Lokibot Lokibot Stealer Memory Dump - Spyware 5/5
Antivirus (41)
File Type Threat Name File Name Verdict
Memory Dump Gen:Trojan.Heur3.LPT.gmX@aSs4QPdab - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
Memory Dump Gen:Variant.Razy.762033 - MALICIOUS
ENVIRONMENT
Virtual Machine Information
Name win7_64_sp1_en_mso2016
Description win7_64_sp1_en_mso2016
Architecture x86 64-bit
Operating System Windows 7
Kernel Version 6.1.7601.18741 (2e37f962-d699-492c-aaf3-f9f4e9770b1d)
Network Scheme Name Local Gateway
Network Config Name Local Gateway
Analyzer Information
Analyzer Version 4.2.2
Dynamic Engine Version 4.2.2 / 07/23/2021 03:44
Static Engine Version 4.2.2.0
Built-in AV Version AVCORE v2.2 Linux/x86_64 11.0.1.19 (March 15, 2021)
Built-in AV Database Update Release Date 2021-08-23 08:58:22+00:00
AV Exceptions Version 4.2.2.54 / 2021-07-23 03:00:10
VTI Ruleset Version 4.2.2.33 / 2021-08-02 14:31:04
YARA Built-in Ruleset Version 4.2.2.34
Link Detonation Heuristics Version -
Signature Trust Store Version 4.2.2.54 / 2021-07-23 03:00:10
Analysis Report Layout Version 10
Software Information
Adobe Acrobat Reader Version Not installed
Microsoft Office 2016
Microsoft Office Version 16.0.4266.1003
Internet Explorer Version 8.0.7601.17514
Chrome Version Not installed
Firefox Version Not installed
Flash Version Not installed
Java Version Not installed