
DYNAMIC ANALYSIS REPORT #6972494

Classifications: Spyware

Threat Names: Lokibot, Gen:Trojan.Heur3.LPT.gmX@aSs4QPdab, Gen:Variant.Razy.762033

Verdict: MALICIOUS

Verdict Reason: -

Sample Type Windows Exe (x86-32)

File Name 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe

ID #2651322

MD5 bcd3e420575492db9ee58c42b2032094

SHA1 3d31aace807806cfe8652f07e695b881ba0876e1

SHA256 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b

File Size 100.00 KB

Report Created 2021-08-23 14:04 (UTC+2)

Target Environment win7_64_sp1_en_mso2016 | exe

X-Ray Vision for Malware - www.vmray.com 1 / 18 DYNAMIC ANALYSIS REPORT #6972494

OVERVIEW

VMRay Threat Identifiers (20 rules, 38 matches)

Score Category Operation Count Classification

5/5 YARA Malicious content matched by YARA rules 1 Spyware

• Rule "Lokibot" from ruleset "Malware" has matched on a memory dump for (process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe.

5/5 Data Collection Tries to read cached credentials of various applications 1 Spyware

• Tries to read sensitive data of: FileZilla, Internet Explorer, BlazeFTP, Total Commander, Pidgin, QtWeb Internet Browser, Internet Explorer / Edge, LinasFTP.

4/5 Antivirus Malicious content was detected by heuristic scan 2 -

• Built-in AV detected a memory dump of (process #1) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe as "Gen:Trojan.Heur3.LPT.gmX@aSs4QPdab".

• Built-in AV detected a memory dump of (process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe as "Gen:Variant.Razy.762033".

3/5 Anti Analysis Tries to evade debugger 1 -

• (Process #1) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe hides thread via API "NtSetInformationThread".

3/5 Discovery Reads installed applications 1 Spyware

• Reads installed programs by enumerating the SOFTWARE registry key.

2/5 Anti Analysis Tries to detect debugger 1 -

• (Process #1) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to detect a debugger via API "NtQueryInformationProcess".

2/5 Data Collection Reads sensitive browser data 3 -

• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to read sensitive data of "QtWeb Internet Browser" by registry.

• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to read credentials of web browser "Internet Explorer" by reading from the system's credential vault.

• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to read sensitive data of web browser "Internet Explorer / Edge" by registry.

2/5 Data Collection Reads sensitive application data 1 -

• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to read sensitive data of application "Pidgin" by file.

2/5 Data Collection Reads sensitive ftp data 5 -

• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to read sensitive data of ftp application "LinasFTP" by registry.

• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to read sensitive data of ftp application "FileZilla" by file.

• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to read sensitive data of ftp application "BlazeFTP" by file.

• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to read sensitive data of ftp application "BlazeFTP" by registry.

• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to read sensitive data of ftp application "Total Commander" by registry.

2/5 Injection Writes into the memory of a process started from a created or modified executable 1 -

• (Process #1) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe modifies memory of (process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe.

2/5 Injection Modifies control of a process started from a created or modified executable 1 -

• (Process #1) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe alters context of (process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe.

2/5 Anti Analysis Makes direct system call to possibly evade hooking based sandboxes 2 -


• (Process #1) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe makes a direct system call to "NtAllocateVirtualMemory".

• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe makes a direct system call to "NtAllocateVirtualMemory".

1/5 Hide Tracks Creates process with hidden window 1 -

• (Process #1) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe starts (process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe with a hidden window.

1/5 Obfuscation Creates a page with write and execute permissions 1 -

• (Process #1) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.

1/5 Discovery Reads system data 1 -

• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe reads the cryptographic machine GUID from registry.

1/5 Mutex Creates mutex 1 -

• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe creates mutex with name "AC886C1380004474ED06FF77".

1/5 Discovery Possibly does reconnaissance 9 -

• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to gather information about application " " by registry.

• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to gather information about application "Comodo IceDragon" by registry.

• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to gather information about application "" by registry.

• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to gather information about application "K-Meleon" by registry.

• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to gather information about application "Mozilla SeaMonkey" by registry.

• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to gather information about application "Mozilla " by registry.

• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to gather information about application "Cyberfox" by registry.

• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to gather information about application "Total Commander" by registry.

• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to gather information about application "" by registry.

1/5 Obfuscation Overwrites code 2 -

• (Process #1) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe overwrites code to possibly hide behavior.

• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe overwrites code to possibly hide behavior.

1/5 Obfuscation Resolves API functions dynamically 2 -

• (Process #1) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe resolves 72 API functions by name.

• (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe resolves 25 API functions by name.

1/5 Execution Executes itself 1 -

• (Process #1) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe executes a copy of the sample at C:\Users\kEecfMwgj\Desktop\38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe.


Mitre ATT&CK Matrix

Tactic columns: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact. Techniques observed for this sample, by tactic:

Defense Evasion
• #T1143 Hidden Window
• #T1045 Software Packing

Credential Access
• #T1214 Credentials in Registry
• #T1003 Credential Dumping
• #T1081 Credentials in Files

Discovery
• #T1082 System Information Discovery
• #T1012 Query Registry
• #T1217 Browser Bookmark Discovery
• #T1083 File and Directory Discovery

Collection
• #T1119 Automated Collection
• #T1005 Data from Local System

No techniques were mapped to Initial Access, Execution, Persistence, Privilege Escalation, Lateral Movement, Command and Control, Exfiltration or Impact.


Sample Information

ID #2651322

MD5 bcd3e420575492db9ee58c42b2032094

SHA1 3d31aace807806cfe8652f07e695b881ba0876e1

SHA256 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b

SSDeep 1536:Y3AExAD534Dy5EqP6zW6X48mPTzJ5V0Le5xK:+xi4YmX48mP/+K5xK

ImpHash 877d76f42120b733733986666dfbed46

File Name 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe

File Size 100.00 KB

Sample Type Windows Exe (x86-32)

Has Macros

Analysis Information

Creation Time 2021-08-23 14:04 (UTC+2)

Analysis Duration 00:04:00

Termination Reason Timeout

Number of Monitored Processes 2

Execution Successful False

Reputation Enabled

WHOIS Enabled

Built-in AV Enabled

Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files

Number of AV Matches 41

YARA Enabled

YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files

Number of YARA Matches 40


NETWORK

General

965 bytes total sent

9.04 KB total received

1 port: 443

1 contacted IP addresses

0 extracted

1 files downloaded

0 malicious hosts detected

DNS

0 DNS requests for 0 domains

0 nameservers contacted

0 total requests returned errors

HTTP/S

1 URLs contacted, 1 servers

1 sessions, 965 bytes sent, 9.04 KB received

HTTP Requests

Method | URL | Dest. IP | Dest. Port | Status Code | Response Size | Verdict

GET | https://drive.google.com/uc?export=download&id=19a01RrgyI-MoTWQV_MtVM1iosugK4zZG | - | - | - | 0 bytes | NA


BEHAVIOR

Process Graph

Sample Start -> #1 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe -> (Modify Memory, Modify Control Flow) -> #2 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe (Child Process)


Process #1: 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe

ID 1

File Name c:\users\keecfmwgj\desktop\38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe

Command Line "C:\Users\kEecfMwgj\Desktop\38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe"

Initial Working Directory C:\Users\kEecfMwgj\Desktop\

Monitor Start Time Start Time: 45785, Reason: Analysis Target

Unmonitor End Time End Time: 106672, Reason: Terminated

Monitor duration 60.89s

Return Code 0

PID 3816

Parent PID 876

Bitness 32 Bit

Host Behavior

Type Count

System 13

Module 138

Environment 1

File 9

- 2

Mutex 1

Window 11

Registry 3

Keyboard 1

- 2

- 173

- 2

Process 1

- 2

- 3


Process #2: 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe

ID 2

File Name c:\users\keecfmwgj\desktop\38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe

Command Line "C:\Users\kEecfMwgj\Desktop\38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe"

Initial Working Directory C:\Users\kEecfMwgj\Desktop\

Monitor Start Time Start Time: 105224, Reason: Child Process

Unmonitor End Time End Time: 286861, Reason: Terminated by Timeout

Monitor duration 181.64s

Return Code Unknown

PID 3876

Parent PID 3816

Bitness 32 Bit

Injection Information (3)

Injection Type | Source Process | Source / Target TID | Address / Name | Size | Success Count

Modify Memory | #1: c:\users\keecfmwgj\desktop\38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe | 0xeec | 0x400000 (4194304) | 0x153000 | 1

Modify Memory | #1: c:\users\keecfmwgj\desktop\38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe | 0xeec | 0x1a0000 (1703936) | 0x12000 | 1

Modify Control Flow | #1: c:\users\keecfmwgj\desktop\38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe | 0xeec / 0xf28 | 0x1a0000 (1703936) | - | 1

Dropped Files (3)

File Name | File Size | SHA256 | YARA Match

- | 155.25 KB | 6c78ef77acef978321ccd30ee126fb7d30285bc186ddbdbe8b3e8f6e69d01353 | 

- | 59.59 KB | e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544 | 

- | 239 bytes | 4795e528c8379d0b85214ecaf3e22e25b7b915d689a1991aede47c1c50bf7079 | 

Host Behavior

Type Count

Module 667

- 3

File 234

- 173

- 2

System 1679

Registry 36

Mutex 1


Network Behavior

Type Count

HTTP 1

TCP 1


ARTIFACTS

File

SHA256 | File Names | Category | File Size | MIME Type | Operations | Verdict

38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b | C:\Users\kEecfMwgj\Desktop\38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe | Sample File | 100.00 KB | application/vnd.microsoft.portable-executable | Access | MALICIOUS

e6480383ad2f3174092c5a54f76156113a93609ba6190c658475452988d64c18 | c:\users\keecfmwgj\appdata\roaming\microsoft\windows\cookies\index.dat | Modified File | 32.00 KB | application/octet-stream | - | CLEAN

6c78ef77acef978321ccd30ee126fb7d30285bc186ddbdbe8b3e8f6e69d01353 | authroot.stl | Embedded File | 155.25 KB | application/octet-stream | - | CLEAN

4795e528c8379d0b85214ecaf3e22e25b7b915d689a1991aede47c1c50bf7079 | c:\users\keecfmwgj\appdata\roaming\microsoft\windows\cookies\keecfmwgj@google[1].txt | Dropped File | 239 bytes | text/plain | - | CLEAN

e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544 | c:\users\keecfmwgj\appdata\local\temp\cabd16b.tmp | Downloaded File | 59.59 KB | application/vnd.ms-cab-compressed | - | CLEAN

Filename

File Name Category Operations Verdict

C:\Users\kEecfMwgj\Desktop\38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe Sample File Access CLEAN

C:\Windows\system32\MSVBVM60.DLL Accessed File Access CLEAN

C:\Program Files\Qemu-ga\qemu-ga.exe Accessed File Access CLEAN

C:\Program Files\qga\qga.exe Accessed File Access CLEAN

\??\C:\Windows\syswow64\msvbvm60.dll Accessed File Access CLEAN

URL

URL | Category | IP Address | Country | HTTP Methods | Verdict

https://drive.google.com/uc?export=download&id=19a01RrgyI-MoTWQV_MtVM1iosugK4zZG | - | 142.250.185.206 | - | GET | CLEAN

Domain

Domain IP Address Country Protocols Verdict

drive.google.com 142.250.185.206 - HTTP CLEAN

IP

IP Address Domains Country Protocols Verdict

142.250.185.206 drive.google.com United States DNS, HTTPS, TCP CLEAN

Mutex

Name | Operations | Parent Process Name | Verdict

AC886C1380004474ED06FF77 | access | 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe | CLEAN

Registry

Registry Key | Operations | Parent Process Name | Verdict

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors | access | 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe | CLEAN

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Afkrydses\signaldetektoren | access | 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography | access | 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid | access, read | 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\CurrentVersion | access, read | 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\ComodoGroup\IceDragon\Setup\SetupPath | access, read | 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\Safari\InstallDir | access, read | 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\K-Meleon\CurrentVersion | access, read | 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\mozilla.org\SeaMonkey\CurrentVersion | access, read | 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey\CurrentVersion | access, read | 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Flock\CurrentVersion | access, read | 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe | CLEAN

HKEY_CURRENT_USER\Software\QtWeb.NET\QtWeb Internet Browser\AutoComplete | access | 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 | access | 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\8pecxstudios\Cyberfox86\RootDir | access, read | 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\8pecxstudios\Cyberfox\Path | access, read | 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Pale Moon\CurrentVersion | access, read | 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe | CLEAN

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\\CurrentVersion | access, read | 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe | CLEAN

HKEY_CURRENT_USER\Software\LinasFTP\Site Manager | access | 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe | CLEAN

HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings\LastPassword | access, read | 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe | CLEAN

HKEY_CURRENT_USER\Software\Ghisler\Total Commander\FtpIniName | access, read | 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe | CLEAN

HKEY_CURRENT_USER\Software | access | 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe | CLEAN

HKEY_CURRENT_USER\Software\AppDataLow | access | 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe | CLEAN

HKEY_CURRENT_USER\Software\IM Providers | access | 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe | CLEAN

HKEY_CURRENT_USER\Software\Microsoft | access | 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe | CLEAN

HKEY_CURRENT_USER\Software\Netscape | access | 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe | CLEAN

HKEY_CURRENT_USER\Software\ODBC | access | 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe | CLEAN

HKEY_CURRENT_USER\Software\Policies | access | 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe | CLEAN

HKEY_CURRENT_USER\Software\Wow6432Node | access | 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe | CLEAN

HKEY_CURRENT_USER\Software\Classes | access | 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe | CLEAN


Process

Process Name | Commandline | Verdict

38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe | "C:\Users\kEecfMwgj\Desktop\38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe" | MALICIOUS


YARA / AV

YARA (40)

Ruleset Name | Rule Name | Rule Description | File Type | File Name | Classification | Verdict

Malware | Lokibot | Lokibot Stealer | Memory Dump | - | Spyware | 5/5

The row above is identical for all 40 YARA matches (each on a separate memory dump).

Antivirus (41)

File Type | Threat Name | File Name | Verdict

Memory Dump | Gen:Trojan.Heur3.LPT.gmX@aSs4QPdab | - | MALICIOUS

Memory Dump | Gen:Variant.Razy.762033 | - | MALICIOUS

The second row is identical for the remaining 40 of the 41 AV matches (each on a separate memory dump).


ENVIRONMENT

Virtual Machine Information

Name win7_64_sp1_en_mso2016

Description win7_64_sp1_en_mso2016

Architecture x86 64-bit

Operating System

Kernel Version 6.1.7601.18741 (2e37f962-d699-492c-aaf3-f9f4e9770b1d)

Network Scheme Name Local Gateway

Network Config Name Local Gateway

Analyzer Information

Analyzer Version 4.2.2

Dynamic Engine Version 4.2.2 / 07/23/2021 03:44

Static Engine Version 4.2.2.0

Built-in AV Version AVCORE v2.2 /x86_64 11.0.1.19 (March 15, 2021)

Built-in AV Database Update Release Date 2021-08-23 08:58:22+00:00

AV Exceptions Version 4.2.2.54 / 2021-07-23 03:00:10

VTI Ruleset Version 4.2.2.33 / 2021-08-02 14:31:04

YARA Built-in Ruleset Version 4.2.2.34

Link Detonation Heuristics Version -

Signature Trust Store Version 4.2.2.54 / 2021-07-23 03:00:10

Analysis Report Layout Version 10

Software Information

Adobe Acrobat Reader Version Not installed

Microsoft Office 2016

Microsoft Office Version 16.0.4266.1003

Internet Explorer Version 8.0.7601.17514

Chrome Version Not installed

Firefox Version Not installed

Flash Version Not installed

Java Version Not installed
