DYNAMIC ANALYSIS REPORT #6972494

Verdict: MALICIOUS
Verdict Reason: -
Classifications: Spyware, Lokibot
Threat Names: Gen:Trojan.Heur3.LPT.gmX@aSs4QPdab, Gen:Variant.Razy.762033
Sample Type: Windows Exe (x86-32)
File Name: 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe
ID: #2651322
MD5: bcd3e420575492db9ee58c42b2032094
SHA1: 3d31aace807806cfe8652f07e695b881ba0876e1
SHA256: 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b
File Size: 100.00 KB
Report Created: 2021-08-23 14:04 (UTC+2)
Target Environment: win7_64_sp1_en_mso2016 | exe

X-Ray Vision for Malware - www.vmray.com 1 / 18

OVERVIEW

VMRay Threat Identifiers (20 rules, 38 matches)

Score  Category         Operation                                                                     Count  Classification

5/5    YARA             Malicious content matched by YARA rules                                       1      Spyware
  • Rule "Lokibot" from ruleset "Malware" has matched on a memory dump for (process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe.

5/5    Data Collection  Tries to read cached credentials of various applications                      1      Spyware
  • Tries to read sensitive data of: FileZilla, Internet Explorer, BlazeFTP, Total Commander, Pidgin, QtWeb Internet Browser, Internet Explorer / Edge, LinasFTP.

4/5    Antivirus        Malicious content was detected by heuristic scan                              2      -
  • Built-in AV detected a memory dump of (process #1) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe as "Gen:Trojan.Heur3.LPT.gmX@aSs4QPdab".
  • Built-in AV detected a memory dump of (process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe as "Gen:Variant.Razy.762033".

3/5    Anti Analysis    Tries to evade debugger                                                       1      -
  • (Process #1) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe hides thread via API "NtSetInformationThread".

3/5    Discovery        Reads installed applications                                                  1      Spyware
  • Reads installed programs by enumerating the SOFTWARE registry key.

2/5    Anti Analysis    Tries to detect debugger                                                      1      -
  • (Process #1) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to detect a debugger via API "NtQueryInformationProcess".

2/5    Data Collection  Reads sensitive browser data                                                  3      -
  • (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to read sensitive data of web browser "QtWeb Internet Browser" by registry.
  • (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to read credentials of web browser "Internet Explorer" by reading from the system's credential vault.
  • (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to read sensitive data of web browser "Internet Explorer / Edge" by registry.

2/5    Data Collection  Reads sensitive application data                                              1      -
  • (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to read sensitive data of application "Pidgin" by file.

2/5    Data Collection  Reads sensitive ftp data                                                      5      -
  • (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to read sensitive data of ftp application "LinasFTP" by registry.
  • (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to read sensitive data of ftp application "FileZilla" by file.
  • (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to read sensitive data of ftp application "BlazeFTP" by file.
  • (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to read sensitive data of ftp application "BlazeFTP" by registry.
  • (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to read sensitive data of ftp application "Total Commander" by registry.

2/5    Injection        Writes into the memory of a process started from a created or modified executable   1      -
  • (Process #1) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe modifies memory of (process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe.

2/5    Injection        Modifies control flow of a process started from a created or modified executable    1      -
  • (Process #1) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe alters context of (process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe.

2/5    Anti Analysis    Makes direct system call to possibly evade hooking based sandboxes            2      -
  • (Process #1) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe makes a direct system call to "NtAllocateVirtualMemory".
  • (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe makes a direct system call to "NtAllocateVirtualMemory".

1/5    Hide Tracks      Creates process with hidden window                                            1      -
  • (Process #1) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe starts (process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe with a hidden window.

1/5    Obfuscation      Creates a page with write and execute permissions                             1      -
  • (Process #1) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.

1/5    Discovery        Reads system data                                                             1      -
  • (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe reads the cryptographic machine GUID from registry.

1/5    Mutex            Creates mutex                                                                 1      -
  • (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe creates mutex with name "AC886C1380004474ED06FF77".

1/5    Discovery        Possibly does reconnaissance                                                  9      -
  • (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to gather information about application "Mozilla Firefox" by registry.
  • (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to gather information about application "Comodo IceDragon" by registry.
  • (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to gather information about application "Safari" by registry.
  • (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to gather information about application "K-Meleon" by registry.
  • (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to gather information about application "Mozilla SeaMonkey" by registry.
  • (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to gather information about application "Mozilla Flock" by registry.
  • (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to gather information about application "Cyberfox" by registry.
  • (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to gather information about application "Total Commander" by registry.
  • (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe tries to gather information about application "NetScape" by registry.

1/5    Obfuscation      Overwrites code                                                               2      -
  • (Process #1) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe overwrites code to possibly hide behavior.
  • (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe overwrites code to possibly hide behavior.

1/5    Obfuscation      Resolves API functions dynamically                                            2      -
  • (Process #1) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe resolves 72 API functions by name.
  • (Process #2) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe resolves 25 API functions by name.

1/5    Execution        Executes itself                                                               1      -
  • (Process #1) 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe executes a copy of the sample at C:\Users\kEecfMwgj\Desktop\38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe.

Mitre ATT&CK Matrix

Initial Access: -
Execution: -
Persistence: -
Privilege Escalation: -
Defense Evasion: #T1143 Hidden Window; #T1045 Software Packing
Credential Access: #T1214 Credentials in Registry; #T1003 Credential Dumping; #T1081 Credentials in Files
Discovery: #T1082 System Information Discovery; #T1012 Query Registry; #T1217 Browser Bookmark Discovery; #T1083 File and Directory Discovery
Lateral Movement: -
Collection: #T1119 Automated Collection; #T1005 Data from Local System
Command and Control: -
Exfiltration: -
Impact: -

Sample Information

ID: #2651322
MD5: bcd3e420575492db9ee58c42b2032094
SHA1: 3d31aace807806cfe8652f07e695b881ba0876e1
SHA256: 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b
SSDeep: 1536:Y3AExAD534Dy5EqP6zW6X48mPTzJ5V0Le5xK:+xi4YmX48mP/+K5xK
ImpHash: 877d76f42120b733733986666dfbed46
File Name: 38bc9d836ab63101c9eddcb9232e7c1ad227517701caf73f799ec07abdd4386b.exe
File Size: 100.00 KB
Sample Type: Windows Exe (x86-32)
Has Macros

Analysis Information

Creation Time: 2021-08-23 14:04 (UTC+2)
Analysis Duration: 00:04:00
Termination Reason: Timeout
Number of Monitored Processes: 2
Execution Successful: False
Reputation: Enabled
WHOIS: Enabled
Built-in AV: Enabled
Built-in AV Applied On: Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of AV Matches: 41
YARA: Enabled
YARA Applied On: Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of YARA Matches: 40
