Verdict Malicious
Classifications Spyware, Injector
Threat Names Lokibot.v2, Lokibot, C2/Generic-A, Mal/Generic-S

Dynamic Analysis Report

Created on 2022-08-05T08:17:15+00:00

08b3772f35997a0eb0894e7e58b4a324324de6121f557976909bdaa31a2c883e.exe

Windows Exe (x86-32)

Remarks (1/1)

(0x0200000E): The overall sleep time of all monitored processes was truncated from 1 hour, 40 minutes to 20 seconds to reveal dormant functionality. Timings in the function log are therefore not wall-clock: the sample asked to sleep for roughly 100 minutes in total, and code that compares elapsed tick counts against that expectation can take a different path on a real host than it did in this run.

File Name C:\Users\RDhJ0CNFevzX\Desktop\08b3772f35997a0eb0894e7e58b4a324324de6121f557976909bdaa31a2c883e.exe
Category Sample File
Type Binary
Verdict Malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 1.45 MB
MD5 6153ed96a83ceea98dbae09e7b77fcf6
SHA1 7f9a6ce71969ef0eb7deeafed635a127f23e37a8
SHA256 08b3772f35997a0eb0894e7e58b4a324324de6121f557976909bdaa31a2c883e
SSDeep 24576:fUKvdOVvLnRj8kp67n/N+fzUA23AwgTobYS:ZcbCDC63AwgTobYS
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
File Reputation Information
Verdict Malicious
Names Mal/Generic-S
PE Information
Image Base 0x00400000
Entry Point 0x00573C12
Size Of Code 0x00171C18
Size Of Initialized Data 0x00000570
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-12-27 19:34 (UTC+1)
Version Information (10)
The version resource describes a Microsoft Azure DevOps Server DLL (Microsoft.VisualStudio.Services.Search.Shared.WebApi.dll), while the sample is a 1.45 MB GUI executable. The strings are borrowed from a legitimate product to look trustworthy; do not use them for attribution or allow-listing, and verify the Authenticode signature (not shown in this report) before trusting a CompanyName of Microsoft Corporation.
Assembly Version 16.0.0.0
Comments a2c3f171
CompanyName Microsoft Corporation
FileDescription Microsoft.VisualStudio.Services.Search.Shared.WebApi.dll
FileVersion 16.162.29627.1 built by: releases/M162 (f47f2edcc3)
InternalName Microsoft.VisualStudio.Services.Search.Shared.WebApi.dll
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename Microsoft.VisualStudio.Services.Search.Shared.WebApi.dll
ProductName Microsoft® Azure® DevOps Server®
ProductVersion 16.162.29627.1
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00402000 0x00171C18 0x00171E00 0x00000200 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.46
.rsrc 0x00574000 0x00000564 0x00000600 0x00172000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 3.18
.reloc 0x00576000 0x0000000C 0x00000200 0x00172600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 0.1
Imports (1)
mscoree.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CorExeMain - 0x00402000 0x00173B20 0x00171D20 0x00000000
A single import, mscoree.dll!_CorExeMain, is the stub every .NET executable carries: the native entry point only hands control to the CLR, so the import table says nothing about what the managed code does, and the ImpHash above (f34d5f2d4577ed6d9ceec516c1f5a744) is the value shared by every .NET executable with this one import, which makes it useless for clustering. The managed metadata and the reflectively loaded assembly captured in the memory dumps are where the actual behaviour lives.
Memory Dumps (4)
Two of the four dumps matter for triage. The buffer at 0x022B0000 was captured because a .NET assembly was loaded reflectively from memory rather than from a file, so that buffer, not the original image, is what to load into a .NET decompiler. amsi.dll was dumped because its content changed in memory after it was loaded, which is what an in-process AMSI patch looks like from the outside; the report records that the module was modified, not which bytes were written. None of the dumps was rebuilt into a loadable PE (PE Rebuild False).
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
08b3772f35997a0eb0894e7e58b4a324324de6121f557976909bdaa31a2c883e.exe 1 0x00400000 0x00577FFF Relevant Image False 32-bit - False
buffer 1 0x022B0000 0x02313FFF Reflectively Loaded .NET Assembly False 32-bit - False
amsi.dll 1 0x6E8F0000 0x6E8FCFFF Content Changed False 32-bit - False
08b3772f35997a0eb0894e7e58b4a324324de6121f557976909bdaa31a2c883e.exe 1 0x00400000 0x00577FFF Process Termination False 32-bit - False
C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.exe Dropped File Binary
Verdict Clean
The clean verdict is correct for the file content: the version information and imports below identify it as a copy of the Windows FIND.EXE utility. What matters is where it was written. A newly created directory under AppData\Roaming with a six-character hexadecimal name, holding a six-character hexadecimal .exe and matching .hdb and .lck files (both listed below), is the installation layout Lokibot uses for its persistent copy and its database and lock files. The report does not say why find.exe ends up at this path, so hunt on the directory pattern and the .hdb/.lck companions rather than on this file's hash.
MIME Type application/vnd.microsoft.portable-executable
File Size 15.00 KB
MD5 d4e89c95e0a8c76dee878475476e32dd
SHA1 ca38529a1dce7814e9d346c5164bdd83cbe7450f
SHA256 e50486e8c70a8a05db15c5fa32b30d9cf36bc72f739a8429b97174e92878dbd4
SSDeep 384:gAvWS6g3JJwe+Lke0swtXhrijj8LWJIWgv:gAv76g3JJwekke0swLrOgq
ImpHash 8fa33a618d0cf65fe7234746100f5e3e
File Reputation Information
Verdict Clean
Known to be clean.
PE Information
Image Base 0x00400000
Entry Point 0x004023C0
Size Of Code 0x00001C00
Size Of Initialized Data 0x00001E00
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2015-10-30 03:38 (UTC+1)
Version Information (8)
CompanyName Microsoft Corporation
FileDescription Find String (grep) Utility
FileVersion 10.0.10586.0 (th2_release.151029-1700)
InternalName find
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename FIND.EXE
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.10586.0
Sections (5)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x00001AA4 0x00001C00 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 5.61
.data 0x00403000 0x00000374 0x00000200 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.18
.idata 0x00404000 0x00000D08 0x00000E00 0x00002200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.2
.rsrc 0x00405000 0x00000800 0x00000800 0x00003000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.34
.reloc 0x00406000 0x000002C4 0x00000400 0x00003800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 5.26
Imports (4)
KERNEL32.dll (13)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
CompareStringW - 0x00404000 0x000041C4 0x000023C4 0x00000090
HeapSetInformation - 0x00404004 0x000041C8 0x000023C8 0x0000033B
GetCurrentProcess - 0x00404008 0x000041CC 0x000023CC 0x0000020A
UnhandledExceptionFilter - 0x0040400C 0x000041D0 0x000023D0 0x00000592
GetTickCount - 0x00404010 0x000041D4 0x000023D4 0x000002F6
GetSystemTimeAsFileTime - 0x00404014 0x000041D8 0x000023D8 0x000002D9
GetCurrentThreadId - 0x00404018 0x000041DC 0x000023DC 0x0000020F
GetCurrentProcessId - 0x0040401C 0x000041E0 0x000023E0 0x0000020B
QueryPerformanceCounter - 0x00404020 0x000041E4 0x000023E4 0x00000436
GetModuleHandleA - 0x00404024 0x000041E8 0x000023E8 0x00000265
SetUnhandledExceptionFilter - 0x00404028 0x000041EC 0x000023EC 0x00000553
Sleep - 0x0040402C 0x000041F0 0x000023F0 0x00000562
TerminateProcess - 0x00404030 0x000041F4 0x000023F4 0x00000571
msvcrt.dll (14)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
?terminate@@YAXXZ - 0x00404038 0x000041FC 0x000023FC 0x00000035
_controlfp - 0x0040403C 0x00004200 0x00002400 0x00000137
_except_handler4_common - 0x00404040 0x00004204 0x00002404 0x0000016A
_XcptFilter - 0x00404044 0x00004208 0x00002408 0x0000006F
__p__commode - 0x00404048 0x0000420C 0x0000240C 0x000000C9
_amsg_exit - 0x0040404C 0x00004210 0x00002410 0x00000111
__getmainargs - 0x00404050 0x00004214 0x00002414 0x000000A1
__set_app_type - 0x00404054 0x00004218 0x00002418 0x000000E2
_exit - 0x00404058 0x0000421C 0x0000241C 0x00000173
_cexit - 0x0040405C 0x00004220 0x00002420 0x00000124
__p__fmode - 0x00404060 0x00004224 0x00002424 0x000000CE
__setusermatherr - 0x00404064 0x00004228 0x00002428 0x000000E4
exit - 0x00404068 0x0000422C 0x0000242C 0x000004AE
_initterm - 0x0040406C 0x00004230 0x00002430 0x000001E8
ulib.dll (54)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
??1DSTRING@@UAE@XZ - 0x00404080 0x00004244 0x00002444 0x00000039
??0DSTRING@@QAE@XZ - 0x00404084 0x00004248 0x00002448 0x0000000E
?Initialize@FLAG_ARGUMENT@@QAEEPAD@Z - 0x00404088 0x0000424C 0x0000244C 0x000000C9
??0FLAG_ARGUMENT@@QAE@XZ - 0x0040408C 0x00004250 0x00002450 0x0000000F
?QueryStream@FSN_FILE@@QAEPAVFILE_STREAM@@W4STREAMACCESS@@K@Z - 0x00404090 0x00004254 0x00002454 0x0000014B
?SetConsoleConversions@WSTRING@@SGXXZ - 0x00404094 0x00004258 0x00002458 0x0000017A
?Initialize@WSTRING@@QAEEPBV1@KK@Z - 0x00404098 0x0000425C 0x0000245C 0x000000EA
?Initialize@WSTRING@@QAEEPBGK@Z - 0x0040409C 0x00004260 0x00002460 0x000000E9
?Initialize@WSTRING@@QAEEPBDK@Z - 0x004040A0 0x00004264 0x00002464 0x000000E8
?ReadLine@STREAM@@QAEEPAVWSTRING@@E@Z - 0x004040A4 0x00004268 0x00002468 0x00000156
?IsValueSet@ARGUMENT@@QAEEXZ - 0x004040A8 0x0000426C 0x0000246C 0x000000FD
??0PROGRAM@@IAE@XZ - 0x004040AC 0x00004270 0x00002470 0x00000024
?DebugDump@OBJECT@@UBEXE@Z - 0x004040B0 0x00004274 0x00002474 0x00000082
?Usage@PROGRAM@@UBEXXZ - 0x004040B4 0x00004278 0x00002478 0x000001BE
?GetStandardError@PROGRAM@@UAEPAVSTREAM@@XZ - 0x004040B8 0x0000427C 0x0000247C 0x000000B5
?GetStandardOutput@PROGRAM@@UAEPAVSTREAM@@XZ - 0x004040BC 0x00004280 0x00002480 0x000000B7
?GetStandardInput@PROGRAM@@UAEPAVSTREAM@@XZ - 0x004040C0 0x00004284 0x00002484 0x000000B6
?Fatal@PROGRAM@@UBEXXZ - 0x004040C4 0x00004288 0x00002488 0x000000A3
??0CLASS_DESCRIPTOR@@QAE@XZ - 0x004040C8 0x0000428C 0x0000248C 0x0000000A
?DisplayMessage@PROGRAM@@UBEEKW4MESSAGE_TYPE@@@Z - 0x004040CC 0x00004290 0x00002490 0x00000090
?DisplayMessage@PROGRAM@@UBAEKW4MESSAGE_TYPE@@PADZZ - 0x004040D0 0x00004294 0x00002494 0x0000008F
??1PROGRAM@@UAE@XZ - 0x004040D4 0x00004298 0x00002498 0x00000048
?IsDrive@PATH@@QBEEXZ - 0x004040D8 0x0000429C 0x0000249C 0x000000F0
?Initialize@MULTIPLE_PATH_ARGUMENT@@QAEEPADEE@Z - 0x004040DC 0x000042A0 0x000024A0 0x000000D5
??1MULTIPLE_PATH_ARGUMENT@@UAE@XZ - 0x004040E0 0x000042A4 0x000024A4 0x00000043
??0MULTIPLE_PATH_ARGUMENT@@QAE@XZ - 0x004040E4 0x000042A8 0x000024A8 0x0000001E
?Put@ARRAY@@UAEEPAVOBJECT@@@Z - 0x004040E8 0x000042AC 0x000024AC 0x00000117
?Initialize@ARRAY@@QAEEKK@Z - 0x004040EC 0x000042B0 0x000024B0 0x000000BF
??1ARRAY@@UAE@XZ - 0x004040F0 0x000042B4 0x000024B4 0x00000032
??0ARRAY@@QAE@XZ - 0x004040F4 0x000042B8 0x000024B8 0x00000002
??1STREAM_MESSAGE@@UAE@XZ - 0x004040F8 0x000042BC 0x000024BC 0x0000004C
??0STREAM_MESSAGE@@QAE@XZ - 0x004040FC 0x000042C0 0x000024C0 0x00000029
?Initialize@STRING_ARGUMENT@@QAEEPAD@Z - 0x00404100 0x000042C4 0x000024C4 0x000000E0
??1STRING_ARGUMENT@@UAE@XZ - 0x00404104 0x000042C8 0x000024C8 0x0000004D
??0STRING_ARGUMENT@@QAE@XZ - 0x00404108 0x000042CC 0x000024CC 0x0000002A
?QueryFile@SYSTEM@@SGPAVFSN_FILE@@PBVPATH@@EPAE@Z - 0x0040410C 0x000042D0 0x000024D0 0x0000012E
?QueryDirectory@SYSTEM@@SGPAVFSN_DIRECTORY@@PBVPATH@@E@Z - 0x00404110 0x000042D4 0x000024D4 0x0000012B
?IsCorrectVersion@SYSTEM@@SGEXZ - 0x00404114 0x000042D8 0x000024D8 0x000000EF
?Strupr@WSTRING@@QAEPAV1@XZ - 0x00404118 0x000042DC 0x000024DC 0x000001B3
?Initialize@WSTRING@@QAEEXZ - 0x0040411C 0x000042E0 0x000024E0 0x000000EB
??1OBJECT@@UAE@XZ - 0x00404120 0x000042E4 0x000024E4 0x00000044
?Initialize@PROGRAM@@QAEEKKK@Z - 0x00404124 0x000042E8 0x000024E8 0x000000DB
?Compare@OBJECT@@UBEJPBV1@@Z - 0x00404128 0x000042EC 0x000024EC 0x00000075
?Initialize@CLASS_DESCRIPTOR@@QAEEPBD@Z - 0x0040412C 0x000042F0 0x000024F0 0x000000C6
??0ARGUMENT_LEXEMIZER@@QAE@XZ - 0x00404130 0x000042F4 0x000024F4 0x00000001
??1ARGUMENT_LEXEMIZER@@UAE@XZ - 0x00404134 0x000042F8 0x000024F8 0x00000031
?Initialize@ARGUMENT_LEXEMIZER@@QAEEPAVARRAY@@@Z - 0x00404138 0x000042FC 0x000024FC 0x000000BE
?DoParsing@ARGUMENT_LEXEMIZER@@QAEEPAVARRAY@@@Z - 0x0040413C 0x00004300 0x00002500 0x00000097
?PutSeparators@ARGUMENT_LEXEMIZER@@QAEXPBD@Z - 0x00404140 0x00004304 0x00002504 0x0000011C
?PutSwitches@ARGUMENT_LEXEMIZER@@QAEXPBD@Z - 0x00404144 0x00004308 0x00002508 0x00000120
?PrepareToParse@ARGUMENT_LEXEMIZER@@QAEEPAVWSTRING@@@Z - 0x00404148 0x0000430C 0x0000250C 0x00000116
?SetCaseSensitive@ARGUMENT_LEXEMIZER@@QAEXE@Z - 0x0040414C 0x00004310 0x00002510 0x00000176
?Fatal@PROGRAM@@UBAXKKPADZZ - 0x00404150 0x00004314 0x00002514 0x000000A2
?ValidateVersion@PROGRAM@@UBEXKK@Z - 0x00404154 0x00004318 0x00002518 0x000001C0
ntdll.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
RtlFreeHeap - 0x00404074 0x00004238 0x00002438 0x000003AB
RtlAllocateHeap - 0x00404078 0x0000423C 0x0000243C 0x000002AC
c:\users\rdhj0cnfevzx\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1560258661-3990802383-1811730007-1000\3d3578a85286f88c6cd9d151e4412949_03845cb8-7441-4a2f-8c0f-c90408af5778 Dropped File Stream
Verdict Clean
AppData\Roaming\Microsoft\Crypto\RSA\<user SID>\ is where CryptoAPI stores per-user RSA key containers; a file appears there when a process creates or opens a persisted key container, and it is benign on its own. The same path is listed twice with different hashes, so the container was written twice during the run; both versions are recorded separately.
MIME Type application/octet-stream
File Size 53 Bytes
MD5 9c3c1a69a3c43835d6a2579570e6aa0d
SHA1 8af2c3b90473b35f1bb936de12a8bf72fe658468
SHA256 e641ff8107a4197ded9f558d1891e716811e9a7f109f14e876f5a8394844dc34
SSDeep 3:/l4l5mrc9l:e4rc9l
ImpHash -
c:\users\rdhj0cnfevzx\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1560258661-3990802383-1811730007-1000\3d3578a85286f88c6cd9d151e4412949_03845cb8-7441-4a2f-8c0f-c90408af5778 Dropped File Stream
Verdict Clean
Known to be clean.
MIME Type application/octet-stream
File Size 53 Bytes
MD5 eca0470178275ac94e5de381969ed232
SHA1 d6de27e734eec57d1dda73489b4a6d6eecae3038
SHA256 353fd628b7f6e7d426e5d6a27d1bc3ac22fa7f812e7594cf2ec5ca1175785b50
SSDeep 3::
ImpHash -
File Reputation Information
Verdict Clean
Known to be clean.
C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.hdb Dropped File Text
Verdict Clean
MIME Type text/plain
File Size 4 Bytes
MD5 90f2527e58191a885a8cc35c99b89ba8
SHA1 10455ce0eb31eead75481e75dcba232d28c7e4c7
SHA256 859ffdca62ee0971821a4b2dedfc023d0f9a021391b5ac336ddb49d53d28330e
SSDeep 3:Kn:Kn
ImpHash -
C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.lck Dropped File Stream
Verdict Clean
Known to be clean.
The three hashes below are those of the single ASCII character "1", so the lock file is a one-byte marker. Content-based reputation on a file like this is meaningless; its value as an indicator is the path and the .exe/.hdb it sits beside.
MIME Type application/octet-stream
File Size 1 Bytes
MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SSDeep 3:U:U
ImpHash -
File Reputation Information
Verdict Clean
Known to be clean.
c64510503435c2143bad854faba7891308b4b089d140449ceb903620fea45d6a Downloaded File Stream
Verdict Clean
MIME Type application/octet-stream
File Size 23 Bytes
MD5 f74f0c674b6a20bbb1a7afac774bcfde
SHA1 07a2ca2822e69fcd2a70c73cc83dd553b8b97235
SHA256 c64510503435c2143bad854faba7891308b4b089d140449ceb903620fea45d6a
SSDeep 3:1lMgne9n:Ewe9n
ImpHash -
b14395003e5efba733d717f89486aee8222abf00b33190ea2d34e7b68d2bca73 Downloaded File Text
Verdict Clean
Known to be clean.
MIME Type text/plain
File Size 15 Bytes
MD5 003b3bb995c2451098869088630871df
SHA1 5d24783bc3514543ed9bd164e49f027d77b501f5
SHA256 b14395003e5efba733d717f89486aee8222abf00b33190ea2d34e7b68d2bca73
SSDeep 3:8gne9n:8we9n
ImpHash -
File Reputation Information
Verdict Clean
Known to be clean.
Both downloaded files are tiny responses (23 and 15 bytes) received during the run. This page identifies them by hash only, not by the host or URL they came from, and a clean reputation verdict on a 15-byte response says nothing about the server that sent it. The network destination, not these hashes, is the indicator to act on.
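The version information, the memory-dump reasons and the dropped-file paths above are the three things an analyst pulls out of a report like this first. The script below is an added example and is not part of the VMRay report or of VMRay's tooling: it parses a report excerpt in the flattened line layout used on this page and raises four findings automatically (a Lokibot-style AppData\Roaming\<6 hex>\<6 hex>.exe with .hdb or .lck companions, an amsi.dll dump recorded as Content Changed, a reflectively loaded .NET assembly, and a version resource that names a .dll for an .exe sample). The embedded REPORT text is a constructed excerpt of lines from this page plus one made-up benign path; the regular expressions, the six-hex-character drop pattern and the function names are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed excerpt in the flattened line layout of the report above.
# The final "Mozilla\cache.lck" line is a made-up benign path included to
# show a non-match; everything else is copied from the report.
REPORT = r"""
OriginalFilename Microsoft.VisualStudio.Services.Search.Shared.WebApi.dll
FileDescription Microsoft.VisualStudio.Services.Search.Shared.WebApi.dll
amsi.dll 1 0x6E8F0000 0x6E8FCFFF Content Changed False 32-bit - False
buffer 1 0x022B0000 0x02313FFF Reflectively Loaded .NET Assembly False 32-bit - False
C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.exe Dropped File Binary
C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.hdb Dropped File Text
C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.lck Dropped File Stream
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Mozilla\cache.lck Dropped File Stream
"""

# "<path> Dropped File <type>" rows of the file list.
DROP_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) Dropped File (?P<kind>\w+)$")
# "<name> <pid> <start> <end> <reason> <rebuild> <bits> ..." rows of the memory dump table.
DUMP_RE = re.compile(
    r"^(?P<name>\S+) (?P<pid>\d+) (?P<start>0x[0-9A-Fa-f]+) (?P<end>0x[0-9A-Fa-f]+) "
    r"(?P<reason>.+?) (?P<rebuild>True|False) (?P<bits>\d+-bit)"
)
# Version-resource fields of interest, "<Key> <Value>".
FIELD_RE = re.compile(r"^(OriginalFilename|FileDescription|CompanyName) (.+)$")
# Assumed drop layout: AppData\Roaming\<6 hex>\<6 hex>.{exe,hdb,lck}.
LOKI_RE = re.compile(
    r"^(?P<dir>[A-Za-z]:\\.*\\AppData\\Roaming\\[0-9A-F]{6})\\"
    r"(?P<stem>[0-9A-F]{6})\.(?P<ext>exe|hdb|lck)$",
    re.IGNORECASE,
)


def parse_report(text):
    """Split flattened report lines into version fields, dropped files and memory dumps."""
    fields, dropped, dumps = {}, [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DROP_RE.match(line)
        if m:
            dropped.append((m["path"], m["kind"]))
            continue
        m = DUMP_RE.match(line)
        if m:
            dumps.append(m.groupdict())
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields, dropped, dumps


def lokibot_drop_dirs(dropped):
    """Directories holding <stem>.exe together with a matching .hdb or .lck file."""
    exts_by_dir = defaultdict(set)
    for path, _kind in dropped:
        m = LOKI_RE.match(path)
        if m:
            exts_by_dir[(m["dir"], m["stem"].upper())].add(m["ext"].lower())
    return sorted(d for (d, _stem), exts in exts_by_dir.items()
                  if "exe" in exts and exts & {"hdb", "lck"})


def amsi_content_changed(dumps):
    """True when amsi.dll was dumped because its in-memory content changed."""
    return any(d["name"].lower() == "amsi.dll" and d["reason"] == "Content Changed"
               for d in dumps)


def reflective_dotnet_load(dumps):
    """True when any dump was taken because a .NET assembly was loaded from memory."""
    return any("Reflectively Loaded .NET Assembly" in d["reason"] for d in dumps)


def version_info_mismatch(fields, sample_name):
    """True when an .exe sample carries a version resource describing a .dll."""
    names = (fields.get("OriginalFilename", ""), fields.get("FileDescription", ""))
    return sample_name.lower().endswith(".exe") and any(n.lower().endswith(".dll") for n in names)


def triage(text, sample_name):
    """Run all four checks over one report excerpt and return the findings."""
    fields, dropped, dumps = parse_report(text)
    return {
        "lokibot_drop_dirs": lokibot_drop_dirs(dropped),
        "amsi_content_changed": amsi_content_changed(dumps),
        "reflective_dotnet_load": reflective_dotnet_load(dumps),
        "version_info_mismatch": version_info_mismatch(fields, sample_name),
    }


if __name__ == "__main__":
    # "sample.exe" stands in for the SHA256-named sample file of the report.
    for finding, value in triage(REPORT, "sample.exe").items():
        print(f"{finding}: {value}")
```

Run against the excerpt, the script reports the 9EDDE9 directory as a Lokibot-style drop set, flags the amsi.dll modification and the reflective .NET load, and marks the version resource as inconsistent with an .exe sample; the constructed Mozilla path is ignored because neither its directory nor its stem is six hexadecimal characters. The grouping by directory and stem is deliberate: a lone .lck or .hdb in AppData is common, while the exe-plus-companion combination under a hex-named directory is the layout worth alerting on.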
Function Logfile

This feature requires an online connection to the VMRay backend.

An offline version with limited functionality is also provided. The offline version is supported only in Mozilla Firefox with the setting "security.fileuri.strict_origin_policy" deactivated.