Dynamic Analysis Report
Created on 2022-08-05T08:17:15+00:00
Sample | 08b3772f35997a0eb0894e7e58b4a324324de6121f557976909bdaa31a2c883e.exe |
File Type | Windows Exe (x86-32) |
Verdict | Malicious |
Classifications | Spyware, Injector |
Threat Names | Lokibot.v2, Lokibot, C2/Generic-A, Mal/Generic-S |
Remarks (1/1)
(0x0200000E): The overall sleep time of all monitored processes was truncated from "1 hour, 40 minutes" to "20 seconds" to reveal dormant functionality.
File Name | Category | Type | Verdict |
---|---|---|---|
C:\Users\RDhJ0CNFevzX\Desktop\08b3772f35997a0eb0894e7e58b4a324324de6121f557976909bdaa31a2c883e.exe | Sample File | Binary | Malicious |
File Reputation Information
Verdict | Malicious |
Names | Mal/Generic-S |
PE Information
Image Base | 0x00400000 |
Entry Point | 0x00573C12 |
Size Of Code | 0x00171C18 |
Size Of Initialized Data | 0x00000570 |
File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Machine Type | IMAGE_FILE_MACHINE_I386 |
Compile Timestamp | 2019-12-27 19:34 (UTC+1) |
Version Information (10)
Assembly Version | 16.0.0.0 |
Comments | a2c3f171 |
CompanyName | Microsoft Corporation |
FileDescription | Microsoft.VisualStudio.Services.Search.Shared.WebApi.dll |
FileVersion | 16.162.29627.1 built by: releases/M162 (f47f2edcc3) |
InternalName | Microsoft.VisualStudio.Services.Search.Shared.WebApi.dll |
LegalCopyright | © Microsoft Corporation. All rights reserved. |
OriginalFilename | Microsoft.VisualStudio.Services.Search.Shared.WebApi.dll |
ProductName | Microsoft® Azure® DevOps Server® |
ProductVersion | 16.162.29627.1 |
Sections (3)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x00402000 | 0x00171C18 | 0x00171E00 | 0x00000200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.46 |
.rsrc | 0x00574000 | 0x00000564 | 0x00000600 | 0x00172000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.18 |
.reloc | 0x00576000 | 0x0000000C | 0x00000200 | 0x00172600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.1 |
Imports (1)
mscoree.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
_CorExeMain | - | 0x00402000 | 0x00173B20 | 0x00171D20 | 0x00000000 |
Memory Dumps (4)
Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | YARA |
---|---|---|---|---|---|---|---|---|
08b3772f35997a0eb0894e7e58b4a324324de6121f557976909bdaa31a2c883e.exe | 1 | 0x00400000 | 0x00577FFF | Relevant Image | | 32-bit | - | |
buffer | 1 | 0x022B0000 | 0x02313FFF | Reflectively Loaded .NET Assembly | | 32-bit | - | |
amsi.dll | 1 | 0x6E8F0000 | 0x6E8FCFFF | Content Changed | | 32-bit | - | |
08b3772f35997a0eb0894e7e58b4a324324de6121f557976909bdaa31a2c883e.exe | 1 | 0x00400000 | 0x00577FFF | Process Termination | | 32-bit | - | |
C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.exe | Dropped File | Binary | Clean (known to be clean) |
File Reputation Information
Verdict | Clean (known to be clean) |
PE Information
Image Base | 0x00400000 |
Entry Point | 0x004023C0 |
Size Of Code | 0x00001C00 |
Size Of Initialized Data | 0x00001E00 |
File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
Machine Type | IMAGE_FILE_MACHINE_I386 |
Compile Timestamp | 2015-10-30 03:38 (UTC+1) |
Version Information (8)
CompanyName | Microsoft Corporation |
FileDescription | Find String (grep) Utility |
FileVersion | 10.0.10586.0 (th2_release.151029-1700) |
InternalName | find |
LegalCopyright | © Microsoft Corporation. All rights reserved. |
OriginalFilename | FIND.EXE |
ProductName | Microsoft® Windows® Operating System |
ProductVersion | 10.0.10586.0 |
Sections (5)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x00401000 | 0x00001AA4 | 0x00001C00 | 0x00000400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.61 |
.data | 0x00403000 | 0x00000374 | 0x00000200 | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.18 |
.idata | 0x00404000 | 0x00000D08 | 0x00000E00 | 0x00002200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.2 |
.rsrc | 0x00405000 | 0x00000800 | 0x00000800 | 0x00003000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.34 |
.reloc | 0x00406000 | 0x000002C4 | 0x00000400 | 0x00003800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 5.26 |
Imports (4)
KERNEL32.dll (13)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
CompareStringW | - | 0x00404000 | 0x000041C4 | 0x000023C4 | 0x00000090 |
HeapSetInformation | - | 0x00404004 | 0x000041C8 | 0x000023C8 | 0x0000033B |
GetCurrentProcess | - | 0x00404008 | 0x000041CC | 0x000023CC | 0x0000020A |
UnhandledExceptionFilter | - | 0x0040400C | 0x000041D0 | 0x000023D0 | 0x00000592 |
GetTickCount | - | 0x00404010 | 0x000041D4 | 0x000023D4 | 0x000002F6 |
GetSystemTimeAsFileTime | - | 0x00404014 | 0x000041D8 | 0x000023D8 | 0x000002D9 |
GetCurrentThreadId | - | 0x00404018 | 0x000041DC | 0x000023DC | 0x0000020F |
GetCurrentProcessId | - | 0x0040401C | 0x000041E0 | 0x000023E0 | 0x0000020B |
QueryPerformanceCounter | - | 0x00404020 | 0x000041E4 | 0x000023E4 | 0x00000436 |
GetModuleHandleA | - | 0x00404024 | 0x000041E8 | 0x000023E8 | 0x00000265 |
SetUnhandledExceptionFilter | - | 0x00404028 | 0x000041EC | 0x000023EC | 0x00000553 |
Sleep | - | 0x0040402C | 0x000041F0 | 0x000023F0 | 0x00000562 |
TerminateProcess | - | 0x00404030 | 0x000041F4 | 0x000023F4 | 0x00000571 |
msvcrt.dll (14)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
?terminate@@YAXXZ | - | 0x00404038 | 0x000041FC | 0x000023FC | 0x00000035 |
_controlfp | - | 0x0040403C | 0x00004200 | 0x00002400 | 0x00000137 |
_except_handler4_common | - | 0x00404040 | 0x00004204 | 0x00002404 | 0x0000016A |
_XcptFilter | - | 0x00404044 | 0x00004208 | 0x00002408 | 0x0000006F |
__p__commode | - | 0x00404048 | 0x0000420C | 0x0000240C | 0x000000C9 |
_amsg_exit | - | 0x0040404C | 0x00004210 | 0x00002410 | 0x00000111 |
__getmainargs | - | 0x00404050 | 0x00004214 | 0x00002414 | 0x000000A1 |
__set_app_type | - | 0x00404054 | 0x00004218 | 0x00002418 | 0x000000E2 |
_exit | - | 0x00404058 | 0x0000421C | 0x0000241C | 0x00000173 |
_cexit | - | 0x0040405C | 0x00004220 | 0x00002420 | 0x00000124 |
__p__fmode | - | 0x00404060 | 0x00004224 | 0x00002424 | 0x000000CE |
__setusermatherr | - | 0x00404064 | 0x00004228 | 0x00002428 | 0x000000E4 |
exit | - | 0x00404068 | 0x0000422C | 0x0000242C | 0x000004AE |
_initterm | - | 0x0040406C | 0x00004230 | 0x00002430 | 0x000001E8 |
ulib.dll (54)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
??1DSTRING@@UAE@XZ | - | 0x00404080 | 0x00004244 | 0x00002444 | 0x00000039 |
??0DSTRING@@QAE@XZ | - | 0x00404084 | 0x00004248 | 0x00002448 | 0x0000000E |
?Initialize@FLAG_ARGUMENT@@QAEEPAD@Z | - | 0x00404088 | 0x0000424C | 0x0000244C | 0x000000C9 |
??0FLAG_ARGUMENT@@QAE@XZ | - | 0x0040408C | 0x00004250 | 0x00002450 | 0x0000000F |
?QueryStream@FSN_FILE@@QAEPAVFILE_STREAM@@W4STREAMACCESS@@K@Z | - | 0x00404090 | 0x00004254 | 0x00002454 | 0x0000014B |
?SetConsoleConversions@WSTRING@@SGXXZ | - | 0x00404094 | 0x00004258 | 0x00002458 | 0x0000017A |
?Initialize@WSTRING@@QAEEPBV1@KK@Z | - | 0x00404098 | 0x0000425C | 0x0000245C | 0x000000EA |
?Initialize@WSTRING@@QAEEPBGK@Z | - | 0x0040409C | 0x00004260 | 0x00002460 | 0x000000E9 |
?Initialize@WSTRING@@QAEEPBDK@Z | - | 0x004040A0 | 0x00004264 | 0x00002464 | 0x000000E8 |
?ReadLine@STREAM@@QAEEPAVWSTRING@@E@Z | - | 0x004040A4 | 0x00004268 | 0x00002468 | 0x00000156 |
?IsValueSet@ARGUMENT@@QAEEXZ | - | 0x004040A8 | 0x0000426C | 0x0000246C | 0x000000FD |
??0PROGRAM@@IAE@XZ | - | 0x004040AC | 0x00004270 | 0x00002470 | 0x00000024 |
?DebugDump@OBJECT@@UBEXE@Z | - | 0x004040B0 | 0x00004274 | 0x00002474 | 0x00000082 |
?Usage@PROGRAM@@UBEXXZ | - | 0x004040B4 | 0x00004278 | 0x00002478 | 0x000001BE |
?GetStandardError@PROGRAM@@UAEPAVSTREAM@@XZ | - | 0x004040B8 | 0x0000427C | 0x0000247C | 0x000000B5 |
?GetStandardOutput@PROGRAM@@UAEPAVSTREAM@@XZ | - | 0x004040BC | 0x00004280 | 0x00002480 | 0x000000B7 |
?GetStandardInput@PROGRAM@@UAEPAVSTREAM@@XZ | - | 0x004040C0 | 0x00004284 | 0x00002484 | 0x000000B6 |
?Fatal@PROGRAM@@UBEXXZ | - | 0x004040C4 | 0x00004288 | 0x00002488 | 0x000000A3 |
??0CLASS_DESCRIPTOR@@QAE@XZ | - | 0x004040C8 | 0x0000428C | 0x0000248C | 0x0000000A |
?DisplayMessage@PROGRAM@@UBEEKW4MESSAGE_TYPE@@@Z | - | 0x004040CC | 0x00004290 | 0x00002490 | 0x00000090 |
?DisplayMessage@PROGRAM@@UBAEKW4MESSAGE_TYPE@@PADZZ | - | 0x004040D0 | 0x00004294 | 0x00002494 | 0x0000008F |
??1PROGRAM@@UAE@XZ | - | 0x004040D4 | 0x00004298 | 0x00002498 | 0x00000048 |
?IsDrive@PATH@@QBEEXZ | - | 0x004040D8 | 0x0000429C | 0x0000249C | 0x000000F0 |
?Initialize@MULTIPLE_PATH_ARGUMENT@@QAEEPADEE@Z | - | 0x004040DC | 0x000042A0 | 0x000024A0 | 0x000000D5 |
??1MULTIPLE_PATH_ARGUMENT@@UAE@XZ | - | 0x004040E0 | 0x000042A4 | 0x000024A4 | 0x00000043 |
??0MULTIPLE_PATH_ARGUMENT@@QAE@XZ | - | 0x004040E4 | 0x000042A8 | 0x000024A8 | 0x0000001E |
?Put@ARRAY@@UAEEPAVOBJECT@@@Z | - | 0x004040E8 | 0x000042AC | 0x000024AC | 0x00000117 |
?Initialize@ARRAY@@QAEEKK@Z | - | 0x004040EC | 0x000042B0 | 0x000024B0 | 0x000000BF |
??1ARRAY@@UAE@XZ | - | 0x004040F0 | 0x000042B4 | 0x000024B4 | 0x00000032 |
??0ARRAY@@QAE@XZ | - | 0x004040F4 | 0x000042B8 | 0x000024B8 | 0x00000002 |
??1STREAM_MESSAGE@@UAE@XZ | - | 0x004040F8 | 0x000042BC | 0x000024BC | 0x0000004C |
??0STREAM_MESSAGE@@QAE@XZ | - | 0x004040FC | 0x000042C0 | 0x000024C0 | 0x00000029 |
?Initialize@STRING_ARGUMENT@@QAEEPAD@Z | - | 0x00404100 | 0x000042C4 | 0x000024C4 | 0x000000E0 |
??1STRING_ARGUMENT@@UAE@XZ | - | 0x00404104 | 0x000042C8 | 0x000024C8 | 0x0000004D |
??0STRING_ARGUMENT@@QAE@XZ | - | 0x00404108 | 0x000042CC | 0x000024CC | 0x0000002A |
?QueryFile@SYSTEM@@SGPAVFSN_FILE@@PBVPATH@@EPAE@Z | - | 0x0040410C | 0x000042D0 | 0x000024D0 | 0x0000012E |
?QueryDirectory@SYSTEM@@SGPAVFSN_DIRECTORY@@PBVPATH@@E@Z | - | 0x00404110 | 0x000042D4 | 0x000024D4 | 0x0000012B |
?IsCorrectVersion@SYSTEM@@SGEXZ | - | 0x00404114 | 0x000042D8 | 0x000024D8 | 0x000000EF |
?Strupr@WSTRING@@QAEPAV1@XZ | - | 0x00404118 | 0x000042DC | 0x000024DC | 0x000001B3 |
?Initialize@WSTRING@@QAEEXZ | - | 0x0040411C | 0x000042E0 | 0x000024E0 | 0x000000EB |
??1OBJECT@@UAE@XZ | - | 0x00404120 | 0x000042E4 | 0x000024E4 | 0x00000044 |
?Initialize@PROGRAM@@QAEEKKK@Z | - | 0x00404124 | 0x000042E8 | 0x000024E8 | 0x000000DB |
?Compare@OBJECT@@UBEJPBV1@@Z | - | 0x00404128 | 0x000042EC | 0x000024EC | 0x00000075 |
?Initialize@CLASS_DESCRIPTOR@@QAEEPBD@Z | - | 0x0040412C | 0x000042F0 | 0x000024F0 | 0x000000C6 |
??0ARGUMENT_LEXEMIZER@@QAE@XZ | - | 0x00404130 | 0x000042F4 | 0x000024F4 | 0x00000001 |
??1ARGUMENT_LEXEMIZER@@UAE@XZ | - | 0x00404134 | 0x000042F8 | 0x000024F8 | 0x00000031 |
?Initialize@ARGUMENT_LEXEMIZER@@QAEEPAVARRAY@@@Z | - | 0x00404138 | 0x000042FC | 0x000024FC | 0x000000BE |
?DoParsing@ARGUMENT_LEXEMIZER@@QAEEPAVARRAY@@@Z | - | 0x0040413C | 0x00004300 | 0x00002500 | 0x00000097 |
?PutSeparators@ARGUMENT_LEXEMIZER@@QAEXPBD@Z | - | 0x00404140 | 0x00004304 | 0x00002504 | 0x0000011C |
?PutSwitches@ARGUMENT_LEXEMIZER@@QAEXPBD@Z | - | 0x00404144 | 0x00004308 | 0x00002508 | 0x00000120 |
?PrepareToParse@ARGUMENT_LEXEMIZER@@QAEEPAVWSTRING@@@Z | - | 0x00404148 | 0x0000430C | 0x0000250C | 0x00000116 |
?SetCaseSensitive@ARGUMENT_LEXEMIZER@@QAEXE@Z | - | 0x0040414C | 0x00004310 | 0x00002510 | 0x00000176 |
?Fatal@PROGRAM@@UBAXKKPADZZ | - | 0x00404150 | 0x00004314 | 0x00002514 | 0x000000A2 |
?ValidateVersion@PROGRAM@@UBEXKK@Z | - | 0x00404154 | 0x00004318 | 0x00002518 | 0x000001C0 |
ntdll.dll (2)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
RtlFreeHeap | - | 0x00404074 | 0x00004238 | 0x00002438 | 0x000003AB |
RtlAllocateHeap | - | 0x00404078 | 0x0000423C | 0x0000243C | 0x000002AC |
c:\users\rdhj0cnfevzx\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1560258661-3990802383-1811730007-1000\3d3578a85286f88c6cd9d151e4412949_03845cb8-7441-4a2f-8c0f-c90408af5778 | Dropped File | Stream | Clean |
c:\users\rdhj0cnfevzx\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1560258661-3990802383-1811730007-1000\3d3578a85286f88c6cd9d151e4412949_03845cb8-7441-4a2f-8c0f-c90408af5778 | Dropped File | Stream | Clean (known to be clean) |
C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.hdb | Dropped File | Text | Clean |
C:\Users\RDhJ0CNFevzX\AppData\Roaming\9EDDE9\9BDC8A.lck | Dropped File | Stream | Clean (known to be clean) |
c64510503435c2143bad854faba7891308b4b089d140449ceb903620fea45d6a | Downloaded File | Stream | Clean |
b14395003e5efba733d717f89486aee8222abf00b33190ea2d34e7b68d2bca73 | Downloaded File | Text | Clean (known to be clean) |