
QUOTATION.exe

Status: finished
Submission Time: 2023-03-20 14:48:26 +01:00
Malicious
Trojan
Evader
Ransomware
Spyware
GuLoader, FormBook

Comments

Tags

  • exe
  • guloader

Details

  • Analysis ID:
    830630
  • API (Web) ID:
    1197726
  • Analysis Started:
    2023-03-20 14:56:35 +01:00
  • Analysis Finished:
    2023-03-20 15:33:16 +01:00
  • MD5:
    9f23ccacd955392c62b1b5d4be4ed690
  • SHA1:
    d7c9c869add707b5b41a1f11f5c82bba94eabbd7
  • SHA256:
    7b8d50ac67b2f0de5e35909025cc1a8d15f5edd18675878c7aaa31e3fe83a9fd
  • Technologies:
    Joe Sandbox

Detection  Score  System
malicious  76   Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
malicious  100  Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)

Third Party Analysis Engines

malicious  Score: 19/67
malicious  Score: 13/39

IPs

IP               Country
91.184.0.24      Netherlands
45.194.145.38    Seychelles
199.192.26.35    United States
217.160.0.217    Germany
45.56.79.23      United States
154.215.156.6    Seychelles
34.117.168.233   United States
104.21.45.96     United States
81.17.18.196     Switzerland
23.83.160.9      United States
208.91.197.91    Virgin Islands (British)
81.17.29.148     Switzerland
88.212.206.251   Russian Federation
2.57.90.16       Lithuania
162.240.73.101   United States

Domains

Name                             IP
www.texasgent.com                81.17.29.148
www.ghostdyes.net                0.0.0.0
www.finelinetackdirect.com       0.0.0.0
www.eta-trader.net               0.0.0.0
www.184411.com                   0.0.0.0
www.flaviosilva.online           0.0.0.0
www.brightfms.com                81.17.18.196
www.interactive-media.ru         88.212.206.251
flaviosilva.online               2.57.90.16
www.maxhaidt.com                 104.21.45.96
www.buymyenergy.com              45.194.145.38
www.dexmart.xyz                  199.192.26.35
www.b-tek.media                  91.184.0.24
www.aznqmd.com                   23.83.160.9
www.funvacayflorida.com          208.91.197.91
www.solya-shop.com               217.160.0.217
bb.zhanghonghong.com             154.215.156.6
eta-trader.net                   2.57.90.16
td-ccm-168-233.wixdns.net        34.117.168.233
www.cardinialethanol.com         45.56.79.23
www.wittofitentertainment.com    162.240.73.101

URLs

Name
http://www.dexmart.xyz/d91r/?pO=mny6VZKrhd/9NKVuKuT/s/SGWqKgSQU06gLLPmpyieItdUR08ut5ldoEEciwTOIy3aXJmehMaME22hMIN/PsdP4yT3Vly6kaHw==&8H7gL=Bxcfm_qbbEGm
http://www.ghostdyes.net/d91r/
http://www.brightfms.com/d91r/?pO=BFqfPYQ6Rc2mbekoZnhhN28rIM4KcYUdKeGPb5qgdPRiCoEueOOZiURhvdwkEmvoJvWE5RZiBCNwm7zhRu2A+WCDMptVnP5c5Q==&8H7gL=Bxcfm_qbbEGm
http://www.funvacayflorida.com/d91r/
http://www.184411.com/d91r/
http://www.b-tek.media/d91r/
http://www.texasgent.com/d91r/?pO=Cz7EdLoZVVVFkl6Al85Fq2yKknQr9MrL8MY+iTrjKvcqeI67VNXHoBdgAYm0xOpsMAVI5pfYswEw4evz8uHbKlZcCugzfDdIKQ==&8H7gL=Bxcfm_qbbEGm
http://www.solya-shop.com/d91r/?pO=7PV8upFW6FVa3k/MU+30mMAjyxriZ1cDX5oDGeg3AZSuSXraG6qqoVat6TxNWaSRWOEFtjNQc54wQIQLn7Ha+8c9lg+BGW9hdg==&8H7gL=Bxcfm_qbbEGm
http://www.texasgent.com/d91r/
http://www.dexmart.xyz/d91r/
http://www.interactive-media.ru/d91r/?pO=iC4EpsnjqAMsGvgWFbn+fContgVXGATBB72AUlNsZB8RnX0iaYC7Rjz9cHXMA4a3u8hdEGRv958fgJWC172SOiEaLo/g5aJ7NA==&8H7gL=Bxcfm_qbbEGm
http://www.solya-shop.com/d91r/
http://www.aznqmd.com/d91r/?pO=PMnnsBn+KIOLN/VfOifa/NU1HKCRW97HYgMDorQQf0wo2T3aBqzEKnmyN0lZa7FB9krY/amKEMrac7kP3KvtrQL60DCopbH9IA==&8H7gL=Bxcfm_qbbEGm
http://www.cardinialethanol.com/d91r/?pO=xFjwo0xAzcGZMdvEtWe8dg3SOJilBZCwp4DaoNJ0mT1+16DKJdlGz7oyHXjYsyYKd34SXU2gi60PXCcIQ24pa/hNG6+rBSLNTw==&8H7gL=Bxcfm_qbbEGm
http://www.cardinialethanol.com/d91r/
http://www.flaviosilva.online/d91r/
http://www.brightfms.com
https://android.notify.windows.com/iOS
http://www.symauth.com/rpa00
http://nsis.sf.net/NSIS_Error
http://www.nero.com
https://www.msn.com/en-us/news/technology/facebook-oversight-board-reviewing-xcheck-system-for-vips/
https://api.msn.com/v1/news/Feed/Windows?activityId=5696A836803C42E0B53F7BB2770E5342&timeOut=10000&o
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppb
https://www.webnames.ru/ssl?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow_ssl2&wn_c
https://outlook.com
http://www.symauth.com/cps0(
http://www.b-tek.mediawww.dexmart.xyz
http://www.ghostdyes.net
http://www.brightfms.com/d91r/?8H7gL=Bxcfm_qbbEGm&ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhd
http://nsis.sf.net/NSIS_ErrorError
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
http://www.www.fantasticserver.yachts
https://www.webnames.ru/help/feedback?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow
http://www.ghostdyes.net/d91r/8H7gL=Bxcfm_qbbEGm
http://www.b-tek.media
https://support.google.com/chrome/?p=plugin_flash
http://www.funvacayflorida.comT
http://www.dhiyasecurities.com/d91r/ldE8Xu=oYWDxG4UFF1
http://www.aznqmd.com
http://23.83.160.2:88/tz.php?ref=
http://www.cardinialethanol.com
http://www.buymyenergy.com
http://www.fantasticserver.yachtswww.dhiyasecurities.com
http://www.flaviosilva.online
https://api.msn.com/v1/news/Feed/Windows?
http://www.fantasticserver.yachts/d91r/ldE8Xu=oYWDxG4UFF1
http://browsehappy.com/
https://www.webnames.ru/ssl?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow_ssl_banne
https://word.office.com(
http://www.aznqmd.comwww.
http://www.flaviosilva.onlinewww.solya-shop.com
http://www.eta-trader.net/d91r/8H7gL=Bxcfm_qbbEGm
http://www.buymyenergy.comwww.184411.com
http://www.dexmart.xyz/d91r/8H7gL=Bxcfm_qbbEGm
http://schemas.microsoft.c
https://www.msn.com/en-us/news/us/texas-gov-abbott-sends-miles-of-cars-along-border-to-deter-migrant
https://www.msn.com/en-us/new
https://www.webnames.ru/help/faq?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow_faq&
http://www.finelinetackdirect.com/d91r/8H7gL=Bxcfm_qbbEGm
http://www.fantasticserver.yachts/d91r/
http://www.gopher.ftp://ftp.
http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
http://www.buymyenergy.com/d91r/8H7gL=Bxcfm_qbbEGm
https://excel.office.com
https://deff.nelreports.net/api/report?cat=msn
https://hm.baidu.com/hm.js?c5f848a241986c827a6aea67b151df57
http://www.maxhaidt.com/d91r/8H7gL=Bxcfm_qbbEGm
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
https://api.msn.com:443/v1/news/Feed/Windows?
http://www.184411.com/d91r/8H7gL=Bxcfm_qbbEGm
http://www.interactive-media.ru/d91r/
http://www.popularartprints.orgT
https://duckduckgo.com/ac/?q=
http://www.texasgent.comwww.brightfms.com
http://www.184411.com
https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
https://duckduckgo.com/chrome_newtab
https://www.wittofitentertainment.com/VeHZpcMYNF28.bin(
http://www.brightfms.comwww.eta-trader.net
http://trade.webnames.ru
http://www.finelinetackdirect.comwww.maxhaidt.com
https://www.msn.com/en-us/tv/celebrity/tarek-el-moussa-tests-positive-for-covid-19-shuts-down-filmin
http://www.eta-trader.netwww.funvacayflorida.com
http://www.solya-shop.comwww.buymyenergy.com
http://www.solya-shop.com
https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg
http://www.dhiyasecurities.comwww.popularartprints.org
https://www.webnames.ru/wn/img/logo-horizontal.svg
http://www.popularartprints.org/d91r/
https://wns.windows.com/
http://www.maxhaidt.comwww.aznqmd.com
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
http://www.eta-trader.net
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppat
http://www.dexmart.xyzwww.finelinetackdirect.com
https://www.webnames.ru/domains/check?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow
http://www.popularartprints.org/d91r/ldE8Xu=oYWDxG4UFF1
http://www.funvacayflorida.com/?fp=dj8phrx%2FM7zn2%2BQxIl96VISg%2BlRAUkJF1tnEn7z1%2BPtQiCFpqnDhHGDoC
https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

Dropped files

Name  File Type
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Industrialization\Snoldets\Embrocates\Utaalmodiges.Taa169  data
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\hamotzi\System.dll  PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Alswith\Peroxidisement\Foresprges87\SolutionExplorerCLI.dll  PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Wept\libpkcs11-helper-1.dll  PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Wept\maintenanceservice2.exe  PE32+ executable (GUI) x86-64, for MS Windows
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Wept\percentile.dll  PE32+ executable (DLL) (console) x86-64, for MS Windows
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\hamotzi\Dampning.Dub  ASCII text, with very long lines (65536), with no line terminators
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\hamotzi\System.Security.Cryptography.X509Certificates.dll  PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\hamotzi\libdatrie-1.dll  PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
C:\Users\user\AppData\Local\Temp\4995H5Jfc  SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 5, database pages 59, cookie 0x4f, schema 4, UTF-8, version-valid-for 5
C:\Users\user\AppData\Local\Temp\nsg9F21.tmp\System.dll  PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#