Windows Analysis Report
REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Overview

General Information

Sample Name: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Analysis ID: 756301
MD5: b9f70f4146b846179fa182ac868d0c15
SHA1: 97cb5de0e0cc2f53cd73552f9d5b4381ab5a5907
SHA256: ff235029990af0449ce8f82c5546dfe37170d5e27ce1a22b0a43965a980344be

Detection

GuLoader, Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Lokibot
Antivirus detection for URL or domain
Yara detected GuLoader
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
One or more processes crash
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Classification

AV Detection

Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe ReversingLabs: Detection: 17%
Source: http://157.245.36.27/~dokterpol/?page=2874 Avira URL Cloud: Label: malware
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Joe Sandbox ML: detected
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bekvemmeligheder
Source: unknown HTTPS traffic detected: 142.250.185.238:443 -> 192.168.11.20:49836 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.161:443 -> 192.168.11.20:49837 version: TLS 1.2
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mshtml.pdb source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54204236542.0000000000649000.00000008.00000001.01000000.00000006.sdmp
Source: Binary string: D:\SourceCode\ScenarioProfile\production_V4.2\ScenarioProfileFrameWork\Service\ServiceSDK\Release\ScenarioProfilePlugIn\AsOpenFile.pdb source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr
Source: Binary string: mshtml.pdbUGP source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54204236542.0000000000649000.00000008.00000001.01000000.00000006.sdmp
Source: Binary string: D:\SourceCode\ScenarioProfile\production_V4.2\ScenarioProfileFrameWork\Service\ServiceSDK\Release\ScenarioProfilePlugIn\AsOpenFile.pdb,,)GCTL source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_00406555 FindFirstFileW,FindClose, 2_2_00406555
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_0040287E FindFirstFileW, 2_2_0040287E
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_00405A03 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 2_2_00405A03

Networking

Source: Traffic Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.11.20:49838 -> 157.245.36.27:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.11.20:49838 -> 157.245.36.27:80
Source: Traffic Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.11.20:49838 -> 157.245.36.27:80
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View IP Address: 157.245.36.27
Source: global traffic HTTP traffic detected:
  GET /uc?export=download&id=1ZppbncXCwboWfcBo0A5zlqzevMjFwzpW HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Host: drive.google.com
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
  GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/65eu063p0f9eoc2qkjfmonuuk5gkqmq4/1669764675000/03238822727237126472/*/1ZppbncXCwboWfcBo0A5zlqzevMjFwzpW?e=download&uuid=c4bc146b-22c6-4e17-89b8-c96a6eb96fab HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Cache-Control: no-cache
  Host: doc-0g-8k-docs.googleusercontent.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  POST /~dokterpol/?page=2874 HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: 157.245.36.27
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: A663AB80
  Content-Length: 178
  Connection: close
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown TCP traffic detected without corresponding DNS query: 157.245.36.27 (reported 12 times)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 2 times)
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54362021539.0000000001943000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54356420593.0000000001943000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54392699460.0000000001943000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54362021539.0000000001943000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54356420593.0000000001943000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54392699460.0000000001943000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54204236542.0000000000649000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54204236542.0000000000649000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: http://www.gopher.ftp://ftp.
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54204053166.0000000000626000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54203683114.00000000005F2000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54203683114.00000000005F2000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54356841847.0000000001984000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54392074084.0000000001919000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54362021539.0000000001943000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54391896205.0000000001901000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54392699460.0000000001943000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-0g-8k-docs.googleusercontent.com/
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54391896205.0000000001901000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-0g-8k-docs.googleusercontent.com/%%doc-0g-8k-docs.googleusercontent.com
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54391896205.0000000001901000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-0g-8k-docs.googleusercontent.com/)
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54362021539.0000000001943000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54356420593.0000000001943000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54392699460.0000000001943000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54392074084.0000000001919000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-0g-8k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/65eu063p
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54391638858.00000000018E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54391291036.00000000018B8000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54393764611.0000000001C10000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1ZppbncXCwboWfcBo0A5zlqzevMjFwzpW
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54391291036.00000000018B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1ZppbncXCwboWfcBo0A5zlqzevMjFwzpWr
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54204236542.0000000000649000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54363023216.000000001D4A0000.00000004.00001000.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54363172732.000000001D4AA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54363172732.000000001D4AA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://login.live.com//
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54363172732.000000001D4AA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/https://login.live.com/
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54363172732.000000001D4AA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/v104
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: unknown DNS traffic detected: queries for: drive.google.com
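The LokiBot beacon in this section stands out on a few header features rather than on its body: the "Mozilla/4.08 (Charon; Inferno)" User-Agent (what ET 2021641 keys on), an HTTP/1.0 POST of application/octet-stream carrying an 8-hex-digit Content-Key (the shape ET 2024312/2024317 look for), and a bare IP in the Host header that matches the "TCP traffic without corresponding DNS query" finding. The Python below is an added example, not part of the Joe Sandbox report: it reassembles the captured Google Drive GET and the C2 POST as constructed sample requests, parses the request head, and scores each against those features. The indicator names and the rule for what counts as a strong indicator are an approximation of the ET signatures written for this example, not the rule bodies themselves.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed samples, reassembled from the requests captured in this report
# (the report prints each request on one line; CRLFs restored here). Bodies are
# omitted: only the request line and headers are inspected.
SAMPLE_REQUESTS = [
    "GET /uc?export=download&id=1ZppbncXCwboWfcBo0A5zlqzevMjFwzpW HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Host: drive.google.com\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n",
    "POST /~dokterpol/?page=2874 HTTP/1.0\r\n"
    "User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
    "Host: 157.245.36.27\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Encoding: binary\r\n"
    "Content-Key: A663AB80\r\n"
    "Content-Length: 178\r\n"
    "Connection: close\r\n"
    "\r\n",
]

LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"      # the UA ET 2021641 alerts on
CONTENT_KEY_RE = re.compile(r"^[0-9A-Fa-f]{8}$")    # Content-Key seen here: A663AB80


@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: Dict[str, str]   # header names lower-cased


def parse_request(raw: str) -> HttpRequest:
    """Split a raw request head into request line and headers (body ignored)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, version, headers)


def is_ip_literal(host: str) -> bool:
    """True when the Host header is an IP rather than a name (no DNS needed)."""
    host = host.strip("[]")
    if host.count(":") == 1:           # drop an optional :port on IPv4
        host = host.rsplit(":", 1)[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def lokibot_indicators(req: HttpRequest) -> List[str]:
    """Return the LokiBot beacon features present in one request."""
    hits: List[str] = []
    if req.headers.get("user-agent") == LOKIBOT_UA:
        hits.append("user-agent Charon/Inferno (cf. ET 2021641)")
    key = req.headers.get("content-key", "")
    if (req.method == "POST"
            and CONTENT_KEY_RE.match(key)
            and req.headers.get("content-type") == "application/octet-stream"):
        hits.append("POST of octet-stream with 8-hex Content-Key (cf. ET 2024312/2024317)")
    if req.method == "POST" and req.version == "HTTP/1.0":
        hits.append("HTTP/1.0 POST")
    host = req.headers.get("host", "")
    if host and is_ip_literal(host):
        hits.append(f"Host is a bare IP literal ({host})")
    return hits


def triage(raw_requests: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Verdict per request; only the UA and Content-Key features are strong."""
    out: List[Tuple[str, str, List[str]]] = []
    for raw in raw_requests:
        req = parse_request(raw)
        hits = lokibot_indicators(req)
        strong = any(h.startswith(("user-agent Charon", "POST of octet-stream")) for h in hits)
        summary = f"{req.method} {req.headers.get('host', '?')}{req.target}"
        out.append((summary, "lokibot-c2" if strong else "no-match", hits))
    return out


if __name__ == "__main__":
    for summary, verdict, hits in triage(SAMPLE_REQUESTS):
        print(f"{verdict:11} {summary}")
        for h in hits:
            print(f"    - {h}")
```

The Google Drive GET carries the IE11 user agent the report flags as "known web browser user agent" and produces no hits; the bare-IP Host and HTTP/1.0 features are listed on their own as context, since either alone is common in legitimate traffic and should not drive a verdict.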
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_004054B0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 2_2_004054B0
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7568 -s 1980
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_0040344A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 2_2_0040344A
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_004068DA 2_2_004068DA
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_00404CED 2_2_00404CED
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_032ECB42 2_2_032ECB42
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_032D6122 2_2_032D6122
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_032D5B37 2_2_032D5B37
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_032D7306 2_2_032D7306
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_032D5944 2_2_032D5944
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_032EF95D 2_2_032EF95D
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_032D17BD 2_2_032D17BD
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_032D61DB 2_2_032D61DB
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_032D3DD6 2_2_032D3DD6
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_032D6221 2_2_032D6221
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_032D7430 2_2_032D7430
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_032D7607 2_2_032D7607
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_032D5C06 2_2_032D5C06
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_032D5E16 2_2_032D5E16
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_032D727E 2_2_032D727E
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_032D587A 2_2_032D587A
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_032D5A43 2_2_032D5A43
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_032EE6AB 2_2_032EE6AB
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_032D58A1 2_2_032D58A1
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_032D6C8B 2_2_032D6C8B
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_032EC892 2_2_032EC892
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_032D74FA 2_2_032D74FA
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_032DA6F5 2_2_032DA6F5
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_032D6CCB 2_2_032D6CCB
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_032ECCDC 2_2_032ECCDC
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 5_2_0168101C 5_2_0168101C
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_032F07A4 NtProtectVirtualMemory, 2_2_032F07A4
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_032F1813 NtResumeThread, 2_2_032F1813
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 5_2_0168157A NtProtectVirtualMemory, 5_2_0168157A
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAsOpenFile.exeL vs REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Section loaded: edgegdi.dll (reported 2 times)
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe File read: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Process created: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe File created: C:\Users\user\AppData\Local\Folkedansens
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe File created: C:\Users\user\AppData\Local\Temp\nsf145.tmp
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@4/6@2/3
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_00402104 CoCreateInstance, 2_2_00402104
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_00404771 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 2_2_00404771
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\28278665D4ACB73EF64D459A
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Data Obfuscation

Source: Yara match File source: 00000002.00000002.54387083303.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.54201456373.0000000001660000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.54385682867.00000000007CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_10002DE0 push eax; ret 2_2_10002E0E
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_032D0730 push eax; retf 2_2_032D0732
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_032D4DCE push eax; ret 2_2_032D4DD6
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_032D46FC push ecx; iretd 2_2_032D4705
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 2_2_10001B18
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe File created: C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe File created: C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane\AsOpenFile.exe
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane\AsOpenFile.exe
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_032D6F6D rdtsc 2_2_032D6F6D
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_00406555 FindFirstFileW,FindClose, 2_2_00406555
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_0040287E FindFirstFileW, 2_2_0040287E
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_00405A03 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 2_2_00405A03
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe API call chain: ExitProcess graph end node
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54388031494.0000000010059000.00000004.00000800.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54393846365.0000000003449000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54392074084.0000000001919000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW5
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54388031494.0000000010059000.00000004.00000800.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54393846365.0000000003449000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54393846365.0000000003449000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54388031494.0000000010059000.00000004.00000800.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54393846365.0000000003449000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54388031494.0000000010059000.00000004.00000800.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54393846365.0000000003449000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54388031494.0000000010059000.00000004.00000800.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54393846365.0000000003449000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54393846365.0000000003449000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54391638858.00000000018E5000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54392074084.0000000001919000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54388031494.0000000010059000.00000004.00000800.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54393846365.0000000003449000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54388031494.0000000010059000.00000004.00000800.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54393846365.0000000003449000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54388031494.0000000010059000.00000004.00000800.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54393846365.0000000003449000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54393846365.0000000003449000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 2_2_10001B18
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_032D6F6D rdtsc 2_2_032D6F6D
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_032EF95D mov eax, dword ptr fs:[00000030h] 2_2_032EF95D
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_032D58A1 mov eax, dword ptr fs:[00000030h] 2_2_032D58A1
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_032DA6F5 mov eax, dword ptr fs:[00000030h] 2_2_032DA6F5
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_032EDAC1 mov eax, dword ptr fs:[00000030h] 2_2_032EDAC1
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_032D9D4A LdrLoadDll, 2_2_032D9D4A
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Process created: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 2_2_0040344A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 2_2_0040344A

Stealing of Sensitive Information

Source: Yara match File source: dump.pcap, type: PCAP
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Remote Access Functionality

Source: Yara match File source: dump.pcap, type: PCAP