Windows Analysis Report
REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Overview

General Information

Sample Name:REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Analysis ID:756301
MD5:b9f70f4146b846179fa182ac868d0c15
SHA1:97cb5de0e0cc2f53cd73552f9d5b4381ab5a5907
SHA256:ff235029990af0449ce8f82c5546dfe37170d5e27ce1a22b0a43965a980344be

Detection

GuLoader, Lokibot
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Lokibot
Antivirus detection for URL or domain
Yara detected GuLoader
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
One or more processes crash
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64native
  • cleanup
No configs have been found
Yara matches (Source / Rule / Description / Author / Strings):

Source: dump.pcap | Rule: JoeSecurity_Lokibot_1 | Description: Yara detected Lokibot | Author: Joe Security
Source: 00000002.00000002.54385682867.00000000007CC000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_GuLoader_3 | Description: Yara detected GuLoader | Author: Joe Security
Source: 00000002.00000002.54387083303.00000000032D0000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_GuLoader_2 | Description: Yara detected GuLoader | Author: Joe Security
Source: 00000005.00000000.54201456373.0000000001660000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_GuLoader_2 | Description: Yara detected GuLoader | Author: Joe Security

No Sigma rule has matched
Snort IDS alerts (three rules fired on the same TCP connection, 192.168.11.20:49838 -> 157.245.36.27:80, at 11/30/22-00:31:37.333969; 157.245.36.27 is the host serving the URL flagged under AV Detection below):

Timestamp: 11/30/22-00:31:37.333969
Source IP: 192.168.11.20
Destination IP: 157.245.36.27
SID: 2021641
Source Port: 49838
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 11/30/22-00:31:37.333969
Source IP: 192.168.11.20
Destination IP: 157.245.36.27
SID: 2024317
Source Port: 49838
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 11/30/22-00:31:37.333969
Source IP: 192.168.11.20
Destination IP: 157.245.36.27
SID: 2024312
Source Port: 49838
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected
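The three alerts share one timestamp and one 5-tuple, so a single HTTP request tripped three rules. When such alerts are exported one per line, an analyst wants them collapsed to one event per flow with the list of SIDs attached, and the public endpoint pulled out as the IOC. The script below is an added example, not part of the Joe Sandbox report: it parses Snort "fast" alert lines and groups them per flow. The sample lines are constructed from the SIDs, classtype and 5-tuple shown above; the rule messages are placeholders because the report does not print them, and the two-digit-year timestamp form is the one the report uses (the parser does not interpret the timestamp).

```python
"""Parse Snort 'fast' alert lines and collapse them per network flow.
Added example; the sample lines are constructed from the 5-tuple, SIDs and
classtype in the report above, with placeholder rule messages."""
import ipaddress
import re

# Snort fast format:
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
# Classification/Priority are optional, and ICMP alerts carry no ports.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<cls>[^\]]+)\])?"
    r"(?:\s+\[Priority:\s+(?P<pri>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?\s*$"
)

# Constructed input: the report's three SIDs on its one flow, plus a junk line
# that a real alert file might contain and that the parser must skip.
SAMPLE_ALERTS = """\
11/30/22-00:31:37.333969  [**] [1:2021641:0] constructed-msg-2021641 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.11.20:49838 -> 157.245.36.27:80
11/30/22-00:31:37.333969  [**] [1:2024317:0] constructed-msg-2024317 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.11.20:49838 -> 157.245.36.27:80
11/30/22-00:31:37.333969  [**] [1:2024312:0] constructed-msg-2024312 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.11.20:49838 -> 157.245.36.27:80
this line is not a snort alert and must be skipped
"""


def parse_alert(line):
    """One fast-format line -> dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "pri", "sport", "dport"):
        alert[key] = int(alert[key]) if alert[key] is not None else None
    return alert


def parse_alerts(text):
    """All parseable alerts in a block of text, in file order."""
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a]


def group_by_flow(alerts):
    """Collapse alerts onto their (proto, src, sport, dst, dport) flow."""
    flows = {}
    for a in alerts:
        key = (a["proto"], a["src"], a["sport"], a["dst"], a["dport"])
        flow = flows.setdefault(key, {"first_seen": a["ts"], "sids": set(), "classtypes": set()})
        flow["sids"].add(a["sid"])
        if a["cls"]:
            flow["classtypes"].add(a["cls"])
    # Sets -> sorted lists so the result is deterministic and easy to diff.
    return {k: {"first_seen": v["first_seen"],
                "sids": sorted(v["sids"]),
                "classtypes": sorted(v["classtypes"])} for k, v in flows.items()}


def remote_iocs(alerts):
    """(ip, port) pairs on the public side of each alert; the sandbox's
    private address is not an indicator and is dropped."""
    iocs = set()
    for a in alerts:
        for ip, port in ((a["src"], a["sport"]), (a["dst"], a["dport"])):
            if ipaddress.ip_address(ip).is_global:
                iocs.add((ip, port))
    return iocs


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for key, flow in group_by_flow(parsed).items():
        print(key, flow)
    print("remote IOCs:", remote_iocs(parsed))
```

The flow key deliberately includes the source port: Lokibot beacons reuse the same destination, so distinct source ports are the only thing separating one check-in from the next in alert data alone.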

AV Detection

Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | ReversingLabs: Detection: 17%
Source: http://157.245.36.27/~dokterpol/?page=2874 | Avira URL Cloud: Label: malware
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Joe Sandbox ML: detected
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bekvemmeligheder
Source: unknown | HTTPS traffic detected: 142.250.185.238:443 -> 192.168.11.20:49836 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.185.161:443 -> 192.168.11.20:49837 version: TLS 1.2
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mshtml.pdb | source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54204236542.0000000000649000.00000008.00000001.01000000.00000006.sdmp
Source: Binary string: D:\SourceCode\ScenarioProfile\production_V4.2\ScenarioProfileFrameWork\Service\ServiceSDK\Release\ScenarioProfilePlugIn\AsOpenFile.pdb | source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr
Source: Binary string: mshtml.pdbUGP | source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54204236542.0000000000649000.00000008.00000001.01000000.00000006.sdmp
Source: Binary string: D:\SourceCode\ScenarioProfile\production_V4.2\ScenarioProfileFrameWork\Service\ServiceSDK\Release\ScenarioProfilePlugIn\AsOpenFile.pdb,,)GCTL | source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr
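The two static PE lines above are worth reading together: the file sets DYNAMIC_BASE (an ASLR request) but also RELOCS_STRIPPED. Without a relocation table the Windows loader cannot rebase the image, so it is mapped at its preferred ImageBase on every run and the ASLR flag is moot, which is a convenient property for a loader that later resolves addresses in its own image. The script below is an added triage example, not Joe Sandbox's code: it reads the COFF Characteristics and optional-header DllCharacteristics words straight out of a PE header with the struct module, decodes them with the bit values from the PE/COFF specification, and reports whether ASLR can actually take effect. The bytes it parses come from build_sample(), a constructed header-only PE (not loadable) whose flag words are set to reproduce the report's combination; the triage() and build_sample() names are this example's own.

```python
"""Decode PE Characteristics / DllCharacteristics and check whether ASLR can
actually apply. Added example, not Joe Sandbox code; the header bytes come
from build_sample(), a constructed header-only PE that is not loadable."""
import struct

# Bit values from the Microsoft PE/COFF specification (IMAGE_FILE_* and
# IMAGE_DLLCHARACTERISTICS_*), names shortened the way the report prints them.
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
RELOCS_STRIPPED = 0x0001
DYNAMIC_BASE = 0x0040


def decode(value, table):
    """Names of the bits set in value, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def pe_flags(data):
    """Return (Characteristics, DllCharacteristics, is_pe32plus) from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    size_opt, characteristics = struct.unpack_from("<HH", data, coff + 16)
    opt = coff + 20
    if size_opt < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short for DllCharacteristics")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    dll_characteristics = struct.unpack_from("<H", data, opt + 70)[0]
    return characteristics, dll_characteristics, magic == 0x20B


def aslr_effective(characteristics, dll_characteristics):
    """DYNAMIC_BASE only asks for ASLR; the loader can honour it only if a
    relocation table exists. With RELOCS_STRIPPED the image always maps at
    its preferred ImageBase, so the request changes nothing."""
    return bool(dll_characteristics & DYNAMIC_BASE) and not (characteristics & RELOCS_STRIPPED)


def triage(data):
    """Summary for one PE: decoded flag names plus the ASLR verdict."""
    c, d, plus = pe_flags(data)
    return {
        "format": "PE32+" if plus else "PE32",
        "characteristics": decode(c, FILE_CHARACTERISTICS),
        "dll_characteristics": decode(d, DLL_CHARACTERISTICS),
        "aslr_effective": aslr_effective(c, d),
    }


def build_sample(characteristics, dll_characteristics, pe32plus=False):
    """Constructed minimal header-only PE: just enough for pe_flags() to parse."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # 0x40 bytes
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)       # Magic
    struct.pack_into("<H", opt, 70, dll_characteristics)               # DllCharacteristics
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Flag words chosen to reproduce the report's static PE information.
    for key, value in triage(build_sample(0x010F, 0x8540)).items():
        print(f"{key}: {value}")
```

On a real sample the same check is one `pe_flags(open(path, "rb").read())` away; the parser reads only the two header words it needs, so it is safe to point at untrusted files without loading them.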