Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Overview

General Information

Sample Name:REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Analysis ID:756301
MD5:b9f70f4146b846179fa182ac868d0c15
SHA1:97cb5de0e0cc2f53cd73552f9d5b4381ab5a5907
SHA256:ff235029990af0449ce8f82c5546dfe37170d5e27ce1a22b0a43965a980344be
Infos:

Detection

GuLoader, Lokibot
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Lokibot
Antivirus detection for URL or domain
Yara detected GuLoader
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
One or more processes crash
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64native
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_Lokibot_1Yara detected LokibotJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000002.00000002.54385682867.00000000007CC000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_GuLoader_3Yara detected GuLoaderJoe Security
      00000002.00000002.54387083303.00000000032D0000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
        00000005.00000000.54201456373.0000000001660000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security

          Sigma Signatures

          No Sigma rule has matched

          Snort Signatures

          Timestamp:192.168.11.20157.245.36.2749838802021641 11/30/22-00:31:37.333969
          SID:2021641
          Source Port:49838
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:192.168.11.20157.245.36.2749838802024317 11/30/22-00:31:37.333969
          SID:2024317
          Source Port:49838
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:192.168.11.20157.245.36.2749838802024312 11/30/22-00:31:37.333969
          SID:2024312
          Source Port:49838
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Multi AV Scanner detection for submitted file
          Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exeReversingLabs: Detection: 17%
          Antivirus detection for URL or domain
          Source: http://157.245.36.27/~dokterpol/?page=2874Avira URL Cloud: Label: malware
          Machine Learning detection for sample
          Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exeJoe Sandbox ML: detected
          Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exeRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BekvemmelighederJump to behavior
          Source: unknownHTTPS traffic detected: 142.250.185.238:443 -> 192.168.11.20:49836 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 142.250.185.161:443 -> 192.168.11.20:49837 version: TLS 1.2
          Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: mshtml.pdb source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54204236542.0000000000649000.00000008.00000001.01000000.00000006.sdmp
          Source: Binary string: D:\SourceCode\ScenarioProfile\production_V4.2\ScenarioProfileFrameWork\Service\ServiceSDK\Release\ScenarioProfilePlugIn\AsOpenFile.pdb source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr
          Source: Binary string: mshtml.pdbUGP source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54204236542.0000000000649000.00000008.00000001.01000000.00000006.sdmp
          Source: Binary string: D:\SourceCode\ScenarioProfile\production_V4.2\ScenarioProfileFrameWork\Service\ServiceSDK\Release\ScenarioProfilePlugIn\AsOpenFile.pdb,,)GCTL source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exeCode function: 2_2_00406555 FindFirstFileW,FindClose,
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exeCode function: 2_2_0040287E FindFirstFileW,
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exeCode function: 2_2_00405A03 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,

          Networking