Statement from QNB.exe

Status: finished

Submission Time: 2021-11-24 14:05:13 +01:00

Malicious

Trojan

Evader

Spyware

GuLoader, GuLoader MailPassView XpertRAT

Comments

Details

Analysis ID:
527846
API (Web) ID:
895370
Analysis Started:

2021-11-24 14:05:13 +01:00
Analysis Finished:

2021-11-24 14:29:22 +01:00
MD5:
9c8b626668e14aeb4355ea39d1520e33
SHA1:
554069b1fb3a80a02840158d31c6c2826812cb40
SHA256:
d63ed0450efe28d525954d84556394f21df1c2d882e74b4891492fefab00dd79
Technologies:

Engines
IOCs

Joe Sandbox

Engine	Download Report	Detection	Info
	Full Report Management Report IOC Report	malicious Score: 68	System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
	Full Report Management Report IOC Report	malicious Score: 100	System: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301 Run Condition: Suspected Instruction Hammering

IPs

IP	Country	Detection
194.85.248.156	Russian Federation
142.250.185.78	United States
172.217.168.14	United States
Click to see the 1 hidden entries
142.250.186.97	United States

Domains

Name	IP	Detection
z1s.us.to	194.85.248.156
docs.google.com	172.217.168.14
drive.google.com	142.250.185.78
Click to see the 3 hidden entries
googlehosted.l.googleusercontent.com	142.250.186.97
doc-00-5k-docs.googleusercontent.com	0.0.0.0
doc-0k-48-docs.googleusercontent.com	0.0.0.0

URLs

Name	Detection
z1s.us.to:5344
https://docs.google.com/:5
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Click to see the 37 hidden entries
https://doc-0k-48-docs.googleusercontent.com/%%doc-0k-48-docs.googleusercontent.com
https://www.google.com
https://doc-00-5k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/9ika2j8t
https://doc-0k-48-docs.googleusercontent.com/~
http://www.google.com/support/accounts/answer/151657?hl=en
https://drive.google.com/
https://drive.google.com/T
https://doc-0k-48-docs.googleusercontent.com/v
https://doc-0k-48-docs.googleusercontent.com/3
https://drive.google.com/F
https://www.google.com/accounts/servicelogin
https://login.yahoo.com/config/login
https://doc-0k-48-docs.googleusercontent.com/docs/securesc/35sumvj0vue2ri2uv2ecasddg28mcdkj/ad6glr8l
https://doc-0k-48-docs.googleusercontent.com/docs/securesc/35sumvj0vue2ri2uv2ecasddg28mcdkj/ad6glr8l0h99hqpngtfni6a8i22nv65q/1637759775000/06007705055686197661/09438607504833105235Z/1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNp?e=download
http://www.nirsoft.net/
http://www.imvu.comata
http://www.ebuddy.com
https://csp.withgoogle.com/csp/report-to/gse_l9ocaq
https://drive.google.com/0By
https://drive.google.com/~
https://drive.google.com/J4
http://www.imvu.comr
https://doc-00-5k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/9ika2j8t7trtq51k7nrgujctt9nrsl81/1637759700000/06007705055686197661/*/1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNp?e=download
http://www.imvu.com/
https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentSignerHttp/external
https://doc-00-5k-docs.googleusercontent.com/
https://docs.google.com/nonceSigner?nonce=1h1o0go4qslkm&continue=https://doc-0k-48-docs.googleuserco
http://www.imvu.com
https://doc-0k-48-docs.googleusercontent.com/qr
https://docs.google.com/nonceSigner?nonce=1h1o0go4qslkm&continue=https://doc-0k-48-docs.googleusercontent.com/docs/securesc/35sumvj0vue2ri2uv2ecasddg28mcdkj/ad6glr8l0h99hqpngtfni6a8i22nv65q/1637759775000/06007705055686197661/09438607504833105235Z/1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNp?e%3Ddownload&hash=pckr7av56kdraffkce6aepv1b87ssmgu
https://doc-00-5k-docs.googleusercontent.com/%%doc-00-5k-docs.googleusercontent.com
https://doc-0k-48-docs.googleusercontent.com/
https://drive.google.com/M
https://doc-0k-48-docs.googleusercontent.com/Od
https://drive.google.com/J
https://doc-0k-48-docs.googleusercontent.com/docs/securesc/35sumvj0vue2ri2uv2ecasddg28mcdkj/ad6glr8l0h99hqpngtfni6a8i22nv65q/1637759775000/06007705055686197661/09438607504833105235Z/1yzh40PNS32XieWw_X1Kb4gxhZiPD-fNp?e=download&nonce=1h1o0go4qslkm&user=09438607504833105235Z&hash=0o6b323c0rq74tch8ch7someetivr76b
https://docs.google.com/b5

Dropped files

Name	File Type	Hashes
C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.exe	PE32 executable (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\computer+user.bmp	PC bitmap, Windows 3.x format, 448 x 448 x 24	#
C:\Users\user\AppData\Local\Temp\bhvD2BB.tmp	Extensible storage engine DataBase, version 0x620, checksum 0xbfe3589f, page size 32768, DirtyShutdown, Windows version 10.0	#
Click to see the 13 hidden entries
C:\Users\user\AppData\Local\Temp\~DF3CDB9B0E0AB3B377.TMP	Composite Document File V2 Document, Cannot read section info	#
C:\Users\user\AppData\Local\Temp\~DF4E2873A32C413EC3.TMP	Composite Document File V2 Document, Cannot read section info	#
C:\Users\user\AppData\Local\Temp\~DF5493C8EC3A096669.TMP	Composite Document File V2 Document, Cannot read section info	#
C:\Users\user\AppData\Local\Temp\~DF93F550DD9A770457.TMP	Composite Document File V2 Document, Cannot read section info	#
C:\Users\user\AppData\Local\Temp\~DF9D094ABC44AE1A89.TMP	Composite Document File V2 Document, Cannot read section info	#
C:\Users\user\AppData\Local\Temp\~DFB962B4444FDFF0CF.TMP	Composite Document File V2 Document, Cannot read section info	#
C:\Users\user\AppData\Local\Temp\~DFB9E9D901A47CB813.TMP	Composite Document File V2 Document, Cannot read section info	#
C:\Users\user\AppData\Local\Temp\~DFDDED18805B00B83E.TMP	Composite Document File V2 Document, Cannot read section info	#
C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4	data	#
C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4.pas	data	#
C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\nyuimqkss2.txt	Little-endian UTF-16 Unicode text, with no line terminators	#
C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\nyuimqkss4.txt	Little-endian UTF-16 Unicode text, with no line terminators	#
C:\Users\user\AppData\Roaming\D7I2A8S6-B3Y1-J1N8-O887-M0I1C4O6V0D4\ut	PC bitmap, Windows 3.x format, 448 x 448 x 24	#

Statement from QNB.exe

Comments

Tags

Available tags:

Details

Joe Sandbox

IPs

Domains

URLs

Dropped files

Statement from QNB.exe Options

Comments

Tags

Available tags:

Details

Joe Sandbox

IPs

Domains

URLs

Dropped files

Search started

Statement from QNB.exe