
draft_inv dec21.exe

Status: finished
Submission Time: 2021-12-01 10:18:17 +01:00
Malicious
Trojan
Evader
Spyware
GuLoader, GuLoader FormBook

Details

  • Analysis ID: 531747
  • API (Web) ID: 899269
  • Analysis Started: 2021-12-01 10:21:21 +01:00
  • Analysis Finished: 2021-12-01 10:45:52 +01:00
  • MD5: 89a584acaeb2f9e8baf46714eb7d3550
  • SHA1: 263ff0b238d57cfc30492f8801530b9986dcae38
  • SHA256: 59ae017767f6a56eba79abdad1343cba3643744f4668b320c30fda283abdedf2
  • Technologies:

Joe Sandbox

Engine | Detection | Info

Joe Sandbox | malicious (Score: 72) | System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Joe Sandbox | malicious (Score: 100) | System: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301); Run Condition: Suspected Instruction Hammering

Third Party Analysis Engines

malicious (Score: 17/65)
malicious (Score: 7/35)
malicious (Score: 8/45)
malicious

IPs


Domains


URLs


Dropped files

Name | File Type

C:\Users\user\AppData\Local\Temp\Te6-t4\zbcdidj04hd0ibmx.exe | PE32 executable (GUI) Intel 80386, for MS Windows

C:\Users\user\AppData\Local\Temp\~DF3F74DA73951D2623.TMP | Composite Document File V2 Document, Cannot read section info