QVWb1n5OTH.exe

Status: finished
Submission Time: 2021-12-01 20:08:17 +01:00
Malicious
Ransomware
Evader
Trojan
Spyware
GuLoader Lokibot

Tags

  • 32
  • exe
  • trojan

Details

  • Analysis ID:
    532182
  • API (Web) ID:
    899704
  • Analysis Started:
    2021-12-01 20:08:18 +01:00
  • Analysis Finished:
    2021-12-01 20:29:53 +01:00
  • MD5:
    f8236209c7b1928b3f1eb0a7074f6992
  • SHA1:
    7f31471385b39722a1c7a6e983ecca372e673796
  • SHA256:
    eab40778e702a859cc33abcd92e796755e95e8fdb0eeb7c5243b7c1866751bb0
  • Technologies:
    Joe Sandbox

Engine results (detection, score, system):

  • malicious, Score: 60
    System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
  • malicious, Score: 100
    System: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
    Run Condition: Suspected Instruction Hammering

Third Party Analysis Engines

  • malicious, Score: 39/65
  • malicious, Score: 10/35
  • malicious, Score: 22/45
  • malicious

IPs (IP, country)

  • 85.209.2.33 (Russian Federation)

Domains (name, resolved IP)

  • secure01-redirect.net (85.209.2.33)
  • erubbw.bl.files.1drv.com (0.0.0.0)
  • ervmpg.bl.files.1drv.com (0.0.0.0)
  • onedrive.live.com (0.0.0.0)
  • skydrive.live.com (0.0.0.0)

URLs


Dropped files

Dropped files (path, file type)

  • C:\Users\user\AppData\Local\Microsoft\Credentials\93CE54EBD72B5E2187F75E8118A14612_dec
    File type: data
  • C:\Users\user\AppData\Local\Temp\fabrika.exe
    File type: HTML document, ASCII text, with very long lines, with CRLF, LF line terminators
  • C:\Users\user\AppData\Roaming\5D4ACB\B73EF6.hdb
    File type: ISO-8859 text, with no line terminators
  • C:\Users\user\AppData\Roaming\5D4ACB\B73EF6.lck
    File type: very short file (no magic)
  • C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3425316567-2969588382-3778222414-1001\1b1d0082738e9f9011266f86ab9723d2_11389406-0377-47ed-98c7-d564e683c6eb
    File type: data
  • C:\Windows\appcompat\Programs\Amcache.hve
    File type: MS Windows registry file, NT/2000 or above
  • C:\Windows\appcompat\Programs\Amcache.hve.LOG1
    File type: MS Windows registry file, NT/2000 or above