Malware Analysis Report

2025-08-10 19:26

Sample ID 230712-qsynladd57
Target Arrival Notice pdf.exe
SHA256 43ad88d4b9b62ac29d1872243f482198d5771dadf38903b63ba51bc344a871a5
Tags
guloader lokibot collection downloader spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

43ad88d4b9b62ac29d1872243f482198d5771dadf38903b63ba51bc344a871a5

Threat Level: Known bad

The file Arrival Notice pdf.exe was found to be: Known bad.

Malicious Activity Summary

guloader lokibot collection downloader spyware stealer trojan

Guloader,Cloudeye

Lokibot

Reads user/profile data of web browsers

Checks QEMU agent file

Loads dropped DLL

Accesses Microsoft Outlook profiles

Suspicious use of NtCreateThreadExHideFromDebugger

Drops file in System32 directory

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

outlook_office_path

Suspicious behavior: RenamesItself

outlook_win_path

MITRE ATT&CK (Enterprise Matrix V6): no technique rows survive in this extraction.

Analysis: static1

Detonation Overview

Reported

2023-07-12 13:32

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-12 13:32

Reported

2023-07-12 13:34

Platform

win7-20230712-en

Max time kernel

147s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe"

Signatures

Guloader,Cloudeye

downloader guloader

Lokibot

trojan spyware stealer lokibot

Checks QEMU agent file

Description | Indicator | Process | Target
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2340 set thread context of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Common Files\Tuvaluaners160\Tachibana157\programafprvningerne.ect | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe"

C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | cdn.discordapp.com | udp
US | 162.159.133.233:443 | cdn.discordapp.com | tcp
NL | 171.22.30.164:80 | 171.22.30.164 | tcp
NL | 171.22.30.164:80 | 171.22.30.164 | tcp
NL | 171.22.30.164:80 | 171.22.30.164 | tcp
NL | 171.22.30.164:80 | 171.22.30.164 | tcp

Files

\Users\Admin\AppData\Local\Temp\nsoDDB3.tmp\System.dll

MD5 a4dd044bcd94e9b3370ccf095b31f896
SHA1 17c78201323ab2095bc53184aa8267c9187d5173
SHA256 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
SHA512 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

memory/2340-67-0x00000000033B0000-0x000000000619C000-memory.dmp

memory/2340-68-0x00000000033B0000-0x000000000619C000-memory.dmp

memory/2044-69-0x0000000000400000-0x0000000001462000-memory.dmp

memory/2044-70-0x0000000001470000-0x000000000425C000-memory.dmp

memory/2044-71-0x0000000000400000-0x0000000001462000-memory.dmp

memory/2044-72-0x0000000001470000-0x000000000425C000-memory.dmp

memory/2044-84-0x0000000001470000-0x000000000425C000-memory.dmp

memory/2044-87-0x0000000001470000-0x000000000425C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1014134971-2480516131-292343513-1000\0f5007522459c86e95ffcc62f32308f1_d5f11b9e-2b71-41f6-9dcc-8691edc6dc24

MD5 d898504a722bff1524134c6ab6a5eaa5
SHA1 e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1014134971-2480516131-292343513-1000\0f5007522459c86e95ffcc62f32308f1_d5f11b9e-2b71-41f6-9dcc-8691edc6dc24

MD5 c07225d4e7d01d31042965f048728a0a
SHA1 69d70b340fd9f44c89adb9a2278df84faa9906b7
SHA256 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA512 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-12 13:32

Reported

2023-07-12 13:34

Platform

win10v2004-20230703-en

Max time kernel

143s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe"

Signatures

Guloader,Cloudeye

downloader guloader

Lokibot

trojan spyware stealer lokibot

Checks QEMU agent file

Description | Indicator | Process | Target
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{C394D645-39A2-4EE1-BC25-2B651B221E86}.catalogItem | C:\Windows\System32\svchost.exe | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1660 set thread context of 4328 | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Common Files\Tuvaluaners160\Tachibana157\programafprvningerne.ect | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A
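Two of the signature rows in this run (and the matching rows in behavioral1) need interpretation before they go into a ticket. The SetThreadContext row names the sample as both process and target: the first instance started a second, suspended copy of itself and rewrote that copy's thread context, which is why the Processes list shows the same image twice and the memory dumps below carry two PIDs. The "Drops file in System32 directory" row, by contrast, fires on C:\Windows\System32\svchost.exe, not on the sample, and the report shows no parent-child link between them, so it should not be counted as sample behaviour. The following Python is an added example, not part of the sandbox report: it reads rows constructed from this section's indicators and separates what is attributable to the sample from background noise. The list of guest-agent binaries beyond qemu-ga.exe is an assumed generalisation of the QEMU check.

```python
"""Triage of sandbox signature rows: which ones are the sample's own behaviour,
and what each one means.  Added example; EVENTS is constructed from the
indicators in the behavioral2 report and is not the sandbox's output."""
import re
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe"
HKU = "\\REGISTRY\\USER\\S-1-5-21-1722984668-1829624581-3022101259-1000"

# (signature, description, indicator, process, target), as in the report's tables.
EVENTS = [
    ("Checks QEMU agent file", "File opened (read-only)",
     r"C:\Program Files\Qemu-ga\qemu-ga.exe", SAMPLE, None),
    ("Accesses Microsoft Outlook profiles", "Key opened",
     HKU + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook",
     SAMPLE, None),
    ("Accesses Microsoft Outlook profiles", "Key opened",
     HKU + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook", SAMPLE, None),
    ("Suspicious use of SetThreadContext", "PID 1660 set thread context of 4328",
     None, SAMPLE, SAMPLE),
    ("Suspicious use of AdjustPrivilegeToken", "Token: SeDebugPrivilege", None, SAMPLE, None),
    ("Drops file in System32 directory", "File created",
     r"C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService"
     r"\{C394D645-39A2-4EE1-BC25-2B651B221E86}.catalogItem",
     r"C:\Windows\System32\svchost.exe", None),
]

# Guest-agent binaries whose presence betrays a hypervisor.  qemu-ga.exe is the
# one the report shows; the rest are an assumed generalisation of that check.
GUEST_AGENTS = {"qemu-ga.exe", "vmtoolsd.exe", "vboxservice.exe", "vboxtray.exe"}
SET_CTX = re.compile(r"PID (\d+) set thread context of (\d+)")
OUTLOOK_KEY = re.compile(
    r"\\(Windows Messaging Subsystem|Office\\\d+\.\d+\\Outlook)\\Profiles\\", re.I)


def classify(sig, desc, indicator, process, target):
    """Return (label, attributable): what the row means, and whether the acting
    process is the sample itself rather than some other process on the box."""
    attributable = process.lower() == SAMPLE.lower()
    basename = indicator.rsplit("\\", 1)[-1].lower() if indicator else ""
    if basename in GUEST_AGENTS:
        return "anti-vm: probes for hypervisor guest agent", attributable
    m = SET_CTX.search(desc)
    if m:
        src, dst = m.groups()
        if target and target.lower() == process.lower():
            # Same image on both sides: the sample started a suspended copy of
            # itself, rewrote the copy's thread context, and let it run.
            return f"injection: self-hollowing {src}->{dst}", attributable
        return f"injection: thread context set {src}->{dst}", attributable
    if indicator and OUTLOOK_KEY.search(indicator):
        return "collection: Outlook profile store", attributable
    if "SeDebugPrivilege" in desc:
        return "privilege: SeDebugPrivilege enabled", attributable
    return f"unclassified: {sig}", attributable


def triage(events):
    """Split rows into the sample's behaviour and noise from other processes."""
    sample, noise = Counter(), Counter()
    for row in events:
        label, attributable = classify(*row)
        (sample if attributable else noise)[label] += 1
    return sample, noise


if __name__ == "__main__":
    mine, other = triage(EVENTS)
    for label, n in mine.items():
        print(f"sample  x{n}  {label}")
    for label, n in other.items():
        print(f"noise   x{n}  {label}")
```

Rows whose Indicator column is N/A (Loads dropped DLL, the two HideFromDebugger rows, MapViewOfSection, RenamesItself) carry no value to key on and fall through to "unclassified"; they still count as attributable because the process column is the sample.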

Processes

C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 218.25.30.184.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.211.247.8.in-addr.arpa | udp
US | 8.8.8.8:53 | cdn.discordapp.com | udp
US | 162.159.133.233:443 | cdn.discordapp.com | tcp
US | 8.8.8.8:53 | 233.133.159.162.in-addr.arpa | udp
NL | 171.22.30.164:80 | 171.22.30.164 | tcp
NL | 171.22.30.164:80 | 171.22.30.164 | tcp
US | 8.8.8.8:53 | 164.30.22.171.in-addr.arpa | udp
NL | 171.22.30.164:80 | 171.22.30.164 | tcp
NL | 171.22.30.164:80 | 171.22.30.164 | tcp
US | 8.8.8.8:53 | 49.192.11.51.in-addr.arpa | udp
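Most rows in this table are reverse (PTR) lookups of addresses already present in the trace; they add no indicator and should not be copied into a blocklist. Two facts matter: cdn.discordapp.com is a shared CDN serving a large benign user base, so the name and its edge IP are context rather than a block rule on their own, while 171.22.30.164:80 is contacted directly by IP with no hostname, the pattern of a stealer check-in. The following Python is an added example, not part of the report: it takes rows constructed from the two Network tables and reduces them to a deduplicated IOC list with the resolver noise removed. The "shared infrastructure" set is an assumption that holds only the one domain the report shows.

```python
"""Reduce a sandbox Network table to an IOC list.  Added example; ROWS is
constructed from the behavioral1 and behavioral2 Network tables in the
report and is not the sandbox's output."""
import ipaddress
from collections import OrderedDict

ROWS = [  # (country, destination, domain, proto)
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "158.240.127.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "cdn.discordapp.com", "udp"),
    ("US", "162.159.133.233:443", "cdn.discordapp.com", "tcp"),
    ("US", "8.8.8.8:53", "233.133.159.162.in-addr.arpa", "udp"),
    ("NL", "171.22.30.164:80", "171.22.30.164", "tcp"),
    ("NL", "171.22.30.164:80", "171.22.30.164", "tcp"),
    ("US", "8.8.8.8:53", "164.30.22.171.in-addr.arpa", "udp"),
]

RESOLVER = "8.8.8.8:53"            # the sandbox's DNS forwarder
# Hosting shared with a large benign user base: useful context, a bad block
# rule by itself.  Assumed list; the report shows only cdn.discordapp.com.
SHARED_INFRA = {"cdn.discordapp.com"}


def extract_iocs(rows):
    """Return an ordered mapping ioc -> note.  Reverse (PTR) lookups are
    dropped, forward lookups become domain IOCs, and direct connections become
    proto:ip:port IOCs, deduplicated in first-seen order."""
    iocs = OrderedDict()
    for _country, dest, domain, proto in rows:
        name = domain.lower()
        if dest == RESOLVER:
            if name.endswith(".in-addr.arpa"):
                continue      # reverse lookup of an address already in the trace
            note = ("shared CDN: context only, do not block the name outright"
                    if name in SHARED_INFRA else "name resolved by the sample")
            iocs.setdefault(f"domain:{name}", note)
            continue
        host, _, port = dest.rpartition(":")
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue          # not a literal address; nothing to pin down
        if name in SHARED_INFRA:
            note = f"fetch from {name}: shared edge IP, block by URL at the proxy, not by IP"
        elif name == host:
            note = "direct-to-IP, no hostname: C2 candidate, block IP:port"
        else:
            note = f"connection to {name}"
        iocs.setdefault(f"{proto}:{host}:{port}", note)
    return iocs


if __name__ == "__main__":
    for ioc, note in extract_iocs(ROWS).items():
        print(f"{ioc:32} {note}")
```

On the page's own rows this yields three entries: the CDN name, the CDN edge on 443, and the bare IP on port 80, with the four duplicate NL rows collapsed to one.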

Files

C:\Users\Admin\AppData\Local\Temp\nsnCCE6.tmp\System.dll

MD5 a4dd044bcd94e9b3370ccf095b31f896
SHA1 17c78201323ab2095bc53184aa8267c9187d5173
SHA256 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
SHA512 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

memory/1660-146-0x0000000004CA0000-0x0000000007A8C000-memory.dmp

memory/1660-147-0x0000000004CA0000-0x0000000007A8C000-memory.dmp

memory/4328-148-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4328-149-0x0000000001660000-0x000000000444C000-memory.dmp

memory/4328-150-0x0000000001660000-0x000000000444C000-memory.dmp

memory/4328-154-0x0000000001660000-0x000000000444C000-memory.dmp

memory/4328-155-0x0000000001660000-0x000000000444C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1722984668-1829624581-3022101259-1000\0f5007522459c86e95ffcc62f32308f1_a0bc95ba-226b-43bc-9413-1a52b12558b5

MD5 d898504a722bff1524134c6ab6a5eaa5
SHA1 e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1722984668-1829624581-3022101259-1000\0f5007522459c86e95ffcc62f32308f1_a0bc95ba-226b-43bc-9413-1a52b12558b5

MD5 c07225d4e7d01d31042965f048728a0a
SHA1 69d70b340fd9f44c89adb9a2278df84faa9906b7
SHA256 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA512 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b