Malware Analysis Report

2025-08-10 19:27

Sample ID 230714-pebq8sed7w
Target Quotation request (UTCB) 2306EU - 0605RO·pdf.exe
SHA256 8d180e30ba451e9e192aac78165e9562713c465ed8837efad56db0c15f0e323c
Tags
guloader lokibot collection discovery downloader spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8d180e30ba451e9e192aac78165e9562713c465ed8837efad56db0c15f0e323c

Threat Level: Known bad

The file Quotation request (UTCB) 2306EU - 0605RO·pdf.exe was found to be: Known bad.

Malicious Activity Summary

guloader lokibot collection discovery downloader spyware stealer trojan

Lokibot

Guloader,Cloudeye

Loads dropped DLL

Checks QEMU agent file

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

Enumerates physical storage devices

NSIS installer

outlook_office_path

outlook_win_path

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-14 12:14

Signatures

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-14 12:14

Reported

2023-07-14 12:16

Platform

win7-20230712-en

Max time kernel

148s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Quotation request (UTCB) 2306EU - 0605RO·pdf.exe"

Signatures

Guloader,Cloudeye

downloader guloader

Lokibot

trojan spyware stealer lokibot

Checks QEMU agent file

Description Indicator Process Target
File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe C:\Users\Admin\AppData\Local\Temp\Quotation request (UTCB) 2306EU - 0605RO·pdf.exe N/A
File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe C:\Users\Admin\AppData\Local\Temp\Quotation request (UTCB) 2306EU - 0605RO·pdf.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quotation request (UTCB) 2306EU - 0605RO·pdf.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Quotation request (UTCB) 2306EU - 0605RO·pdf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Quotation request (UTCB) 2306EU - 0605RO·pdf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Quotation request (UTCB) 2306EU - 0605RO·pdf.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quotation request (UTCB) 2306EU - 0605RO·pdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quotation request (UTCB) 2306EU - 0605RO·pdf.exe N/A

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quotation request (UTCB) 2306EU - 0605RO·pdf.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quotation request (UTCB) 2306EU - 0605RO·pdf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Quotation request (UTCB) 2306EU - 0605RO·pdf.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Quotation request (UTCB) 2306EU - 0605RO·pdf.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Quotation request (UTCB) 2306EU - 0605RO·pdf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Quotation request (UTCB) 2306EU - 0605RO·pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Quotation request (UTCB) 2306EU - 0605RO·pdf.exe"

C:\Users\Admin\AppData\Local\Temp\Quotation request (UTCB) 2306EU - 0605RO·pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Quotation request (UTCB) 2306EU - 0605RO·pdf.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 drive.google.com udp
NL 172.217.168.238:443 drive.google.com tcp
US 8.8.8.8:53 doc-0c-4o-docs.googleusercontent.com udp
NL 142.251.36.1:443 doc-0c-4o-docs.googleusercontent.com tcp
US 138.68.56.139:80 138.68.56.139 tcp
US 138.68.56.139:80 138.68.56.139 tcp
US 138.68.56.139:80 138.68.56.139 tcp

Files

\Users\Admin\AppData\Local\Temp\nsy8632.tmp\System.dll

MD5 fbe295e5a1acfbd0a6271898f885fe6a
SHA1 d6d205922e61635472efb13c2bb92c9ac6cb96da
SHA256 a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
SHA512 2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4159544280-4273523227-683900707-1000\0f5007522459c86e95ffcc62f32308f1_e736eb29-4310-49a0-93f5-e68114db9bc9

MD5 d898504a722bff1524134c6ab6a5eaa5
SHA1 e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-14 12:14

Reported

2023-07-14 12:16

Platform

win10v2004-20230703-en

Max time kernel

150s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Quotation request (UTCB) 2306EU - 0605RO·pdf.exe"

Signatures

Guloader,Cloudeye

downloader guloader

Lokibot

trojan spyware stealer lokibot

Checks QEMU agent file

Description Indicator Process Target
File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe C:\Users\Admin\AppData\Local\Temp\Quotation request (UTCB) 2306EU - 0605RO·pdf.exe N/A
File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe C:\Users\Admin\AppData\Local\Temp\Quotation request (UTCB) 2306EU - 0605RO·pdf.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quotation request (UTCB) 2306EU - 0605RO·pdf.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Quotation request (UTCB) 2306EU - 0605RO·pdf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Quotation request (UTCB) 2306EU - 0605RO·pdf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Quotation request (UTCB) 2306EU - 0605RO·pdf.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quotation request (UTCB) 2306EU - 0605RO·pdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quotation request (UTCB) 2306EU - 0605RO·pdf.exe N/A

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quotation request (UTCB) 2306EU - 0605RO·pdf.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quotation request (UTCB) 2306EU - 0605RO·pdf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Quotation request (UTCB) 2306EU - 0605RO·pdf.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Quotation request (UTCB) 2306EU - 0605RO·pdf.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Quotation request (UTCB) 2306EU - 0605RO·pdf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Quotation request (UTCB) 2306EU - 0605RO·pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Quotation request (UTCB) 2306EU - 0605RO·pdf.exe"

C:\Users\Admin\AppData\Local\Temp\Quotation request (UTCB) 2306EU - 0605RO·pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Quotation request (UTCB) 2306EU - 0605RO·pdf.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 0.77.109.52.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
NL 172.217.168.238:443 drive.google.com tcp
US 8.8.8.8:53 doc-0c-4o-docs.googleusercontent.com udp
NL 142.251.36.1:443 doc-0c-4o-docs.googleusercontent.com tcp
US 8.8.8.8:53 238.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 1.36.251.142.in-addr.arpa udp
US 138.68.56.139:80 138.68.56.139 tcp
US 8.8.8.8:53 139.56.68.138.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 138.68.56.139:80 138.68.56.139 tcp
US 138.68.56.139:80 138.68.56.139 tcp
US 8.8.8.8:53 69.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsyB632.tmp\System.dll

MD5 fbe295e5a1acfbd0a6271898f885fe6a
SHA1 d6d205922e61635472efb13c2bb92c9ac6cb96da
SHA256 a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
SHA512 2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3011986978-2180659500-3669311805-1000\0f5007522459c86e95ffcc62f32308f1_ecc70296-7405-4ae7-81c8-95373cc69196

MD5 d898504a722bff1524134c6ab6a5eaa5
SHA1 e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3011986978-2180659500-3669311805-1000\0f5007522459c86e95ffcc62f32308f1_ecc70296-7405-4ae7-81c8-95373cc69196

MD5 c07225d4e7d01d31042965f048728a0a
SHA1 69d70b340fd9f44c89adb9a2278df84faa9906b7
SHA256 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA512 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b
