
daveCrpted.vbs

Status: finished
Submission Time: 2022-05-27 21:14:09 +02:00
Malicious
Trojan
Evader
FormBook

Tags

  • Formbook
  • vbs
  • Xloader

Details

  • Analysis ID:
    635407
  • API (Web) ID:
    1002914
  • Analysis Started:
    2022-05-27 21:14:10 +02:00
  • Analysis Finished:
    2022-05-27 21:31:39 +02:00
  • MD5:
    dc70eefa088f688d1cd4c4cf2c6674ca
  • SHA1:
    c358867a468d9722b3c40f0bcd0cbe2534756545
  • SHA256:
    1ec2c2c0a29c16146400c52880e887cfae57223b2b621c0f433ef9b619af5343
  • Technologies:

Joe Sandbox

Engine Download Report Detection Info
malicious
Score: 100
System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

malicious
Score: 8/93
malicious
Score: 5/40
malicious

IPs

IP              Country          Detection
20.106.232.4    United States
2.56.57.22      Netherlands

Domains

Name                        IP                Detection
www.hibikaiteki.com         118.27.122.216
www.nancykmorrison.store    172.67.160.125

URLs

Name Detection
http://20.6.
http://2.56.57.22/ts
http://2.56.57.22x
http://20.106.232.4
http://20.106.232.48
https://contoso.com/Icon
http://20.106.232.4/dll/26-05-2022-StartUp.pdf
https://contoso.com/License
https://contoso.com/
http://20.106.232.4/rumpe/26-05-2022-StartUp.pdf
http://20.106.232.4/dll/26-05-2022-StartUp.pdfPk
http://pesterbdd.com/images/Pester.png
http://2.5
http://2.56.57.22
http://2.56.57.22/tsdfguhijk.txt
https://nuget.org/nuget.exe
http://www.apache.org/licenses/LICENSE-2.0.html
http://nuget.org/NuGet.exe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
https://github.com/Pester/Pester

Dropped files

Name / File Type (hashes and detection columns were not captured)

  • C:\ProgramData\Done.vbs
    Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lxmjsncm.0lo.psm1
    very short file (no magic)
  • C:\Users\user\Documents\20220527\PowerShell_transcript.783875.zMIa0yAZ.20220527211523.txt
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
  • C:\Users\user\Documents\20220527\PowerShell_transcript.783875.hz5nZdhI.20220527211619.txt
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
  • C:\Users\user\Documents\20220527\PowerShell_transcript.783875.bfCcr7J2.20220527211526.txt
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
  • C:\Users\user\Documents\20220527\PowerShell_transcript.783875._396rmPr.20220527211537.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\Documents\20220527\PowerShell_transcript.783875.QizwF1Bj.20220527211550.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\Documents\20220527\PowerShell_transcript.783875.6BQNrnBR.20220527211548.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\Documents\20220527\PowerShell_transcript.783875.1eplhr3P.20220527211616.txt
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk
    MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Wed Apr 11 22:35:26 2018, mtime=Sat May 28 03:15:32 2 (…)
  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BCYMZUG86WIB33RE6HLM.temp
    data
  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\203a5f290b65cc8e.customDestinations-ms (copy)
    data
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zdtgx0ab.jx5.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sy35pvwd.ng5.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pfeyzexk.3oy.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_laq4ftm4.4mp.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iplajpvg.nby.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gzbo1jkc.hpz.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dnxlvzx1.xhq.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bu4y3ysi.wmb.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5saywipd.men.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5dgawbhw.o05.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_14hqbqjj.gxr.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_113xeubt.0rn.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_04g23aso.ckf.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    data
  • C:\ProgramData\Done.vbs:Zone.Identifier
    ASCII text, with CRLF line terminators