NUEVA ORDEN DE COMPRA 80107.wsf

Status: finished
Submission Time: 2022-05-27 21:14:09 +02:00
Malicious
Trojan
Evader
FormBook

Comments

Tags

  • Formbook
  • wsf
  • Xloader

Details

  • Analysis ID:
    635408
  • API (Web) ID:
    1002915
  • Analysis Started:
    2022-05-27 21:14:16 +02:00
  • Analysis Finished:
    2022-05-27 21:31:51 +02:00
  • MD5:
    f9c710eee0ec4b46dfb370e5e2280c36
  • SHA1:
    c5b21cdd87ec4c5f8349747ecab5963b40556081
  • SHA256:
    02cda7e8e87599f480515b611d57653429825d45dbfd2bcee0b9f1ea8e845fc6
  • Technologies:
    Joe Sandbox

Engine Detection Info
malicious
Score: 100
System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

malicious

IPs


Domains


URLs


Dropped files
