
BPL_1000572_007.bat.exe

Status: finished
Submission Time: 2022-09-23 07:54:14 +02:00
Malicious
Trojan
Spyware
Evader
DarkCloud

Tags

  • exe

Details

  • Analysis ID: 708242
  • API (Web) ID: 1075700
  • Analysis Started: 2022-09-23 07:58:49 +02:00
  • Analysis Finished: 2022-09-23 08:09:58 +02:00
  • MD5: 4ff4a281a08a0681597794a3024fb584
  • SHA1: d3a70362b238b82db1ef1aefef920afedf717880
  • SHA256: a6db7e8c70adc90b74c0f08503f49cf041d79afed3b916676892725ce2dbcce0
  • System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
  • Verdict: malicious
  • Score: 100/100

IPs

IP              Country
185.252.178.63  Germany
162.55.60.2     United States

Domains

Name        IP
showip.net  162.55.60.2

URLs

Name
http://185.252.178.63/loader/uploads/inf_Hpgwbzkt.bmp
http://185.252.178.63/loader/uploads/Arwiw_Xnqfdlpv.png
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
https://www.nuget.org/packages/Newtonsoft.Json.Bson
https://www.newtonsoft.com/jsonschema
https://www.openstreetmap.org/copyright
http://schema.org
https://search.yahoo.com?fr=crmas_sfp
https://ac.ecosia.org/autocomplete?q=
https://api.telegram.org/bot4(SpawnProcess)
http://james.newtonking.com/projects/json
http://showip.net/
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
https://showip.net/?checkip=
http://showip.netxhttp://www.mediacollege.com/internet/utilities/show-ip.shtml__vbaLsetFixstr__vbaFi
http://upx.sf.net
https://www.newtonsoft.com/json
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
https://search.yahoo.com?fr=crmas_sfpf
https://unpkg.com/leaflet
http://185.252.178.63
https://showip.net/
https://api.telegram.org/bot
https://www.google.com/images/branding/product/ico/googleg_lodp.ico
http://185.252.178.63/loader/uploads/inf_Hpgwbzkt.bmp)Acugwsmmzufefycomfxvihl
https://duckduckgo.com/ac/?q=
https://duckduckgo.com/chrome_newtab
http://185.252.178.63/loader/uploads/Arwiw_Xnqfdlpv.pngP/r/

Dropped files

Name (with File Type on the following indented line)

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BPL_1000572_007.bat.exe.log
    ASCII text, with CRLF line terminators
C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Roaming\note\pdf.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Roaming\note\pdf.exe:Zone.Identifier
    ASCII text, with CRLF line terminators
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Wthdlxoyqvnqsfcf_ec9af89a7aba5095a1b9163a261854dde92db_1f43b382_1621c52a\Report.wer
    Little-endian UTF-16 Unicode text, with CRLF line terminators
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8A92.tmp.dmp
    Mini DuMP crash report, 15 streams, Fri Sep 23 15:01:48 2022, 0x1205a4 type
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA781.tmp.WERInternalMetadata.xml
    XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA9A5.tmp.xml
    XML 1.0 document, ASCII text, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    data
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    data
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m4mju5by.ked.psm1
    very short file (no magic)
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w45iylbi.unn.ps1
    very short file (no magic)
C:\Users\user\AppData\Roaming\A1EB3E3549D5FF0555D7\LoghemosideroticdJPxvxBPhxRvFDWcDVPhPZaUIGIDQLVJwWmvfjYBsLDUhypometropia
    SQLite 3.x database, last written using SQLite version 3038005
C:\Windows\appcompat\Programs\Amcache.hve
    MS Windows registry file, NT/2000 or above
C:\Windows\appcompat\Programs\Amcache.hve.LOG1
    MS Windows registry file, NT/2000 or above