Lx6.exe

Status: finished

Submission Time: 2022-10-11 15:00:11 +02:00

Malicious

Spreader

E-Banking Trojan

Trojan

Spyware

Exploiter

Evader

Ursnif

Comments

Details

Analysis ID:
720586
API (Web) ID:
1087993
Analysis Started:

2022-10-11 15:00:24 +02:00
Analysis Finished:

2022-10-11 15:18:52 +02:00
MD5:
3b892bea0f8cbe0b61ee380743567d1d
SHA1:
90522132e3a97e966e5270a8e105cc33f0d6c4e5
SHA256:
6b722961edc010c5487de4ef7eee84b586ac3c3f06dbd1920935ea5f7bb90543
Technologies:

Engines
IOCs

Joe Sandbox

Engine	Download Report	Detection	Info
		malicious
	Full Report Management Report IOC Report	malicious Score: 100	System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

Open Full Report

malicious

Score: 46/72

malicious

Score: 28/42

malicious

IPs

IP	Country	Detection
194.76.225.60	Germany
194.76.225.61	Germany
204.79.197.203	United States

Domains

Name	IP	Detection
a-0003.a-msedge.net	204.79.197.203
apnfy.msn.com	0.0.0.0
tel12.msn.com	0.0.0.0
Click to see the 3 hidden entries
www.msn.com	0.0.0.0
1.0.0.127.in-addr.arpa	0.0.0.0
8.8.8.8.in-addr.arpa	0.0.0.0

URLs

Name	Detection
http://194.76.225.61/doorway/8DqiRUYpN1g/urg4gk8belU2Hp/6R_2FaNTBZnVkLTOVWhaX/cRir_2FDANkaaRhV/ClRbP8o7eYAfvcj/15sk13GdbMsMo5M_2F/JnE3OOrX1/Yn3LiAEserhxrqJvZEPb/e6YS2cNRsGxIjllZdqY/7_2FRYI58Sw6j4ExBQcowc/5qMbTW7lnZmjK/j8COe_2F/4naQldFBQDlP42ux0j7rpPZ/VYnkJGg8xi/iWRQWDs2GHiDVoqIT/U1cLh8zIJ54C/3jdFHxCPndA/7QWrJ8HiTz2ZrO/n84c0VWLTOO/rD8u.gif
http://194.76.225.61/doorway/b6wMkPt4iWosnbXK8RWvn/wQ2bkOJqcdbdcNhg/tg0Z3ks_2FXcWvb/njy6I8DMVjfhayfvGk/AHmjUevns/VlDNJo0_2B7BLsOhWepg/SFW_2F2h4VyZK2j7bvO/pwSb1f2R_2B4_2FNz_2Fk5/AtvhdDlWA69Wm/XRrBsoYg/JvQOOWqnl_2BSVvJf6ZjHAL/wi1PXKezi1/T9UASDBDRIpvMBY_2/FoQu0ao4VHCM/ZdN_2Bl0_2B/R_2BeX3PT9oLhg/3PUDsQH9gNCwUAZWN3W4_/2BLY_2F_2F1_2F3U/UklFvieJ/d91ke0Bg/KsQU9iQ.drr
http://194.76.225.61/doorway/uRv392Rtz866/nti_2ByAL1r/R8CkJ_2BndSyRx/sIG44fcYL4SmExCi0ACI7/oER1nF0Bt2Tpxtf8/pvf2xzyDmqE4uH6/atElJIeiaCGvRyaYTW/O_2Bb7sZx/7GOqqpJyOKdZvhgFoplL/gFpgB_2BgQj834VvyfM/T9x1pruFqGyVhzjoXgN9Yh/z5CHc_2FavqJW/MXQOJsyO/VzU5_2FcjvOlXkGZhClQ7RM/oSy78PufE2/FJvd3_2FTRM8OrG4Y/ryVNLZn8s_2B/KVoRzz7Jpgf/a.gif
Click to see the 47 hidden entries
http://194.76.225.60/doorway/yww9t6EI6u3knXcyyJCm/k0PaEmMkYIgXI64U0Xz/raOOkTYJ1OffkP1wEWgVkk/KDIFR_2BFO6sY/C2PaBaPa/Sss01ix_2BadgeHfS9wHDYB/Y8ru3rQs3i/_2BVL_2F9XZIKlCI8/B1oNU6QkNaWX/PsYuvkPEO_2/F4YFTJXJbymKQ2/fHoiICtdHiiOAaF3y2_2B/YuR2etKSof76kp2a/rN6zIbIDcAsv1vB/ZbVJT7_2F5CmNDvPiV/bnGga5QOC/6JDIjD6kBTEGU_2FDRCY/QI5i_2BmMOmGPPVMPTI/LhHL9V2_2/Bt.drr
http://194.76.225.61/doorway/bRzGSLjweAbH/PVfy51BTQqO/lWZDAcFYwrYEOw/P1069Ds4xjESTY05mmd1_/2ByVzroc4cimG4A8/PzkyhLRGCX0aFw5/Jtve4MdzfQJPkPgA2k/NTDeHmvoJ/_2B7yHjl7zuPv_2Brki5/vNALnLBqmQChxlgwPJX/YMRMYrIxai4T4_2BKHDViB/Hv_2BBzVFkjNS/FgarEETc/294Vv6pgzz58Ssm8O4z7jEg/g3Dq3u6_2B/toSBBRie0B5BZcweG/l7bNSU7DgvscLKrC/Sp3p.drr
http://194.76.225.60/doorway/j2Kh1F01rzc/C8YfqfqOL0fd_2/Faja_2BeyQazoCIhY8EM9/jtWW9dUBZLJi2O8c/5bSyBdVOxMEWaUX/ShuObsG4WHyjfvJOvS/7Etsx6H8b/xJ9ufj3B90qCwQfbGxOr/E6EEqhpsHuAJvMjEWxJ/bbt9tD_2FAMRZ0X6mUy9CA/ykkOKoxULnECB/ejdchRP6/xdR6yPCPWIpLVR5uBosZgJc/ZByIsZgREK/Fk_2Feeg2_2Bk9KT9/iLNnOQl_2B8z/5ltZk0GHQaA/kR9XvP8sc8BQlA/LXFn1z6p/VlTMdML3/9.drr
https://github.com/Pester/Pester
http://pesterbdd.com/images/Pester.png
https://www.tippsundtricks.co/lifehacks/dose-offnen/?utm_campaign=DECH-Dose&utm_source=MSN&u
https://www.msn.com/de-ch/shopping
http://www.apache.org/licenses/LICENSE-2.0.html
https://www.hoeren-heute.ch/d/horizon_reveal/?act=ACT0000044974ACT&utm_source=mcrs&utm_mediu
https://www.msn.com/de-ch/news/other/bundesratswahl-alle-augen-richten-sich-nach-bern/ar-AA12LMZu?oc
https://www.tippsundtricks.co/saubermachen/reinige-dusche-spulmaschinentab/?utm_campaign=DECH-spulit
https://www.hoeren-heute.ch/d/nulltarif_offer/?act=ACT0000045540ACT&utm_source=mcrs&utm_medi
https://contoso.com/Icon
https://www.tippsundtricks.co/lifehacks/dosenoeffner-falsch-benutzt/?utm_campaign=DECH-canopen&u
https://www.msn.com/de-ch/news/other/bewaffnete-m%c3%a4nner-%c3%bcberfallen-luzerner-bar/ar-AA12NkUo
http://www.msn.com/de-ch
http://www.msn.com/
http://ipinfo.io/ip
https://www.msn.com/de-ch/news/other/wie-deine-abgeschnittenen-haare-seen-s%c3%a4ubern-k%c3%b6nnen/a
http://constitution.org/usdeclar.txt
http://www.msn.com/de-ch/
http://ogp.me/ns#
https://www.msn.com/de-ch/sport/other/fcz-bleibt-letzter-lugano-schl%c3%a4gt-basel-servette-und-luze
http://ns.micro/1
https://contoso.com/
http://constitution.org/usdeclar.txtC:
http://curlmyip.net1g71lXXnduT6klnGfile://c:
https://contoso.com/License
http://https://file://USER.ID%lu.exe/upd
http://ns.adobe.cmg
https://deff.nelreports.net/api/report?cat=msn
http://ogp.me/ns/fb#
http://ns.adobp/E
https://outlook.com/
https://www.msn.com/de-ch/finanzen/nachrichten/angebotsmieten-in-allen-kantonen-gestiegen/ar-AA12OUn
http://curlmyip.net1g
http://curlmyip.net
https://nuget.org/nuget.exe
https://browser.events.data.msn.com/OneCollector/1.0/t.js?qsp=true&anoncknm=%22%22&name=%22M
http://ns.adobe.ux
https://www.tippsundtricks.co/sonstiges/diese-96-jahre-alte-dame-will-ihr-haus-verkaufen-wenn-du-dir
https://www.msn.com/de-ch/sport/other/z%c3%bcrich-und-winterthur-zeigten-wo-sie-stehen/ar-AA12LPId?o
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
https://www.msn.com/de-ch/nachrichten/schweiz/ja-er-will-r%c3%b6sti-gibt-seine-kandidatur-bekannt/ar
http://www.autoitscript.com/autoit3/J
http://nuget.org/NuGet.exe
https://www.msn.com/de-ch/news/other/r%c3%a4uber-muss-nach-%c3%bcberfallserie-mehr-als-drei-jahre-in

Dropped files

Name	File Type	Hashes
C:\Users\user\AppData\Local\Temp\iyr5jfx4.cmdline	Unicode text, UTF-8 (with BOM) text, with very long lines (348), with no line terminators	#
C:\Users\user\AppData\Local\Temp\msihj3zd.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Temp\iyr5jfx4.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	#
Click to see the 35 hidden entries
C:\Users\user\AppData\Local\Temp\iyr5jfx4.out	Unicode text, UTF-8 (with BOM) text, with very long lines (427), with CRLF, CR line terminators	#
C:\Users\user\AppData\Local\Temp\jxpjpfgv.0.cs	Unicode text, UTF-8 (with BOM) text	#
C:\Users\user\AppData\Local\Temp\jxpjpfgv.cmdline	Unicode text, UTF-8 (with BOM) text, with very long lines (348), with no line terminators	#
C:\Users\user\AppData\Local\Temp\jxpjpfgv.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Temp\jxpjpfgv.out	Unicode text, UTF-8 (with BOM) text, with very long lines (427), with CRLF, CR line terminators	#
C:\Users\user\AppData\Local\Temp\msihj3zd.0.cs	Unicode text, UTF-8 (with BOM) text	#
C:\Users\user\AppData\Local\Temp\msihj3zd.cmdline	Unicode text, UTF-8 (with BOM) text, with very long lines (348), with no line terminators	#
C:\Users\user\AppData\Local\Temp\iyr5jfx4.0.cs	Unicode text, UTF-8 (with BOM) text	#
C:\Users\user\AppData\Local\Temp\msihj3zd.out	Unicode text, UTF-8 (with BOM) text, with very long lines (427), with CRLF, CR line terminators	#
C:\Users\user\AppData\Local\Temp\vupj0yhs.0.cs	Unicode text, UTF-8 (with BOM) text	#
C:\Users\user\AppData\Local\Temp\vupj0yhs.cmdline	Unicode text, UTF-8 (with BOM) text, with very long lines (348), with no line terminators	#
C:\Users\user\AppData\Local\Temp\vupj0yhs.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Roaming\Microsoft\MarkClass	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)	data	#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\O5JBBM3G0ZBJCNQGHQJ3.temp	data	#
\Device\ConDrv	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\CSCF2AAFAB6410F41F998231914A7D0E24.TMP	MSVC .res	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	#
C:\Users\user\AppData\Local\Temp\7C7B.bin\AuthRoot.pfx	data	#
C:\Users\user\AppData\Local\Temp\7C7B.bin\Root.pfx	data	#
C:\Users\user\AppData\Local\Temp\9AF9.bin1	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\9F2A.bin	Zip archive data, at least v2.0 to extract, compression method=deflate	#
C:\Users\user\AppData\Local\Temp\CSCAB583CA567BD44E39E9932B1B4F9F8AB.TMP	MSVC .res	#
C:\Users\user\AppData\Local\Temp\CSCABF4CE5BBE3740BAB8B4C0CFADC5BA2E.TMP	MSVC .res	#
C:\Users\user\AppData\Local\Temp\CSCB1F306A019E148659D5DB92DA08A3D35.TMP	MSVC .res	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\deprecated.cookie	ASCII text, with no line terminators	#
C:\Users\user\AppData\Local\Temp\RES501C.tmp	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols, created Tue Oct 11 13:05:19 2022, 1st section name ".debug$S"	#
C:\Users\user\AppData\Local\Temp\RESA4F5.tmp	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols, created Tue Oct 11 13:02:17 2022, 1st section name ".debug$S"	#
C:\Users\user\AppData\Local\Temp\RESB08E.tmp	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols, created Tue Oct 11 13:02:20 2022, 1st section name ".debug$S"	#
C:\Users\user\AppData\Local\Temp\RESFA7A.tmp	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols, created Tue Oct 11 13:04:57 2022, 1st section name ".debug$S"	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_akfsyqoz.ont.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j0v3avdz.ytr.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pigzubgt.i2t.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yf122sov.tys.psm1	very short file (no magic)	#

Lx6.exe

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

Lx6.exe Options

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

Search started

Lx6.exe