
Lx6.exe

Status: finished
Submission Time: 2022-10-11 15:00:11 +02:00
Malicious
Spreader
E-Banking Trojan
Trojan
Spyware
Exploiter
Evader
Ursnif

Comments

Tags

  • 18521247133
  • 1947622560
  • 912135074
  • exe
  • Gozi
  • Opendir
  • tel12-msn-com

Details

  • Analysis ID:
    720586
  • API (Web) ID:
    1087993
  • Analysis Started:
    2022-10-11 15:00:24 +02:00
  • Analysis Finished:
    2022-10-11 15:18:52 +02:00
  • MD5:
    3b892bea0f8cbe0b61ee380743567d1d
  • SHA1:
    90522132e3a97e966e5270a8e105cc33f0d6c4e5
  • SHA256:
    6b722961edc010c5487de4ef7eee84b586ac3c3f06dbd1920935ea5f7bb90543
  • Technologies:

malicious

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211

malicious
100/100

malicious
46/72

malicious
28/42

malicious

IPs

IP Country Detection
194.76.225.60
Germany
194.76.225.61
Germany
204.79.197.203
United States

Domains

Name IP Detection
a-0003.a-msedge.net
204.79.197.203
apnfy.msn.com
0.0.0.0
tel12.msn.com
0.0.0.0
www.msn.com
0.0.0.0
1.0.0.127.in-addr.arpa
0.0.0.0
8.8.8.8.in-addr.arpa
0.0.0.0

URLs

Name Detection

Dropped files

Name File Type
C:\Users\user\AppData\Local\Temp\iyr5jfx4.cmdline
Unicode text, UTF-8 (with BOM) text, with very long lines (348), with no line terminators
C:\Users\user\AppData\Local\Temp\msihj3zd.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Local\Temp\iyr5jfx4.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Local\Temp\iyr5jfx4.out
Unicode text, UTF-8 (with BOM) text, with very long lines (427), with CRLF, CR line terminators
C:\Users\user\AppData\Local\Temp\jxpjpfgv.0.cs
Unicode text, UTF-8 (with BOM) text
C:\Users\user\AppData\Local\Temp\jxpjpfgv.cmdline
Unicode text, UTF-8 (with BOM) text, with very long lines (348), with no line terminators
C:\Users\user\AppData\Local\Temp\jxpjpfgv.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Local\Temp\jxpjpfgv.out
Unicode text, UTF-8 (with BOM) text, with very long lines (427), with CRLF, CR line terminators
C:\Users\user\AppData\Local\Temp\msihj3zd.0.cs
Unicode text, UTF-8 (with BOM) text
C:\Users\user\AppData\Local\Temp\msihj3zd.cmdline
Unicode text, UTF-8 (with BOM) text, with very long lines (348), with no line terminators
C:\Users\user\AppData\Local\Temp\iyr5jfx4.0.cs
Unicode text, UTF-8 (with BOM) text
C:\Users\user\AppData\Local\Temp\msihj3zd.out
Unicode text, UTF-8 (with BOM) text, with very long lines (427), with CRLF, CR line terminators
C:\Users\user\AppData\Local\Temp\vupj0yhs.0.cs
Unicode text, UTF-8 (with BOM) text
C:\Users\user\AppData\Local\Temp\vupj0yhs.cmdline
Unicode text, UTF-8 (with BOM) text, with very long lines (348), with no line terminators
C:\Users\user\AppData\Local\Temp\vupj0yhs.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Roaming\Microsoft\MarkClass
ASCII text, with CRLF line terminators
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)
data
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\O5JBBM3G0ZBJCNQGHQJ3.temp
data
\Device\ConDrv
ASCII text, with CRLF line terminators
C:\Users\user\AppData\Local\Temp\CSCF2AAFAB6410F41F998231914A7D0E24.TMP
MSVC .res
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
data
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
data
C:\Users\user\AppData\Local\Temp\7C7B.bin\AuthRoot.pfx
data
C:\Users\user\AppData\Local\Temp\7C7B.bin\Root.pfx
data
C:\Users\user\AppData\Local\Temp\9AF9.bin1
ASCII text, with CRLF line terminators
C:\Users\user\AppData\Local\Temp\9F2A.bin
Zip archive data, at least v2.0 to extract, compression method=deflate
C:\Users\user\AppData\Local\Temp\CSCAB583CA567BD44E39E9932B1B4F9F8AB.TMP
MSVC .res
C:\Users\user\AppData\Local\Temp\CSCABF4CE5BBE3740BAB8B4C0CFADC5BA2E.TMP
MSVC .res
C:\Users\user\AppData\Local\Temp\CSCB1F306A019E148659D5DB92DA08A3D35.TMP
MSVC .res
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\deprecated.cookie
ASCII text, with no line terminators
C:\Users\user\AppData\Local\Temp\RES501C.tmp
Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols, created Tue Oct 11 13:05:19 2022, 1st section name ".debug$S"
C:\Users\user\AppData\Local\Temp\RESA4F5.tmp
Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols, created Tue Oct 11 13:02:17 2022, 1st section name ".debug$S"
C:\Users\user\AppData\Local\Temp\RESB08E.tmp
Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols, created Tue Oct 11 13:02:20 2022, 1st section name ".debug$S"
C:\Users\user\AppData\Local\Temp\RESFA7A.tmp
Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols, created Tue Oct 11 13:04:57 2022, 1st section name ".debug$S"
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_akfsyqoz.ont.ps1
very short file (no magic)
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j0v3avdz.ytr.ps1
very short file (no magic)
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pigzubgt.i2t.psm1
very short file (no magic)
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yf122sov.tys.psm1
very short file (no magic)