
EJ6FBXJ9Dg.exe

Status: finished
Submission Time: 2022-10-13 08:47:09 +02:00
Malicious
Trojan
Spyware
Exploiter
Evader
Ursnif, Raccoon Stealer v2

Tags

  • exe
  • RecordBreaker

Details

  • Analysis ID:
    722131
  • API (Web) ID:
    1089532
  • Analysis Started:
    2022-10-13 08:47:09 +02:00
  • Analysis Finished:
    2022-10-13 08:57:31 +02:00
  • MD5:
    5949348fedecc598cdbce7072639231f
  • SHA1:
    a9a614ecb4871b57da47b32ce572c46493de6897
  • SHA256:
    2fffec7d345d16c2480ea2f3f2e046e220488486c81cf7e1c14adfab890ec0b1
  • Technologies:

Joe Sandbox

  • Detection:
    malicious
  • Score:
    100
  • System:
    Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

  • malicious
    Score: 47/72
  • malicious
    Score: 5/10
  • malicious
  • malicious

IPs

  • 188.127.227.51
    Russian Federation
  • 45.8.158.104
    Russian Federation
  • 31.31.198.19
    Russian Federation

Domains

  • qpdownloads.com
    31.31.198.19
  • trackingg-protectioon.cdn1.mozilla.net
    0.0.0.0

URLs

  • http://188.127.227.51/49d6ec0cd113efb59453fa49c7f2abcd
  • http://188.127.227.51/
  • https://nuget.org/nuget.exe
  • https://www.vign.
  • https://ac.ecosia.org/autocomplete?q=
  • https://search.yahoo.com?fr=crmas_sfp
  • http://45.8.158.104/uploaded/Xac7t2mitXIgCMsf9BuB/MO0_2Fwxiby6n8I6o_2/FDgHHlLSuOuDkfbPQtCcKd/YlwrlyD
  • http://constitution.org/usdeclar.txt
  • http://45.8.158.104/uploaded/zbAczskpRoi/wpOTNz2ovPWOn_/2B_2FrKEtFFbUGtGX6UpM/aPAjWjIABTFmZnGA/TX3qfwxbX9aDBL1/IeT5piixzi8h4SRl9u/8_2B0Atg2/EH_2BuWU2tSI81tfObAy/vUlIlX4Ry5a2Lkg_2BA/WrsB69Jk6Nr0AfUnViCZgr/xOQsHH2r7bRf4/GbUKvAO_/2B_2BNCAwjUDjs1PnMfwFho/BSlcplWuk_/2ByFg1B7Jha7Qhk7w/kMamT9D_2B57/Uw_2B3UVmpC/BA7AL3JebG7W65/8MiRPWVyAeG2AtQC9YkgU/qP7k.pct
  • https://contoso.com/
  • http://45.8.158.104/uploaded/Xac7t2mitXIgCMsf9BuB/MO0_2Fwxiby6n8I6o_2/FDgHHlLSuOuDkfbPQtCcKd/YlwrlyDXRc_2B/ixVyFqQK/k126u_2B_2Ba_2BruFx1_2F/jniVE8w7fc/bk1R9cvUDCNSr3LVX/6pZVXtyVf482/WFP0247XYM7/A2gUdzKCCOqwfV/Gv8pnlgo2_2FOJ3S2ifKR/bqy_2FBRKHq_2Fpg/Vdjwqlx7uWisr2l/fEIsbd32W_2FSgiOj7/dytSGoyJO/SSfkZcDtemeWWSjAjk_2/FpEHeBUMQUi3yJQSNuD/_2FtYwM7I7Bk/pKYwZ.pct
  • http://qpdownloads.com/10103.exe
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  • http://trackingg-protectioon.cdn1.mozilla.net/uploaded/1nOLBbA4MMg8uH2db9T/AXce5fVRPsPAKOJdUYw5Yz/f6
  • https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
  • http://45.8.158.104/uploaded/7PEROc7T_2Fgr3AlFhC44I/HihA8yGOnHHyC/7qKpRjMK/_2BISfbG8Z1hpAn69C67v7h/g
  • https://mozilla.org0
  • http://www.sqlite.org/copyright.html.
  • http://45.8.158.104/uploaded/7PEROc7T_2Fgr3AlFhC44I/HihA8yGOnHHyC/7qKpRjMK/_2BISfbG8Z1hpAn69C67v7h/gkKIfJKu9W/RfGqkB9ODhAT7t3c5/NgU9QmTJW10x/ljH6Rbwk6Te/NQKogNebUNXkBe/OP8YU_2BPfX7w7JRWnzlY/DYJ2tPBGUU9yVi7O/2UHx3wnrI8usjfi/mEy_2FvxgACU_2BVfF/k_2BhGhcG/DY4c1ymhU_2BCF0kWEYq/M0_2B_2F16h_2BgoOGF/9_2FtG_2F6BZfr3nq2A72O/TaGtamWcSmCx5/BKV7x7CGne61RjWS63/G.pct
  • https://contoso.com/License
  • https://duckduckgo.com/chrome_newtab
  • http://nuget.org/NuGet.exe
  • http://www.mozilla.com/en-US/blocklist/
  • https://duckduckgo.com/ac/?q=
  • https://www.google.com/images/branding/product/ico/googleg_lodp.ico
  • http://pesterbdd.com/images/Pester.png
  • http://www.apache.org/licenses/LICENSE-2.0.html
  • http://constitution.org/usdeclar.txtC:
  • http://45.8.158.104/uploaded/zbAczskpRoi/wpOTNz2ovPWOn_/2B_2FrKEtFFbUGtGX6UpM/aPAjWjIABTFmZnGA/TX3qf
  • https://contoso.com/Icon
  • https://search.yahoo.com?fr=crmas_sfpf
  • https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
  • http://https://file://USER.ID%lu.exe/upd
  • https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
  • https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
  • https://github.com/Pester/Pester

Dropped files

  • C:\Users\user\AppData\LocalLow\freebl3.dll
    PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Roaming\XHSRZM23.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\mkr2iq4u.dll
    PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\mkr2iq4u.cmdline
    Unicode text, UTF-8 (with BOM) text, with very long lines (348), with no line terminators
  • C:\Users\user\AppData\Local\Temp\jv54rgf4.dll
    PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\LocalLow\sqlite3.dll
    PE32 executable (DLL) (console) Intel 80386, for MS Windows
  • C:\Users\user\AppData\LocalLow\softokn3.dll
    PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\LocalLow\mozglue.dll
    PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\LocalLow\nss3.dll
    PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jtb51wp4.4ti.ps1
    very short file (no magic)
  • C:\Users\user\AppData\LocalLow\2If3OY9WA2aU
    SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
  • C:\Users\user\AppData\Local\Temp\mkr2iq4u.out
    Unicode text, UTF-8 (with BOM) text, with very long lines (427), with CRLF, CR line terminators
  • C:\Users\user\AppData\LocalLow\msvcp140.dll
    PE32 executable (DLL) (console) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\mkr2iq4u.0.cs
    C++ source, Unicode text, UTF-8 (with BOM) text
  • C:\Users\user\AppData\Local\Temp\jv54rgf4.out
    Unicode text, UTF-8 (with BOM) text, with very long lines (427), with CRLF, CR line terminators
  • C:\Users\user\AppData\Local\Temp\jv54rgf4.cmdline
    Unicode text, UTF-8 (with BOM) text, with very long lines (348), with no line terminators
  • C:\Users\user\AppData\Local\Temp\jv54rgf4.0.cs
    C++ source, Unicode text, UTF-8 (with BOM) text
  • C:\Users\user\AppData\LocalLow\sF9O6f0cCdbK
    SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_isg504bu.mfz.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\RESFF35.tmp
    Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols, created Thu Oct 13 06:49:56 2022, 1st section name ".debug$S"
  • C:\Users\user\AppData\Local\Temp\RESF206.tmp
    Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols, created Thu Oct 13 06:49:52 2022, 1st section name ".debug$S"
  • C:\Users\user\AppData\Local\Temp\CSCC9AB450BCFA441ED9B999D6FD5DE3822.TMP
    MSVC .res
  • C:\Users\user\AppData\Local\Temp\CSC20F2306B39284E32B5AB6E9725E2189D.TMP
    MSVC .res
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    data
  • C:\Users\user\AppData\LocalLow\y3enbS6322L5
    SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
  • C:\Users\user\AppData\LocalLow\vcruntime140.dll
    PE32 executable (DLL) (console) Intel 80386, for MS Windows
  • C:\Users\user\AppData\LocalLow\pU97tg112OjD
    SQLite 3.x database, last written using SQLite version 3038005, file counter 10, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 10