flash

EJ6FBXJ9Dg.exe

Status: finished
Submission Time: 2022-10-13 08:47:09 +02:00
Malicious
Trojan
Spyware
Exploiter
Evader
Ursnif, Raccoon Stealer v2

Comments

Tags

  • exe
  • RecordBreaker

Details

  • Analysis ID:
    722131
  • API (Web) ID:
    1089532
  • Analysis Started:
    2022-10-13 08:47:09 +02:00
  • Analysis Finished:
    2022-10-13 08:57:31 +02:00
  • MD5:
    5949348fedecc598cdbce7072639231f
  • SHA1:
    a9a614ecb4871b57da47b32ce572c46493de6897
  • SHA256:
    2fffec7d345d16c2480ea2f3f2e046e220488486c81cf7e1c14adfab890ec0b1
  • Technologies:
Full Report Management Report IOC Report Engine Info Verdict Score Reports

malicious

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211

malicious
100/100

malicious
47/72

malicious
5/10

malicious

malicious

IPs

IP Country Detection
188.127.227.51
Russian Federation
45.8.158.104
Russian Federation
31.31.198.19
Russian Federation

Domains

Name IP Detection
qpdownloads.com
31.31.198.19
trackingg-protectioon.cdn1.mozilla.net
0.0.0.0

URLs

Name Detection
http://188.127.227.51/49d6ec0cd113efb59453fa49c7f2abcd
http://188.127.227.51/
https://nuget.org/nuget.exe
Click to see the 33 hidden entries
https://www.vign.
https://ac.ecosia.org/autocomplete?q=
https://search.yahoo.com?fr=crmas_sfp
http://45.8.158.104/uploaded/Xac7t2mitXIgCMsf9BuB/MO0_2Fwxiby6n8I6o_2/FDgHHlLSuOuDkfbPQtCcKd/YlwrlyD
http://constitution.org/usdeclar.txt
http://45.8.158.104/uploaded/zbAczskpRoi/wpOTNz2ovPWOn_/2B_2FrKEtFFbUGtGX6UpM/aPAjWjIABTFmZnGA/TX3qfwxbX9aDBL1/IeT5piixzi8h4SRl9u/8_2B0Atg2/EH_2BuWU2tSI81tfObAy/vUlIlX4Ry5a2Lkg_2BA/WrsB69Jk6Nr0AfUnViCZgr/xOQsHH2r7bRf4/GbUKvAO_/2B_2BNCAwjUDjs1PnMfwFho/BSlcplWuk_/2ByFg1B7Jha7Qhk7w/kMamT9D_2B57/Uw_2B3UVmpC/BA7AL3JebG7W65/8MiRPWVyAeG2AtQC9YkgU/qP7k.pct
https://contoso.com/
http://45.8.158.104/uploaded/Xac7t2mitXIgCMsf9BuB/MO0_2Fwxiby6n8I6o_2/FDgHHlLSuOuDkfbPQtCcKd/YlwrlyDXRc_2B/ixVyFqQK/k126u_2B_2Ba_2BruFx1_2F/jniVE8w7fc/bk1R9cvUDCNSr3LVX/6pZVXtyVf482/WFP0247XYM7/A2gUdzKCCOqwfV/Gv8pnlgo2_2FOJ3S2ifKR/bqy_2FBRKHq_2Fpg/Vdjwqlx7uWisr2l/fEIsbd32W_2FSgiOj7/dytSGoyJO/SSfkZcDtemeWWSjAjk_2/FpEHeBUMQUi3yJQSNuD/_2FtYwM7I7Bk/pKYwZ.pct
http://qpdownloads.com/10103.exe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://trackingg-protectioon.cdn1.mozilla.net/uploaded/1nOLBbA4MMg8uH2db9T/AXce5fVRPsPAKOJdUYw5Yz/f6
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
http://45.8.158.104/uploaded/7PEROc7T_2Fgr3AlFhC44I/HihA8yGOnHHyC/7qKpRjMK/_2BISfbG8Z1hpAn69C67v7h/g
https://mozilla.org0
http://www.sqlite.org/copyright.html.
http://45.8.158.104/uploaded/7PEROc7T_2Fgr3AlFhC44I/HihA8yGOnHHyC/7qKpRjMK/_2BISfbG8Z1hpAn69C67v7h/gkKIfJKu9W/RfGqkB9ODhAT7t3c5/NgU9QmTJW10x/ljH6Rbwk6Te/NQKogNebUNXkBe/OP8YU_2BPfX7w7JRWnzlY/DYJ2tPBGUU9yVi7O/2UHx3wnrI8usjfi/mEy_2FvxgACU_2BVfF/k_2BhGhcG/DY4c1ymhU_2BCF0kWEYq/M0_2B_2F16h_2BgoOGF/9_2FtG_2F6BZfr3nq2A72O/TaGtamWcSmCx5/BKV7x7CGne61RjWS63/G.pct
https://contoso.com/License
https://duckduckgo.com/chrome_newtab
http://nuget.org/NuGet.exe
http://www.mozilla.com/en-US/blocklist/
https://duckduckgo.com/ac/?q=
https://www.google.com/images/branding/product/ico/googleg_lodp.ico
http://pesterbdd.com/images/Pester.png
http://www.apache.org/licenses/LICENSE-2.0.html
http://constitution.org/usdeclar.txtC:
http://45.8.158.104/uploaded/zbAczskpRoi/wpOTNz2ovPWOn_/2B_2FrKEtFFbUGtGX6UpM/aPAjWjIABTFmZnGA/TX3qf
https://contoso.com/Icon
https://search.yahoo.com?fr=crmas_sfpf
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
http://https://file://USER.ID%lu.exe/upd
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
https://github.com/Pester/Pester

Dropped files

Name File Type Hashes Detection
C:\Users\user\AppData\LocalLow\freebl3.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Roaming\XHSRZM23.exe
PE32 executable (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Local\Temp\mkr2iq4u.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
#
Click to see the 24 hidden entries
C:\Users\user\AppData\Local\Temp\mkr2iq4u.cmdline
Unicode text, UTF-8 (with BOM) text, with very long lines (348), with no line terminators
#
C:\Users\user\AppData\Local\Temp\jv54rgf4.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\LocalLow\sqlite3.dll
PE32 executable (DLL) (console) Intel 80386, for MS Windows
#
C:\Users\user\AppData\LocalLow\softokn3.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\LocalLow\mozglue.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\LocalLow\nss3.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jtb51wp4.4ti.ps1
very short file (no magic)
#
C:\Users\user\AppData\LocalLow\2If3OY9WA2aU
SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
#
C:\Users\user\AppData\Local\Temp\mkr2iq4u.out
Unicode text, UTF-8 (with BOM) text, with very long lines (427), with CRLF, CR line terminators
#
C:\Users\user\AppData\LocalLow\msvcp140.dll
PE32 executable (DLL) (console) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Local\Temp\mkr2iq4u.0.cs
C++ source, Unicode text, UTF-8 (with BOM) text
#
C:\Users\user\AppData\Local\Temp\jv54rgf4.out
Unicode text, UTF-8 (with BOM) text, with very long lines (427), with CRLF, CR line terminators
#
C:\Users\user\AppData\Local\Temp\jv54rgf4.cmdline
Unicode text, UTF-8 (with BOM) text, with very long lines (348), with no line terminators
#
C:\Users\user\AppData\Local\Temp\jv54rgf4.0.cs
C++ source, Unicode text, UTF-8 (with BOM) text
#
C:\Users\user\AppData\LocalLow\sF9O6f0cCdbK
SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_isg504bu.mfz.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\RESFF35.tmp
Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols, created Thu Oct 13 06:49:56 2022, 1st section name ".debug$S"
#
C:\Users\user\AppData\Local\Temp\RESF206.tmp
Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols, created Thu Oct 13 06:49:52 2022, 1st section name ".debug$S"
#
C:\Users\user\AppData\Local\Temp\CSCC9AB450BCFA441ED9B999D6FD5DE3822.TMP
MSVC .res
#
C:\Users\user\AppData\Local\Temp\CSC20F2306B39284E32B5AB6E9725E2189D.TMP
MSVC .res
#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
data
#
C:\Users\user\AppData\LocalLow\y3enbS6322L5
SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
#
C:\Users\user\AppData\LocalLow\vcruntime140.dll
PE32 executable (DLL) (console) Intel 80386, for MS Windows
#
C:\Users\user\AppData\LocalLow\pU97tg112OjD
SQLite 3.x database, last written using SQLite version 3038005, file counter 10, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 10
#