Lakeringernes (1).exe

Status: finished
Submission Time: 2022-11-28 10:06:17 +01:00
Verdict: Malicious
Classification: Trojan, Evader, Spyware
Malware families: FormBook, GuLoader

Tags

  • exe
  • signed

Details

  • Analysis ID:
    755081
  • API (Web) ID:
    1122365
  • Analysis Started:
    2022-11-28 10:08:54 +01:00
  • Analysis Finished:
    2022-11-28 10:36:31 +01:00
  • MD5:
    d70de507cc0d22e43ebcf8b61a273ea5
  • SHA1:
    9818fba05573d67b834c90a3208faddea3446545
  • SHA256:
    4dbcd711f2263775f0a1083e0541a07247736ba2fdaabf000654756f8c3dae67

Engine results (verdict and score)

  • System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Verdict: malicious; Score: 68/100
  • System: Windows 10 64 bit 20H2 native physical machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
    Run Condition: Suspected Instruction Hammering
    Verdict: malicious; Score: 100/100
  • Verdict: malicious; Score: 25/72
  • Verdict: malicious; Score: 20/26
  • Verdict: malicious

IPs


Domains


URLs


Dropped files

  • C:\Users\user\AppData\Local\Temp\752cuCH8
    File type: SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 5, database pages 59, cookie 0x4f, schema 4, UTF-8, version-valid-for 5
  • C:\Users\user\AppData\Local\Temp\Distressingly\Bloods\Ultraevangelical\Graviton\Kvle\Materialiseringerne\Antenneanlgget\Custom3.ini
    File type: Generic INItialization configuration [Effect2]
  • C:\Users\user\AppData\Local\Temp\Distressingly\Bloods\Ultraevangelical\Graviton\Kvle\Materialiseringerne\Antenneanlgget\Invirility.Hus
    File type: data
  • C:\Users\user\AppData\Local\Temp\Distressingly\Bloods\Ultraevangelical\histopathologist.Clo
    File type: data
  • C:\Users\user\AppData\Local\Temp\Dybfrossen.ini
    File type: ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\nsbCBD1.tmp\System.dll
    File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows