adam.cefai-596971.xls

Status: finished

Submission Time: 2020-04-06 13:22:37 +02:00

Malicious

E-Banking Trojan

Trojan

Exploiter

Evader

Ursnif

Comments

Details

Analysis ID:
220459
API (Web) ID:
337699
Analysis Started:

2020-04-06 13:22:38 +02:00
Analysis Finished:

2020-04-06 13:30:13 +02:00
MD5:
5f474866fcad7e2c9417c7edf87583f6
SHA1:
ed22bfd990150a705ea1076732516f1686b6cc5c
SHA256:
f9247ffb2c27b307868d9e3e9254b778d52151fb1b4c38d640ca21c792d0d79c
Technologies:

Engines
IOCs

Joe Sandbox

Engine	Download Report	Detection	Info
		malicious
	Full Report Management Report IOC Report	malicious Score: 100	System: unknown

Third Party Analysis Engines

Open Full Report

malicious

Score: 33/72

Open Full Report

malicious

Score: 18/40

malicious

Score: 27/31

IPs

IP	Country	Detection
89.46.109.62	Italy

Domains

Name	IP	Detection
www.istitutobpascalweb.it	89.46.109.62
istitutobpascalweb.it	89.46.109.62
prlottonews.xyz	0.0.0.0

URLs

Name	Detection
https://prlottonews.xyz/index.htmTravelLog
https://prlottonews.xyz/index.htmps://prlottonews.xyz/index.htm
https://prlottonews.xyz
Click to see the 9 hidden entries
https://prlottonews.xyz/index.htmRoot
https://prlottonews.xyz/index.htm
http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
http://ocsp.sectigo.com0
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
https://sectigo.com/CPS0B
http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#
https://sectigo.com/CPS0C

Dropped files

Name	File Type	Hashes
C:\RPJbYuR\pvrDGVq\rCLGjyS.exe	PE32 executable (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JPFGGPGF\508delicate[1].exe	PE32 executable (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\www3CBA.tmp	MS Windows 95 Internet shortcut text (URL=<https://ieonline.microsoft.com/#ieslice>), ASCII text, with CRLF line terminators	#
Click to see the 50 hidden entries
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JPFGGPGF\errorPageStrings[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JPFGGPGF\httpErrorPagesScripts[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VSU5KGAG\NewErrorPageTemplate[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VSU5KGAG\dnserror[1]	HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VSU5KGAG\errorPageStrings[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VSU5KGAG\httpErrorPagesScripts[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VSU5KGAG\renoovohostinglilnuxadvanced[1].htm	HTML document, ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\CabD63C.tmp	Microsoft Cabinet archive data, 57416 bytes, 1 file	#
C:\Users\user\AppData\Local\Temp\JavaDeployReg.log	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\TarD63D.tmp	data	#
C:\Users\user\AppData\Local\Temp\www3CA5.tmp	MS Windows 95 Internet shortcut text (URL=<https://ieonline.microsoft.com/#ieslice>), ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JPFGGPGF\NewErrorPageTemplate[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\www3CC5.tmp	MS Windows 95 Internet shortcut text (URL=<https://ieonline.microsoft.com/#ieslice>), ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\~DF27DD540F782D6F16.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DF3E113C30650559FC.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DF649C1DC52CF32FB6.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DF7A0CCEF6F93F2223.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DF7E4030C76C18C97C.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DF7F511D59CEF8A3AB.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DF86079C3C71C7961D.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DFD7783B11BA30656D.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DFE6433CB274058931.TMP	data	#
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Mon Aug 7 11:48:48 2017, mtime=Mon Aug 7 11:48:48 2017, atime=Wed May 31 02:32:40 2017, length (…)	#
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ASCII text, with CRLF line terminators	#
C:\Users\user\Favorites\Links\Suggested Sites.url	MS Windows 95 Internet shortcut text (URL=<https://ieonline.microsoft.com/#ieslice>), ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{5DFDC003-77F9-11EA-B813-B2C276BF9C88}.dat	Microsoft Word Document	#
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, 57416 bytes, 1 file	#
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	#
C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	PNG image data, 16 x 16, 4-bit colormap, non-interlaced	#
C:\Users\user\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	data	#
C:\Users\user\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	Composite Document File V2 Document, Cannot read section info	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{30AB1151-77F9-11EA-B813-B2C276BF9C88}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4E3A19D1-77F9-11EA-B813-B2C276BF9C88}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5DFDC001-77F9-11EA-B813-B2C276BF9C88}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6E78C4B1-77F9-11EA-B813-B2C276BF9C88}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{30AB1153-77F9-11EA-B813-B2C276BF9C88}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{30AB115E-77F9-11EA-B813-B2C276BF9C88}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{4E3A19D3-77F9-11EA-B813-B2C276BF9C88}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JPFGGPGF\dnserror[1]	HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6E78C4B3-77F9-11EA-B813-B2C276BF9C88}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5MBQMF2X\NewErrorPageTemplate[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5MBQMF2X\dnserror[1]	HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5MBQMF2X\errorPageStrings[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5MBQMF2X\httpErrorPagesScripts[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DKVNDE8Y\NewErrorPageTemplate[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DKVNDE8Y\dnserror[1]	HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DKVNDE8Y\errorPageStrings[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DKVNDE8Y\favicon[1].ico	PNG image data, 16 x 16, 4-bit colormap, non-interlaced	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DKVNDE8Y\httpErrorPagesScripts[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#

adam.cefai-596971.xls

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

adam.cefai-596971.xls Options

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

Search started

adam.cefai-596971.xls