adam.cefai-596971.xls

Status: finished
Submission Time: 06.04.2020 13:22:37
Verdict: Malicious
Classification: E-Banking Trojan, Trojan, Exploiter, Evader, Ursnif

Details

  • Analysis ID: 220459
  • API (Web) ID: 337699
  • Analysis Started: 06.04.2020 13:22:38
  • Analysis Finished: 06.04.2020 13:30:13
  • MD5: 5f474866fcad7e2c9417c7edf87583f6
  • SHA1: ed22bfd990150a705ea1076732516f1686b6cc5c
  • SHA256: f9247ffb2c27b307868d9e3e9254b778d52151fb1b4c38d640ca21c792d0d79c
Reports (engine, verdict, score)

  • Full Report: malicious
    System: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Java 8.0.1440.1, Flash 30.0.0.113)
  • Verdict: malicious, score 100/100
  • Verdict: malicious, score 33/72
  • Verdict: malicious, score 18/40
  • Verdict: malicious, score 27/31

IPs (IP, country)

  • 89.46.109.62 (Italy)

Domains (name, resolved IP)

  • www.istitutobpascalweb.it: 89.46.109.62
  • istitutobpascalweb.it: 89.46.109.62
  • prlottonews.xyz: 0.0.0.0

URLs

  • https://prlottonews.xyz/index.htmTravelLog
  • https://prlottonews.xyz/index.htmps://prlottonews.xyz/index.htm
  • https://prlottonews.xyz
  • https://prlottonews.xyz/index.htmRoot
  • https://prlottonews.xyz/index.htm

Dropped files (name, file type)

  • C:\RPJbYuR\pvrDGVq\rCLGjyS.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JPFGGPGF\508delicate[1].exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
    Microsoft Cabinet archive data, 57416 bytes, 1 file