Test_spam.xls

Status: finished

Submission Time: 2020-05-21 07:53:14 +02:00

Malicious

E-Banking Trojan

Trojan

Exploiter

Evader

Hidden Macro 4.0 Ursnif

Comments

Details

Analysis ID:
232009
API (Web) ID:
360290
Analysis Started:

2020-05-21 07:53:15 +02:00
Analysis Finished:

2020-05-21 08:01:18 +02:00
MD5:
d64dfd3bbf9e3d7784a83a11e253dedc
SHA1:
307b1fe7b9632b86fedb3075346268b72b0662e7
SHA256:
ec762ef169fdab5fcb002d635ea7e4cc5e575ee73f50dedf2e864883f6071527
Technologies:

Engines
IOCs

Joe Sandbox

Engine	Download Report	Detection	Info
		malicious
	Full Report Management Report IOC Report	malicious Score: 100	System: unknown

Third Party Analysis Engines

malicious

IPs

IP	Country	Detection
202.47.1.59	Australia
91.211.246.48	Lithuania

Domains

Name	IP	Detection
bespokemerchandises.com	202.47.1.59
worldwidebars.xyz	91.211.246.48

URLs

Name	Detection
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
https://worldwidebars.xyz6
https://worldwidebars.xyz
Click to see the 22 hidden entries
http://cps.root-x1.letsencrypt.org0
http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#
http://crl.entrust.net/2048ca.crl0
https://secure.comodo.com/CPS0
http://ocsp.entrust.net0D
https://worldwidebars.xyz/index.htmxyz/index.htm
https://worldwidebars.xyz/index.htmRoot
http://cert.int-x3.letsencrypt.org/0
https://sectigo.com/CPS0B
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
https://worldwidebars.xyz/index.htm
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
http://www.diginotar.nl/cps/pkioverheid0
http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r
https://worldwidebars.xyz/index.ht
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
http://ocsp.int-x3.letsencrypt.org0/
http://ocsp.entrust.net03
http://cps.letsencrypt.org0
http://ocsp.sectigo.com0
http://crl.entrust.net/server1.crl0
https://sectigo.com/CPS0

Dropped files

Name	File Type	Hashes
C:\LttgTtQ\drYpcgG\BwkGvmB.exe	PE32 executable (GUI) Intel 80386, for MS Windows	#
C:\Users\user\Desktop\~$Test_spam.xls	data	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BALWKT9\374B7Ai1[1].exe	PE32 executable (GUI) Intel 80386, for MS Windows	#
Click to see the 75 hidden entries
C:\Users\user\AppData\Local\Temp\TarFEC5.tmp	data	#
C:\Users\user\AppData\Local\Temp\www536A.tmp	MS Windows 95 Internet shortcut text (URL=<https://ieonline.microsoft.com/#ieslice>), ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\JavaDeployReg.log	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\F3F30000	data	#
C:\Users\user\AppData\Local\Temp\CabFEC4.tmp	Microsoft Cabinet archive data, 57243 bytes, 1 file	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZMFKJH42\info_48[1]	PNG image data, 47 x 48, 8-bit/color RGBA, non-interlaced	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZMFKJH42\http_404[1]	HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZMFKJH42\httpErrorPagesScripts[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZMFKJH42\errorPageStrings[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZMFKJH42\down[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZMFKJH42\bullet[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZMFKJH42\background_gradient[1]	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1x800, frames 3	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZMFKJH42\ErrorPageTemplate[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R4H0PHGM\info_48[1]	PNG image data, 47 x 48, 8-bit/color RGBA, non-interlaced	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R4H0PHGM\http_404[2]	HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R4H0PHGM\http_404[1]	HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R4H0PHGM\httpErrorPagesScripts[2]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R4H0PHGM\httpErrorPagesScripts[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\~DFA21454485C882D9C.TMP	data	#
C:\Users\user\Favorites\Links\Suggested Sites.url	MS Windows 95 Internet shortcut text (URL=<https://ieonline.microsoft.com/#ieslice>), ASCII text, with CRLF line terminators	#
C:\Users\user\Desktop\55F30000	data	#
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Test_spam.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Jan 28 13:45:45 2020, mtime=Thu May 21 04:55:25 2020, atime=Thu May 21 04:55:25 2020, length=750430, window=hide	#
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Jan 28 13:33:37 2020, mtime=Thu May 21 04:55:25 2020, atime=Thu May 21 04:55:25 2020, length=12288, window=hide	#
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Mon Aug 7 11:48:48 2017, mtime=Mon Aug 7 11:48:48 2017, atime=Wed May 31 02:32:40 2017, length (…)	#
C:\Users\user\AppData\Local\Temp\~DFEECD7278DBC2243D.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DFAE526A3A41A83060.TMP	data	#
C:\Users\user\AppData\Local\Temp\www535F.tmp	MS Windows 95 Internet shortcut text (URL=<https://ieonline.microsoft.com/#ieslice>), ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\~DF4EFA18E5DA79C34C.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DF4ED6F6533819B27F.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DF3203796BAE214E59.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DF06BF3EB0A933A2DA.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DF06865E5D1696E570.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DF065374345AEBF165.TMP	data	#
C:\Users\user\AppData\Local\Temp\www5375.tmp	MS Windows 95 Internet shortcut text (URL=<https://ieonline.microsoft.com/#ieslice>), ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R4H0PHGM\errorPageStrings[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DEC5BE01-9B27-11EA-B813-B2C276BF9C88}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BALWKT9\background_gradient[1]	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1x800, frames 3	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BALWKT9\ErrorPageTemplate[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{EE87DD03-9B27-11EA-B813-B2C276BF9C88}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DEC5BE03-9B27-11EA-B813-B2C276BF9C88}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{CEFD8243-9B27-11EA-B813-B2C276BF9C88}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B3E5923E-9B27-11EA-B813-B2C276BF9C88}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B3E59233-9B27-11EA-B813-B2C276BF9C88}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EE87DD01-9B27-11EA-B813-B2C276BF9C88}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BALWKT9\bullet[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CEFD8241-9B27-11EA-B813-B2C276BF9C88}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B3E59231-9B27-11EA-B813-B2C276BF9C88}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	Composite Document File V2 Document, Cannot read section info	#
C:\Users\user\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	data	#
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A	data	#
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	#
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A	data	#
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, 57243 bytes, 1 file	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P0RG3V0B\down[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R4H0PHGM\down[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R4H0PHGM\bullet[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R4H0PHGM\background_gradient[1]	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1x800, frames 3	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R4H0PHGM\ErrorPageTemplate[2]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R4H0PHGM\ErrorPageTemplate[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P0RG3V0B\info_48[1]	PNG image data, 47 x 48, 8-bit/color RGBA, non-interlaced	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P0RG3V0B\http_404[1]	HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P0RG3V0B\httpErrorPagesScripts[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P0RG3V0B\errorPageStrings[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R4H0PHGM\errorPageStrings[2]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P0RG3V0B\bullet[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P0RG3V0B\background_gradient[1]	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1x800, frames 3	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P0RG3V0B\ErrorPageTemplate[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BALWKT9\info_48[1]	PNG image data, 47 x 48, 8-bit/color RGBA, non-interlaced	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BALWKT9\http_404[1]	HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BALWKT9\httpErrorPagesScripts[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BALWKT9\errorPageStrings[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BALWKT9\down[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	#

Test_spam.xls

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

Test_spam.xls Options

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

Search started

Test_spam.xls