tFCIkIeZjG_469174.xls

Status: finished

Submission Time: 2020-05-26 01:29:32 +02:00

Malicious

E-Banking Trojan

Trojan

Exploiter

Evader

Hidden Macro 4.0 Ursnif

Comments

Details

Analysis ID:
232885
API (Web) ID:
361987
Analysis Started:

2020-05-26 01:29:33 +02:00
Analysis Finished:

2020-05-26 01:37:28 +02:00
MD5:
96453bf92b04c50bd6318dff5dab1408
SHA1:
137e4d66cad6092c9059294fd0cadb7940469428
SHA256:
8a69d755566a82a4447e1661c05b90fb501a624b8a97ffd3e792631ca36bdee8
Technologies:

Engines
IOCs

Joe Sandbox

Engine	Download Report	Detection	Info
		malicious
	Full Report Management Report IOC Report	malicious Score: 100	System: unknown

IPs

IP	Country	Detection
202.47.1.59	Australia
185.80.130.227	Lithuania

Domains

Name	IP	Detection
bluesebrangkali.xyz	185.80.130.227
theartistry.co	202.47.1.59

URLs

Name	Detection
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
http://crl.micros
http://cps.root-x1.letsencrypt.org0
Click to see the 24 hidden entries
http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#
http://crl.entrust.net/2048ca.crl0
https://secure.comodo.com/CPS0
http://ocsp.entrust.net0D
https://bluesebrangkali.xyz/index.htm
https://bluesebrangkali.xyzt
http://cert.int-x3.letsencrypt.org/0
https://sectigo.com/CPS0B
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
https://bluesebrangkali.xyz/index.htmRoot
https://bluesebrangkali.xyz/index.htmelLog
https://sectigo.com/CPS0
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
http://www.diginotar.nl/cps/pkioverheid0
http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
http://ocsp.int-x3.letsencrypt.org0/
http://www.xnview.comJ
http://ocsp.entrust.net03
https://bluesebrangkali.xyz/index.htmi.xyz/index.htm
https://bluesebrangkali.xyz
http://cps.letsencrypt.org0
http://ocsp.sectigo.com0
http://crl.entrust.net/server1.crl0

Dropped files

Name	File Type	Hashes
C:\YHGtfHd\pElDosT\OJxSJzN.exe	PE32 executable (GUI) Intel 80386, for MS Windows	#
C:\Users\user\Desktop\~$tFCIkIeZjG_469174.xls	data	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YM6I9G30\378rep92[1].exe	PE32 executable (GUI) Intel 80386, for MS Windows	#
Click to see the 75 hidden entries
C:\Users\user\AppData\Local\Temp\www498E.tmp	MS Windows 95 Internet shortcut text (URL=<https://ieonline.microsoft.com/#ieslice>), ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RH03E12C\errorPageStrings[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\TarF8F1.tmp	data	#
C:\Users\user\AppData\Local\Temp\JavaDeployReg.log	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\CabF8E6.tmp	Microsoft Cabinet archive data, 57243 bytes, 1 file	#
C:\Users\user\AppData\Local\Temp\2EE30000	data	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YM6I9G30\info_48[1]	PNG image data, 47 x 48, 8-bit/color RGBA, non-interlaced	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YM6I9G30\http_404[1]	HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YM6I9G30\httpErrorPagesScripts[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YM6I9G30\errorPageStrings[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YM6I9G30\down[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YM6I9G30\bullet[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YM6I9G30\background_gradient[1]	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1x800, frames 3	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YM6I9G30\ErrorPageTemplate[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RH03E12C\info_48[1]	PNG image data, 47 x 48, 8-bit/color RGBA, non-interlaced	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RH03E12C\http_404[1]	HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RH03E12C\httpErrorPagesScripts[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RH03E12C\down[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	#
C:\Users\user\AppData\Local\Temp\~DFE19723BC6563843C.TMP	data	#
C:\Users\user\Favorites\Links\Suggested Sites.url	MS Windows 95 Internet shortcut text (URL=<https://ieonline.microsoft.com/#ieslice>), ASCII text, with CRLF line terminators	#
C:\Users\user\Desktop\9FE30000	data	#
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\tFCIkIeZjG_469174.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Jan 28 13:45:43 2020, mtime=Mon May 25 22:31:24 2020, atime=Mon May 25 22:31:24 2020, length=597971, window=hide	#
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Jan 28 13:33:37 2020, mtime=Mon May 25 22:31:24 2020, atime=Mon May 25 22:31:24 2020, length=8192, window=hide	#
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Mon Aug 7 11:48:48 2017, mtime=Mon Aug 7 11:48:48 2017, atime=Wed May 31 02:32:40 2017, length (…)	#
C:\Users\user\AppData\Local\Temp\~DFE1BAD62EBF1407CC.TMP	data	#
C:\Users\user\AppData\Local\Temp\www4999.tmp	MS Windows 95 Internet shortcut text (URL=<https://ieonline.microsoft.com/#ieslice>), ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\~DFDEDAEF3E5BC3DE87.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DF7F0A206FDF222C85.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DF7D1BD1B4903D48B8.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DF6DB5AC014C94014D.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DF5C8FE1FEFF2E1239.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DF292AE2B74FF0EC8D.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DF1DBEC54C7A125F27.TMP	data	#
C:\Users\user\AppData\Local\Temp\www49A4.tmp	MS Windows 95 Internet shortcut text (URL=<https://ieonline.microsoft.com/#ieslice>), ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0DADCAD3-9EE0-11EA-B813-B2C276BF9C88}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DLY6AAYW\down[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DLY6AAYW\bullet[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DLY6AAYW\background_gradient[1]	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1x800, frames 3	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DLY6AAYW\ErrorPageTemplate[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{FE6463A3-9EDF-11EA-B813-B2C276BF9C88}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E1B90A1E-9EDF-11EA-B813-B2C276BF9C88}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E1B90A13-9EDF-11EA-B813-B2C276BF9C88}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1D5F1AC3-9EE0-11EA-B813-B2C276BF9C88}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DLY6AAYW\errorPageStrings[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{FE6463A1-9EDF-11EA-B813-B2C276BF9C88}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E1B90A11-9EDF-11EA-B813-B2C276BF9C88}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1D5F1AC1-9EE0-11EA-B813-B2C276BF9C88}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0DADCAD1-9EE0-11EA-B813-B2C276BF9C88}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	Composite Document File V2 Document, Cannot read section info	#
C:\Users\user\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	data	#
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A	data	#
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	#
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A	data	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FRMLSWKJ\errorPageStrings[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RH03E12C\bullet[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RH03E12C\background_gradient[1]	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1x800, frames 3	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RH03E12C\ErrorPageTemplate[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FRMLSWKJ\info_48[1]	PNG image data, 47 x 48, 8-bit/color RGBA, non-interlaced	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FRMLSWKJ\http_404[2]	HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FRMLSWKJ\http_404[1]	HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FRMLSWKJ\httpErrorPagesScripts[2]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FRMLSWKJ\httpErrorPagesScripts[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FRMLSWKJ\errorPageStrings[2]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, 57243 bytes, 1 file	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FRMLSWKJ\down[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FRMLSWKJ\bullet[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FRMLSWKJ\background_gradient[1]	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1x800, frames 3	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FRMLSWKJ\ErrorPageTemplate[2]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FRMLSWKJ\ErrorPageTemplate[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DLY6AAYW\info_48[1]	PNG image data, 47 x 48, 8-bit/color RGBA, non-interlaced	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DLY6AAYW\http_404[1]	HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DLY6AAYW\httpErrorPagesScripts[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#

tFCIkIeZjG_469174.xls

Comments

Tags

Available tags:

Details

Joe Sandbox

IPs

Domains

URLs

Dropped files

tFCIkIeZjG_469174.xls Options

Comments

Tags

Available tags:

Details

Joe Sandbox

IPs

Domains

URLs

Dropped files

Search started

tFCIkIeZjG_469174.xls