
sample.exe

Status: finished
Submission Time: 04.06.2020 09:51:00
Malicious
Ransomware
Trojan
Spyware
Evader
FormBook GuLoader

Details

  • Analysis ID:
    235598
  • API (Web) ID:
    367286
  • Analysis Started:
    04.06.2020 09:51:00
  • Analysis Finished:
    04.06.2020 10:12:19
  • MD5:
    178d06da82a097ab37a7423726fb2819
  • SHA1:
    31540af8d936241bd20d41599e17c80090906e2d
  • SHA256:
    59b75c1a0a646cabb9c69e981dc95985d9feb3ee1e3f7c3c0ace8165037ed006
  • Technologies:
Engine Info

System: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Java 8.0.1440.1, Flash 30.0.0.113)

Verdict     Score
malicious   100/100
malicious   32/72
malicious

IPs

Domains

URLs

Dropped files

Name / File Type

  • C:\Program Files\Av0hhbt\igfxjjoh.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\Av0hhbt\igfxjjoh.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.vbs
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Roaming\K56R799Q\K56logrf.ini
    data
  • C:\Users\user\AppData\Roaming\K56R799Q\K56logri.ini
    data
  • C:\Users\user\AppData\Roaming\K56R799Q\K56logrv.ini
    data
  • C:\Users\user\AppData\Roaming\K56R799Q\K56logim.jpeg
    JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\H93Q4923.txt
    ASCII text
  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\NA61OU32.txt
    ASCII text
  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\POIFNZ7E.txt
    ASCII text