presentation#_37412.vbs

Status: finished

Submission Time: 2020-06-26 23:50:44 +02:00

Malicious

E-Banking Trojan

Trojan

Evader

Ursnif

Comments

Details

Analysis ID:
241818
API (Web) ID:
379359
Analysis Started:

2020-06-26 23:50:45 +02:00
Analysis Finished:

2020-06-27 00:03:55 +02:00
MD5:
570cab3ed56a9c69bc3e5b85a838b42d
SHA1:
c2952cbb31ee98c5c1a676e1820a3c73345083a0
SHA256:
3a34c90fa6f4c879311dee500a97fb07aa8f62e338d6d4c539132d1d0234079e
Technologies:

Engines
IOCs

Joe Sandbox

Engine	Download Report	Detection	Info
	Full Report Management Report IOC Report	malicious Score: 100	System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

Open Full Report

malicious

Score: 34/71

malicious

Score: 9/31

IPs

IP	Country	Detection
47.91.16.227	United States
88.99.66.31	Germany

Domains

Name	IP	Detection
cdn.arsis.at	47.91.16.227
iplogger.org	88.99.66.31

URLs

Name	Detection
http://cdn.arsis.at/api1/fChp9yiHW0ak/6ABbAAPF_2F/sjRfWmm9SslHuL/vpPBqdgGo8ccadC7H8SEb/TyF50aVGXLisG
http://cdn.arsis.at/api1/_2F96u8_2FZ/EYqJKh1Ngny4Aq/V0ul_2B76vnCVgW_2BqZ4/cDPG7kFHmk7kQIHq/JoxfaxV7R_2Fd7I/tnK3agfpuItkWAnPuA/dTuek80Cc/KvMdPwABD3Kn3O3OwtSs/M_2B3MLZIuycdj8mumK/ovhvgf9t0CcgYKlpSoBYua/HF019VRVgFuML/wgzWgbg_/2FRwBU9h9t8xGP6bof3vAn2/zCJPwfq9y_/2BOoZvpPaHbZehCqv/TRxfbbxVx4uT/kAE4h04qgbv/XcecdXWkl_0A_0/DMSryQuP_2FL8iIgmB8N3/2IZE_2B0AAK2R4_2/FqWKohYA6wCFg0iY/4
http://cdn.arsis.at/api1/VfEKz1myZT5CMk/JOes7VaLoziq9XEq9yMZE/Ba9NeCvDKLL4t9st/yORMw_2FTCcLRY8/BzDrIQtbvxF_2F0_2F/OVSDW7RBL/Dxljl0actuIXiOkMOoSM/2Qafjj9UlnA3ZaICs68/7EN_2FcPSfGOLHDINjVaJR/sybj_2Ftqj40O/4RGPbIGT/sfpQnOxbHaeV7mdWnBN3AD_/2FobBWIIAR/sk29IONIISriBXyH7/2f5pVe8tkTwV/lBj2fxrAO8p/K_2FY4L_2FXf4m/wlEEUx_0A_0DqlkLJjiAg/aGAXF3hcbI9xBiuN/12U6Bk4vRfS5EgX/x_2FRQj1ePtWOFjlux/v0lz6VR5u/80e
Click to see the 35 hidden entries
http://cdn.arsis.at/94
http://cdn.arsis.at/api1/ta2Qq0A3gKXgVovgJ1vKE/2_2FIM5p4Bhjg2LU/9edjLALRM8XV0bd/EyiWajrrUFrzXstZzR/X5JA_2BNG/f0MaBSPiZYuijFYV3d53/wETgzQuVs_2FWTIXLMJ/hvgag_2F12fktY7jOyaMf0/3_2FlmdwLyJxE/zSa1yEYb/XKeNDoxCDyqk8Olu8mj9eJX/3S6kYUJWq_/2FXbrGXbZDgMotMCG/dkV8VOu9NUhi/XgOBreGJwLg/5dfFXqWaOC8nxu/OGC_2B67dC2JTVeMrj_0A/_0DbaO3HDeBZ0ORB/BQpoR_2BWMJuybU/_2BNlcKL4rYN68MIv0wNf/U0
http://cdn.arsis.at/api1/Ug_2F2owyboNkho_2FX6zYf/TG0yRZwcso/0EN7jvHdt8GXOrD5i/f7MJwifZ8NFl/_2BNunOLL
http://cdn.arsis.at/c
http://cdn.arsis.at/api1/t_2F85h_2BV3B/NMYjNdpj/i1iFpV_2Bb9OyoUqqqAWvfq/LLH83lyf4X/x7Pl6xfUL9W5rzfyv
http://cdn.arsis.at/api1/6BJOMr_2F2mWiWhoKa8o/TrGoFIqXORKGmqprvx7/DK2BHjMRsRkrWw00PZjCD6/vawx6Qbf5Fx
http://cdn.arsis.at/30
http://cdn.arsis.at/5a
http://cdn.arsis.at/api1/bRUh_2FTU7Td9/J9yUDA5X/iJdgaW430yZSF9ALQtRhOha/xU8trLRIHq/HgEgaot9sP6AhTTvX/a7CCwZkYlH1u/uRPEwB4UXra/kq0zKEvZgXjal_/2FVOdvPPSSFGTIi5tnbP5/b7lVZ0jXl9iPJ_2B/PEsK8WfPvGvaBmY/SS_2FYMGW5rKc1zGLb/f8aHDli2r/6EUirEkRNu3oV6saGeAX/6H5E_2BxrCjEYl_2FjJ/FwRUh6qG_2Bq2bL5rMzDfJ/_2FwqbWmIl8CO/gXnipnG_/0A_0DilEQZZnd5d8BIQSOwd/aD5kEmT_2F/7SKwJZbjx_2BOyaFO/l3frHpNu4AqO/4pDy5xEzMqrTU/jr
http://cdn.arsis.at/api1/LvWjLqQuHaorWVNmMKI/DQrwspSTHdBmfbZjDEDnMT/w8OLRjdNxfZLi/0VMOJW4L/4VEZwtmaaecJiFQDDU9AxxA/lZz_2F6Ckw/dyrt7HLASmy1bES1Y/H4_2F2POr7rj/2fyvlyu5KnS/_2FsmP21OrtZ0a/_2Fmth21SON4fYsYb0fgx/gfKnX7At4EtQGFlu/ZnYiGcJ9HU2cPgj/v2iynhzxnKmI5hlVE_/2BRdaNchO/4MzLEiw7d3i_2Fks_2Fm/iko7ULom70d7l_2Bt3I/3_0A_0DroxJQWtj1zj_2Bz/Mu1_2FMUShnRH/CGbCtMgi/tX0QLauh0WBr1BnWVazbpR6/yFVmVSNjiLA/0I
http://cdn.arsis.at/api1/Fa9ob1foUnZ_2/BW6huOxv/CDMhgwnJqXW6AgiAlr9FjeK/xFie_2B9T6/LT0Flq93MpmEdfkHt/A_2B0Iz3v4ec/XxIhny6rJmu/24tNrC1kK93VGf/r2G3rVVIQShujPhxvIddD/jstM_2FKNv5L6jEE/eucjvfRJW6Oxnqz/cY8BpyUwMju4gY7_2F/Jw3_2Fbh1/jzqcgzuwflm_2BsBaAs1/gSaQoOT823PenSD3H57/oCWhTD_2FfZ4xFVdMpkULg/3KlrnCl_2F8zm/5LhWECQ1/C_0A_0DIqpkeRhN2pG6zYgn/lH7mkQBzu2/ffQ3ePzBIVvyWd3rD/EKRddtNPrs6Y/jP67W_2FT/YxiNsc
http://cdn.arsis.at/api1/Ug_2F2owyboNkho_2FX6zYf/TG0yRZwcso/0EN7jvHdt8GXOrD5i/f7MJwifZ8NFl/_2BNunOLLc9/mY_2FRIoZgU5q_/2FbcssWrrkQ3pMLopuJAa/9mLR7UPg8YUqPiCg/uGcPXmGYPNSjk0i/lrAKAgat7xt_2FpK7Y/iKyKsypUe/elGVw7jmHLdxlAuI1mKU/gFSRHpDLknhkXJx1h_2/FrTMlo_2Bfetl5l1dIx8yk/Xq5BUzTOiKHIj/C27FO5JC/_2FvO4fIjLpddHu1Ton32a_/0A_0Ds3qQ_/2FsvHNJXy_2B4QiDb/awxnDMBYqPLW/hO4Cka0gFH_/2FV7_2FsWR_2F6/5FgsyNtQikJ/YEtE4qza
http://cdn.arsis.at/api1/VfEKz1myZT5CMk/JOes7VaLoziq9XEq9yMZE/Ba9NeCvDKLL4t9st/yORMw_2FTCcLRY8/BzDrI
http://cdn.arsis.at/api1/xMnR5ox2/HibF9TCkaiQ9zRG9XWa6Q1W/MwxEI81Ufw/6uvPMIe97QDpSVXVM/4Kg_2BAxaFKA/Ek383uH2GWA/92VTawcNdUa_2B/V_2Fa5fbybfPlCP80wBRl/ImPv6gr5fF03HUuW/jYiUFtc7ghX5M3P/iGzwPojaiuL6VUfOww/mHIycGZRX/4jW8pep0rI8_2BxGm9Im/nEJrkn0mB3B6dvxbCig/XJAiSm272HLUztkK9BARsT/iZz0GPpeqW0LF/SRb9YytG/iBAc_0A_0D8XQKm4XzZFJkh/vBm_2Fb9Mp/_2FOc1a_2FcjHoPvZ/bMMA5LFBpDpQ/ZagB5mNfanwfAamIK/G5sZz
http://cdn.arsis.at/Z
http://cdn.arsis.at/ll
http://cdn.arsis.at/api1/eiJx38jDZO1T9katY/FAn0rp_2F_2F/s3c0dKNBI6L/VIcMwnMN_2Bfx0/HxwIf0db8pYH_2FXhQJpB/vUspi4PdjLvh8B_2/BqXEi7LM02fNKv6/rY3HNJvfdxX8w8EMD_/2FG3R85B8/6K4aHG_2FG7Pe7x9FUIS/fkJcDd933T57Chj6zxR/OAnawtrsuLeoffPm_2FwF3/M_2FTQe9OGlAo/HLRake9d/j787QcUcT37ghMVZglv746H/oa4I5gZjG8/1PBxV_2FB5Uz9Qbc6/Jv26Iq9_0A_0/D45ufjYREL6/8nwYUh5dCv49iy/uxj2WulVX1b/KoqPrdBg/uAFk
http://cdn.arsis.at/
http://cdn.arsis.at/Q
http://cdn.arsis.at/api1/SqnBotTkU3xwIkuv/_2FrBF0IGkL232t/iOPfGi8ZPTDjUOVp6h/9NxHd3hRM/HMwq73epX3ULcOdfaIgK/XDXeLAij2X0SrHQoMF1/7y_2BMMRFPW3fzbYL3Xab4/njCWt1cQ6oAWg/dJHeJ9WM/GhWrai85KO2if7o_2BUVLpw/FyvPNep9lX/51w4OJeWciabLYOhk/16dbnZmpLa1n/OIA3igMd7nK/oVOGuR3XNQwZ_2/BJ44DHJT8kTBg3CNUK6yn/qYb23k5AqlNt_0A_/0DzIg9tW0Mp5prL/Mson7gnJCeIdugpZIl/XYWHQiiQ8/KoNXoD1
http://www.wikipedia.com/
http://www.live.com/
http://cdn.a
http://www.reddit.com/
http://cps.root-x1.letsencrypt.org0
http://www.youtube.com/
http://cert.int-x3.letsencrypt.org/0
https://iplogger.org/1bP467
http://www.twitter.com/
http://www.amazon.com/
https://iplogger.org/
http://ocsp.int-x3.letsencrypt.org0/
http://cps.letsencrypt.org0
https://iplogger.org/1bD467
http://www.nytimes.com/

Dropped files

Name	File Type	Hashes
C:\Users\user\AppData\Local\Temp\afterbirth.rs	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\conspiratorial.zip	Zip archive data, at least v2.0 to extract	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
Click to see the 13 hidden entries
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\JavaDeployReg.log	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\adobe.url	MS Windows 95 Internet shortcut text (URL=<https://adobe.com/>), ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\contraption.ps	ASCII text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Temp\ingest.xcf	ASCII text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Temp\marrowbone.mpg	ASCII text, with very long lines, with no line terminators	#

presentation#_37412.vbs

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

presentation#_37412.vbs Options

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

Search started

presentation#_37412.vbs