flash

presentation#_37412.vbs

Status: finished
Submission Time: 27.06.2020 00:11:22
Malicious
E-Banking Trojan
Trojan
Evader
Ursnif

Comments

Tags

Details

  • Analysis ID:
    241820
  • API (Web) ID:
    379363
  • Analysis Started:
    27.06.2020 00:11:27
  • Analysis Finished:
    27.06.2020 00:25:22
  • MD5:
    570cab3ed56a9c69bc3e5b85a838b42d
  • SHA1:
    c2952cbb31ee98c5c1a676e1820a3c73345083a0
  • SHA256:
    3a34c90fa6f4c879311dee500a97fb07aa8f62e338d6d4c539132d1d0234079e
  • Technologies:
Full Report Engine Info Verdict Score Reports

System: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113

malicious
100/100

malicious
34/71

malicious
9/31

IPs

IP Country Detection
47.91.16.227
United States
88.99.66.31
Germany

Domains

Name IP Detection
cdn.arsis.at
47.91.16.227
iplogger.org
88.99.66.31

URLs

Name Detection
http://cdn.arsis.at:80
http://cdn.arsis.at/api1/lwuPdaPTuR8eBoC4/vShoRm2q4eT6Z_2/FektbbX6qERojD5NoC/2mLIdLmoY/oe6KE72ImARbZ5oCqbs6/Lwf_2BO_2BClBMiqgVk/pAkfbSOeJOtBvl6q4oBZar/oTeemGXcYXXbV/gQCork8K/PGwwbCLbwwBrx4MGLhetRqf/awAA9AORwN/NwalqmVsuGtIFrf43/4iu0JhYu4Ypb/uPS1r_2F8fS/kqoc1brRdsTl0d/Jkj7x2MVaN4ElQ8mXyfRH/Fk3sg85NGYC_2F_0/A_0Du5xjKeRBQix/F7HPUi34CmIGAWeN3E/adxdxfc7q/PmeVTflERZvWbwtC5T6q/eDpD6tQpU_2/F
http://cdn.arsis.at/api1/oa2e_2BE33qN2CXW/pY3NQ0ERzVODRWs/mGF_2Bh_2FQ8UAs_2B/dmXEgMeDj/YIhhtR2FvaZsU
Click to see the 47 hidden entries
http://cdn.arsis.at/api1/K_2Fwx7y/hHrkFzZv_2F6ZhYlYVIr_2F/QjmQ_2BXN_/2FY0tw7yPFNXVzSRk/vXMPRx_2FiTP/KAYs03yXUSA/78_2BIvac3M9xf/gOKMMBfisKfKGT2wqZS_2/FVFiBIbNv59rEeD0/FwXavbpomflq0j2/5PzKOyQJirSIUOxfki/D97_2BiTS/gwNK0KkvrmNO28sHZG2c/9MhMC5SFUkAEP7Var1N/a7UOKt_2BFgcgff8LX4kV1/ktl33OnliAPCj/NVja5NFX/waxycTcBRhl2Hs10_0A_0Dw/Xd75Dsh7PT/dEUZxmF5QYn7fPm_2/BBgzUldgHjIk/nRwtHVVsY3E/9tz7n_2FU_2Fvc/YtBqefcT/9
http://cdn.arsis.at/
http://cdn.arsis.at:80k_0
http://cdn.arsis.at/api1/hpOzlRBOkEC27Z0j_2F/yPpp5RyE9Oknv8tQCuASeH/trIy518RQtUv_/2Bm4JbFO/Rd35PF8E_
http://cdn.arsis.at/6D
http://cdn.arsis.at/6
http://cdn.arsis.at/api1/pdyEn910Mk_2/FlHr99fDD7T/WHdO77PE1muwJ0/8kfHrIZPdGcT4oog1UBSr/AqzVHXjqi4NvF
http://cdn.arsis.at/8
http://cdn.arsis.at/api1/U9X_2FV7skQVXG/AkibNGmVcWeLOUu1NV2vR/znU9uFLGumsMqOtC/VdGFNi5gBPjslAM/rWOr8EW_2BkvCPK1Hw/p672PK1XD/aCGYZfmE1q_2B6jezsYA/OM9ZLl_2BVu8w_2BTa3/3dpNUTZcLuLVCPEatVfaTL/jsEf7fsIUvVTX/7DW55a_2/BC4Ihtx3ynaQjizPZBNALgB/coZVHKLuu_/2Bks4B2iRpAFd1HHw/oq8UE97h623t/OlLFG6ZOT_2/BJHA7pijakYhSB/289aru_0A_0Dq1BQViLhr/hSUyS99lYkHGIAcC/hdBywOIGygqdGV0/k_2BPWHst5oL1tJlTu/WflE7HAYUT_/2FY
http://cdn.arsis.at/D
http://cdn.arsis.at/api1/DJ2eFEKZq8U1lqR/jnLxdpvy51PH6egcCU/PxGNe1PTx/6VSQ7fd_2FKiMlsO5XFz/sDQpWNzmv
http://cdn.arsis.at/api1/nbRK2bOJqNjMQUn7cAc/ZtXYBikVEBXtiMHu43F11z/Hes96tl0nIGsN/I29TXIEJ/NG22gXxi5ad64_2Bb7AbWi6/E10eWBjriy/r3KN8ij9tt6lwulPY/U90OieOShLtn/cNYlb8YGZbB/FZkmdAPAztWeDj/6YE4BUwiDFTViOyZAwXFo/XUVOCOEsfjU6UshZ/6d1L_2FvwAUzyXJ/kK5UrgWah_2B7aJ_2F/6OfHgFnB9/yl41_2FlUkqN1VwewA_2/BLLIdF9duXNdLsy_2F_/0A_0DFwEmBetd8KjHZkKVT/FCDbeMArToL9v/iNMyjJzS/k0t8RawFbTCRFwbzFHegLNQ/0A6DnmN
http://cdn.arsis.at/api1/TYj_2FO_2/BU8kshK5XeYQxND6w_2B/jLmQETo2668oAj2dmC9/YBPu9aAHCztoZXswZm0lBg/6
http://cdn.arsis.at/43
http://cdn.arsis.at/api1/nJP22pCdr/onbL4xTCAKdpOCZd67XZ/zeOWNEBCaVEDnuXDqyy/gKOpKX5US0b_2F8AZso0n8/i
http://cdn.arsis.at/T
http://cdn.arsis.at:80Loopback
http://cdn.arsis.at/api1/63cqJkXTc/Vqe7Q4brl_2BNBYghoAM/IbjbSbZ6OWFPWJU4eFk/i9OzLjrRPsZ04QFQbQC_2B/VOH4giw7_2FIB/U_2BWvsv/rMyW7evM1w55vvWRMX3cwGE/wH_2FP4AhB/oDrgV_2BAYF5UwC9o/pNhqnE594wSn/h29QE1nKzuS/9dxRDzEM6oqEHL/Edv79y1a5qKbX_2BHBK5t/1xoUQNIBu6BNtcgr/Q5BTpGBCNQ4I20o/f2alh1sl1TT6UWcyQA/XbCgqPT63/V7sIPYe5v_0A_0DOt8Nq/Y419LLPihxkcLdWx4mK/Kfz13ZE0iujvASTsRg4RXt/hcEPixmDSi97C/vLug1nqG/E
http://cdn.arsis.at/api1/VUc8DYHbTd/nxhSvhN_2BaqluyCR/yfgw0tuiJI_2/BCBTjHmGW3W/UUBVj78yPgrw9z/2II2J1
http://cdn.arsis.at/api1/pMBjT60J3QzW/2S7BpnCRJGv/_2BCJz1WD6LvVO/UYuC86ONCTcRMSPsRQ1V5/rn4oIkAX1j9ku
http://cdn.arsis.at/d
http://cdn.arsis.at/api1/gOZMU9g3v951UKb7VFZ/_2B9w6D2_2BAKjKwj1OMKB/LmOUki6WnUfaj/qDANQy75/yiUGsEjezb5tCJWMSO0mW1L/brqa34Abmn/787vJq3XJSZ_2Fgse/6OtFr4YRp8Vk/pYPcEgtHP7k/jzE4uDew8Yxz2a/Q_2FnhDufgpAYh4iUdWb3/IisyxGACqWtkYOOz/zQGHX964RUk2e8A/kCCDAw8NlHMiu3RJFE/fmntpLMOZ/rbdv4YBCI9ljFv4QDv6J/b1oY5_2FkU2CRS_0A_0/DUEUyWKmwF_2FmEVGT5N26/KlkiDqfzJVKs3/VGFuLmj7/D0sHDwUolgKmZhQeCMz8tcK/HZIwE
http://cdn.arsis.at/api1/TYj_2FO_2/BU8kshK5XeYQxND6w_2B/jLmQETo2668oAj2dmC9/YBPu9aAHCztoZXswZm0lBg/6L0AcOv6ShQ1r/KQ_2FaMs/jAuvF60FcQLA0upbnzCKnUJ/uYvbVKw0EZ/zh6sG0_2BvpTyBI7N/7YDth10NGL94/Ix9EjzqcOnN/WjboP74x1QSNuW/nIscXMzwjEDA7aylrmhSP/fQJ6XwJ_2F5syT_2/Bf_2BEvqm1fp_2F/Re9ocgG0M0KpMnCyT2/51mXqEItE/B6GbtR0DGDea8_0A_0Db/8Qa3J93z4jdlAqFxOlB/Tlvh5REuutwiOSmzA3u62M/xmDuF
http://cdn.arsis.at/api1/HZN0oiBpETLMs1/04ZwqrTlF2fiYUjJgUB7b/aXddKpKd7SogQKI0/f9Kg1_2FaZA46nk/y24wB
http://cdn.arsis.at/api1/pdyEn910Mk_2/FlHr99fDD7T/WHdO77PE1muwJ0/8kfHrIZPdGcT4oog1UBSr/AqzVHXjqi4NvFUfS/_2FlNckthmqu48M/L1AF8KXZamHkA2WPyz/AfyRwDoSo/HWUTLCevnIv3wkjNbvm2/aTDoXysABYr1kv9NWHn/bsal5lrXO2csgC9Wz4j2dq/0o3mmqezVaf1y/bRZr4G48/Y1jkZLcrccXgO3783qN22Fi/lkg0jO4neS/YVfREVCSaXcybZYYr/J_2FzmcPYd_0/A_0Dldu9Dz6/_2FhI1zb6jZcU0/XD1vw_2FUlh8V_2B_2F5q/iwCMO7McPeEUhYyt/uSXuIYI8jVh0gezuM/3
http://cdn.arsis.at/cc
http://cdn.arsis.at/api1/DJ2eFEKZq8U1lqR/jnLxdpvy51PH6egcCU/PxGNe1PTx/6VSQ7fd_2FKiMlsO5XFz/sDQpWNzmvSOXCBwOVci/JozPfEoiJZL81KVz1hDGRP/HammlNeHI2XYb/hHexYQzI/z1psBiJLOalRoGOut2uqiGq/0tlTGCv4_2/B9GF0Ada_2B_2FaRp/JcsDMVRYhPf0/7qhLk0u_2Bg/NQFMvbqMOZ_2Bs/4Y7IX8fV_2BHcDyBZC46y/prmx2JwgmRaejQE7/s3FKt4XQ5F_2FCz/Nbcd4_0A_0DIiy9nzR/mAp_2Bh6J/NKiiIO87y0UziJaoICT_/2BY9inU5TN/QJXKg
http://cdn.arsis.at/api1/nJP22pCdr/onbL4xTCAKdpOCZd67XZ/zeOWNEBCaVEDnuXDqyy/gKOpKX5US0b_2F8AZso0n8/iG20JBDG0sJ8v/qtmVdrih/AJNlZVV7oVPLLsnljuzkLLx/rsX_2BLJDZ/FqJfc6scmj61_2FpE/XUbFsru364Kc/JGYks_2B9P7/T3vnqWm2Z8yi21/Vq3rVRJMevwYXV6yj14UP/gPoKjZtxxcD08d0H/tUFdxtCLsQ2pdbK/JDmBM7N_2BObt1xnhK/wQIk8S_2F/csqbtIt_0A_0DGvYmTY_/2BRANjpi6Pto0V4GEDN/_2FgjuRjT81NNO76_2FsHD/mSIZ_2FFOwEfn/SZ7d6OAOu7Tf/9ky
http://cdn.arsis.at/api1/lwuPdaPTuR8eBoC4/vShoRm2q4eT6Z_2/FektbbX6qERojD5NoC/2mLIdLmoY/oe6KE72ImARbZ
http://cdn.arsis.at/api1/Khi8SzUqGScVMrQK_2Fslt/YcubLI_2BV6FG/4vHBny_2/FGClhdu4iicvamBa4WU_2FX/M7RDRe3yfN/4Hpd8KTp_2FSKCbui/BeUPWJnqSuGf/RIDfmKqgvH3/rfYjbrMMBg0aJI/8h5qeEqEGoRS_2BOgndJx/3cw1dNqlaclTf1uH/y9R1HTalKIM2ReY/vu1QvjvnsHs57_2B_2/BGIxx0LBG/XG1_2B5WXkayEfLV2NW5/fPy7kLr31a09IpR6doq/Yo4ZFhAJ_2BhebGK0cMpth/2s_0A_0DH859g/XzvlzFCy/BXozBz6IlKDDewkpZyXE70C/ff1_2BHl6F/o9TI2CRnyF56_2BSV/_2BdXgS1/qb_2F
http://cdn.arsis.at:80C
https://iplogger.org/1bD467
https://iplogger.org/Z
https://iplogger.org/
http://www.amazon.com/
http://www.twitter.com/
https://iplogger.org/1bP467
http://cert.int-x3.letsencrypt.org/0
http://www.reddit.com/
http://cps.root-x1.letsencrypt.org0
http://www.nytimes.com/
http://cps.letsencrypt.org0
http://ocsp.int-x3.letsencrypt.org0/
https://iplogger.org/1bP467Y
http://www.youtube.com/
http://www.wikipedia.com/
http://www.live.com/

Dropped files

Name File Type Hashes Detection
C:\Users\user\AppData\Local\Temp\afterbirth.rs
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Local\Temp\conspiratorial.zip
Zip archive data, at least v2.0 to extract
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
#
Click to see the 13 hidden entries
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\JavaDeployReg.log
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\adobe.url
MS Windows 95 Internet shortcut text (URL=<https://adobe.com/>), ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\contraption.ps
ASCII text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Temp\ingest.xcf
ASCII text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Temp\marrowbone.mpg
ASCII text, with very long lines, with no line terminators
#