AD1-2001128L_pdf.exe

Status: finished
Submission Time: 24.09.2020 17:43:28
Classification: Malicious, Trojan, Spyware, Evader, AgentTesla

Tags

  • exe

Details

  • Analysis ID:
    289645
  • API (Web) ID:
    474396
  • Analysis Started:
    24.09.2020 17:43:29
  • Analysis Finished:
    24.09.2020 17:56:42
  • MD5:
    96d876ae080f2c2dd8a50aa87242677b
  • SHA1:
    5511d275fcafe004a2a224fced066cbc5a6ec188
  • SHA256:
    517b5eca452c05abda24f22a9dbfdefafd6cfa01cc119928f20ddeb7d1756145
Verdict: malicious

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

Scores:

  • malicious, 100/100
  • malicious, 27/71
  • malicious, 19/48

URLs (Name, Detection; no detection is listed for any entry)

  • http://127.0.0.1:HTTP/1.1
  • http://DynDns.comDynDNS
  • http://kBuuqg.com
  • https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
  • https://api.telegram.org/bot%telegramapi%/
  • https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
  • https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
  • https://api.ipify.orgGETMozilla/5.0

Dropped files (Name, File Type; the Hashes and Detection columns are empty for every entry)

  • C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\AD1-2001128L_pdf.exe.log
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\tmpA92C.tmp
    XML 1.0 document, ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Roaming\wOuaOllUmPxWNz.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Roaming\wOuaOllUmPxWNz.exe:Zone.Identifier
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    data
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1f3an5m1.gru.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3uszmqxt.d20.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4ufiiqzn.wsv.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4vymyqaw.abp.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_52bciha4.lpn.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5ufty3mq.lx3.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bbns0mih.uda.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_by2apbvr.ikj.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bya4m1y3.vq3.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cwiszryq.qfa.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gytj2stj.lnr.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hb3kvdgc.5qo.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_icqlsfri.x25.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ikc5v2if.acm.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jrr50qmm.hof.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kauwuszt.t2g.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m13tx1ci.m31.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mfxeps0i.juf.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mmujoo0i.ey0.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n40fzuyv.xyp.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ng3b2f1p.oa5.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_njjw0bna.arf.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ny0nekla.xg2.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p5pr0odl.riw.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rlpkafvt.jdz.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sigft1vw.2rd.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tkj4qtuh.dye.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ycrjuvsm.hsm.ps1
    very short file (no magic)
  • C:\Users\user\Documents\20200924\PowerShell_transcript.367706.3OmhGk5X.20200924174433.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\Documents\20200924\PowerShell_transcript.367706.7uveDYVY.20200924174436.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\Documents\20200924\PowerShell_transcript.367706.8sm3GBWx.20200924174448.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\Documents\20200924\PowerShell_transcript.367706.9spG040b.20200924174442.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\Documents\20200924\PowerShell_transcript.367706.BN+EM4AH.20200924174431.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\Documents\20200924\PowerShell_transcript.367706.GEMztyzz.20200924174418.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\Documents\20200924\PowerShell_transcript.367706.LmZjd0fc.20200924174431.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\Documents\20200924\PowerShell_transcript.367706.cuTkBO2b.20200924174435.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\Documents\20200924\PowerShell_transcript.367706.cyZ6zjRQ.20200924174440.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\Documents\20200924\PowerShell_transcript.367706.g6VJzh8z.20200924174429.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\Documents\20200924\PowerShell_transcript.367706.l43OPd6P.20200924174443.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\Documents\20200924\PowerShell_transcript.367706.r7ZgNcM2.20200924174436.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\Documents\20200924\PowerShell_transcript.367706.rlh6vZhq.20200924174449.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\Documents\20200924\PowerShell_transcript.367706.y7t2LHqy.20200924174425.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators