AD1-2001328L_pdf.exe

Status: finished

Submission Time: 2020-09-24 19:05:43 +02:00

Malicious

Trojan

Spyware

Evader

AgentTesla

Comments

Details

Analysis ID:
289673
API (Web) ID:
474452
Analysis Started:

2020-09-24 19:05:44 +02:00
Analysis Finished:

2020-09-24 19:18:16 +02:00
MD5:
c2ab834e47610c082360d87f4d613c2c
SHA1:
6ac56cf22e21f35068a1652af02ee12b115d7341
SHA256:
cc0362a0c84cc29c65b62af19019e3a810d69ffc46e5e40b08aedbe333659cd7
Technologies:

Engines
IOCs

Joe Sandbox

Engine	Download Report	Detection	Info
		malicious
	Full Report Management Report IOC Report	malicious Score: 100	System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

Open Full Report

malicious

Score: 14/71

malicious

Score: 5/48

IPs

IP	Country	Detection
54.225.169.28	United States

Domains

Name	IP	Detection
mail.iigcest.com	166.62.27.57
elb097307-934924932.us-east-1.elb.amazonaws.com	54.225.169.28
api.ipify.org	0.0.0.0

URLs

Name	Detection
https://bfUxMsZIcTG7TPQ2.com
https://api.ipify.org/
http://127.0.0.1:HTTP/1.1
Click to see the 11 hidden entries
https://api.ipify.org
http://DynDns.comDynDNS
http://DTSbUF.com
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
https://api.telegram.org/bot%telegramapi%/
https://bfUxMsZIcTG7TPQ2.comx;
https://secure.comodo.com/CPS0
https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
https://api.ipify.org/(
https://api.ipify.orgGETMozilla/5.0

Dropped files

Name	File Type	Hashes
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\AD1-2001328L_pdf.exe.log	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\tmpC834.tmp	XML 1.0 document, ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Roaming\mIgAtoOzUFz.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	#
Click to see the 45 hidden entries
C:\Users\user\AppData\Roaming\mIgAtoOzUFz.exe:Zone.Identifier	ASCII text, with CRLF line terminators	#
C:\Users\user\Documents\20200924\PowerShell_transcript.980108.OrZJ1_bj.20200924190630.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w0g3qsag.rjm.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wg5hublx.zqh.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wn04ncpb.tsr.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xdoxpkta.isv.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xjhaudzo.p3l.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zrxcmzh2.olw.ps1	very short file (no magic)	#
C:\Users\user\Documents\20200924\PowerShell_transcript.980108.+smRMhJP.20200924190650.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20200924\PowerShell_transcript.980108.NUlbuJtR.20200924190648.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v2se5yei.q1g.psm1	very short file (no magic)	#
C:\Users\user\Documents\20200924\PowerShell_transcript.980108.SQHDZSgB.20200924190639.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20200924\PowerShell_transcript.980108.WkJr6323.20200924190640.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20200924\PowerShell_transcript.980108.ewfFwhF+.20200924190635.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20200924\PowerShell_transcript.980108.hCrHY31O.20200924190642.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20200924\PowerShell_transcript.980108.jR2FVHiw.20200924190636.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20200924\PowerShell_transcript.980108.kqoX9azr.20200924190649.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20200924\PowerShell_transcript.980108.lEfsVZ_3.20200924190642.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20200924\PowerShell_transcript.980108.mJXalwj0.20200924190650.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20200924\PowerShell_transcript.980108.munMEtkN.20200924190644.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20200924\PowerShell_transcript.980108.ypo5h2HA.20200924190638.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20200924\PowerShell_transcript.980108.zTRzUGLe.20200924190645.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_he20yprj.0gr.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0balhkul.c5z.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0ok41nhw.jbh.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1pnrbilp.yuz.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_25ozgbs2.41y.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2m42qx1f.xh0.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aw53x1hy.1bn.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bm1k1qrp.0lv.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_edp4gtkf.tct.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eeorxttj.j04.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ssmwnz4v.0is.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ievl3zr5.u2b.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jokrdbf1.ais.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jru0r2jb.cao.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kkhvv1hr.sq4.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o5cpnc33.vy3.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pet1xy0s.2sx.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qx1bv1ix.k5b.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_riao3v3i.ecc.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rvjahfcy.e10.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_shgdsrf1.sov.ps1	very short file (no magic)	#

AD1-2001328L_pdf.exe

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

AD1-2001328L_pdf.exe Options

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

Search started

AD1-2001328L_pdf.exe