flash

PO-ORDER-PURCHASE.exe

Status: finished
Submission Time: 18.10.2020 08:38:12
Malicious
Trojan
Spyware
Evader
MassLogger RAT

Comments

Tags

  • exe
  • MassLogger

Details

  • Analysis ID:
    299746
  • API (Web) ID:
    494592
  • Analysis Started:
    18.10.2020 08:40:12
  • Analysis Finished:
    18.10.2020 08:51:53
  • MD5:
    6e414a88ff5cc027cf2f92bf792a0477
  • SHA1:
    fe913bee96cf2b7b84ab4d89042b0c0de3874116
  • SHA256:
    0eb0f9b84a81bca9c130063eaf0e62836511b67b793d3fd35321062d209759fa
  • Technologies:
Full Report Management Report Engine Info Verdict Score Reports

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

malicious
100/100

malicious
19/71

malicious
11/29

IPs

IP Country Detection
54.235.182.194
United States
54.225.66.103
United States

Domains

Name IP Detection
elb097307-934924932.us-east-1.elb.amazonaws.com
54.225.66.103
api.ipify.org
0.0.0.0

URLs

Name Detection
http://api.ipify.org/
http://api.ipify.org/P
http://api.ipify.org/p
Click to see the 8 hidden entries
https://www.youtube.com/watch?v=Qxk6cu21JSg
http://api.ipify.org/Pz
http://api.ipify.orgD
http://elb097307-934924932.us-east-1.elb.amazonaws.com
http://api.ipify8
http://api.ipify8:/
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://api.ipify.org

Dropped files

Name File Type Hashes Detection
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\videodiswire\vidoediswire.exe
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\videodiswire\vidoediswire.exe:Zone.Identifier
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
data
#
Click to see the 3 hidden entries
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f1avu0qo.rtm.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yrj3iywu.0t3.psm1
very short file (no magic)
#
C:\Users\user\Documents\20201018\PowerShell_transcript.141700.+s+lYK3s.20201018084139.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
#