
9EJxhyQLyzPG.vbs

Status: finished
Submission Time: 2020-10-30 15:23:52 +01:00
Malicious
Trojan
Evader
Ursnif

Details

  • Analysis ID: 307627
  • API (Web) ID: 517048
  • Analysis Started: 2020-10-30 15:23:53 +01:00
  • Analysis Finished: 2020-10-30 15:32:34 +01:00
  • MD5: 7e16dd647b03898b860b9beb29ab80fa
  • SHA1: 0b9027bbd52741b48df06d4a104ca5d0097ec1a8
  • SHA256: c7c2720522dbd3ce877cf2a345b4a164eb9e82b2111589044ec8634f4e29122a
Detection

Engine | Detection | Info
Joe Sandbox | malicious, Score: 100 | System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Third Party Analysis Engines | malicious, Score: 11/61 |
Third Party Analysis Engines | malicious, Score: 7/29 |

IPs

IP | Country
47.241.19.44 | United States

Domains

Name | IP
chat.allager.at | 87.106.18.141
resolver1.opendns.com | 208.67.222.222
api3.lepini.at | 47.241.19.44
api10.laptok.at | 47.241.19.44

URLs


Dropped files

Name | File Type
C:\Users\user\AppData\Local\Temp\osoo4tua\osoo4tua.cmdline | UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
C:\Users\user\AppData\Local\Temp\seventieth.sh | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Local\Temp\vh2yiy1w\vh2yiy1w.0.cs | UTF-8 Unicode (with BOM) text
C:\Users\user\AppData\Local\Temp\osoo4tua\osoo4tua.0.cs | UTF-8 Unicode (with BOM) text
C:\Users\user\AppData\Local\Temp\osoo4tua\osoo4tua.dll | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Local\Temp\osoo4tua\osoo4tua.out | ASCII text, with CRLF, CR line terminators
C:\Users\user\AppData\Local\Temp\suave.3g2 | ASCII text, with no line terminators
C:\Users\user\AppData\Local\Temp\town.zip | Zip archive data, at least v2.0 to extract
C:\Users\user\AppData\Local\Temp\vh2yiy1w\CSC477826E18C7E46F5A1EE13270DEE24.TMP | MSVC .res
C:\Users\user\AppData\Local\Temp\osoo4tua\CSCBD98C60812E74EF3B85DE6578AF6EAA2.TMP | MSVC .res
C:\Users\user\AppData\Local\Temp\vh2yiy1w\vh2yiy1w.cmdline | UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
C:\Users\user\AppData\Local\Temp\vh2yiy1w\vh2yiy1w.dll | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Local\Temp\vh2yiy1w\vh2yiy1w.out | ASCII text, with CRLF, CR line terminators
C:\Users\user\AppData\Local\Temp\~DF0998090759C8E50E.TMP | data
C:\Users\user\AppData\Local\Temp\~DF9D2B0E87C8C0E108.TMP | data
C:\Users\user\AppData\Local\Temp\~DFBFD0F5127213EF84.TMP | data
C:\Users\user\AppData\Local\Temp\~DFCDBF793FECC8B493.TMP | data
C:\Users\user\Documents\20201030\PowerShell_transcript.494126.5XI1dPrw.20201030152623.txt | UTF-8 Unicode (with BOM) text, with CRLF line terminators
C:\Users\user\AppData\Local\Temp\JavaDeployReg.log | ASCII text, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E4665ACE-1AFE-11EB-90E4-ECF4BB862DED}.dat | Microsoft Word Document
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E4665AD0-1AFE-11EB-90E4-ECF4BB862DED}.dat | Microsoft Word Document
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{EB1894AE-1AFE-11EB-90E4-ECF4BB862DED}.dat | Microsoft Word Document
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\g[1].htm | ASCII text, with very long lines, with no line terminators
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\y[1].htm | ASCII text, with very long lines, with no line terminators
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\fjA[1].htm | ASCII text, with very long lines, with no line terminators
C:\Users\user\AppData\Local\Temp\Cochrane.dds | ASCII text, with no line terminators
C:\Users\user\AppData\Local\Temp\Diana.tif | ASCII text, with no line terminators
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E4665ACC-1AFE-11EB-90E4-ECF4BB862DED}.dat | Microsoft Word Document
C:\Users\user\AppData\Local\Temp\RES287B.tmp | data
C:\Users\user\AppData\Local\Temp\RES352D.tmp | data
C:\Users\user\AppData\Local\Temp\Tektronix.deb | ASCII text, with no line terminators
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_21eifijr.cc2.psm1 | very short file (no magic)
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wch4h5tb.bp2.ps1 | very short file (no magic)
C:\Users\user\AppData\Local\Temp\adobe.url | MS Windows 95 Internet shortcut text (URL=<https://adobe.com/>), ASCII text, with CRLF line terminators
C:\Users\user\AppData\Local\Temp\mirror.tbz2 | ASCII text, with no line terminators