03QKtPTOQpA1.vbs

Status: finished
Submission Time: 19.11.2020 17:51:49
Classification: Malicious, Trojan, Evader, Ursnif

Details

  • Analysis ID:
    320696
  • API (Web) ID:
    543202
  • Analysis Started:
    19.11.2020 17:51:50
  • Analysis Finished:
    19.11.2020 18:00:13
  • MD5:
    5f099ccc65e49652f3a9fe965fe645a7
  • SHA1:
    8022bd0d5592a26d33e6b548e6dec4cefd6f2b42
  • SHA256:
    cbcc86acc68fb34f65d2e8c54d3bf2f4382207c1ff0f3df811d4f70f2570c2d9
  • Technologies:
Engine verdicts (engine names are not given on the page; columns are Verdict, Score, Info)

Verdict    Score    Info
malicious           System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
malicious  100/100
malicious  8/61
malicious  22/48
malicious

IPs

IP             Country         Detection
47.241.19.44   United States

Domains

Name                    IP               Detection
c56.lepini.at           47.241.19.44
resolver1.opendns.com   208.67.222.222
api3.lepini.at          47.241.19.44
api10.laptok.at         47.241.19.44

URLs

Name Detection
http://https://file://USER.ID%lu.exe/upd
http://c56.lepini.at/jvassets/xI/t64.dat
http://api10.laptok.at/api1/NQKVg1EX9vgAXlWeTogm8sw/KMs5PwysQZ/cojQHZarHMV1BniSf/VzSw0JIs9Bqc/GdYPEAPlCi9/U4jjD2a4CS_2FU/dC0GrKVpGM0ZFOvINZ6jD/ueWB9DhdhuwI602_/2F_2BDRgBH52KzA/R70rcm_2BBFE73EKDB/UgZnJrMd9/XdCECe3cEDs1hxsxeW3J/_2BO2VI2jc566llQDTY/mInMlZbERYbJJFf6fIu8AY/F8oYlj5E8_2Fs/YNDW7QNF/0aIuOOdmT7cZZ0t7_0A_0Dp/zTNXNmHZpd/QcqtnlYoMHMz5q6eF/Z9Lh_2BjXm2s/9nsr68w0fo1/eUArOBxqat12urNmY/9X
https://go.microsoft.coo
http://api10.laptok.at/api1/5n9IlOq0UoaIiqJutHI/D8yrlktSfAfuBtE_2B67r3/YMaKxGmmtsngC/Pgql_2Fb/xrdkjP4byiL9hsAO1_2Fihb/XdfK1Lk3DT/bmrlm5gkVoRymSshi/HK_2BnaGI_2F/WFCn5RsbN_2/FcPK7Rw6mQuxj2/EvfynwuMlwC6wRrP5JXFk/nbpUfNul3ZXKq6CX/vRjkxUYDMdipvSF/UGNmN_2FwufHTed5qT/soTnqcGUs/fFwOGyz0Kh1dqOmh2Dq6/3aNd7ElOG2dDh0HUOH_/0A_0DXGPOu4hdy_2BL5VXq/nfcdYU5oyVvtc/kLQ3jwT5/tkDQrSKfzj415XI0nz2QktQ/bWUQqR9q/5
http://nuget.org/NuGet.exe
http://www.apache.org/licenses/LICENSE-2.0
http://www.nytimes.com/
http://pesterbdd.com/images/Pester.png
http://www.apache.org/licenses/LICENSE-2.0.html
http://api3.lepini.at/api1/3grfvd4OoBzJgy_2FJP/fcgVgSwDbfF_2Fp1EPxNjh/Yx9NXIO9hDc5K/GXeDmbgi/sQe3IxSedH5lwc5BpPUS1HN/H28DCja7eD/YbhFCX_2FUuLjKCFc/NXz8mfbtFSE5/_2BZvWEooE_/2FzJ2tfbJnReR3/HC711qTLN9fWJTotOrHs0/VwJEMg6D5XGTPwZ7/fJEEgZtSQMraSHd/RCdkB_2FkaU5EH8D_2/Bz12_2Fv5/VqlWvNV_2F5_2Fcm3Qmt/iqe06OVX6NXRArviyeW/i_2Bh_2Fc_0A_0DqCRayYr/twGQAU2x_2BlV/qfukHrrE/iRMpzIh5gSS0aqoG6IHU9ce/p4y8hPN2N_2BsZEJld/Zys
http://api10.laptok.at/api1/T_2Bqbx6rKzt7VnD47NE/iobQaP3nhZ3U2q5_2BH/9heoQF3GAFB5dJEAV4Hg3r/KxW64aVD
http://api10.laptok.at/api1/5n9IlOq0UoaIiqJutHI/D8yrlktSfAfuBtE_2B67r3/YMaKxGmmtsngC/Pgql_2Fb/xrdkjP
http://constitution.org/usdeclar.txtC:
https://contoso.com/License
https://contoso.com/Icon
http://www.amazon.com/
http://api10.laptok.at/favicon.ico
http://www.twitter.com/
https://github.com/Pester/Pester
http://constitution.org/usdeclar.txt
http://api10.laptok.at/api1/T_2Bqbx6rKzt7VnD47NE/iobQaP3nhZ3U2q5_2BH/9heoQF3GAFB5dJEAV4Hg3r/KxW64aVDJ_2Bf/RT8RncEo/5GwqZP0haMx2zwLLYeJrXUm/DImJgAx5GP/ZV4E4rFgiyJcoMcj8/D8DBrAYx1U01/TFWytDHFeyT/c5Q0ZIc4JwhAYJ/BpujRyd4ZtFqSGFEkz78T/M5tMTx6RXb07WKsW/4umaaIECwLuuyUN/F_2F7DjEOzR7IZ4RJH/a1FhUie35/bXjPRrXLPQ4t_0A_0DNs/hJiRy_2FuX13r0Wg426/jDcEWv3RZYE02pm77rAx84/UlvLPNmOrwLKi/GzVyv0B7Ob/oQzM
http://www.youtube.com/
https://contoso.com/
https://nuget.org/nuget.exe
http://api3.lepini.at/api1/cWMMldHUNNJEupqwPHm/B9i4efC_2Fc2so_2BCUHLQ/EZnaZBpx9TTAG/jsT3bFi3/kx3xXf23DJYShYzY3eA3_2F/1W2x9cmi_2/FaMoHOpg7SPkt9b_2/BTbiYUZqwjQi/FoR9Taz1WaU/DXM7JWcA_2Fx63/mL4zTuWD7RPPiM4xKsTMl/l_2F2TCyXSnly1WP/w78hgLseuFr5g_2/F_2BLwg4UXKkyq9_2B/yJ0SBCkug/u_2BVm0i0IX_2BGOgAfE/oRPonbLnwKHZBDqHRCI/R0A4Gj448_0A_0DlC80JG_/2FQ63Z3TUGph3/FA2KYD9G/4xJwSmXKMt4bwI_2/B07hOhL
http://api10.laptok.at/api1/NQKVg1EX9vgAXlWeTogm8sw/KMs5PwysQZ/cojQHZarHMV1BniSf/VzSw0JIs9Bqc/GdYPEA
https://oneget.orgX
http://www.wikipedia.com/
https://oneget.orgformat.ps1xmlagement.dll2040.missionsand
http://www.live.com/
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://www.reddit.com/
https://oneget.org
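The IPs, Domains and URLs sections above are raw indicators; the following is an added example (not part of the sandbox report, and not the sandbox vendor's code) of turning them into a proxy-log check. The IOC sets are copied from the report. The path heuristic is derived only from the listed `/api1/` URLs: they are long runs of `[A-Za-z0-9_]` segments containing the tokens `_2B`, `_2F` and `_0A_0D` (hex 2B is `+`, 2F is `/`, 0A/0D are LF/CR, i.e. an escaped base64 alphabet), and one listed URL has a `/` inserted inside a token (`...602_/2F_2B...`), so tokens are counted with slashes stripped. The log format, client addresses and the shortened second URL are constructed for the example.

```python
"""IOC matcher for the network indicators in this report (added example)."""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Indicators copied from the IPs / Domains sections of the report.
IOC_IPS = {"47.241.19.44"}
IOC_DOMAINS = {"c56.lepini.at", "api3.lepini.at", "api10.laptok.at"}

# Heuristic for the /api1/ URL shape seen in the report's URL list: at least
# three slash-separated [A-Za-z0-9_] segments after /api1/, and at least two
# escape tokens once slashes are removed (the report shows a '/' inserted inside
# a token). This is derived from the listed URLs, not a protocol specification.
API1_PATH_RE = re.compile(r"^/api1/(?:[A-Za-z0-9_]+/){3,}[A-Za-z0-9_]*$")
ESCAPE_TOKENS = ("_2B", "_2F", "_0A_0D")
MIN_TOKENS = 2


def looks_like_c2_path(path: str) -> bool:
    """True if the URL path has the /api1/ escaped-base64 shape from the report."""
    if not API1_PATH_RE.match(path):
        return False
    flat = path.replace("/", "")  # tokens may be split by inserted slashes
    return sum(flat.count(tok) for tok in ESCAPE_TOKENS) >= MIN_TOKENS


def check_url(url: str) -> list[str]:
    """Return the reasons a URL matches this report's indicators (empty = clean)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in IOC_DOMAINS:
        reasons.append(f"domain {host} is a listed IOC")
    if host in IOC_IPS:
        reasons.append(f"ip {host} is a listed IOC")
    if looks_like_c2_path(parts.path):
        reasons.append("path has the /api1/ escaped-base64 shape")
    return reasons


def scan_log(text: str) -> list[tuple[str, list[str]]]:
    """Scan 'timestamp client method url' lines; return (url, reasons) for hits."""
    hits = []
    for line in text.splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) != 4:
            continue  # blank or malformed line
        url = fields[3].strip()
        reasons = check_url(url)
        if reasons:
            hits.append((url, reasons))
    return hits


# Constructed proxy log: hypothetical client IPs and a made-up line format. The
# URLs are from the report; the second is a prefix plus a few of its segments.
SAMPLE_PROXY_LOG = """\
2020-11-19T17:54:21Z 10.0.0.15 GET http://c56.lepini.at/jvassets/xI/t64.dat
2020-11-19T17:54:40Z 10.0.0.15 GET http://api10.laptok.at/api1/NQKVg1EX9vgAXlWeTogm8sw/KMs5PwysQZ/U4jjD2a4CS_2FU/ueWB9DhdhuwI602_/2F_2BDRgBH52KzA/9X
2020-11-19T17:55:02Z 10.0.0.22 GET https://github.com/Pester/Pester
2020-11-19T17:55:10Z 10.0.0.15 GET http://47.241.19.44/favicon.ico
2020-11-19T17:55:30Z 10.0.0.31 GET http://example.com/api1/v2/users/list
"""

if __name__ == "__main__":
    for url, reasons in scan_log(SAMPLE_PROXY_LOG):
        print(url)
        for reason in reasons:
            print("   ", reason)
```

The benign `example.com/api1/v2/users/list` line is there on purpose: a `/api1/` prefix alone must not fire, only the combination of segment count and escape tokens, or the check would page on ordinary REST traffic. The domain and IP matches are exact-host matches; the same hosting IP serves all three listed domains, so the IP check catches direct-to-IP requests such as the `favicon.ico` fetch.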

Dropped files

Name | File Type
C:\Users\user\AppData\Local\Temp\0d0gelxn\0d0gelxn.0.cs | UTF-8 Unicode (with BOM) text
C:\Users\user\AppData\Local\Temp\Ammerman.zip | Zip archive data, at least v2.0 to extract
C:\Users\user\AppData\Local\Temp\earmark.avchd | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Local\Temp\ynra40it\ynra40it.cmdline | UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2637FBFE-2AD3-11EB-90E4-ECF4BB862DED}.dat | Microsoft Word Document
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{431477FD-2AD3-11EB-90E4-ECF4BB862DED}.dat | Microsoft Word Document
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{2637FC00-2AD3-11EB-90E4-ECF4BB862DED}.dat | Microsoft Word Document
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{431477FF-2AD3-11EB-90E4-ECF4BB862DED}.dat | Microsoft Word Document
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{43147801-2AD3-11EB-90E4-ECF4BB862DED}.dat | Microsoft Word Document
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\9X[1].htm | ASCII text, with very long lines, with no line terminators
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\oQzM[1].htm | ASCII text, with very long lines, with no line terminators
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\5[1].htm | ASCII text, with very long lines, with no line terminators
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | data
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | data
C:\Users\user\AppData\Local\Temp\0d0gelxn\0d0gelxn.cmdline | UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
C:\Users\user\AppData\Local\Temp\0d0gelxn\0d0gelxn.dll | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Local\Temp\0d0gelxn\0d0gelxn.out | ASCII text, with CRLF, CR line terminators
C:\Users\user\AppData\Local\Temp\0d0gelxn\CSCF2137F9B31E74386891BA25B7F15B166.TMP | MSVC .res
C:\Users\user\AppData\Local\Temp\FCC.cxx | ASCII text, with no line terminators
C:\Users\user\AppData\Local\Temp\JavaDeployReg.log | ASCII text, with CRLF line terminators
C:\Users\user\AppData\Local\Temp\RES1E0.tmp | data
C:\Users\user\AppData\Local\Temp\Tolstoy.3gp | ASCII text, with no line terminators
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lq5c340j.glg.ps1 | very short file (no magic)
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w0l1roud.yrr.psm1 | very short file (no magic)
C:\Users\user\AppData\Local\Temp\adobe.url | MS Windows 95 Internet shortcut text (URL=<https://adobe.com/>), ASCII text, with CRLF line terminators
C:\Users\user\AppData\Local\Temp\bowerbird.m3u | ASCII text, with no line terminators
C:\Users\user\AppData\Local\Temp\ynra40it\CSC8D53D7F284854536B8305B22FC194AF5.TMP | MSVC .res
C:\Users\user\AppData\Local\Temp\ynra40it\ynra40it.0.cs | UTF-8 Unicode (with BOM) text
C:\Users\user\AppData\Local\Temp\ynra40it\ynra40it.dll | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Local\Temp\ynra40it\ynra40it.out | ASCII text, with CRLF, CR line terminators
C:\Users\user\AppData\Local\Temp\~DF0DC159FD027E99B4.TMP | data
C:\Users\user\AppData\Local\Temp\~DF4F9D1209361EBE41.TMP | data
C:\Users\user\AppData\Local\Temp\~DF628F76BDD717A0C8.TMP | data
C:\Users\user\AppData\Local\Temp\~DF8FB77C9DC42E2DD9.TMP | data
C:\Users\user\AppData\Local\Temp\~DFA7833B6014B4E164.TMP | data
C:\Users\user\Documents\20201119\PowerShell_transcript.721680.CGTQL96q.20201119175419.txt | UTF-8 Unicode (with BOM) text, with CRLF line terminators
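The dropped-file list above carries three host-side signals worth checking automatically: a PE32 DLL written with a media extension (`earmark.avchd`), two `%TEMP%\<8 chars>\<same 8 chars>.{cmdline,0.cs,dll,out}` sets with `CSC*.TMP`/`RES*.tmp` beside them (the file-name shape csc.exe leaves when driven through the .NET CodeDom compiler, which is what PowerShell's `Add-Type` does for inline C#), and the PowerShell transcript and `__PSScriptPolicyTest_*` startup files that confirm PowerShell ran. The following is an added example (not from the report or the sandbox vendor) that triages a subset of the rows copied from the table; the finding labels, the `PE_EXTENSIONS` allow-list and the "cmdline plus dll" threshold are the example's own choices.

```python
"""Triage of dropped-file rows (path, libmagic type) for this report (added example)."""
from __future__ import annotations

import ntpath
import re
from collections import defaultdict

# Subset of rows copied from the "Dropped files" table above.
DROPPED = [
    (r"C:\Users\user\AppData\Local\Temp\earmark.avchd",
     "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows"),
    (r"C:\Users\user\AppData\Local\Temp\Ammerman.zip",
     "Zip archive data, at least v2.0 to extract"),
    (r"C:\Users\user\AppData\Local\Temp\Tolstoy.3gp", "ASCII text, with no line terminators"),
    (r"C:\Users\user\AppData\Local\Temp\0d0gelxn\0d0gelxn.cmdline",
     "UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators"),
    (r"C:\Users\user\AppData\Local\Temp\0d0gelxn\0d0gelxn.0.cs", "UTF-8 Unicode (with BOM) text"),
    (r"C:\Users\user\AppData\Local\Temp\0d0gelxn\0d0gelxn.dll",
     "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows"),
    (r"C:\Users\user\AppData\Local\Temp\0d0gelxn\CSCF2137F9B31E74386891BA25B7F15B166.TMP", "MSVC .res"),
    (r"C:\Users\user\AppData\Local\Temp\ynra40it\ynra40it.cmdline",
     "UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators"),
    (r"C:\Users\user\AppData\Local\Temp\ynra40it\ynra40it.0.cs", "UTF-8 Unicode (with BOM) text"),
    (r"C:\Users\user\AppData\Local\Temp\ynra40it\ynra40it.dll",
     "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows"),
    (r"C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lq5c340j.glg.ps1", "very short file (no magic)"),
    (r"C:\Users\user\Documents\20201119\PowerShell_transcript.721680.CGTQL96q.20201119175419.txt",
     "UTF-8 Unicode (with BOM) text, with CRLF line terminators"),
    (r"C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache", "data"),
]

# Extensions under which PE content is expected (example allow-list, not exhaustive).
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv"}

# csc.exe/CodeDom output: <8 alnum chars>\<same chars>.cmdline|.0.cs|.dll|.out
CSC_ARTIFACT_RE = re.compile(r"^(?P<stem>[a-z0-9]{8})\.(?P<kind>cmdline|0\.cs|dll|out)$", re.IGNORECASE)


def extension_mismatch(path: str, ftype: str) -> bool:
    """PE content (per libmagic) stored under a non-executable extension."""
    ext = ntpath.splitext(path)[1].lower()
    return ftype.startswith("PE32") and ext not in PE_EXTENSIONS


def triage(rows: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return (finding, path_or_dir) pairs for the rows that deserve attention."""
    findings = []
    csc_dirs: dict[str, set[str]] = defaultdict(set)
    for path, ftype in rows:
        name = ntpath.basename(path)
        lname = name.lower()
        parent = ntpath.dirname(path)
        if extension_mismatch(path, ftype):
            findings.append(("pe_disguised", path))
        m = CSC_ARTIFACT_RE.match(name)
        # The directory name equals the file stem for CodeDom output; require it.
        if m and ntpath.basename(parent).lower() == m.group("stem").lower():
            csc_dirs[parent].add(m.group("kind").lower())
        if lname.startswith("powershell_transcript.") and lname.endswith(".txt"):
            findings.append(("ps_transcript", path))
        if lname.startswith("__psscriptpolicytest_"):
            findings.append(("ps_started", path))
    # Report a compile only when both the compiler arguments and the built DLL exist.
    for directory, kinds in csc_dirs.items():
        if {"cmdline", "dll"} <= kinds:
            findings.append(("csc_compile", directory))
    return findings


if __name__ == "__main__":
    for finding, where in triage(DROPPED):
        print(f"{finding:13s} {where}")
```

The csc rule keys on the directory name matching the file stem so that an ordinary `foo.dll` in `%TEMP%` does not count; with the `.cmdline` file present, the compiler arguments (and the `.0.cs` source next to it) are the first thing to pull from the host, since they contain the C# that was compiled at runtime. The extension check relies on the libmagic type, not the name, which is exactly why `earmark.avchd` surfaces while the `.3gp`, `.m3u` and `.cxx` text files do not.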