03QKtPTOQpA1.vbs

Status: finished

Submission Time: 2020-11-19 17:51:49 +01:00

Malicious

Trojan

Evader

Ursnif

Comments

Details

Analysis ID:
320696
API (Web) ID:
543202
Analysis Started:

2020-11-19 17:51:50 +01:00
Analysis Finished:

2020-11-19 18:00:13 +01:00
MD5:
5f099ccc65e49652f3a9fe965fe645a7
SHA1:
8022bd0d5592a26d33e6b548e6dec4cefd6f2b42
SHA256:
cbcc86acc68fb34f65d2e8c54d3bf2f4382207c1ff0f3df811d4f70f2570c2d9
Technologies:

Engines
IOCs

Joe Sandbox

Engine	Download Report	Detection	Info
		malicious
	Full Report Management Report IOC Report	malicious Score: 100	System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

Open Full Report

malicious

Score: 8/61

malicious

Score: 22/48

malicious

IPs

IP	Country	Detection
47.241.19.44	United States

Domains

Name	IP	Detection
c56.lepini.at	47.241.19.44
resolver1.opendns.com	208.67.222.222
api3.lepini.at	47.241.19.44
Click to see the 1 hidden entries
api10.laptok.at	47.241.19.44

URLs

Name	Detection
http://https://file://USER.ID%lu.exe/upd
http://c56.lepini.at/jvassets/xI/t64.dat
http://api10.laptok.at/api1/NQKVg1EX9vgAXlWeTogm8sw/KMs5PwysQZ/cojQHZarHMV1BniSf/VzSw0JIs9Bqc/GdYPEA
Click to see the 31 hidden entries
https://github.com/Pester/Pester
http://constitution.org/usdeclar.txt
http://api10.laptok.at/api1/T_2Bqbx6rKzt7VnD47NE/iobQaP3nhZ3U2q5_2BH/9heoQF3GAFB5dJEAV4Hg3r/KxW64aVDJ_2Bf/RT8RncEo/5GwqZP0haMx2zwLLYeJrXUm/DImJgAx5GP/ZV4E4rFgiyJcoMcj8/D8DBrAYx1U01/TFWytDHFeyT/c5Q0ZIc4JwhAYJ/BpujRyd4ZtFqSGFEkz78T/M5tMTx6RXb07WKsW/4umaaIECwLuuyUN/F_2F7DjEOzR7IZ4RJH/a1FhUie35/bXjPRrXLPQ4t_0A_0DNs/hJiRy_2FuX13r0Wg426/jDcEWv3RZYE02pm77rAx84/UlvLPNmOrwLKi/GzVyv0B7Ob/oQzM
http://www.youtube.com/
https://contoso.com/
https://nuget.org/nuget.exe
http://api3.lepini.at/api1/cWMMldHUNNJEupqwPHm/B9i4efC_2Fc2so_2BCUHLQ/EZnaZBpx9TTAG/jsT3bFi3/kx3xXf23DJYShYzY3eA3_2F/1W2x9cmi_2/FaMoHOpg7SPkt9b_2/BTbiYUZqwjQi/FoR9Taz1WaU/DXM7JWcA_2Fx63/mL4zTuWD7RPPiM4xKsTMl/l_2F2TCyXSnly1WP/w78hgLseuFr5g_2/F_2BLwg4UXKkyq9_2B/yJ0SBCkug/u_2BVm0i0IX_2BGOgAfE/oRPonbLnwKHZBDqHRCI/R0A4Gj448_0A_0DlC80JG_/2FQ63Z3TUGph3/FA2KYD9G/4xJwSmXKMt4bwI_2/B07hOhL
http://www.twitter.com/
https://oneget.orgX
http://www.wikipedia.com/
https://oneget.orgformat.ps1xmlagement.dll2040.missionsand
http://www.live.com/
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://www.reddit.com/
https://oneget.org
http://api10.laptok.at/api1/NQKVg1EX9vgAXlWeTogm8sw/KMs5PwysQZ/cojQHZarHMV1BniSf/VzSw0JIs9Bqc/GdYPEAPlCi9/U4jjD2a4CS_2FU/dC0GrKVpGM0ZFOvINZ6jD/ueWB9DhdhuwI602_/2F_2BDRgBH52KzA/R70rcm_2BBFE73EKDB/UgZnJrMd9/XdCECe3cEDs1hxsxeW3J/_2BO2VI2jc566llQDTY/mInMlZbERYbJJFf6fIu8AY/F8oYlj5E8_2Fs/YNDW7QNF/0aIuOOdmT7cZZ0t7_0A_0Dp/zTNXNmHZpd/QcqtnlYoMHMz5q6eF/Z9Lh_2BjXm2s/9nsr68w0fo1/eUArOBxqat12urNmY/9X
http://api10.laptok.at/favicon.ico
http://www.amazon.com/
https://contoso.com/Icon
https://contoso.com/License
http://constitution.org/usdeclar.txtC:
http://api10.laptok.at/api1/5n9IlOq0UoaIiqJutHI/D8yrlktSfAfuBtE_2B67r3/YMaKxGmmtsngC/Pgql_2Fb/xrdkjP
http://api10.laptok.at/api1/T_2Bqbx6rKzt7VnD47NE/iobQaP3nhZ3U2q5_2BH/9heoQF3GAFB5dJEAV4Hg3r/KxW64aVD
http://api3.lepini.at/api1/3grfvd4OoBzJgy_2FJP/fcgVgSwDbfF_2Fp1EPxNjh/Yx9NXIO9hDc5K/GXeDmbgi/sQe3IxSedH5lwc5BpPUS1HN/H28DCja7eD/YbhFCX_2FUuLjKCFc/NXz8mfbtFSE5/_2BZvWEooE_/2FzJ2tfbJnReR3/HC711qTLN9fWJTotOrHs0/VwJEMg6D5XGTPwZ7/fJEEgZtSQMraSHd/RCdkB_2FkaU5EH8D_2/Bz12_2Fv5/VqlWvNV_2F5_2Fcm3Qmt/iqe06OVX6NXRArviyeW/i_2Bh_2Fc_0A_0DqCRayYr/twGQAU2x_2BlV/qfukHrrE/iRMpzIh5gSS0aqoG6IHU9ce/p4y8hPN2N_2BsZEJld/Zys
http://www.apache.org/licenses/LICENSE-2.0.html
http://pesterbdd.com/images/Pester.png
http://www.nytimes.com/
http://www.apache.org/licenses/LICENSE-2.0
http://nuget.org/NuGet.exe
http://api10.laptok.at/api1/5n9IlOq0UoaIiqJutHI/D8yrlktSfAfuBtE_2B67r3/YMaKxGmmtsngC/Pgql_2Fb/xrdkjP4byiL9hsAO1_2Fihb/XdfK1Lk3DT/bmrlm5gkVoRymSshi/HK_2BnaGI_2F/WFCn5RsbN_2/FcPK7Rw6mQuxj2/EvfynwuMlwC6wRrP5JXFk/nbpUfNul3ZXKq6CX/vRjkxUYDMdipvSF/UGNmN_2FwufHTed5qT/soTnqcGUs/fFwOGyz0Kh1dqOmh2Dq6/3aNd7ElOG2dDh0HUOH_/0A_0DXGPOu4hdy_2BL5VXq/nfcdYU5oyVvtc/kLQ3jwT5/tkDQrSKfzj415XI0nz2QktQ/bWUQqR9q/5
https://go.microsoft.coo

Dropped files

Name	File Type	Hashes
C:\Users\user\AppData\Local\Temp\Ammerman.zip	Zip archive data, at least v2.0 to extract	#
C:\Users\user\AppData\Local\Temp\0d0gelxn\0d0gelxn.0.cs	UTF-8 Unicode (with BOM) text	#
C:\Users\user\AppData\Local\Temp\ynra40it\ynra40it.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	#
Click to see the 42 hidden entries
C:\Users\user\AppData\Local\Temp\earmark.avchd	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\ynra40it\CSC8D53D7F284854536B8305B22FC194AF5.TMP	MSVC .res	#
C:\Users\user\AppData\Local\Temp\FCC.cxx	ASCII text, with no line terminators	#
C:\Users\user\AppData\Local\Temp\JavaDeployReg.log	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\RES1E0.tmp	data	#
C:\Users\user\AppData\Local\Temp\Tolstoy.3gp	ASCII text, with no line terminators	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lq5c340j.glg.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w0l1roud.yrr.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\adobe.url	MS Windows 95 Internet shortcut text (URL=<https://adobe.com/>), ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\bowerbird.m3u	ASCII text, with no line terminators	#
C:\Users\user\AppData\Local\Temp\0d0gelxn\0d0gelxn.out	ASCII text, with CRLF, CR line terminators	#
C:\Users\user\AppData\Local\Temp\ynra40it\ynra40it.0.cs	UTF-8 Unicode (with BOM) text	#
C:\Users\user\AppData\Local\Temp\ynra40it\ynra40it.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Temp\ynra40it\ynra40it.out	ASCII text, with CRLF, CR line terminators	#
C:\Users\user\AppData\Local\Temp\~DF0DC159FD027E99B4.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DF4F9D1209361EBE41.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DF628F76BDD717A0C8.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DF8FB77C9DC42E2DD9.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DFA7833B6014B4E164.TMP	data	#
C:\Users\user\Documents\20201119\PowerShell_transcript.721680.CGTQL96q.20201119175419.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{431477FD-2AD3-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{2637FC00-2AD3-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{431477FF-2AD3-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{43147801-2AD3-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\0d0gelxn\CSCF2137F9B31E74386891BA25B7F15B166.TMP	MSVC .res	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\9X[1].htm	ASCII text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\oQzM[1].htm	ASCII text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\5[1].htm	ASCII text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	#
C:\Users\user\AppData\Local\Temp\0d0gelxn\0d0gelxn.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Temp\0d0gelxn\0d0gelxn.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2637FBFE-2AD3-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	#

03QKtPTOQpA1.vbs

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

03QKtPTOQpA1.vbs Options

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

Search started

03QKtPTOQpA1.vbs