a7APrVP2o2vA.vbs

Status: finished

Submission Time: 2020-11-20 05:20:09 +01:00

Malicious

Trojan

Evader

Ursnif

Comments

Details

Analysis ID:
320914
API (Web) ID:
543636
Analysis Started:

2020-11-20 05:20:10 +01:00
Analysis Finished:

2020-11-20 05:30:41 +01:00
MD5:
34088bd5124b06eec3371c1879f73cf5
SHA1:
bcd7d1067588adcacefaa342af8b0ef8a899bd6f
SHA256:
10a87c4636ca9178acba76c3303c9e6d9ea99efee1b10864b934abc05bdd6b89
Technologies:

Engines
IOCs

Joe Sandbox

Engine	Download Report	Detection	Info
		malicious
	Full Report Management Report IOC Report	malicious Score: 100	System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

Open Full Report

malicious

Score: 10/82

malicious

Score: 22/48

malicious

IPs

IP	Country	Detection
47.241.19.44	United States

Domains

Name	IP	Detection
c56.lepini.at	47.241.19.44
resolver1.opendns.com	208.67.222.222
api3.lepini.at	47.241.19.44
Click to see the 1 hidden entries
api10.laptok.at	47.241.19.44

URLs

Name	Detection
http://https://file://USER.ID%lu.exe/upd
http://c56.lepini.at/jvassets/xI/t64.dat
http://api10.laptok.at/api1/WcqsDWYRDWX9VzX2/6cY_2FMHhq53Bfb/KoBaiBSx8Ilxkeptxy/r8f3nvVNB/Uxnn1Syzni
Click to see the 31 hidden entries
http://constitution.org/usdeclar.txt
http://api10.laptok.at/api1/gQZiH3BmbQ7_2Fm1_2FzRJz/mA58vy7crp/h_2FMdFAmZvkx3oav/jpQlDfvKkUcF/z_2Fv3xe_2B/RtljYzmseysp8M/J9LXCgQX_2FGwaxrM5sll/oxrubqlcpnG3kk6w/rpyvZ2CBr362h4G/DNuto7rxaoKv5pC1dJ/zEIjo7pZv/h5CPg1ZPJuExR0S2nVAn/7CdYizrq7KKmXhFDsWl/GsSN38SYzqX3qIhrq9a2Rm/vOwx2SjF7KMgu/_2FPoQPm/rFHqhPu3IMku5cmhub_0A_0/DrC2MjXzKK/jj9C8RumHF7pnVY_2/FAD8yOK_2BFT/MxX5y2lsWM/V6y
http://www.youtube.com/
https://contoso.com/
https://nuget.org/nuget.exe
https://oneget.orgX
http://api10.laptok.at/api1/HepzZx2kCuDwmeOQzvnl/pYC9yZFBIyaKECxGK0e/aRjir2j_2FD0Cs2y6LC1fn/UI6Iu_2F
http://www.wikipedia.com/
https://oneget.orgformat.ps1xmlagement.dll2040.missionsand
http://www.live.com/
http://api10.laptok.at/api1/WcqsDWYRDWX9VzX2/6cY_2FMHhq53Bfb/KoBaiBSx8Ilxkeptxy/r8f3nvVNB/Uxnn1SyznitKnjOi8hCe/ohSe08DDAeFHGbAN_2F/0Spr_2FCjhgaXo0BixRxlK/gRR6Am8dlGdUj/bXxlH1YY/oAmZLTvZixjJMYkbcvNceUF/TE7QVGk6pc/MryulOKAB6hK5uuEq/Ip0vKVpaDGvV/oHnOmnuADTL/DZ7XRbtQiU_2BP/uUPkwFUayXFIpo3sPb5cI/f7KYlOClbx19_0A_/0DuyZdVLuLk6jXr/RUPYRyzRPa2TXuqypX/gKjtwBKzB/hGbhX_2Bp7clI1KXeu9F/UHr0GT1Kn/m
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://www.reddit.com/
http://api10.laptok.at/api1/HepzZx2kCuDwmeOQzvnl/pYC9yZFBIyaKECxGK0e/aRjir2j_2FD0Cs2y6LC1fn/UI6Iu_2FTpGMx/iwNkVdtq/4RAm36fJE_2BBIz2mpTpCMm/XnYyDK_2Fz/MiJoJBmpDAaTWVp1B/daSoJy_2FyS5/PuWvoglkSmx/qz2BTPi06QBrho/noUwfa_2FU_2BYCqTU3gC/NlevHPEUQyxG_2F5/4RKnQYuO3c2ETpt/rfleViaqwq1snPaMMc/vec7JAn9w/6IG6FBznQA00j0qPOZSG/_0A_0DZMwSFDBhuNf54/7SFAeYx_2BlJe9QVm8Vh5X/7k9AL4BWBHPhI/R_2Bii7A/8kTBHJT5wlqrWOd/j
https://oneget.org
http://nuget.org/NuGet.exe
http://api10.laptok.at/api1/Ode7pmXhCEdXxTRBf_/2FHH_2FBp/_2BnsalNz0lmkH5x1mmt/xHl6WQifJFf5CBgok3I/bn3XVAGXUeWigiJUOcLQWD/c2roXTQ2nkZbG/M_2FMDPg/RMcD_2FfR_2FfjyYlINFV_2/BaGZ2rH4vj/6jogYZYijMsSboygs/SvxVVPCKWphR/VUg4AeMl2sx/6_2FAxA2ms8rKx/ICLWxB1ZuqvjIAU92vsk7/bigoAHVM9eJoWAJe/2u2_2FVoWlqH3Ft/Wqo08LsOYeWuLlPepq/yBPc_0A_0/DpBN_2Bc1hK_2BzOEfhW/86UE6S6NpYhT5yFlxam/wY_2BlPzb_2BfGYwkL90Le/XnKUFDbHepNQE/sCy
https://github.com/Pester/Pester
http://www.twitter.com/
http://api10.laptok.at/favicon.ico
http://www.amazon.com/
https://contoso.com/Icon
http://api10.laptok.at/api1/gQZiH3BmbQ7_2Fm1_2FzRJz/mA58vy7crp/h_2FMdFAmZvkx3oav/jpQlDfvKkUcF/z_2Fv3
https://contoso.com/License
http://constitution.org/usdeclar.txtC:
http://api10.laptok.at/api1/Ode7pmXhCEdXxTRBf_/2FHH_2FBp/_2BnsalNz0lmkH5x1mmt/xHl6WQifJFf5CBgok3I/bn
http://www.apache.org/licenses/LICENSE-2.0.html
http://pesterbdd.com/images/Pester.png
http://api3.lepini.at/api1/2J2umGNGC/23hMLk5OVrtn68e78dJf/A_2BrU_2BFCQd0JFavS/qD2No9mVoRgWsYVU2X4Wu2/pEjb5SeCskpwt/IXhbUQJx/zzmlUYI8DaBanXCstcTmGoB/WeXH1fwB8Y/187mYAeGvaiuSex_2/FTLNj7tdJIe6/YE0SgCn8_2F/fF4EyQT8w4xR2m/lXR3QJqthlRtLFew3tvGl/J3GUehnz3UM16JtW/TvUL9ADr_2B7EOv/URICsZ4sy6Q8zqqVqE/ilstOMsUZ/7eeWf_0A_0DnFsRVTw6I/_2BdV_2BZExw_2BTW5f/RRfX0aScxLxGFVZlSBOLEu/x9Y
http://www.nytimes.com/
http://www.apache.org/licenses/LICENSE-2.0

Dropped files

Name	File Type	Hashes
C:\Users\user\AppData\Local\Temp\3cg2gow2\3cg2gow2.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Temp\Ammerman.zip	Zip archive data, at least v2.0 to extract	#
C:\Users\user\AppData\Local\Temp\pjhhilfe\pjhhilfe.0.cs	UTF-8 Unicode (with BOM) text	#
Click to see the 52 hidden entries
C:\Users\user\AppData\Local\Temp\earmark.avchd	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\bowerbird.m3u	ASCII text, with no line terminators	#
C:\Users\user\AppData\Local\Temp\3cg2gow2\3cg2gow2.0.cs	UTF-8 Unicode (with BOM) text	#
C:\Users\user\AppData\Local\Temp\3cg2gow2\3cg2gow2.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Temp\3cg2gow2\3cg2gow2.out	ASCII text, with CRLF, CR line terminators	#
C:\Users\user\AppData\Local\Temp\3cg2gow2\CSCC7D6D6B9E2E2482A90484ECDA4303A65.TMP	MSVC .res	#
C:\Users\user\AppData\Local\Temp\FCC.cxx	ASCII text, with no line terminators	#
C:\Users\user\AppData\Local\Temp\JavaDeployReg.log	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\RESEF81.tmp	data	#
C:\Users\user\AppData\Local\Temp\Tolstoy.3gp	ASCII text, with no line terminators	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4e01b4v0.lgo.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cbgrc3b0.yd2.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\adobe.url	MS Windows 95 Internet shortcut text (URL=<https://adobe.com/>), ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	#
C:\Users\user\AppData\Local\Temp\pjhhilfe\CSC3FCB40168F8F43A79C916E3E14812F23.TMP	MSVC .res	#
C:\Users\user\AppData\Local\Temp\pjhhilfe\pjhhilfe.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Temp\pjhhilfe\pjhhilfe.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Temp\pjhhilfe\pjhhilfe.out	ASCII text, with CRLF, CR line terminators	#
C:\Users\user\AppData\Local\Temp\~DF1B3A3B6AB333EE87.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DF355482E4E7DEE5A3.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DF59F7FE070035D0FB.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DF897443D483D7C528.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DFA0DC02764BBFFD70.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DFC1B22A1CB1C1EB4D.TMP	data	#
C:\Users\user\Documents\20201120\PowerShell_transcript.715575.I4F9bCTu.20201120052227.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{638D4EEF-2B33-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{48F8DB8E-2B33-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{638D4EF1-2B33-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{638D4EF3-2B33-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{638D4EF5-2B33-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{48F8DB8C-2B33-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\down[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\errorPageStrings[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\sCy[1].htm	ASCII text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\ErrorPageTemplate[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\bullet[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\m[1].htm	ASCII text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\background_gradient[1]	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1x800, frames 3	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\httpErrorPagesScripts[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\http_404[1]	HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\info_48[1]	PNG image data, 47 x 48, 8-bit/color RGBA, non-interlaced	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\j[1].htm	ASCII text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	#

a7APrVP2o2vA.vbs

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

a7APrVP2o2vA.vbs Options

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

Search started

a7APrVP2o2vA.vbs