
31.exe

Status: finished
Submission Time: 2020-11-24 09:24:20 +01:00
Malicious
Ransomware
Trojan
Adware
Spyware
Evader
Ursnif AgentTesla FormBook Wadhrama

Details

  • Analysis ID:
    321991
  • API (Web) ID:
    545793
  • Analysis Started:
    2020-11-24 09:24:22 +01:00
  • Analysis Finished:
    2020-11-24 09:43:49 +01:00
  • MD5:
    af8e86c5d4198549f6375df9378f983c
  • SHA1:
    7ab5ed449b891bd4899fba62d027a2cc26a05e6f
  • SHA256:
    7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267
  • Technologies:

Engine: Joe Sandbox
Detection: malicious
Score: 100
System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

malicious, Score: 52/70
malicious, Score: 32/38
malicious, Score: 46/48
malicious

IPs

IP               Country        Detection
195.201.225.248  Germany
104.20.22.46     United States

Domains


URLs


Dropped files
