Source: imedpub_8.xls |
ReversingLabs: Detection: 16% |
Source: C:\ProgramData\JooSee.dll |
Joe Sandbox ML: detected |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File opened: C:\Users\user |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File opened: C:\Users\user\AppData |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File opened: C:\Users\user\AppData\Roaming |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File opened: C:\Users\user\AppData\Roaming\Microsoft |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\cmd.exe |
Source: global traffic |
DNS query: name: hostfeeling.com |
Source: global traffic |
TCP traffic: 192.168.2.22:49165 -> 91.240.118.172:80 |
Source: Traffic |
Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.22:49166 -> 91.240.118.172:80 |
Source: Joe Sandbox View |
ASN Name: GLOBALLAYERNL |
Source: global traffic |
HTTP traffic detected: GET /gg/ff/fe.png HTTP/1.1
Host: 91.240.118.172
Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /assets/iM/ HTTP/1.1
Host: jurnalpjf.lan.go.id
Connection: Keep-Alive |
Source: Joe Sandbox View |
IP Address: 164.90.147.135 |
Source: Joe Sandbox View |
IP Address: 91.240.118.172 |
Source: global traffic |
HTTP traffic detected: HTTP/1.1 200 OK
Date: Fri, 28 Jan 2022 19:58:55 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.4.27
X-Powered-By: PHP/7.4.27
Set-Cookie: 61f44affaa0ef=1643399935; expires=Fri, 28-Jan-2022 19:59:55 GMT; Max-Age=60; path=/
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Fri, 28 Jan 2022 19:58:55 GMT
Expires: Fri, 28 Jan 2022 19:58:55 GMT
Content-Disposition: attachment; filename="Fw6A4ZWhOBNhoQZNE5.dll"
Content-Transfer-Encoding: binary
Content-Length: 548864
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload |