
OCC-221220-TBU1XAT7X4.xls

Status: finished
Submission Time: 2020-12-23 14:47:47 +01:00
Malicious
E-Banking Trojan
Trojan
Exploiter
Evader
Hidden Macro 4.0 Ursnif

Comments

Tags

  • gozi
  • IFSB
  • Ursnif
  • xls

Details

  • Analysis ID:
    333660
  • API (Web) ID:
    569197
  • Analysis Started:
    2020-12-23 14:47:49 +01:00
  • Analysis Finished:
    2020-12-23 14:54:40 +01:00
  • MD5:
    c4356a3b949b77bce8be5ecf2def64db
  • SHA1:
    e5de9340e03e98e6e0b8f6630cfd40295a6c9881
  • SHA256:
    7389677e946cac4226da9b84eca90b94b59d46cf2bf4541ea58d96d39e6669d5
  • Technologies:

Joe Sandbox

  • Detection:
    malicious
  • Score:
    100
  • System:
    Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)

Third Party Analysis Engines

  • Detection:
    malicious

IPs

  • 47.254.169.221 (United States)
  • 45.142.212.128 (Russian Federation)

Domains

  • companieshouseonlinedownload.com (47.254.169.221)
  • hospader.xyz (45.142.212.128)

URLs

  • https://hospader.xyz/index.htmRoot
  • http://www.%s.comPA
  • https://hospader.xyz
  • http://computername/printers/printername/.printer
  • http://companieshouseonlinedownload.com/ox9.png
  • https://hospader.xyz/index.htmndex.htm
  • http://www.iis.fhg.de/audioPA
  • http://windowsmedia.com/redir/services.asp?WMPFriendly=true
  • http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html;
  • http://wellformedweb.org/CommentAPI/
  • https://hospader.xyz/index.htm
  • http://www.icra.org/vocabulary/.
  • http://treyresearch.net
  • https://hospader.xyz/index.htm1
  • https://hospader.xyz/index.htma;
  • https://hospader.xyz/favicon.ico
  • http://investor.msn.com/
  • http://www.hotmail.com/oe
  • http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
  • http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
  • http://www.msnbc.com/news/ticker.txt
  • http://investor.msn.com
  • http://www.windows.com/pctv.

Dropped files

  • C:\Users\user\cnvmb.rty
    PE32 executable (DLL) (console) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ox9[1].png
    PE32 executable (DLL) (console) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\favicon[1].ico
    PNG image data, 16 x 16, 4-bit colormap, non-interlaced
  • C:\Users\user\Desktop\CDDE0000
    Applesoft BASIC program data, first line number 16
  • C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\OCC-221220-TBU1XAT7X4.LNK
    MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:12 2020, mtime=Wed Dec 23 21:48:42 2020, atime=Wed Dec 23 21:48:42 2020, length=325120, window=hide
  • C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
    MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Wed Dec 23 21:48:42 2020, atime=Wed Dec 23 21:48:42 2020, length=12288, window=hide
  • C:\Users\user\AppData\Local\Temp\~DFFE6867554BD92C1A.TMP
    data
  • C:\Users\user\AppData\Local\Temp\~DF97328D057695074B.TMP
    data
  • C:\Users\user\AppData\Local\Temp\~DF3C5C2A9E584434E2.TMP
    data
  • C:\Users\user\AppData\Local\Temp\Tar1D24.tmp
    data
  • C:\Users\user\AppData\Local\Temp\Tar1CE3.tmp
    data
  • C:\Users\user\AppData\Local\Temp\Cab1D23.tmp
    Microsoft Cabinet archive data, 58936 bytes, 1 file
  • C:\Users\user\AppData\Local\Temp\Cab1CE2.tmp
    Microsoft Cabinet archive data, 58936 bytes, 1 file
  • C:\Users\user\AppData\Local\Temp\0CDE0000
    data
  • C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
    Microsoft Cabinet archive data, 58936 bytes, 1 file
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\index[1].htm
    ASCII text, with very long lines, with no line terminators
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\favicon[1].ico
    MS Windows icon resource - 1 icon, 16x16, 16 colors, 4 bits/pixel
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\index[1].htm
    ASCII text, with very long lines, with no line terminators
  • C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\lr5drzg\imagestore.dat
    data
  • C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{5591F920-4571-11EB-ADCF-ECF4BBB5915B}.dat
    Microsoft Word Document
  • C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{5591F91E-4571-11EB-ADCF-ECF4BBB5915B}.dat
    Microsoft Word Document
  • C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5591F91C-4571-11EB-ADCF-ECF4BBB5915B}.dat
    Microsoft Word Document
  • C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
    PNG image data, 16 x 16, 4-bit colormap, non-interlaced
  • C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
    data
  • C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
    data
  • C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
    data