Joe Sandbox Cloud Basic

Want to search on specific fields?


Try our:

Advanced Search

Want to search in depth on all Cloud Basic reports?

Try: Joe Sandbox View

Register Login
sloganpng
top title background image
flash

PO_Invoices_pdf.exe

Status: finished
Submission Time: 2021-02-02 08:47:15 +01:00
Malicious
Phishing
Trojan
Adware
Spyware
Evader
HawkEye AgentTesla MailPassView Matiex

Comments

Tags

  • exe
  • HawkEye
  • Yahoo

Details

  • Analysis ID:
    347154
  • API (Web) ID:
    596230
  • Analysis Started:
    2021-02-02 08:50:39 +01:00
  • Analysis Finished:
    2021-02-02 09:11:19 +01:00
  • MD5:
    59d7d8d5dd3e0055e7c0dcc75897f569
  • SHA1:
    b249b28d088d54e971e2d9d8b2688440f8e6d513
  • SHA256:
    ef715cd322f0a805a68840b215c062f2e254977170a11c6800d836eac781fabb
  • Technologies:

Joe Sandbox

Engine Download Report Detection Info
malicious
Full Report Management Report IOC Report
malicious
Score: 100
System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

Open Full Report
malicious
Score: 17/37
malicious
Score: 44/46
malicious

IPs

IP Country Detection
131.186.113.70
 United States
104.16.155.36
 United States
104.21.19.200
 United States
Click to see the 2 hidden entries
199.193.7.228
 United States
216.146.43.70
 United States

Domains

Name IP Detection
69.170.12.0.in-addr.arpa
 0.0.0.0
checkip.dyndns.org
 0.0.0.0
whatismyipaddress.com
 104.16.155.36
Click to see the 3 hidden entries
freegeoip.app
 104.21.19.200
smtp.privateemail.com
 199.193.7.228
checkip.dyndns.com
 131.186.113.70

URLs

Name Detection
http://www.carterandcone.como.R
http://www.carterandcone.coml
http://www.goodfont.co.krF
Click to see the 87 hidden entries
https://github.com/Pester/Pester
http://www.fontbureau.comd
http://whatismyipaddress.com
http://www.fontbureau.comY
https://contoso.com/Icon
http://www.sakkal.com-mq
http://www.apache.org/licenses/LICENSE-2.0.html
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
http://ns.adobe.cobj
http://www.typography.net-d
http://pesterbdd.com/images/Pester.png
https://sectigo.com/CPS0
http://www.fontbureau.comF
http://www.goodfont.co.kr9
http://DynDns.comDynDNS
http://www.fontbureau.com
http://www.apache.org/licenses/LICENSE-2.0
http://nuget.org/NuGet.exe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
https://freegeoip.app/xml/
http://www.jiyu-kobo.co.jp/
http://ns.ado/1
http://www.tiro.com-cz
https://i.imgur.com/GJD7Q5y.png195.239.51.11795.26.248.2989.208.29.13389.187.165.4792.118.13.1895.26
http://www.typography.netn
http://fontfabrik.com(
http://www.sandoll.co.krn-u
http://www.fontbureau.comdsed
http://www.apache.org/licenses/LICENSE-2.0.htmlL
http://www.fontbureau.com/designers8
http://www.jiyu-kobo.co.jp/l
http://www.founder.com.cn/cniac
http://www.fontbureau.comm
http://www.typography.netx
http://pesterbdd.com/images/Pester.pngL
http://checkip.dyndns.org/HBFl
http://www.fontbureau.com/designers/frere-jones.html
http://www.founder.com.cn/cn
http://www.fontbureau.comceto
http://www.fontbureau.comdV
http://www.fontbureau.coma3
http://www.fontbureau.com/designers/cabarga.htmlN
http://www.founder.com.cn/cnT
http://fontfabrik.com
http://www.galapagosdesign.com/staff/dennis.htm
http://www.founder.com.cn/cn/cThe
http://www.typography.netD
http://csARxe.com
http://www.sajatypeworks.com
http://www.carterandcone.com
http://www.goodfont.co.kr
http://ns.adobe.c/g
http://www.fontbureau.com/designers
http://www.tiro.com
http://www.typography.net-siu
https://contoso.com/License
http://www.founder.com.cn/cnR
http://tempuri.org/DataSet1.xsd
http://www.fontbureau.com/designers?
https://github.com/Pester/PesterL
http://ocsp.sectigo.com0
http://www.zhongyicts.com.cnaN
http://www.founder.com.cn/cn/bThe
http://www.fontbureau.com/designers/?
http://www.fontbureau.com/designersG
http://www.fonts.com
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
http://www.sakkal.com
http://www.carterandcone.como.
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://www.zhongyicts.com.cn
http://www.nirsoft.net/
http://whatismyipaddress.com/
http://www.urwpp.deDPlease
http://www.site.com/logs.php
http://www.sandoll.co.kr
http://127.0.0.1:HTTP/1.1
https://login.yahoo.com/config/login
https://api.ipify.org%GETMozilla/5.0
https://api.telegram.org/bot/sendMessage?chat_id=&text=Createutf-8Win32_ComputerSystemModelManufactu
http://www.galapagosdesign.com/DPlease
http://whatismyipaddress.com/-
https://freegeoip.app/xml/LoadTimeZoneCountryNameCountryCodehttps://www.geodatatool.com/en/?ip=/
https://nuget.org/nuget.exe
https://contoso.com/
http://www.typography.net
http://checkip.dyndns.org/

Dropped files

Name File Type Hashes Detection
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_hawkgoods.exe_697020edb13ed8bc761f5d6b0de413dddfcbfb_b4666e22_1b230661\Report.wer
 Little-endian UTF-16 Unicode text, with CRLF line terminators
 #
C:\Users\user\AppData\Local\Temp\Matiexgoods.exe
 PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
 #
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO_Invoices_pdf.exe.log
 ASCII text, with CRLF line terminators
 #
Click to see the 31 hidden entries
C:\Users\user\AppData\Local\Temp\hawkgoods.exe
 PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
 #
C:\Users\user\AppData\Local\Temp\origigoods20.exe
 PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
 #
C:\Users\user\AppData\Local\Temp\origigoods40.exe
 PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
 #
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe
 PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
 #
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe:Zone.Identifier
 ASCII text, with CRLF line terminators
 #
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_hawkgoods.exe_697020edb13ed8bc761f5d6b0de413dddfcbfb_b4666e22_12f099c3\Report.wer
 Little-endian UTF-16 Unicode text, with CRLF line terminators
 #
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_hawkgoods.exe_93f07d9c4f92cda17563b29cabdf995c588ef9_00000000_1a4a83a4\Report.wer
 Little-endian UTF-16 Unicode text, with CRLF line terminators
 #
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_hawkgoods.exe_93f07d9c4f92cda17563b29cabdf995c588ef9_00000000_14dc0d13\Report.wer
 Little-endian UTF-16 Unicode text, with CRLF line terminators
 #
C:\Users\user\AppData\Roaming\pid.txt
 ASCII text, with no line terminators
 #
C:\Users\user\AppData\Roaming\pidloc.txt
 ASCII text, with no line terminators
 #
C:\Users\user\Documents\20210202\PowerShell_transcript.830021.dnDUrXav.20210202085254.txt
 UTF-8 Unicode (with BOM) text, with CRLF line terminators
 #
C:\Users\user\Documents\20210202\PowerShell_transcript.830021.vpu_jBUU.20210202085147.txt
 UTF-8 Unicode (with BOM) text, with CRLF line terminators
 #
C:\Users\user\AppData\Local\Temp\holderwb.txt
 Little-endian UTF-16 Unicode text, with no line terminators
 #
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zllqa32j.uf3.psm1
 very short file (no magic)
 #
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fla1cgxx.qbm.ps1
 very short file (no magic)
 #
C:\Users\user\Documents\Matiex Keylogger\Screenshot.png
 PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
 #
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_awkr53h0.pdr.ps1
 very short file (no magic)
 #
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4e14qwxc.os0.psm1
 very short file (no magic)
 #
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
 data
 #
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
 data
 #
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\I$s#$lT3ssl.exe.log
 ASCII text, with CRLF line terminators
 #
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDDB6.tmp.mdmp
 Mini DuMP crash report, 14 streams, Tue Feb 2 16:53:45 2021, 0x60521 type
 #
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD84E.tmp.xml
 XML 1.0 document, ASCII text, with CRLF line terminators
 #
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD020.tmp.WERInternalMetadata.xml
 XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
 #
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAF48.tmp.mdmp
 Mini DuMP crash report, 14 streams, Tue Feb 2 16:52:18 2021, 0x60521 type
 #
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8566.tmp.xml
 XML 1.0 document, ASCII text, with CRLF line terminators
 #
C:\ProgramData\Microsoft\Windows\WER\Temp\WER81AC.tmp.WERInternalMetadata.xml
 XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
 #
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7473.tmp.xml
 XML 1.0 document, ASCII text, with CRLF line terminators
 #
C:\ProgramData\Microsoft\Windows\WER\Temp\WER72DC.tmp.WERInternalMetadata.xml
 XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
 #
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3BB7.tmp.xml
 XML 1.0 document, ASCII text, with CRLF line terminators
 #
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2F33.tmp.WERInternalMetadata.xml
 XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
 #