flash

PO_Invoices_pdf.exe

Status: finished
Submission Time: 02.02.2021 08:47:15
Malicious
Phishing
Trojan
Adware
Spyware
Evader
HawkEye AgentTesla MailPassView Matiex

Comments

Tags

  • exe
  • HawkEye
  • Yahoo

Details

  • Analysis ID:
    347154
  • API (Web) ID:
    596230
  • Analysis Started:
    02.02.2021 08:50:39
  • Analysis Finished:
    02.02.2021 09:11:19
  • MD5:
    59d7d8d5dd3e0055e7c0dcc75897f569
  • SHA1:
    b249b28d088d54e971e2d9d8b2688440f8e6d513
  • SHA256:
    ef715cd322f0a805a68840b215c062f2e254977170a11c6800d836eac781fabb
  • Technologies:
Full Report Management Report IOC Report Engine Info Verdict Score Reports

malicious

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

malicious
100/100

malicious
17/37

malicious
44/46

malicious

IPs

IP Country Detection
131.186.113.70
United States
104.16.155.36
United States
104.21.19.200
United States
Click to see the 2 hidden entries
199.193.7.228
United States
216.146.43.70
United States

Domains

Name IP Detection
69.170.12.0.in-addr.arpa
0.0.0.0
checkip.dyndns.org
0.0.0.0
whatismyipaddress.com
104.16.155.36
Click to see the 3 hidden entries
freegeoip.app
104.21.19.200
smtp.privateemail.com
199.193.7.228
checkip.dyndns.com
131.186.113.70

URLs

Name Detection
http://127.0.0.1:HTTP/1.1
http://www.fontbureau.com/designersG
http://www.fontbureau.com/designers/?
Click to see the 87 hidden entries
http://www.founder.com.cn/cn/bThe
http://www.zhongyicts.com.cnaN
http://ocsp.sectigo.com0
https://github.com/Pester/PesterL
http://www.fontbureau.com/designers?
http://tempuri.org/DataSet1.xsd
http://www.founder.com.cn/cnR
https://contoso.com/License
http://www.founder.com.cn/cnT
http://www.tiro.com
http://www.fontbureau.com/designers
http://ns.adobe.c/g
http://www.goodfont.co.kr
http://www.carterandcone.com
http://www.sajatypeworks.com
http://csARxe.com
http://www.typography.netD
http://www.founder.com.cn/cn/cThe
http://www.galapagosdesign.com/staff/dennis.htm
http://fontfabrik.com
http://www.typography.net-siu
http://checkip.dyndns.org/
http://www.typography.net
https://contoso.com/
https://nuget.org/nuget.exe
https://freegeoip.app/xml/LoadTimeZoneCountryNameCountryCodehttps://www.geodatatool.com/en/?ip=/
http://whatismyipaddress.com/-
http://www.galapagosdesign.com/DPlease
https://api.telegram.org/bot/sendMessage?chat_id=&text=Createutf-8Win32_ComputerSystemModelManufactu
https://api.ipify.org%GETMozilla/5.0
https://login.yahoo.com/config/login
http://www.fonts.com
http://www.sandoll.co.kr
http://www.site.com/logs.php
http://www.urwpp.deDPlease
http://whatismyipaddress.com/
http://www.nirsoft.net/
http://www.zhongyicts.com.cn
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://www.carterandcone.como.
http://www.sakkal.com
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
http://www.founder.com.cn/cniac
https://freegeoip.app/xml/
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
http://nuget.org/NuGet.exe
http://www.apache.org/licenses/LICENSE-2.0
http://www.fontbureau.com
http://DynDns.comDynDNS
http://www.goodfont.co.kr9
http://www.fontbureau.comF
https://sectigo.com/CPS0
http://pesterbdd.com/images/Pester.png
http://www.carterandcone.como.R
http://ns.adobe.cobj
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
http://www.apache.org/licenses/LICENSE-2.0.html
http://www.sakkal.com-mq
https://contoso.com/Icon
http://www.fontbureau.comY
http://whatismyipaddress.com
http://www.fontbureau.comd
https://github.com/Pester/Pester
http://www.goodfont.co.krF
http://www.carterandcone.coml
http://www.typography.net-d
http://www.fontbureau.com/designers/cabarga.htmlN
http://www.fontbureau.coma3
http://www.fontbureau.comdV
http://www.fontbureau.comceto
http://www.founder.com.cn/cn
http://www.fontbureau.com/designers/frere-jones.html
http://checkip.dyndns.org/HBFl
http://pesterbdd.com/images/Pester.pngL
http://www.typography.netx
http://www.fontbureau.comm
http://www.jiyu-kobo.co.jp/
http://www.jiyu-kobo.co.jp/l
http://www.fontbureau.com/designers8
http://www.apache.org/licenses/LICENSE-2.0.htmlL
http://www.fontbureau.comdsed
http://www.sandoll.co.krn-u
http://fontfabrik.com(
http://www.typography.netn
https://i.imgur.com/GJD7Q5y.png195.239.51.11795.26.248.2989.208.29.13389.187.165.4792.118.13.1895.26
http://www.tiro.com-cz
http://ns.ado/1

Dropped files

Name File Type Hashes Detection
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_hawkgoods.exe_697020edb13ed8bc761f5d6b0de413dddfcbfb_b4666e22_12f099c3\Report.wer
Little-endian UTF-16 Unicode text, with CRLF line terminators
#
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_hawkgoods.exe_697020edb13ed8bc761f5d6b0de413dddfcbfb_b4666e22_1b230661\Report.wer
Little-endian UTF-16 Unicode text, with CRLF line terminators
#
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_hawkgoods.exe_93f07d9c4f92cda17563b29cabdf995c588ef9_00000000_14dc0d13\Report.wer
Little-endian UTF-16 Unicode text, with CRLF line terminators
#
Click to see the 31 hidden entries
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_hawkgoods.exe_93f07d9c4f92cda17563b29cabdf995c588ef9_00000000_1a4a83a4\Report.wer
Little-endian UTF-16 Unicode text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO_Invoices_pdf.exe.log
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\Matiexgoods.exe
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Local\Temp\hawkgoods.exe
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Local\Temp\origigoods20.exe
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Local\Temp\origigoods40.exe
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe:Zone.Identifier
ASCII text, with CRLF line terminators
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2F33.tmp.WERInternalMetadata.xml
XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3BB7.tmp.xml
XML 1.0 document, ASCII text, with CRLF line terminators
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WER72DC.tmp.WERInternalMetadata.xml
XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7473.tmp.xml
XML 1.0 document, ASCII text, with CRLF line terminators
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WER81AC.tmp.WERInternalMetadata.xml
XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8566.tmp.xml
XML 1.0 document, ASCII text, with CRLF line terminators
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAF48.tmp.mdmp
Mini DuMP crash report, 14 streams, Tue Feb 2 16:52:18 2021, 0x60521 type
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD020.tmp.WERInternalMetadata.xml
XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD84E.tmp.xml
XML 1.0 document, ASCII text, with CRLF line terminators
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDDB6.tmp.mdmp
Mini DuMP crash report, 14 streams, Tue Feb 2 16:53:45 2021, 0x60521 type
#
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\I$s#$lT3ssl.exe.log
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
data
#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
data
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4e14qwxc.os0.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_awkr53h0.pdr.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fla1cgxx.qbm.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zllqa32j.uf3.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\holderwb.txt
Little-endian UTF-16 Unicode text, with no line terminators
#
C:\Users\user\AppData\Roaming\pid.txt
ASCII text, with no line terminators
#
C:\Users\user\AppData\Roaming\pidloc.txt
ASCII text, with no line terminators
#
C:\Users\user\Documents\20210202\PowerShell_transcript.830021.dnDUrXav.20210202085254.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
#
C:\Users\user\Documents\20210202\PowerShell_transcript.830021.vpu_jBUU.20210202085147.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
#
C:\Users\user\Documents\Matiex Keylogger\Screenshot.png
PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
#