xls.xls

Status: finished

Submission Time: 2021-02-09 11:52:12 +01:00

Malicious

Phishing

E-Banking Trojan

Trojan

Spyware

Exploiter

Evader

Hidden Macro 4.0 Gozi Ursnif

Comments

Details

Analysis ID:
350432
API (Web) ID:
602830
Analysis Started:

2021-02-09 11:52:13 +01:00
Analysis Finished:

2021-02-09 12:05:31 +01:00
MD5:
0e6d3ca70f81e25baf88e5a2bb5cde7e
SHA1:
830932f1ec44148a6327f08d95b2ebaa4694d2ad
SHA256:
b2701be6d7b593433a48955c5613953470e2c807a87fa18eb33334da66dd41b0
Technologies:

Engines
IOCs

Joe Sandbox

Engine	Download Report	Detection	Info
		malicious
	Full Report Management Report IOC Report	malicious Score: 100	System: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)

Third Party Analysis Engines

Open Full Report

malicious

Score: 9/56

malicious

Score: 18/47

malicious

IPs

IP	Country	Detection
8.208.96.68	Singapore
45.67.231.135	Moldova Republic of
104.16.249.249	United States
Click to see the 1 hidden entries
80.208.230.180	Lithuania

Domains

Name	IP	Detection
eorctconthoelrrpentshfex.com	45.67.231.135
online-docu-sign-st.com	8.208.96.68
1.0.0.127.in-addr.arpa	0.0.0.0
Click to see the 8 hidden entries
assets.onestore.ms	0.0.0.0
222.222.67.208.in-addr.arpa	0.0.0.0
8.8.8.8.in-addr.arpa	0.0.0.0
pronpepsipirpyamvioerd.com	80.208.230.180
mozilla.cloudflare-dns.com	104.16.249.249
myip.opendns.com	84.17.52.38
resolver1.opendns.com	208.67.222.222
ajax.aspnetcdn.com	0.0.0.0

URLs

Name	Detection
0
http://pronpepsipirpyamvioerd.com/manifest/epAdaEbgmyrS0/5cBg2_2F/5r8v5YqebG9_2BzXwQ53Or2/m_2BYyZlMo/Wjgc3SrdyI1oKZciJ/0VZWBVvz9ttQ/e_2BqGDPIqO/VywJMmm_2FxNKs/BOcG3xAwzit4RyHpLyJsr/vwEVLjnqkBMf1zrK/m34BDAlEVdkNvcp/4fnxbyz8Lb2BtkfzoG/Qmy6EiDgS/W_2BAz08nRnapN/NuB.snx
http://pronpepsipirpyamvioerd.com/favicon.ico
Click to see the 16 hidden entries
http://www.icra.org/vocabulary/.
http://pronpepsipirpyamvioerd.com/manifest/t9KapG5Lp7Zt_2Fa57QG/GX7C0FfmRVPiI55eGvl/6x2VyI3ttROAIozUzpTtuU/djl44EXt9ama4/XR_2FoMg/DUUaeRp34H0CCf_2FqktcZq/z9PSxtll7Y/oj4uvWMlnUr2X5bcU/HYCHWM70nrfm/_2BgTKf7qxG/3cOw5VQBP7LVAf/95TW5v6vv1PzXG2YnDn_2/B53HOO92/81PS.snx
http://windowsmedia.com/redir/services.asp?WMPFriendly=true
http://constitution.org/usdeclar.txt
http://pronpepsipirpyamvioerd.com/manifest/8LuXDq_2BWfBiB/BEj6sfjtywNrZQzF5QZK7/NbbMkjR9SpGW28t6/1m9JUJz0exuG0Ws/6b83q2bcM1KtQpqf51/Z_2B1SUtN/P_2FDTQIaszfL7CFhXYP/tmsBI8pqKk7pm_2BfxZ/6rZJurPMhY6pGTLji_2FEt/IMZgEgmplBU7m/NokZx7zj/OP_2FSvKpKSMcRmuUdUVqR0/teCNe1.snx
http://constitution.org/usdeclar.txtC:
http://online-docu-sign-st.com/yytr.png
http://https://file://USER.ID%lu.exe/upd
http://www.%s.comPA
http://investor.msn.com/
http://www.hotmail.com/oe
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
http://www.msnbc.com/news/ticker.txt
http://investor.msn.com
http://www.windows.com/pctv.

Dropped files

Name	File Type	Hashes
C:\fyjh\zglgy\lckhvmn.drhdh	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\prefs.js	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\yytr[1].png	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
Click to see the 67 hidden entries
C:\Users\user\AppData\Local\Temp\8pjpp9kb.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Temp\vl8o3v8u.0.cs	UTF-8 Unicode (with BOM) text	#
C:\Users\user\AppData\Local\Temp\~DF542D6E5005877156.TMP	data	#
C:\Users\user\AppData\Local\Temp\B55E.bin	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\~DF1A0EFD356D103ED9.TMP	data	#
C:\Users\user\AppData\Local\Temp\vl8o3v8u.pdb	data	#
C:\Users\user\AppData\Local\Temp\vl8o3v8u.out	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\vl8o3v8u.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Temp\vl8o3v8u.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Temp\RES8BAE.tmp	data	#
C:\Users\user\AppData\Local\Temp\RES6C1D.tmp	data	#
C:\Users\user\AppData\Local\Temp\D525.bin	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\CSC8BAD.tmp	MSVC .res	#
C:\Users\user\AppData\Local\Temp\CSC6C1C.tmp	MSVC .res	#
C:\Users\user\AppData\Local\Temp\C730.bin	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\B55E.bin1	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\A8F1.bin	ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\~DF686E8EF428A6F917.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DF6C80C96287FEDF7A.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DF6E8E516FC48BBD04.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DFB493AFE510C14E57.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DFD658EE7ED4C24B16.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DFE424184E9A162E2E.TMP	data	#
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Tue Feb 9 18:52:42 2021, atime=Tue Feb 9 18:52:42 2021, length=8192, window=hide	#
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\xls.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:13 2020, mtime=Tue Feb 9 18:52:42 2021, atime=Tue Feb 9 18:52:42 2021, length=325120, window=hide	#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\7G92O15Q.txt	ASCII text	#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\CHB05XTO.txt	ASCII text	#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QG8KSXKE12RR2FGVPLFR.temp	data	#
C:\Users\user\AppData\Roaming\Microsoft\{14855AFD-63AD-6633-8D88-47FA113C6BCE}	HTML document, UTF-8 Unicode text, with CRLF line terminators	#
C:\Users\user\AppData\Roaming\Microsoft\{2EDCE888-B575-900B-AF42-B9C45396FD38}\cookie.cr\Cookies.cr	SQLite 3.x database, last written using SQLite version 3032001	#
C:\Users\user\AppData\Roaming\Microsoft\{2EDCE888-B575-900B-AF42-B9C45396FD38}\cookie.ff\7xwghk55.default\cookies.sqlite.ff	SQLite 3.x database, user version 7, last written using SQLite version 3017000	#
C:\Users\user\Desktop\0FDE0000	Applesoft BASIC program data, first line number 16	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9F3D57A7-6B10-11EB-ADCF-ECF4BBB5915B}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\favicon[2].ico	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\favicon[1].ico	PNG image data, 16 x 16, 4-bit colormap, non-interlaced	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\NuB[1].htm	ASCII text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\MWFMDL2[1].ttf	TrueType Font data, 15 tables, 1st "OS/2", 37 names, Microsoft, language 0x403, type 2 string, Normaloby	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\urlblockindex[1].bin	data	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\mwfmdl2-v3.54[1].woff	Web Open Font Format, TrueType, length 26288, version 0.0	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\54-41a2a0[1].css	UTF-8 Unicode text, with very long lines	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\lr5drzg\imagestore.dat	data	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\17-f90ef1[1].js	ASCII text, with very long lines	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9CE57CE2-6B10-11EB-ADCF-ECF4BBB5915B}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9B0BCB0B-6B10-11EB-ADCF-ECF4BBB5915B}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7EC5126A-6B10-11EB-ADCF-ECF4BBB5915B}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9F3D57A5-6B10-11EB-ADCF-ECF4BBB5915B}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9CE57CE0-6B10-11EB-ADCF-ECF4BBB5915B}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9B0BCB09-6B10-11EB-ADCF-ECF4BBB5915B}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7EC51268-6B10-11EB-ADCF-ECF4BBB5915B}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\teCNe1[1].htm	ASCII text, with very long lines, with no line terminators	#
C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	PNG image data, 16 x 16, 4-bit colormap, non-interlaced	#
C:\Users\user\AppData\Local\Temp\8pjpp9kb.pdb	data	#
C:\Users\user\AppData\Local\Temp\8pjpp9kb.out	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\8pjpp9kb.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Temp\8pjpp9kb.0.cs	UTF-8 Unicode (with BOM) text	#
C:\Users\user\AppData\Local\Temp\7DDE0000	data	#
C:\Users\user\AppData\Local\Temp\29B8.bi1	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\245D.bin	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\B36F.bin	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\override[1].css	ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\RE1Mu3b[1].png	PNG image data, 216 x 46, 8-bit/color RGBA, non-interlaced	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\MWFMDL2[1].woff	Web Open Font Format, TrueType, length 11480, version 0.0	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\81PS[1].htm	ASCII text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\wcp-consent[1].js	UTF-8 Unicode text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\mwf-west-european-default.min[1].css	UTF-8 Unicode text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\jquery-1.9.1.min[1].js	ASCII text, with very long lines	#