flash

xls.xls

Status: finished
Submission Time: 09.02.2021 11:52:12
Malicious
Phishing
E-Banking Trojan
Trojan
Spyware
Exploiter
Evader
Hidden Macro 4.0 Gozi Ursnif

Comments

Tags

Details

  • Analysis ID:
    350432
  • API (Web) ID:
    602830
  • Analysis Started:
    09.02.2021 11:52:13
  • Analysis Finished:
    09.02.2021 12:05:31
  • MD5:
    0e6d3ca70f81e25baf88e5a2bb5cde7e
  • SHA1:
    830932f1ec44148a6327f08d95b2ebaa4694d2ad
  • SHA256:
    b2701be6d7b593433a48955c5613953470e2c807a87fa18eb33334da66dd41b0
  • Technologies:
Full Report Management Report IOC Report Engine Info Verdict Score Reports

malicious
New

System: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)

malicious
100/100

malicious
9/56

malicious
18/47

malicious

IPs

IP Country Detection
8.208.96.68
Singapore
45.67.231.135
Moldova Republic of
104.16.249.249
United States
Click to see the 1 hidden entries
80.208.230.180
Lithuania

Domains

Name IP Detection
eorctconthoelrrpentshfex.com
45.67.231.135
online-docu-sign-st.com
8.208.96.68
1.0.0.127.in-addr.arpa
0.0.0.0
Click to see the 8 hidden entries
assets.onestore.ms
0.0.0.0
222.222.67.208.in-addr.arpa
0.0.0.0
8.8.8.8.in-addr.arpa
0.0.0.0
pronpepsipirpyamvioerd.com
80.208.230.180
mozilla.cloudflare-dns.com
104.16.249.249
myip.opendns.com
84.17.52.38
resolver1.opendns.com
208.67.222.222
ajax.aspnetcdn.com
0.0.0.0

URLs

Name Detection
http://pronpepsipirpyamvioerd.com/manifest/epAdaEbgmyrS0/5cBg2_2F/5r8v5YqebG9_2BzXwQ53Or2/m_2BYyZlMo/Wjgc3SrdyI1oKZciJ/0VZWBVvz9ttQ/e_2BqGDPIqO/VywJMmm_2FxNKs/BOcG3xAwzit4RyHpLyJsr/vwEVLjnqkBMf1zrK/m34BDAlEVdkNvcp/4fnxbyz8Lb2BtkfzoG/Qmy6EiDgS/W_2BAz08nRnapN/NuB.snx
http://www.icra.org/vocabulary/.
http://pronpepsipirpyamvioerd.com/manifest/t9KapG5Lp7Zt_2Fa57QG/GX7C0FfmRVPiI55eGvl/6x2VyI3ttROAIozUzpTtuU/djl44EXt9ama4/XR_2FoMg/DUUaeRp34H0CCf_2FqktcZq/z9PSxtll7Y/oj4uvWMlnUr2X5bcU/HYCHWM70nrfm/_2BgTKf7qxG/3cOw5VQBP7LVAf/95TW5v6vv1PzXG2YnDn_2/B53HOO92/81PS.snx
Click to see the 16 hidden entries
http://constitution.org/usdeclar.txt
http://constitution.org/usdeclar.txtC:
http://online-docu-sign-st.com/yytr.png
http://https://file://USER.ID%lu.exe/upd
http://www.%s.comPA
http://pronpepsipirpyamvioerd.com/manifest/8LuXDq_2BWfBiB/BEj6sfjtywNrZQzF5QZK7/NbbMkjR9SpGW28t6/1m9JUJz0exuG0Ws/6b83q2bcM1KtQpqf51/Z_2B1SUtN/P_2FDTQIaszfL7CFhXYP/tmsBI8pqKk7pm_2BfxZ/6rZJurPMhY6pGTLji_2FEt/IMZgEgmplBU7m/NokZx7zj/OP_2FSvKpKSMcRmuUdUVqR0/teCNe1.snx
http://windowsmedia.com/redir/services.asp?WMPFriendly=true
http://pronpepsipirpyamvioerd.com/favicon.ico
0
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
http://www.windows.com/pctv.
http://investor.msn.com
http://www.msnbc.com/news/ticker.txt
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
http://investor.msn.com/
http://www.hotmail.com/oe

Dropped files

Name File Type Hashes Detection
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\yytr[1].png
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Local\Temp\8pjpp9kb.cmdline
UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Temp\vl8o3v8u.0.cs
UTF-8 Unicode (with BOM) text
#
Click to see the 67 hidden entries
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\prefs.js
ASCII text, with CRLF line terminators
#
C:\fyjh\zglgy\lckhvmn.drhdh
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9B0BCB09-6B10-11EB-ADCF-ECF4BBB5915B}.dat
Microsoft Word Document
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9CE57CE0-6B10-11EB-ADCF-ECF4BBB5915B}.dat
Microsoft Word Document
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9F3D57A5-6B10-11EB-ADCF-ECF4BBB5915B}.dat
Microsoft Word Document
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7EC5126A-6B10-11EB-ADCF-ECF4BBB5915B}.dat
Microsoft Word Document
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9B0BCB0B-6B10-11EB-ADCF-ECF4BBB5915B}.dat
Microsoft Word Document
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9CE57CE2-6B10-11EB-ADCF-ECF4BBB5915B}.dat
Microsoft Word Document
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9F3D57A7-6B10-11EB-ADCF-ECF4BBB5915B}.dat
Microsoft Word Document
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\lr5drzg\imagestore.dat
data
#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\54-41a2a0[1].css
UTF-8 Unicode text, with very long lines
#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\mwfmdl2-v3.54[1].woff
Web Open Font Format, TrueType, length 26288, version 0.0
#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\urlblockindex[1].bin
data
#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\MWFMDL2[1].ttf
TrueType Font data, 15 tables, 1st "OS/2", 37 names, Microsoft, language 0x403, type 2 string, Normaloby
#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\NuB[1].htm
ASCII text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\favicon[1].ico
PNG image data, 16 x 16, 4-bit colormap, non-interlaced
#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\favicon[2].ico
MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\17-f90ef1[1].js
ASCII text, with very long lines
#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\jquery-1.9.1.min[1].js
ASCII text, with very long lines
#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\mwf-west-european-default.min[1].css
UTF-8 Unicode text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\wcp-consent[1].js
UTF-8 Unicode text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\81PS[1].htm
ASCII text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\MWFMDL2[1].woff
Web Open Font Format, TrueType, length 11480, version 0.0
#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\RE1Mu3b[1].png
PNG image data, 216 x 46, 8-bit/color RGBA, non-interlaced
#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\override[1].css
ASCII text, with very long lines, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\teCNe1[1].htm
ASCII text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Temp\245D.bin
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\29B8.bi1
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\7DDE0000
data
#
C:\Users\user\AppData\Local\Temp\8pjpp9kb.0.cs
UTF-8 Unicode (with BOM) text
#
C:\Users\user\AppData\Local\Temp\8pjpp9kb.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Local\Temp\8pjpp9kb.out
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\8pjpp9kb.pdb
data
#
C:\Users\user\AppData\Local\Temp\A8F1.bin
ASCII text, with very long lines, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\B36F.bin
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\B55E.bin
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\B55E.bin1
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\C730.bin
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\CSC6C1C.tmp
MSVC .res
#
C:\Users\user\AppData\Local\Temp\CSC8BAD.tmp
MSVC .res
#
C:\Users\user\AppData\Local\Temp\D525.bin
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\RES6C1D.tmp
data
#
C:\Users\user\AppData\Local\Temp\RES8BAE.tmp
data
#
C:\Users\user\AppData\Local\Temp\vl8o3v8u.cmdline
UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Temp\vl8o3v8u.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Local\Temp\vl8o3v8u.out
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\vl8o3v8u.pdb
data
#
C:\Users\user\AppData\Local\Temp\~DF1A0EFD356D103ED9.TMP
data
#
C:\Users\user\AppData\Local\Temp\~DF542D6E5005877156.TMP
data
#
C:\Users\user\AppData\Local\Temp\~DF686E8EF428A6F917.TMP
data
#
C:\Users\user\AppData\Local\Temp\~DF6C80C96287FEDF7A.TMP
data
#
C:\Users\user\AppData\Local\Temp\~DF6E8E516FC48BBD04.TMP
data
#
C:\Users\user\AppData\Local\Temp\~DFB493AFE510C14E57.TMP
data
#
C:\Users\user\AppData\Local\Temp\~DFD658EE7ED4C24B16.TMP
data
#
C:\Users\user\AppData\Local\Temp\~DFE424184E9A162E2E.TMP
data
#
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Tue Feb 9 18:52:42 2021, atime=Tue Feb 9 18:52:42 2021, length=8192, window=hide
#
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\xls.LNK
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:13 2020, mtime=Tue Feb 9 18:52:42 2021, atime=Tue Feb 9 18:52:42 2021, length=325120, window=hide
#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\7G92O15Q.txt
ASCII text
#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\CHB05XTO.txt
ASCII text
#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QG8KSXKE12RR2FGVPLFR.temp
data
#
C:\Users\user\AppData\Roaming\Microsoft\{14855AFD-63AD-6633-8D88-47FA113C6BCE}
HTML document, UTF-8 Unicode text, with CRLF line terminators
#
C:\Users\user\AppData\Roaming\Microsoft\{2EDCE888-B575-900B-AF42-B9C45396FD38}\cookie.cr\Cookies.cr
SQLite 3.x database, last written using SQLite version 3032001
#
C:\Users\user\AppData\Roaming\Microsoft\{2EDCE888-B575-900B-AF42-B9C45396FD38}\cookie.ff\7xwghk55.default\cookies.sqlite.ff
SQLite 3.x database, user version 7, last written using SQLite version 3017000
#
C:\Users\user\Desktop\0FDE0000
Applesoft BASIC program data, first line number 16
#
C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
PNG image data, 16 x 16, 4-bit colormap, non-interlaced
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7EC51268-6B10-11EB-ADCF-ECF4BBB5915B}.dat
Microsoft Word Document
#