SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll

Status: finished

Submission Time: 2021-02-10 14:58:59 +01:00

Malicious

Trojan

Evader

Ursnif

Comments

Details

Analysis ID:
351337
API (Web) ID:
604592
Analysis Started:

2021-02-10 15:13:01 +01:00
Analysis Finished:

2021-02-10 15:23:36 +01:00
MD5:
4e62d8a29ba5805407ece642d63df461
SHA1:
320f45735c2da0a93359d00ae8d714b48f9c5531
SHA256:
ded0afec1ce538699df52daf0e024a3b2965fd0520e9ff4d5a8ed4c141967fb9
Technologies:

Engines
IOCs

Joe Sandbox

Engine	Download Report	Detection	Info
	Full Report Management Report IOC Report	malicious Score: 100	System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

Open Full Report

malicious

Score: 9/83

malicious

IPs

IP	Country	Detection
35.228.31.40	United States

Domains

Name	IP	Detection
c56.lepini.at	35.228.31.40
resolver1.opendns.com	208.67.222.222
api3.lepini.at	35.228.31.40
Click to see the 1 hidden entries
api10.laptok.at	35.228.31.40

URLs

Name	Detection
http://c56.lepini.at/jvassets/xI/t64.dat
https://contoso.com/License
https://toldsend.com4
Click to see the 21 hidden entries
http://api10.laptok.at/api1/AOpX_2BLE_2B_2B/x33_2BOxagWAsMnrX_/2B_2BU6zh/wlNMMjJfhf4dJdxy0gqf/YX9lkn
https://github.com/Pester/Pester
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://api10.laptok.at/api1/fXWtKegXNhimfshJm11/ybi6PbAu_2FzbCxUMkXaR0/07xh_2FjserNk/Akz7MnFa/ilUyiG
http://api10.laptok.at/favicon.ico
http://https://file://USER.ID%lu.exe/upd
http://api10.laptok.at/api1/fXWtKegXNhimfshJm11/ybi6PbAu_2FzbCxUMkXaR0/07xh_2FjserNk/Akz7MnFa/i
http://api3.lepini.at/api1/6znaROjfA7hFvImt7kRBj/d8oBlDeaiTpDTw3m/IBQAbTPMeELrV0F/eBc8XtKIPlaG2wOk3_/2FzWsO07N/QVPbwJwjwuG0x_2Bmgtb/T2QshS_2F9rl28gdKaK/ObX5241N6Yuhqoe_2Bb_2F/v7SApCdjSpVoH/vIUqUnsJ/WVeez27cvHmK85aDLttDAUk/ChK5ibvdbq/6hwDFc02b_2F096iz/u_2BBs0hOK08/GFHq_2B8sNe/xc8KOXJRGK_2BT/23ua6L_2BsKd5NwAEGyWZ/BrR5nO2eoCoLivkJ/HCF96ydzEoPKQbD/PpBNddo_2FoZtXcrSVB6/q
https://contoso.com/Icon
http://api10.laptok.at/api1/1Pg3i0gSwH/_2BK37nF8HXWhrouM/t7ZtEKshXTnV/JlSrHeYCtLF/7DzeevtXCQ9YRw/K2S
http://constitution.org/usdeclar.txtC:
https://nuget.org/nuget.exe
https://contoso.com/
http://api10.laptok.at/api1/1Pg3i0gSwH/_2BK37nF8HXWhrouM/t7ZtEKshXTnV/JlSrHeYCtLF/7DzeevtXCQ9YRw/K2S8BQMDt78kCRWVvFKTW/T3z7jl77vtn31nAs/fsEjsZ1w6_2BM0e/_2B_2BAVLSWZlML2mx/fdFEX0w2l/0RPfFIvYjfZTYoK47bE8/B49X4mtNiudogIoMpOJ/IxyYMxMKBO_2F3ZR_2BAor/8kAylO6X_2Fiq/EdNEwQOa/FYHDMjDZgQLZqSkWO3yLWuc/j3i_2F5QMC/DRHsxypVX90thJgYh/6MpfO8pdNUGy/KOAPjs479Yf/dCe7rPiQO_2FVf/cp_2BP6SlyfefKqn_2BbT/iqLzQdVK/s
http://api10.laptok.at/api1/AOpX_2BLE_2B_2B/x33_2BOxagWAsMnrX_/2B_2BU6zh/wlNMMjJfhf4dJdxy0gqf/YX9lknlxGzswe1f42DY/0ZRJKHiwVKqzREh7F1zZfC/xDcrm70JTSUqg/KfoZXHqy/gtcnRpNm54H7DKUH3incyf7/pb15dMsyWG/BetCueYOwQDaUpKex/cvRYM5W54J_2/F_2BvDZYdxx/C0N9hknbzclgNA/1DbqE0vpldFICv5iJdPAy/ml70ZyZiOpRDJ78b/h5qzpBVY36LCiZe/ZMZBhSfYbmpSZEV5ew/ylnSPhfpP/ctfktke6drAYijwp6R_2/Bn8ddXU
http://api3.lepini.at/api1/QPXSdTpsTN/HmJ5aoUnf9rdkbxHL/55q96h_2FAWR/k9PcTeP3anx/njZx9Znect4yPc/mgdKs7g4jsgOtOBfxx1F8/dzjzqrTWiA9S1bt6/AAS87muT_2BSLDv/WQXbadF0d6swuwTHJY/KpV8Mcid0/fHtmjyLYo7_2F_2FC9mX/FlMafGrpg0QISkwj5AA/Bx9kwrN4mx4ScQVnt0eLjW/cqdTbOZIYSnXb/FOL19o_2/BXbibnK12KkZbqaHWamy8is/edmHREWEDn/WS6dZgPXk2heo8Q98/fno8e4WQ55cB/UHS6HXS3QGn/yz08vW6xSGc_2B/3HnBpBPOsyIhF/0kjBdKE
http://www.apache.org/licenses/LICENSE-2.0.html
http://pesterbdd.com/images/Pester.png
http://constitution.org/usdeclar.txt
http://api3.lepini.at/api1/y_2FMOeWpuzZk/_2BnXUq3/JVsuHPZPWAuyAx51lbHW1TL/IXSkSA4WVL/DAqpD_2FBMpJwncEg/rZCSM_2By6jC/ilwbgSYz7wD/mcGv71FzhjZLjk/T5o_2Bi_2BnHa_2FHus_2/FtPTy54kQsAO5_2F/YmY57BYO_2F3DGr/PGRRj0Jrbr_2FcDWwI/cfiYP4Yvr/dFVw_2BRaTzNAlHYP_2B/F4QkcLzCJs_2FLyJ_2B/cMYZQA7iSlD9E2ry5mxVYa/rzbbsgjyGZ2a_/2Fo1e83a/dC9sn5XgEM_2FJ7rr6KTfxU/jopGSNBS_2/BO60ALGRt2Y_2Bxa9/6M_2Bh2kKvyG/E_2FWuogkAX/tPVHUrOPK7/MSerDY8wu/3
http://nuget.org/NuGet.exe

Dropped files

Name	File Type	Hashes
C:\Users\user\AppData\Local\Temp\qidcr3ig\qidcr3ig.0.cs	UTF-8 Unicode (with BOM) text	#
C:\Users\user\AppData\Local\Temp\jomxz5kw\jomxz5kw.0.cs	UTF-8 Unicode (with BOM) text	#
C:\Users\user\Documents\20210210\PowerShell_transcript.035347.M4D9XJsp.20210210151557.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
Click to see the 19 hidden entries
C:\Users\user\AppData\Local\Temp\~DFC64A65F1771A7294.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DF591D27F1DF86430B.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DF261AC9CD53787C21.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DF051F935A0216EDA8.TMP	data	#
C:\Users\user\AppData\Local\Temp\qidcr3ig\qidcr3ig.out	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\qidcr3ig\qidcr3ig.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Temp\jomxz5kw\jomxz5kw.out	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\jomxz5kw\jomxz5kw.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E1BA15B0-6BF5-11EB-90E6-ECF4BB82F7E0}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iq44l33x.4n1.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4vwmmr5w.fli.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\JavaDeployReg.log	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\RC[1].htm	ASCII text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\s[1].htm	ASCII text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\Bn8ddXU[1].htm	ASCII text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E1BA15B6-6BF5-11EB-90E6-ECF4BB82F7E0}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E1BA15B4-6BF5-11EB-90E6-ECF4BB82F7E0}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E1BA15B2-6BF5-11EB-90E6-ECF4BB82F7E0}.dat	Microsoft Word Document	#

SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll Options

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

Search started

SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll