Register Login

sloganpng

top title background image

Deadly Variants of Covid 19.doc

Status: finished

Submission Time: 2021-02-22 19:46:13 +01:00

Malicious

Trojan

Exploiter

Evader

AsyncRAT

Comments

Tags

Details

Analysis ID:
356233
API (Web) ID:
614441
Analysis Started:

2021-02-22 19:51:43 +01:00
Analysis Finished:

2021-02-22 20:01:56 +01:00
MD5:
3d9171d094dae1fb8da244756dd9733c
SHA1:
91e43ec7a21e7e8c1fc2a6202ca3545974084ad2
SHA256:
4d1bde540b3c45739e1d8cff08e801ccb6ff9caad391109dc298b011a914e57c
Technologies:

Engines
IOCs

Joe Sandbox

Engine	Download Report	Detection	Info
		malicious
	Full Report Management Report IOC Report	malicious Score: 100	System: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)

Third Party Analysis Engines

malicious

Score: 12/47

IPs

IP	Country	Detection
79.134.225.49	Switzerland
93.89.224.134	Turkey
67.199.248.10	United States

Domains

Name	IP	Detection
greatestyear2021.ddns.net	79.134.225.49
bit.ly	67.199.248.10
sgkmudder.org.tr	93.89.224.134

URLs

Name	Detection
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
http://sgkmudder.org.tr/2d/mgLD5CcdJx9YVKl.jpg
Click to see the 12 hidden entries
http://crl.entrust.net/server1.crl0
http://ocsp.entrust.net03
http://bit.ly/2Me6ei3
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
http://www.%s.comPA
http://www.diginotar.nl/cps/pkioverheid0
http://ocsp.entrust.net0D
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
https://secure.comodo.com/CPS0
http://servername/isapibackend.dll
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
http://crl.entrust.net/2048ca.crl0

Dropped files

Name	File Type	Hashes	Detection
C:\Users\user\AppData\Local\Temp\tmpA055.tmp	XML 1.0 document, ASCII text, with CRLF line terminators	#
C:\Users\Public\69577.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Roaming\rLliXAh.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	#
Click to see the 15 hidden entries
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\mgLD5CcdJx9YVKl[1].jpg	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\2Me6ei3[1].htm	HTML document, ASCII text	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8AD9C643-349E-46EF-BF24-C3A751787722}.tmp	data	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9CA5B12C-492C-4E57-AE2D-0E7798ADDEF4}.tmp	data	#
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{AB5F6AD7-3C7C-4823-93B4-8E22DB7DEE25}.tmp	data	#
C:\Users\user\AppData\Local\Temp\Cab7021.tmp	Microsoft Cabinet archive data, 59134 bytes, 1 file	#
C:\Users\user\AppData\Local\Temp\Tar7022.tmp	data	#
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, 59134 bytes, 1 file	#
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Deadly Variants of Covid 19.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Wed Aug 26 14:08:15 2020, atime=Tue Feb 23 02:52:35 2021, length=833197, window=hide	#
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	data	#
C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex	Little-endian UTF-16 Unicode text, with no line terminators	#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\WBLPQVYT.txt	ASCII text	#
C:\Users\user\Desktop\~$adly Variants of Covid 19.doc	data	#
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	#