
Deadly Variants of Covid 19.doc

Status: finished
Submission Time: 22.02.2021 19:46:13
Verdict: Malicious
Classification: Trojan, Exploiter, Evader, AsyncRAT

Tags

  • COVID-19
  • doc
  • WHO

Details

  • Analysis ID:
    356233
  • API (Web) ID:
    614441
  • Analysis Started:
    22.02.2021 19:51:43
  • Analysis Finished:
    22.02.2021 20:01:56
  • MD5:
    3d9171d094dae1fb8da244756dd9733c
  • SHA1:
    91e43ec7a21e7e8c1fc2a6202ca3545974084ad2
  • SHA256:
    4d1bde540b3c45739e1d8cff08e801ccb6ff9caad391109dc298b011a914e57c

Verdict: malicious

System: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)

Score: 100/100 (malicious)
Detection ratio: 12/47 (malicious)

IPs

IP              Country
79.134.225.49   Switzerland
93.89.224.134   Turkey
67.199.248.10   United States

Domains

Name                        IP
greatestyear2021.ddns.net   79.134.225.49
bit.ly                      67.199.248.10
sgkmudder.org.tr            93.89.224.134

URLs

http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
http://sgkmudder.org.tr/2d/mgLD5CcdJx9YVKl.jpg
http://crl.entrust.net/server1.crl0
http://ocsp.entrust.net03
http://bit.ly/2Me6ei3
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
http://www.%s.comPA
http://www.diginotar.nl/cps/pkioverheid0
http://ocsp.entrust.net0D
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
https://secure.comodo.com/CPS0
http://servername/isapibackend.dll
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
http://crl.entrust.net/2048ca.crl0

Dropped files

  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\mgLD5CcdJx9YVKl[1].jpg
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\tmpA055.tmp
    XML 1.0 document, ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Roaming\rLliXAh.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\Public\69577.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
    Microsoft Cabinet archive data, 59134 bytes, 1 file
  • C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\2Me6ei3[1].htm
    HTML document, ASCII text
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8AD9C643-349E-46EF-BF24-C3A751787722}.tmp
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9CA5B12C-492C-4E57-AE2D-0E7798ADDEF4}.tmp
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{AB5F6AD7-3C7C-4823-93B4-8E22DB7DEE25}.tmp
    data
  • C:\Users\user\AppData\Local\Temp\Cab7021.tmp
    Microsoft Cabinet archive data, 59134 bytes, 1 file
  • C:\Users\user\AppData\Local\Temp\Tar7022.tmp
    data
  • C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Deadly Variants of Covid 19.LNK
    MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Wed Aug 26 14:08:15 2020, atime=Tue Feb 23 02:52:35 2021, length=833197, window=hide
  • C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
    data
  • C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
    Little-endian UTF-16 Unicode text, with no line terminators
  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\WBLPQVYT.txt
    ASCII text
  • C:\Users\user\Desktop\~$adly Variants of Covid 19.doc
    data
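Turning this report into a hunt, as an added example (editor's code, not part of the sandbox report). The URL list above mixes the hosts the sample actually contacted (bit.ly and sgkmudder.org.tr, which also appear in the Domains table) with strings the sandbox scraped out of memory: CRL, OCSP and CPS pointers from embedded X.509 certificates whose trailing "0", "03" or "0D" are adjacent DER bytes (0x30 prints as "0"), a printf template (www.%s.comPA), a placeholder host (servername) and WS-* schema URIs. Alerting on those, or on the bare host bit.ly, produces noise; the actionable indicators are the two contacted URLs, the three contacted hosts and IPs, the sample hash, and the fact that mgLD5CcdJx9YVKl[1].jpg is a PE32 executable served under an image name. The indicator values are copied from the report; the proxy and connection log lines and the file bytes are constructed for the example, and the triage rules (which hosts are shared infrastructure, which strings are residue) are the editor's assumptions.

```python
"""Triage the report's IOCs and hunt for them in logs (editor's example).

Indicator values are copied from the report; log lines and file bytes are
constructed; the residue/shared-host rules are the editor's assumptions.
"""
import hashlib
import re
from urllib.parse import urlsplit

# Indicators copied from the report.
SAMPLE_SHA256 = "4d1bde540b3c45739e1d8cff08e801ccb6ff9caad391109dc298b011a914e57c"
CONTACTED_HOSTS = {"greatestyear2021.ddns.net", "bit.ly", "sgkmudder.org.tr"}
CONTACTED_IPS = {"79.134.225.49", "93.89.224.134", "67.199.248.10"}
REPORT_URLS = [
    "http://crl.pkioverheid.nl/DomOvLatestCRL.crl0",
    "http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.",
    "http://sgkmudder.org.tr/2d/mgLD5CcdJx9YVKl.jpg",
    "http://ocsp.entrust.net03",
    "http://bit.ly/2Me6ei3",
    "http://www.%s.comPA",
    "http://www.diginotar.nl/cps/pkioverheid0",
    "https://secure.comodo.com/CPS0",
    "http://servername/isapibackend.dll",
    "https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css",
]

# Assumption: URL shorteners are shared infrastructure, so only the full URL
# is an indicator; the bare host must never become a block or alert rule.
SHARED_HOSTS = {"bit.ly"}
# Assumption: strings scraped from memory rather than seen on the wire.
# CRL/OCSP/CPS pointers from X.509 certificates end in adjacent DER bytes
# ('0', '03', '0D'); '%s' is a printf template; 'servername' is a placeholder.
RESIDUE_RE = re.compile(r"(\.crl|/CPS|/cps/\w+?|ocsp\.[\w.]+?)0[0-9A-F]?$", re.I)
BENIGN_SUFFIXES = ("bootstrapcdn.com", "schemas.xmlsoap.org")


def classify(url):
    """'residue', 'benign', 'contacted' or 'unknown' for one report URL."""
    host = (urlsplit(url).hostname or "").lower()
    if RESIDUE_RE.search(url) or "%" in host or host == "servername":
        return "residue"
    if host in CONTACTED_HOSTS:
        return "contacted"
    if host.endswith(BENIGN_SUFFIXES):
        return "benign"
    return "unknown"


# Only URLs whose host the sandbox actually talked to are worth hunting on.
URL_IOCS = {u for u in REPORT_URLS if classify(u) == "contacted"}


def hunt_proxy(lines):
    """Return (line_no, reason) for proxy lines 'timestamp client method url'."""
    hits = []
    for n, line in enumerate(lines, 1):
        url = line.split()[-1]
        host = (urlsplit(url).hostname or "").lower()
        if host in SHARED_HOSTS:
            if url in URL_IOCS:            # shortener: match the full URL only
                hits.append((n, "url " + url))
        elif host in CONTACTED_HOSTS:      # dedicated host: any request counts
            hits.append((n, "host " + host))
    return hits


def hunt_connections(lines):
    """Return line numbers whose destination ('src -> dst') is a report IP."""
    return [n for n, line in enumerate(lines, 1)
            if line.split("->")[-1].strip() in CONTACTED_IPS]


def is_sample(data):
    """True if the bytes are the submitted document."""
    return hashlib.sha256(data).hexdigest() == SAMPLE_SHA256


def is_disguised_pe(filename, data):
    """True when an 'image' starts with a PE (MZ) header, as the report's
    mgLD5CcdJx9YVKl[1].jpg does: an executable served under a .jpg name."""
    return filename.lower().endswith((".jpg", ".jpeg", ".png", ".gif")) and data[:2] == b"MZ"


# Constructed sample input (not from the report); unrelatedLink is a dummy.
PROXY_LOG = [
    "2021-02-22T19:52:01 10.0.0.14 GET http://bit.ly/2Me6ei3",
    "2021-02-22T19:52:02 10.0.0.14 GET http://sgkmudder.org.tr/2d/mgLD5CcdJx9YVKl.jpg",
    "2021-02-22T19:52:03 10.0.0.14 GET http://bit.ly/unrelatedLink",
    "2021-02-22T19:52:04 10.0.0.14 GET http://crl.entrust.net/server1.crl",
]
CONN_LOG = [
    "2021-02-22T19:53:10 10.0.0.14 -> 79.134.225.49",
    "2021-02-22T19:53:11 10.0.0.14 -> 93.184.216.34",
]
FAKE_JPG = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56   # constructed MZ stub

if __name__ == "__main__":
    for u in REPORT_URLS:
        print(f"{classify(u):9} {u}")
    print("proxy hits:", hunt_proxy(PROXY_LOG))
    print("c2 connections:", hunt_connections(CONN_LOG))
    print("disguised PE:", is_disguised_pe("mgLD5CcdJx9YVKl[1].jpg", FAKE_JPG))
```

Feed real proxy and firewall exports through hunt_proxy and hunt_connections after adapting the one-line field split to your log format; the classify step is the part worth keeping, because every sandbox URL list for an Office sample carries the same certificate and schema residue and it should be pruned before any indicator reaches a blocklist.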