Mixed Items.exe

Status: finished

Submission Time: 2021-03-05 14:22:23 +01:00

Malicious

Trojan

Spyware

Evader

HawkEye AgentTesla MailPassView Matiex Remcos

Comments

Details

Analysis ID:
363869
API (Web) ID:
629797
Analysis Started:

2021-03-05 14:26:26 +01:00
Analysis Finished:

2021-03-05 14:47:55 +01:00
MD5:
017e52146c9131dbc9487d834cdfc247
SHA1:
6dff831a7fd2a42ec3abe4c1ba51f3a9c9c6a25b
SHA256:
26c230cde9fb7544f7e3762f1abac39f6c8f0d2db0689178b223e0e68d2a6a0a
Technologies:

Engines
IOCs

Joe Sandbox

Engine	Download Report	Detection	Info
		malicious
	Full Report Management Report IOC Report	malicious Score: 100	System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

Open Full Report

malicious

Score: 20/37

malicious

Score: 44/46

malicious

IPs

IP	Country	Detection
185.157.161.113	Sweden
104.21.31.39	United States
104.16.155.36	United States
Click to see the 2 hidden entries
216.146.43.70	United States
172.67.188.154	United States

Domains

Name	IP	Detection
feromo.duckdns.org	185.157.161.113
liverpoolofcfanclub.com	104.21.31.39
checkip.dyndns.org	0.0.0.0
Click to see the 4 hidden entries
157.184.7.0.in-addr.arpa	0.0.0.0
whatismyipaddress.com	104.16.155.36
freegeoip.app	172.67.188.154
checkip.dyndns.com	216.146.43.70

URLs

Name	Detection
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-5120AB9D8EED6517DE7E81CD470A03B1.html
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-ACE03D270F49949C304CBC49EDC5CEFA.html
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-1031025574F544F1BD64E20EEEC4AAC7.html
Click to see the 23 hidden entries
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-EBDA9D3C78F7FA5DA1492447CFEEA8B3.html
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-FC805D8F9D665A8AE96BD3B687F20834.html
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-CADB725393BA475AD7E7466656748C83.html
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-5C7589177DBC0A00C03B00FCEDE09850.html
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-5C391B584FB3EF0C3E1226CABE1FDCB1.html
http://schemas.xmlsoap.org/wsdl/
http://nuget.org/NuGet.exe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://www.nirsoft.net/
http://whatismyipaddress.com/
https://login.yahoo.com/config/login
http://pesterbdd.com/images/Pester.png
https://nuget.org/nuget.exe
https://contoso.com/
https://contoso.com/Icon
http://schemas.xmlsoap.org/soap/encoding/
http://checkip.dyndns.org/
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrardset_CurrentDirectory-liverpo
https://github.com/Pester/Pester
http://www.apache.org/licenses/LICENSE-2.0.html
https://contoso.com/License
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--

Dropped files

Name	File Type	Hashes
C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe:Zone.Identifier	ASCII text, with CRLF line terminators	#
C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Mixed Items.exe.log	ASCII text, with CRLF line terminators	#
Click to see the 29 hidden entries
C:\Users\user\AppData\Local\Temp\hawkgoods.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Temp\origigoods20.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Temp\Purchase Order.exe	PE32 executable (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\Matiexgoods.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Temp\origigoods40.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Roaming\pid.txt	ASCII text, with no line terminators	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mh5wpd4r.xxq.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zyhy1zxg.gf4.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\WindowsAPI\Mixed_Items.exe_Url_4vyxcvojequ3efv0ai33sezp4mazprqx\4.152.723.137\yowqlu0x.newcfg	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4zux455h.wha.ps1	very short file (no magic)	#
C:\Users\user\AppData\Roaming\pidloc.txt	ASCII text, with no line terminators	#
C:\Users\user\Documents\20210305\PowerShell_transcript.506013.0nP0+V72.20210305142754.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20210305\PowerShell_transcript.506013.RPfp4n8i.20210305142756.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20210305\PowerShell_transcript.506013.YRcDMrIT.20210305142756.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	ASCII text, with no line terminators	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f3qm3trx.u2l.psm1	very short file (no magic)	#
C:\ProgramData\Microsoft\Network\Downloader\edb.log	data	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4s1cg2kf.1xe.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2jnw4mcb.ygh.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\test.bat	ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe	PE32 executable (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl	data	#
C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl	data	#
C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl	data	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	#
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	#
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, 58596 bytes, 1 file	#
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm	data	#
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db	Extensible storage engine DataBase, version 0x620, checksum 0xe423063f, page size 16384, DirtyShutdown, Windows version 10.0	#

Mixed Items.exe

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

Mixed Items.exe Options

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

Search started

Mixed Items.exe