Mixed Items.exe

Status: finished
Submission Time: 05.03.2021 14:22:23
Malicious
Trojan
Spyware
Evader
HawkEye AgentTesla MailPassView Matiex Remcos

Tags

  • exe
  • RAT
  • RemcosRAT

Details

  • Analysis ID:
    363869
  • API (Web) ID:
    629797
  • Analysis Started:
    05.03.2021 14:26:26
  • Analysis Finished:
    05.03.2021 14:47:55
  • MD5:
    017e52146c9131dbc9487d834cdfc247
  • SHA1:
    6dff831a7fd2a42ec3abe4c1ba51f3a9c9c6a25b
  • SHA256:
    26c230cde9fb7544f7e3762f1abac39f6c8f0d2db0689178b223e0e68d2a6a0a

malicious

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

malicious 100/100
malicious 20/37
malicious 44/46
malicious

IPs

IP               Country
185.157.161.113  Sweden
104.21.31.39     United States
104.16.155.36    United States
216.146.43.70    United States
172.67.188.154   United States

Domains

Name                      IP
feromo.duckdns.org        185.157.161.113
liverpoolofcfanclub.com   104.21.31.39
checkip.dyndns.org        0.0.0.0
157.184.7.0.in-addr.arpa  0.0.0.0
whatismyipaddress.com     104.16.155.36
freegeoip.app             172.67.188.154
checkip.dyndns.com        216.146.43.70

URLs


Dropped files

Name (file type on the following line)

  • C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Mixed Items.exe.log
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\Matiexgoods.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\Purchase Order.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\hawkgoods.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\origigoods20.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\origigoods40.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe:Zone.Identifier
    ASCII text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Network\Downloader\edb.log
    data
  • C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
    Extensible storage engine DataBase, version 0x620, checksum 0xe423063f, page size 16384, DirtyShutdown, Windows version 10.0
  • C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
    data
  • C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
    Microsoft Cabinet archive data, 58596 bytes, 1 file
  • C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    data
  • C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl
    data
  • C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl
    data
  • C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
    data
  • C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\test.bat
    ASCII text, with very long lines, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2jnw4mcb.ygh.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4s1cg2kf.1xe.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4zux455h.wha.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f3qm3trx.u2l.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mh5wpd4r.xxq.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zyhy1zxg.gf4.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\WindowsAPI\Mixed_Items.exe_Url_4vyxcvojequ3efv0ai33sezp4mazprqx\4.152.723.137\yowqlu0x.newcfg
    XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
  • C:\Users\user\AppData\Roaming\pid.txt
    ASCII text, with no line terminators
  • C:\Users\user\AppData\Roaming\pidloc.txt
    ASCII text, with no line terminators
  • C:\Users\user\Documents\20210305\PowerShell_transcript.506013.0nP0+V72.20210305142754.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\Documents\20210305\PowerShell_transcript.506013.RPfp4n8i.20210305142756.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\Documents\20210305\PowerShell_transcript.506013.YRcDMrIT.20210305142756.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
    ASCII text, with no line terminators