New variant of covid 19.exe

Status: finished

Submission Time: 2021-03-09 22:17:55 +01:00

Malicious

Trojan

Evader

Quasar

Comments

Details

Analysis ID:
365752
API (Web) ID:
633566
Analysis Started:

2021-03-09 22:17:56 +01:00
Analysis Finished:

2021-03-09 22:33:49 +01:00
MD5:
a489513ca0de2472e0ad79830dd9ac44
SHA1:
b767fe686e074f551773f208e1cb756d114e38c4
SHA256:
df12835cd6bc77f9724900d2bf8f0403364ce6e8e81d389f8dc3b2eb8ca42961
Technologies:

Engines
IOCs

Joe Sandbox

Engine	Download Report	Detection	Info
	Full Report Management Report IOC Report	malicious Score: 100	System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

Open Full Report

malicious

Score: 8/84

IPs

IP	Country	Detection
104.21.31.39	United States
208.95.112.1	United States
103.28.70.164	United States

Domains

Name	IP	Detection
liverpoolofcfanclub.com	104.21.31.39
ip-api.com	208.95.112.1
devils.shacknet.us	103.28.70.164

URLs

Name	Detection
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-75F90208612A44FA7B0856621DD5DF3A.html
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-59F952AF6E65CA37DF9A6DD24C3AD6F0.html
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-62D0D2B15CF140C87AEA01E41DD7046D.html
Click to see the 97 hidden entries
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s458/0_GettyImages-1273716690.
https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s458/1_WhatsApp-Image-2021-03-
https://www.liverpool.com/liverpool-fc-news/features/liverpool-ozan-kabak-future-audition-19954616
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
https://www.liverpool.com/all-about/steven-gerrard
https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
https://www.liverpool.com/all-about/curtis-jones
https://www.liverpool.com/all-about/champions-league
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-02-
https://s2-prod.mirror.co.uk/
http://schemas.xmlsoap.org/wsdl/
https://www.liverpool.com/all-about/ozan-kabak
http://schema.org/NewsArticle
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s270b/0_RobertsonCross1.jpg
https://dev.virtualearth.net/REST/v1/Routes/Transit
https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s180/0_Salah-Goal-vs-Leeds.jpg
https://dynamic.t
https://felix.data.tm-awx.com/felix.min.js
https://i2-prod.liverpool.com
https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s270b/0_GettyImages-1231353837
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
https://dev.virtualearth.net/REST/v1/Locations
https://felix.data.tm-awx.com/ampconfig.json"
http://schema.org/ListItem
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s615/0_Salah-Pressing.jpg
https://dev.ditu.live.com/mapcontrol/logging.ashx
https://www.liverpool.com/liverpool-fc-news/features/liverpool-jurgen-klopp-pressing-tactics-1993836
https://www.liverpool.com/liverpool-fc-news/features/liverpool-andy-robertson-valuable-quality-19946
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s220b/0_RobertsonCross1.jpg
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s270b/0_WhatsApp-Image-2021-02
https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s615/0_Salah-Goal-vs-Leeds.jpg
https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s270b/0_Salah-Pressing.jpg
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s615/0_GettyImages-1273716690.
https://www.liverpool.com/liverpool-fc-news/features/liverpool-penalties-premier-league-var-17171391
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s458/0_GettyImages-1302496803.
https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s220b/0_GettyImages-1231353837
https://www.liverpool.com/liverpool-fc-news/features/liverpool-champions-league-jurgen-klopp-1996194
https://s2-prod.liverpool.com/
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
https://dev.virtualearth.net/REST/v1/Routes/Driving
https://securepubads.g.doubleclick.net/tag/js/gpt.js
http://schema.org/BreadcrumbList
https://www.liverpool.com/schedule/
https://www.liverpool.com/liverpool-fc-news/features/mohamed-salah-liverpool-goal-flaw-19945816
https://dev.virtualearth.net/REST/v1/Transit/Schedules/
http://api.ipify.org/
https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-19957850
https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837.
http://ip-api.com
https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-17166154
https://www.liverpool.com/liverpool-fc-news/
https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03-
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png
https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg
https://www.liverpool.com/all-about/premier-league
https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-02
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803.
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-1273716690
https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-11837
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02-
https://dev.virtualearth.net/REST/v1/Routes/Walking
https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-171668
https://c.amazon-adsystem.com/aax2/apstag.js
https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg
https://t0.tiles.ditu.live.com/tiles/gen
https://dev.ditu.live.com/REST/v1/Routes/
https://dev.virtualearth.net/REST/v1/Routes/
https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818.
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
https://s2-prod.liverpool.com
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-1273716690
https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818.
https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png
https://reachplc.hub.loginradius.com"
https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst
https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-1996166
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg
https://%s.xboxlive.com
http://schemas.datacontract.org/2004/07/
http://schemas.xmlsoap.org/soap/encoding/
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
http://freegeoip.net/xml/
https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-1876
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png
https://ads.pubmatic.com/AdServer/js/pwt/156997/3236/pwt.js
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg
http://www.bingmapsportal.com
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
https://appexmapsappupdate.blob.core.windows.net

Dropped files

Name	File Type	Hashes
C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe:Zone.Identifier	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\DdUPmLN_kgoHVaSIjqNjSlvYS\svchost.exe_Url_0aeimnckxwjoc2ntwml1gvkearlpscly\2.792.19.755\3tlladac.newcfg	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
Click to see the 25 hidden entries
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	ASCII text, with no line terminators	#
C:\Users\user\Documents\20210309\PowerShell_transcript.936905.LRCx2CiE.20210309221857.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20210309\PowerShell_transcript.936905.DbJYrCru.20210309221943.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ti3ey4z3.avd.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qgtzpkku.luh.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oakhxzia.2dl.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mkwequj1.yo0.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl	data	#
C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl	data	#
C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl	data	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	#
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log	ASCII text, with CRLF line terminators	#
C:\ProgramData\Microsoft\Network\Downloader\edb.chk	data	#
C:\Users\user\AppData\Local\DdUPmLN_kgoHVaSIjqNjSlvYS\svchost.exe_Url_0aeimnckxwjoc2ntwml1gvkearlpscly\2.792.19.755\1m4vpdph.newcfg	ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\DdUPmLN_kgoHVaSIjqNjSlvYS\New_variant_of_covid_19.e_Url_0vajnaqbdmy0dt0v3gl1hvcjtehbwrpa\2.792.19.755\tosfmudg.newcfg	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	#
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, 58596 bytes, 1 file	#
C:\ProgramData\Microsoft\Windows\WER\Temp\WER48DD.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	#
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4840.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	#
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4292.tmp.dmp	Mini DuMP crash report, 15 streams, Wed Mar 10 06:19:00 2021, 0x1205a4 type	#
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_New variant of c_e98153242e2463491fed9836c52db2aa5aff77_4c54b198_1517500f\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	#
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm	data	#
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db	Extensible storage engine DataBase, version 0x620, checksum 0x9ddcdd19, page size 16384, DirtyShutdown, Windows version 10.0	#
C:\ProgramData\Microsoft\Network\Downloader\edb.log	data	#

New variant of covid 19.exe

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

New variant of covid 19.exe Options

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

Search started

New variant of covid 19.exe