flash

New variant of covid 19.exe

Status: finished
Submission Time: 09.03.2021 22:17:55
Malicious
Trojan
Evader
Quasar

Comments

Tags

Details

  • Analysis ID:
    365752
  • API (Web) ID:
    633566
  • Analysis Started:
    09.03.2021 22:17:56
  • Analysis Finished:
    09.03.2021 22:33:49
  • MD5:
    a489513ca0de2472e0ad79830dd9ac44
  • SHA1:
    b767fe686e074f551773f208e1cb756d114e38c4
  • SHA256:
    df12835cd6bc77f9724900d2bf8f0403364ce6e8e81d389f8dc3b2eb8ca42961
  • Technologies:
Full Report Management Report IOC Report Engine Info Verdict Score Reports

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

malicious
100/100

malicious
8/84

IPs

IP Country Detection
104.21.31.39
United States
208.95.112.1
United States
103.28.70.164
United States

Domains

Name IP Detection
liverpoolofcfanclub.com
104.21.31.39
ip-api.com
208.95.112.1
devils.shacknet.us
103.28.70.164

URLs

Name Detection
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-62D0D2B15CF140C87AEA01E41DD7046D.html
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-75F90208612A44FA7B0856621DD5DF3A.html
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-59F952AF6E65CA37DF9A6DD24C3AD6F0.html
Click to see the 97 hidden entries
https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818.
https://dev.ditu.live.com/REST/v1/Routes/
https://t0.tiles.ditu.live.com/tiles/gen
https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg
https://c.amazon-adsystem.com/aax2/apstag.js
https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-171668
https://dev.virtualearth.net/REST/v1/Routes/Walking
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02-
https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-11837
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-1273716690
https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803.
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
https://dev.virtualearth.net/REST/v1/Transit/Schedules/
https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp
https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
https://www.liverpool.com/all-about/premier-league
https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png
https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03-
https://www.liverpool.com/liverpool-fc-news/
https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-17166154
http://ip-api.com
https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837.
https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-19957850
http://api.ipify.org/
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-02
https://appexmapsappupdate.blob.core.windows.net
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://www.bingmapsportal.com
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg
https://ads.pubmatic.com/AdServer/js/pwt/156997/3236/pwt.js
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png
https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-1876
http://freegeoip.net/xml/
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
http://schemas.xmlsoap.org/soap/encoding/
http://schemas.datacontract.org/2004/07/
https://dev.virtualearth.net/REST/v1/Routes/
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg
https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-1996166
https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst
https://reachplc.hub.loginradius.com"
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png
https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818.
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-1273716690
https://s2-prod.liverpool.com
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
https://www.liverpool.com/liverpool-fc-news/features/mohamed-salah-liverpool-goal-flaw-19945816
https://%s.xboxlive.com
https://dev.virtualearth.net/REST/v1/Locations
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s270b/0_GettyImages-1231353837
https://i2-prod.liverpool.com
https://felix.data.tm-awx.com/felix.min.js
https://dynamic.t
https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s180/0_Salah-Goal-vs-Leeds.jpg
https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
https://dev.virtualearth.net/REST/v1/Routes/Transit
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s270b/0_RobertsonCross1.jpg
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s458/0_GettyImages-1273716690.
https://www.liverpool.com/all-about/ozan-kabak
http://schemas.xmlsoap.org/wsdl/
https://s2-prod.mirror.co.uk/
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-02-
https://www.liverpool.com/all-about/champions-league
https://www.liverpool.com/all-about/curtis-jones
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
https://www.liverpool.com/all-about/steven-gerrard
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
https://www.liverpool.com/liverpool-fc-news/features/liverpool-ozan-kabak-future-audition-19954616
https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s458/1_WhatsApp-Image-2021-03-
https://www.liverpool.com/liverpool-fc-news/features/liverpool-penalties-premier-league-var-17171391
http://schema.org/NewsArticle
https://www.liverpool.com/schedule/
http://schema.org/BreadcrumbList
https://securepubads.g.doubleclick.net/tag/js/gpt.js
https://dev.virtualearth.net/REST/v1/Routes/Driving
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
https://s2-prod.liverpool.com/
https://www.liverpool.com/liverpool-fc-news/features/liverpool-champions-league-jurgen-klopp-1996194
https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s220b/0_GettyImages-1231353837
https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s458/0_GettyImages-1302496803.
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
https://felix.data.tm-awx.com/ampconfig.json"
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s615/0_GettyImages-1273716690.
https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s270b/0_Salah-Pressing.jpg
https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s615/0_Salah-Goal-vs-Leeds.jpg
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s270b/0_WhatsApp-Image-2021-02
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s220b/0_RobertsonCross1.jpg
https://www.liverpool.com/liverpool-fc-news/features/liverpool-andy-robertson-valuable-quality-19946
https://www.liverpool.com/liverpool-fc-news/features/liverpool-jurgen-klopp-pressing-tactics-1993836
https://dev.ditu.live.com/mapcontrol/logging.ashx
https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s615/0_Salah-Pressing.jpg
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
http://schema.org/ListItem

Dropped files

Name File Type Hashes Detection
C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe:Zone.Identifier
ASCII text, with CRLF line terminators
#
C:\ProgramData\Microsoft\Network\Downloader\edb.chk
data
#
Click to see the 25 hidden entries
C:\ProgramData\Microsoft\Network\Downloader\edb.log
data
#
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
Extensible storage engine DataBase, version 0x620, checksum 0x9ddcdd19, page size 16384, DirtyShutdown, Windows version 10.0
#
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
data
#
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_New variant of c_e98153242e2463491fed9836c52db2aa5aff77_4c54b198_1517500f\Report.wer
Little-endian UTF-16 Unicode text, with CRLF line terminators
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4292.tmp.dmp
Mini DuMP crash report, 15 streams, Wed Mar 10 06:19:00 2021, 0x1205a4 type
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4840.tmp.WERInternalMetadata.xml
XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WER48DD.tmp.xml
XML 1.0 document, ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Microsoft Cabinet archive data, 58596 bytes, 1 file
#
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
data
#
C:\Users\user\AppData\Local\DdUPmLN_kgoHVaSIjqNjSlvYS\New_variant_of_covid_19.e_Url_0vajnaqbdmy0dt0v3gl1hvcjtehbwrpa\2.792.19.755\tosfmudg.newcfg
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
#
C:\Users\user\AppData\Local\DdUPmLN_kgoHVaSIjqNjSlvYS\svchost.exe_Url_0aeimnckxwjoc2ntwml1gvkearlpscly\2.792.19.755\1m4vpdph.newcfg
ASCII text, with very long lines, with CRLF line terminators
#
C:\Users\user\AppData\Local\DdUPmLN_kgoHVaSIjqNjSlvYS\svchost.exe_Url_0aeimnckxwjoc2ntwml1gvkearlpscly\2.792.19.755\3tlladac.newcfg
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
data
#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
data
#
C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl
data
#
C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl
data
#
C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
data
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mkwequj1.yo0.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oakhxzia.2dl.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qgtzpkku.luh.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ti3ey4z3.avd.ps1
very short file (no magic)
#
C:\Users\user\Documents\20210309\PowerShell_transcript.936905.DbJYrCru.20210309221943.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
#
C:\Users\user\Documents\20210309\PowerShell_transcript.936905.LRCx2CiE.20210309221857.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
#
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
ASCII text, with no line terminators
#