hbvo9thTAX.exe

Status: finished

Submission Time: 2021-04-03 19:26:14 +02:00

Malicious

Trojan

Evader

Nanocore

Comments

Details

Analysis ID:
381486
API (Web) ID:
665125
Analysis Started:

2021-04-03 19:26:16 +02:00
Analysis Finished:

2021-04-03 19:43:56 +02:00
MD5:
0d646c6e6c2666f24b9e65cd1322fa86
SHA1:
9e7bfc67a55d697ec2dc7779737e4bc4793fcce8
SHA256:
cb19133e564f301e0b3bcba9f0cd81dd21ab65aaf5a4d506c29e70159b2c26bc
Technologies:

Engines
IOCs

Joe Sandbox

Engine	Download Report	Detection	Info
		malicious
	Full Report Management Report IOC Report	malicious Score: 100	System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

malicious

Score: 11/43

malicious

IPs

IP	Country	Detection
79.134.225.7	Switzerland

Domains

Name	IP	Detection
james12.ddns.net	79.134.225.7

URLs

Name	Detection
127.0.0.1
james12.ddns.net
https://contoso.com/
Click to see the 16 hidden entries
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
https://github.com/Pester/Pester
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://www.microsoft.cow:
https://contoso.com/Icon
https://contoso.com/License
https://nuget.org/nuget.exe
http://nuget.org/NuGet.exe
http://schemas.xmlsoap.org/wsdl/
http://www.microsoft.uc
http://www.apache.org/licenses/LICENSE-2.0.html
http://schemas.xmlsoap.org/soap/encoding/
http://crl.D
http://pesterbdd.com/images/Pester.png
http://logo.veris
http://crl.m

Dropped files

Name	File Type	Hashes
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier	ASCII text, with CRLF line terminators	#
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\hbvo9thTAX.exe.log	ASCII text, with CRLF line terminators	#
Click to see the 24 hidden entries
C:\Users\user\AppData\Roaming\QeANuFTFqbK.exe:Zone.Identifier	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Roaming\QeANuFTFqbK.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat	data	#
C:\Users\user\AppData\Local\Temp\tmpABAD.tmp	XML 1.0 document, ASCII text, with CRLF line terminators	#
C:\Users\user\Documents\20210403\PowerShell_transcript.134349.mbI4G_ed.20210403192711.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20210403\PowerShell_transcript.134349.mGBKDpXQ.20210403192735.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20210403\PowerShell_transcript.134349.lSfpxzZ7.20210403192730.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20210403\PowerShell_transcript.134349._m_N6GZ+.20210403192708.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20210403\PowerShell_transcript.134349.Jo7+hiPB.20210403192707.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat	data	#
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat	data	#
C:\Users\user\AppData\Local\Temp\tmp3FE.tmp	XML 1.0 document, ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zawy1uep.upl.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ujmi11ov.11q.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rj0cfrkv.v0m.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pzx2opuj.bcr.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pyrii040.scl.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nbbpxawf.xpy.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lyd25ghk.v0e.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lmafyeex.kax.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k4mlodfs.k4y.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ajzbn5nt.ie4.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	#
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log	ASCII text, with CRLF line terminators	#

hbvo9thTAX.exe

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

hbvo9thTAX.exe Options

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

Search started

hbvo9thTAX.exe