Joe Sandbox Cloud Basic

Want to search on specific fields?


Try our:

Advanced Search

Want to search in depth on all Cloud Basic reports?

Try: Joe Sandbox View

Register Login
sloganpng
top title background image
flash

Refno.191938.xlsx

Status: finished
Submission Time: 2021-05-04 15:44:46 +02:00
Malicious
Trojan
Exploiter
Evader
FormBook

Comments

Tags

  • Formbook
  • VelvetSweatshop
  • xlsx

Details

  • Analysis ID:
    404009
  • API (Web) ID:
    710123
  • Analysis Started:
    2021-05-04 16:39:37 +02:00
  • Analysis Finished:
    2021-05-04 16:53:20 +02:00
  • MD5:
    a6ea0794f2791f9f2bdfcdb467122e6b
  • SHA1:
    83815a1977485c3fabdd49c91926d0482e3b78e1
  • SHA256:
    db692f9512b08149089a9d7295a04633f22944d87f2bfe53ae00d2c55f7502ca
  • Technologies:

Joe Sandbox

Engine Download Report Detection Info
malicious
Full Report Management Report IOC Report
malicious
Score: 100
System: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)

Third Party Analysis Engines

Open Full Report
malicious
Score: 18/59
malicious
Score: 11/47
malicious

IPs

IP Country Detection
198.23.213.57
 United States
43.226.23.112
 Hong Kong

Domains

Name IP Detection
20svip.com
 43.226.23.112
www.pistonpounder.com
 0.0.0.0
www.20svip.com
 0.0.0.0
Click to see the 1 hidden entries
www.streamxvid.com
 178.33.233.22

URLs

Name Detection
http://198.23.213.57/ohms.exe
www.kelurahanpatikidul.xyz/op9s/
http://www.20svip.com/op9s/?K6AhK=ON6d4TF&2dl=WVpgvCfCKFxjsYGtekiOGQyeBTiHa9iswHtNMSjSk0aOhTAJ8ULc9AeWVXTq4zeX0h/y8A==
Click to see the 16 hidden entries
https://github.com/MrCylops
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://www.hotmail.com/oe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true
http://www.%s.comPA
http://www.piriform.com/ccleaner
http://investor.msn.com/
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
http://vbcity.com/forums/t/51894.aspx
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
http://www.icra.org/vocabulary/.
http://www.msnbc.com/news/ticker.txt
http://investor.msn.com
http://www.windows.com/pctv.

Dropped files

Name File Type Hashes Detection
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ohms[1].exe
 PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
 #
C:\Users\user\AppData\Local\Temp\tmp4D08.tmp
 XML 1.0 document, ASCII text, with CRLF line terminators
 #
C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe
 PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
 #
Click to see the 7 hidden entries
C:\Users\user\Desktop\~$Refno.191938.xlsx
 data
 #
C:\Users\Public\vbc.exe
 PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
 #
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8078B401.emf
 Windows Enhanced Metafile (EMF) image data version 0x10000
 #
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DAC28400.emf
 Windows Enhanced Metafile (EMF) image data version 0x10000
 #
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C7KNZSSZ1DI8GVV6CBOE.temp
 data
 #
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FGWHD4SVKSW8FSD4W3RI.temp
 data
 #
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VS5R8C47SQIP1WVHNPQO.temp
 data
 #