Register Login

sloganpng

top title background image

Citvonvhciktufwvyzyhistnewdjgsoqdr.exe

Status: finished

Submission Time: 2021-05-12 06:21:25 +02:00

Malicious

Trojan

Evader

FormBook

Comments

Tags

Details

Analysis ID:
411769
API (Web) ID:
779371
Analysis Started:

2021-05-12 06:29:05 +02:00
Analysis Finished:

2021-05-12 06:45:23 +02:00
MD5:
4e71f90d1817f44313f4e101ef393968
SHA1:
3932f9822134761e7bf9bc1902f8cc28b6820559
SHA256:
aace20e28e61cb328da74ff938231b1ce9a07498d477efe3efc5c5d3d04b9dc1
Technologies:

Engines
IOCs

Joe Sandbox

Engine	Download Report	Detection	Info
		malicious
	Full Report Management Report IOC Report	malicious Score: 100	System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

Open Full Report

malicious

Score: 49/70

Open Full Report

malicious

Score: 15/34

malicious

Score: 31/47

IPs

IP	Country	Detection
198.54.117.212	United States

Domains

Name	IP	Detection
www.thrg33.club	0.0.0.0
www.georgeswebwerks.com	0.0.0.0
www.rest-blog.com	118.27.99.91
Click to see the 3 hidden entries
parkingpage.namecheap.com	198.54.117.212
onedrive.live.com	0.0.0.0
xhtfga.dm.files.1drv.com	0.0.0.0

URLs

Name	Detection
www.clinics.life/qku9/
https://contoso.com/
https://github.com/Pester/Pester
Click to see the 15 hidden entries
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://mscrl.micro
https://contoso.com/Icon
https://contoso.com/License
http://schemas.microsoft.coT
https://nuget.org/nuget.exe
https://xhtfga.dm.files.1drv.com/y4m8SMkzvpejvDLx8dnrECcyq_e2qmwA_A7cOWUQWdVRMq0yniUlzBSm_G1n5_On9Y_
http://schemas.xmlsoap.org/wsdl/
https://go.micro
http://crl.microsof
http://www.apache.org/licenses/LICENSE-2.0.html
http://schemas.xmlsoap.org/soap/encoding/
http://pesterbdd.com/images/Pester.png
http://osoft.com/PKI/doefault.htm0
http://nuget.org/NuGet.exe

Dropped files

Name	File Type	Hashes	Detection
C:\Users\Public\Citvon\Citvon.exe	PE32 executable (GUI) Intel 80386, for MS Windows	#
C:\Windows \System32\Netplwiz.exe	PE32+ executable (GUI) x86-64, for MS Windows	#
C:\Windows \System32\NETUTILS.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	#
Click to see the 15 hidden entries
C:\Users\Public\Netplwiz.exe	PE32+ executable (GUI) x86-64, for MS Windows	#
C:\Users\Public\NETUTILS.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	#
C:\Users\Public\PXOR.bat	ASCII text, with CRLF line terminators	#
C:\Users\Public\nest	ASCII text, with CRLF line terminators	#
C:\Users\Public\novtiC.url	MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Citvon\\Citvon.exe">), ASCII text, with CRLF line terminators	#
C:\Users\Public\stt.bat	ASCII text, with no line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\Citvonvhciktufwvyzyhistnewdjgso[2]	data	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\Citvonvhciktufwvyzyhistnewdjgso[1]	data	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\Citvonvhciktufwvyzyhistnewdjgso[1]	data	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3d0dqmo2.y55.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_effl5svh.hnm.ps1	very short file (no magic)	#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QMQWYHM887V4RPK1MFDO.temp	data	#
C:\Users\user\Documents\20210512\PowerShell_transcript.124406.e+5goyTn.20210512063021.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\Public\Cdex.bat	ASCII text, with no line terminators	#