
#RFQ ORDER7678432213211.exe

Status: finished
Submission Time: 20.07.2021 08:07:12
Malicious
Trojan
Evader
Nanocore

Tags

  • exe
  • NanoCore
  • RAT

Details

  • Analysis ID:
    451085
  • API (Web) ID:
    818678
  • Analysis Started:
    20.07.2021 08:12:09
  • Analysis Finished:
    20.07.2021 08:24:11
  • MD5:
    2f286cd817b368e8a747e8f0d8f28825
  • SHA1:
    e49beec02d942e12b0dad74d81ab8ed4f02667e2
  • SHA256:
    b291d719522053a662cadd70b131668a1d953d4c4dd648e8a5647b689eb6341d

  • Verdict:
    malicious
  • System:
    Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
  • Score:
    100/100 (malicious)
  • Detection:
    6/46 (malicious)

IPs

  • IP:
    194.5.98.120
  • Country:
    Netherlands
  • Detection:
    (none listed)

URLs

Name (no detection listed for any entry)

  • 194.5.98.120
  • joseedward5001.ddns.net
  • http://www.fontbureau.com
  • http://www.galapagosdesign.com/
  • http://www.fontbureau.comF
  • http://www.galapagosdesign.com/staff/dennis.htmI;
  • http://www.agfamonotype.
  • http://www.fonts.comd
  • http://pesterbdd.com/images/Pester.png
  • http://www.jiyu-kobo.co.jp//tr
  • http://www.jiyu-kobo.co.jp/jp/j.
  • http://www.apache.org/licenses/LICENSE-2.0.html
  • http://www.galapagosdesign.com/W
  • https://go.micro
  • http://www.tiro.com
  • http://www.jiyu-kobo.co.jp/X.
  • http://www.jiyu-kobo.co.jp/u.
  • http://www.jiyu-kobo.co.jp/jp/O.
  • http://www.jiyu-kobo.co.jp/jp/
  • http://www.fontbureau.coma
  • https://github.com/Pester/Pester
  • http://www.fontbureau.comasva
  • http://www.jiyu-kobo.co.jp/X7e
  • http://www.fontbureau.comaV.
  • http://www.fontbureau.comgrita
  • http://www.fontbureau.com/designers/frere-jones.html
  • http://www.jiyu-kobo.co.jp/s
  • http://www.jiyu-kobo.co.jp/Y0-f
  • http://www.jiyu-kobo.co.jp/
  • http://www.jiyu-kobo.co.jp/n-u
  • http://www.fonts.comp
  • http://www.jiyu-kobo.co.jp/Y.
  • http://www.fonts.com
  • http://www.jiyu-kobo.co.jp/2.
  • http://www.jiyu-kobo.co.jp/O.
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  • http://www.jiyu-kobo.co.jp/c.U
  • http://www.jiyu-kobo.co.jp/rV.
  • http://www.sakkal.com

Dropped files

Name and file type (hashes and detection not listed for any entry)

  • C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\#RFQ ORDER7678432213211.exe.log
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\tmpFD92.tmp
    XML 1.0 document, ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
    Non-ISO extended-ASCII text, with no line terminators
  • C:\Users\user\AppData\Roaming\XgPYsUfalKn.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Roaming\XgPYsUfalKn.exe:Zone.Identifier
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    data
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3lbm0dym.0pl.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5bowk3z4.alr.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jkmlqmz3.kot.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mbvx1mrl.nve.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mjdu1muo.pll.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uwb0ckt4.xfw.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
    data
  • C:\Users\user\Documents\20210720\PowerShell_transcript.226546.QECk8fRN.20210720081336.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\Documents\20210720\PowerShell_transcript.226546.u9dWU6FT.20210720081341.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\Documents\20210720\PowerShell_transcript.226546.xFvC9uuU.20210720081339.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators