flash

presentation[2021.09.09_15-26].vbs

Status: finished
Submission Time: 13.09.2021 10:57:00
Malicious
Trojan
Evader
Ursnif

Comments

Tags

Details

  • Analysis ID:
    482024
  • API (Web) ID:
    849596
  • Analysis Started:
    13.09.2021 11:00:03
  • Analysis Finished:
    13.09.2021 11:15:01
  • MD5:
    783f03c1b5f346544c131ea2b164e54d
  • SHA1:
    9100e6d4ce0edfcb161552fdf2721835f12470a2
  • SHA256:
    683fbb9eb6fd6a0a2bab8471d1be28bd45f0598e1db19dc3f6d7536f1c4b5e8b
  • Technologies:
Full Report Management Report IOC Report Engine Info Verdict Score Reports

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

malicious
100/100

malicious
15/27

malicious

IPs

IP Country Detection
188.127.235.42
Russian Federation

Domains

Name IP Detection
art.microsoftsofymicrosoftsoft.at
188.127.235.42
atl.bigbigpoppa.com
188.127.235.42
resolver1.opendns.com
208.67.222.222

URLs

Name Detection
http://art.microsoftsofymicrosoftsoft.at/0QTFQ19LsLPPw2WV1xJ/YcBhtZLzUs6CSioSs9dLnb/aEb6zuvJhqdcs/1Hb1sg90/RWaFAF1NEpmrckuTWKaPqAA/24G0Hczqd6/RbhQoaSPqBLCdZu1n/MpE8YBnCkgqe/EyYs8PTQfhS/e3P4PnLK5TJvEZ/zj0oBbuVnCwlxQAQ_2FhY/0Zu1rFoV_2B4IBxL/S0k_2BzfYQGXk4l/RlIY9NCU_2Bq2C0qZR/XkIkWaJBq/tdpiFuEgu5qCEOsijppu/WtAIhPYjfYVFXMRTyYR/vZDnI_2BfmuNdCFB6L924B/9580GsWQ3CLj4/gdGO_2FS/6
http://art.microsoftsofymicrosoftsoft.at/J7vFZ3DnKfP9_2BLqsOzhE/_2B0sX39iqKXX/xRC3_2Bn/FR7I7tC4Y_2BKbKZhTipXKo/Y68Clp5syo/AKjqJkiRp4I9iXaE1/6hTqbwupKV0Z/G7JGvRt1lPU/_2FoM5FRPpNFQ7/Q0DKQKOrk_2B_2BMtgkLi/AHH7yDMmOl_2BC_2/Bw6mGTTnqH2yR_2/BWwJ_2BspWSt3ypb_2/B3jzGWYjP/wQws_2BBySwRC_2FSzoA/9eCjcMJ9yhEG_2BMBin/PBuDF_2BwHt7nPiirKF3ia/yI6rUSMPL1t1W/Tqi6oYDf/4qfPSjhH9hVkFRq5vohLKMn/uKsZDY_2Bm7_2FTYT00/CD
http://atl.bigbigpoppa.com/_2Bd0AwZG9XFE1JsQD/cYUPvk3qo/ww4_2FJnUCtl_2FACzcA/gxGADMlKA5cRRoa6VfN/bztGPiRkqBO_2FeJB_2BBD/IZBC0D711zpQe/9l1y4Uwd/xWWDr7ndPnPsd3SHIlHFSP9/fiR_2F5_2B/KN2_2B_2B5ItX8nNz/A90VzmqpXUKU/D_2BBXI_2Fv/Sm1xwqkwGWKzxN/PYriFQN1XTg1Mt_2Fdo2G/CZqhw6Gkw9Ga7J6_/2Bpy6_2BqUSt_2F/vDyCdPXYj3I1xnWURR/qEzCiHG74/IyTcmp76Fgjy6Le_2BYj/rD_2FzgWNQQxd_2BIyQ/7fmZMqR3a8eHDmZNS7_2Fe/dWNBCQOVIE_2F/6naTDq9tL/Nw
Click to see the 15 hidden entries
http://atl.bigbigpoppa.com/ls0YKrv_/2BJV6E5mlJLydgYjyupmqAO/ebshbxfLmK/53ueumhRK5uHsu1wq/kpnvHeT3BjeE/FCqvgS3hqwT/mPkNYDb32X1Qkc/N7G1r4IU6bUFNgu5BVVbX/yjbVABqaYeB8_2B_/2Fc9vKfZ4hMWLC_/2F14B5QvoOUabGWCw8/plYcnGyms/aXOFWp0J_2FK_2F8o_2B/CI_2FWn_2BX374n3ww4/TG_2ByfgHphR5COejTHsMy/gz3rKYS9XKGwv/EDh6_2Fg/2ikTmUt7QTCri3TRpRtQJWb/r2fO6KX7SN/6mXIe2jQ1oyEIqRjM/CLsIWaugZB_2/FhqkmGlAeUa/nn8rVI84Q/hCoKY5
http://atl.bigbigpoppa.com/fLZmMbWHBrDjVjdoP/PBIC_2FBgMAC/GLBRSVYh_2B/gOgSU0YMdVq_2B/zcwHoIWkheDXq9xczsBhd/ElAduBsByQvdzYtm/u1rHkcLjXfXx1mz/65IOgBlAGjO7Q3M6vt/veJ56XC29/VYs86CKFiCgfUKe_2BfC/Owi_2FUGONT8UvwdsM8/JqV4Jr0011ZtMPmdvDnIrg/UTgh1kCejVnav/Uy_2FGvp/eeZw5tLTiHgf8fP7rzbZynm/BFygaGjj9P/SHhlv5Dn_2B4k8NOM/1M_2FM_2BW8G/dlVQieXVKAn/Zjy1O5qAJEGMC1/sQMiemHb82h85qSPQL4KI/K6v7yXzTOl7hZz/W
http://crl.m-
http://nuget.org/NuGet.exe
http://constitution.org/usdeclar.txt
http://pesterbdd.com/images/Pester.png
http://www.apache.org/licenses/LICENSE-2.0.html
https://contoso.com/
https://nuget.org/nuget.exe
http://constitution.org/usdeclar.txtC:
https://contoso.com/License
https://contoso.com/Icon
http://https://file://USER.ID%lu.exe/upd
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
https://github.com/Pester/Pester

Dropped files

Name File Type Hashes Detection
C:\Users\user\AppData\Local\Temp\fum.cpp
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.0.cs
UTF-8 Unicode (with BOM) text
#
C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.cmdline
UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
#
Click to see the 15 hidden entries
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
data
#
C:\Users\user\AppData\Local\Temp\RESDDD0.tmp
data
#
C:\Users\user\AppData\Local\Temp\RESEAC0.tmp
data
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lbwk5wqt.vfi.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rkeod5lv.u3f.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\adobe.url
MS Windows 95 Internet shortcut text (URL=<https://adobe.com/>), ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\qlsida3o\CSCC809748AA5EB4643A41D26B71B98A016.TMP
MSVC .res
#
C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.cmdline
UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.out
ASCII text, with CRLF, CR line terminators
#
C:\Users\user\AppData\Local\Temp\tjafqng0\CSC6B09D7CB2D7045B59F7434F2A8CE445.TMP
MSVC .res
#
C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.0.cs
UTF-8 Unicode (with BOM) text
#
C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.out
ASCII text, with CRLF, CR line terminators
#
C:\Users\user\Documents\20210913\PowerShell_transcript.936905.2Hrty1Wv.20210913110432.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
#