presentation[2021.09.09_15-26].vbs

Status: finished
Submission Time: 2021-09-13 10:57:00 +02:00
Verdict: Malicious
Classification: Trojan, Evader, Ursnif

Details

  • Analysis ID:
    482024
  • API (Web) ID:
    849596
  • Analysis Started:
    2021-09-13 11:00:03 +02:00
  • Analysis Finished:
    2021-09-13 11:15:01 +02:00
  • MD5:
    783f03c1b5f346544c131ea2b164e54d
  • SHA1:
    9100e6d4ce0edfcb161552fdf2721835f12470a2
  • SHA256:
    683fbb9eb6fd6a0a2bab8471d1be28bd45f0598e1db19dc3f6d7536f1c4b5e8b
  • Technologies:

Detection

  • Joe Sandbox: malicious (Score: 100)
    System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
  • Third Party Analysis Engines: malicious (Score: 15/27)

IPs

  • 188.127.235.42 (Russian Federation)

Domains

  • art.microsoftsofymicrosoftsoft.at: 188.127.235.42
  • atl.bigbigpoppa.com: 188.127.235.42
  • resolver1.opendns.com: 208.67.222.222

URLs


Dropped files

Name / File Type

  • C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.cmdline
    UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
  • C:\Users\user\AppData\Local\Temp\fum.cpp
    PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.0.cs
    UTF-8 Unicode (with BOM) text
  • C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.cmdline
    UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
  • C:\Users\user\Documents\20210913\PowerShell_transcript.936905.2Hrty1Wv.20210913110432.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.out
    ASCII text, with CRLF, CR line terminators
  • C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.dll
    PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.0.cs
    UTF-8 Unicode (with BOM) text
  • C:\Users\user\AppData\Local\Temp\tjafqng0\CSC6B09D7CB2D7045B59F7434F2A8CE445.TMP
    MSVC .res
  • C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.out
    ASCII text, with CRLF, CR line terminators
  • C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.dll
    PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    data
  • C:\Users\user\AppData\Local\Temp\qlsida3o\CSCC809748AA5EB4643A41D26B71B98A016.TMP
    MSVC .res
  • C:\Users\user\AppData\Local\Temp\adobe.url
    MS Windows 95 Internet shortcut text (URL=<https://adobe.com/>), ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rkeod5lv.u3f.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lbwk5wqt.vfi.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\RESEAC0.tmp
    data
  • C:\Users\user\AppData\Local\Temp\RESDDD0.tmp
    data