6P61y0u6Nn.exe

Status: finished

Submission Time: 2021-09-15 15:44:17 +02:00

Malicious

Trojan

Adware

Exploiter

Evader

AgentTesla

Comments

Details

Analysis ID:
483898
API (Web) ID:
851463
Analysis Started:

2021-09-15 15:53:32 +02:00
Analysis Finished:

2021-09-15 16:11:09 +02:00
MD5:
83f51a31a3b9ed0a4087aca907befdeb
SHA1:
f3805488954d7bdb7b1d83ef77968ae59170a1e9
SHA256:
d15ba749c366334fd969a221a70a8f567efb1ae5db0bdbceddb166301585806e
Technologies:

Engines
IOCs

Joe Sandbox

Engine	Download Report	Detection	Info
		malicious
	Full Report Management Report IOC Report	malicious Score: 100	System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

Open Full Report

malicious

Score: 40/69

Open Full Report

malicious

Score: 13/35

malicious

Score: 22/28

Domains

Name	IP	Detection
canonicalizer.ucsuri.tcs	0.0.0.0

URLs

Name	Detection
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Click to see the 15 hidden entries
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
http://www.nirsoft.net/
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
http://www.sourceforge.net/projects/regextestkhttp://www.codeproject.com/KB/cs/dotnetregextest.aspx_
http://www.davidemauri.it/
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
https://sectigo.com/CPS0D
https://sectigo.com/CPS0C
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
http://regexlib.com/
http://ocsp.sectigo.com0
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
https://sectigo.com/CPS0

Dropped files

Name	File Type	Hashes
C:\Program Files\Common Files\system\E59A6148\svchost.exe:Zone.Identifier	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe:Zone.Identifier	ASCII text, with CRLF line terminators	#
Click to see the 61 hidden entries
C:\Program Files\Common Files\system\E59A6148\svchost.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	ASCII text, with no line terminators	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rxw1d434.kcs.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_soufzxk1.qev.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sssd5d50.ed0.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tdifzaeb.1nw.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_te20ts3b.dv2.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uumxibsd.qrp.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xbtwqko3.baj.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z2dsoebv.o3s.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zvmxazb3.r4v.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\AdvancedRun.exe	PE32 executable (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\a6bde2fa-d937-4133-8635-97d75b194940\test.bat	ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\AdvancedRun.exe	PE32 executable (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\b5da386f-05a4-4a60-a911-8b9954bd3249\test.bat	ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rqobtuj1.jfs.ps1	very short file (no magic)	#
C:\Users\user\Documents\20210915\PowerShell_transcript.571345.+XmHsUNP.20210915155527.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20210915\PowerShell_transcript.571345.1UafY6nv.20210915155630.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20210915\PowerShell_transcript.571345.2IO6Ihvl.20210915155520.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20210915\PowerShell_transcript.571345.7dgcABRu.20210915155608.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20210915\PowerShell_transcript.571345.CByUc04+.20210915155502.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20210915\PowerShell_transcript.571345.OpllYleI.20210915155500.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20210915\PowerShell_transcript.571345.Usb5hF8x.20210915155615.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20210915\PowerShell_transcript.571345.Z7CArzfL.20210915155612.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20210915\PowerShell_transcript.571345._PywPqRN.20210915155503.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20210915\PowerShell_transcript.571345.cNh4BXcU.20210915155615.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20210915\PowerShell_transcript.571345.hovu9FR5.20210915155511.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20210915\PowerShell_transcript.571345.m3EPoBtw.20210915155610.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20210915\PowerShell_transcript.571345.nsM1HNmK.20210915155512.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20210915\PowerShell_transcript.571345.sWSZZ_Tx.20210915155519.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bakq5gb0.q3f.ps1	very short file (no magic)	#
C:\ProgramData\Microsoft\Network\Downloader\edb.log	data	#
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db	Extensible storage user DataBase, version 0x620, checksum 0xb5c8843e, page size 16384, DirtyShutdown, Windows version 10.0	#
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm	data	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	#
C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\AdvancedRun.exe	PE32 executable (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\114ecffd-3c3d-4852-9b52-9e435e4d4550\test.bat	ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\AdvancedRun.exe	PE32 executable (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\743d8702-3ca1-4afe-8f7c-4f95be21c963\test.bat	ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\AdvancedRun.exe	PE32 executable (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\79402708-a4e5-478e-aa5f-5322f2c0e4b7\test.bat	ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2vq4c30n.hre.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4fhtvdiy.ks4.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_53g0o2y2.5iz.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5cymq2wv.eqf.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qxn55ua0.cnh.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_butynpy2.fhn.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dvydw1mq.uvm.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h5mblyo5.hbx.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ichx54v4.s1k.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iyamx0do.zt4.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jddt5hq2.czv.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jna5bssn.ldi.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jpezsbnz.1f0.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lbdjttyt.kg4.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nd4is0gq.rfd.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ndk5muty.fik.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_npy3ftdb.oi1.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_psd5o1gf.32i.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ptyzf23y.xc5.ps1	very short file (no magic)	#

6P61y0u6Nn.exe

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

Domains

URLs

Dropped files

6P61y0u6Nn.exe Options

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

Domains

URLs

Dropped files

Search started

6P61y0u6Nn.exe