lKJbVguaav.exe

Status: finished

Submission Time: 2021-09-15 15:50:25 +02:00

Malicious

Trojan

Adware

Exploiter

Evader

AgentTesla

Comments

Details

Analysis ID:
483912
API (Web) ID:
851470
Analysis Started:

2021-09-15 16:10:16 +02:00
Analysis Finished:

2021-09-15 16:27:15 +02:00
MD5:
5f377de371a8e95acec9956303d6f032
SHA1:
4d36d918df8ff90c0327ef713cfa262591d93636
SHA256:
46eeda891d1ab66cb14c007a901cf167b9e80ed78d9af21889eea4be3eb55e09
Technologies:

Engines
IOCs

Joe Sandbox

Engine	Download Report	Detection	Info
		malicious
	Full Report Management Report IOC Report	malicious Score: 100	System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

Open Full Report

malicious

Score: 42/68

Open Full Report

malicious

Score: 12/35

malicious

Score: 30/45

Domains

Name	IP	Detection
canonicalizer.ucsuri.tcs	0.0.0.0

URLs

Name	Detection
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
http://regexlib.com/
https://dev.virtualearth.net/REST/v1/Routes/
Click to see the 49 hidden entries
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
https://dev.virtualearth.net/REST/v1/Locations
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
https://dev.virtualearth.net/mapcontrol/logging.ashx
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
https://dynamic.t
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
https://dev.virtualearth.net/REST/v1/Routes/Transit
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
http://www.sourceforge.net/projects/regextestkhttp://www.codeproject.com/KB/cs/dotnetregextest.aspx_
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
https://dev.ditu.live.com/REST/v1/Locations
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
http://ocsp.sectigo.com0
https://dev.ditu.live.com/REST/v1/Routes/
https://dev.virtualearth.net/REST/v1/Routes/Driving
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
https://t0.tiles.ditu.live.com/tiles/gen
https://dev.virtualearth.net/REST/v1/Routes/Walking
http://www.davidemauri.it/
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
https://dev.ditu.live.com/mapcontrol/logging.ashx
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
https://dev.virtualearth.net/REST/v1/Transit/Schedules/
https://sectigo.com/CPS0C
https://sectigo.com/CPS0D
https://appexmapsappupdate.blob.core.windows.net
http://www.nirsoft.net/
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://www.bingmapsportal.com
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
https://sectigo.com/CPS0

Dropped files

Name	File Type	Hashes
C:\Program Files\Common Files\system\E59A6148\svchost.exe:Zone.Identifier	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe:Zone.Identifier	ASCII text, with CRLF line terminators	#
Click to see the 65 hidden entries
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_lKJbVguaav.exe_2d31aef62bf69c86310ee4e4d6bcfe8179b846_f2aaf5a9_0d501a6f\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	#
C:\Program Files\Common Files\system\E59A6148\svchost.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mmd5esqe.nye.psm1	very short file (no magic)	#
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log	data	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n53wgmkc.hjj.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nkandfd3.edm.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_owyqwer5.pit.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_prdboqvj.obf.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t3cudrtk.i1j.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t55ukbii.j4o.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vcgbxqwq.o1n.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vlmwsvb4.xai.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w03g12pt.ext.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wyv2ksux.dc3.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x4bdcww5.qt0.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe	PE32 executable (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_itmz2rec.cma.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\test.bat	ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\Documents\20210915\PowerShell_transcript.216554.DYnW38wW.20210915161257.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20210915\PowerShell_transcript.216554.FKgT1nS8.20210915161142.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20210915\PowerShell_transcript.216554.Ip8DGDRD.20210915161155.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20210915\PowerShell_transcript.216554.UDSSE0Wa.20210915161256.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20210915\PowerShell_transcript.216554.WgKkZP8O.20210915161259.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20210915\PowerShell_transcript.216554.Y6uDcGdZ.20210915161140.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20210915\PowerShell_transcript.216554.dh5SBumr.20210915161301.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20210915\PowerShell_transcript.216554.jUr0FIc5.20210915161154.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20210915\PowerShell_transcript.216554.omxvttNV.20210915161253.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20210915\PowerShell_transcript.216554.shlvG_Cr.20210915161146.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20210915\PowerShell_transcript.216554.tRwex4kM.20210915161147.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20210915\PowerShell_transcript.216554.yYZmvm0B.20210915161155.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20210915\PowerShell_transcript.216554.z8gC+7xP.20210915161149.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	ASCII text, with no line terminators	#
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFEC9.tmp.csv	data	#
C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\test.bat	ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe	PE32 executable (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\test.bat	ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe	PE32 executable (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\test.bat	ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe	PE32 executable (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	#
C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe	PE32 executable (GUI) Intel 80386, for MS Windows	#
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFE8C.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	#
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFCC6.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	#
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF3FB.tmp.dmp	Mini DuMP crash report, 14 streams, CheckSum 0x00000004, Wed Sep 15 23:12:22 2021, 0x1205a4 type	#
C:\ProgramData\Microsoft\Windows\WER\Temp\WER13AA.tmp.txt	data	#
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm	data	#
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db	Extensible storage engine DataBase, version 0x620, checksum 0x9d0904e9, page size 16384, DirtyShutdown, Windows version 10.0	#
C:\ProgramData\Microsoft\Network\Downloader\edb.log	data	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i4ep12v3.0x4.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\test.bat	ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0sujccj5.2hr.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0to0l3af.5lh.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1wq03asq.lvp.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3fxzhyif.zrp.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_52yaov0d.0wm.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a3fzrzyw.hii.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_av5ukidk.5ll.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ayrbxg4e.dwv.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cucfolck.ogk.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dahb04fl.vus.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e2lf1ctc.q2f.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ffdfjlzo.kti.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_guupapww.iif.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i34xi30m.50h.psm1	very short file (no magic)	#

lKJbVguaav.exe

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

Domains

URLs

Dropped files

lKJbVguaav.exe Options

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

Domains

URLs

Dropped files

Search started

lKJbVguaav.exe