flash

lKJbVguaav.exe

Status: finished
Submission Time: 15.09.2021 15:50:25
Malicious
Trojan
Adware
Exploiter
Evader
AgentTesla

Comments

Tags

  • AfiaWaveEnterprisesOy
  • AgentTesla
  • exe
  • signed

Details

  • Analysis ID:
    483912
  • API (Web) ID:
    851470
  • Analysis Started:
    15.09.2021 16:10:16
  • Analysis Finished:
    15.09.2021 16:27:15
  • MD5:
    5f377de371a8e95acec9956303d6f032
  • SHA1:
    4d36d918df8ff90c0327ef713cfa262591d93636
  • SHA256:
    46eeda891d1ab66cb14c007a901cf167b9e80ed78d9af21889eea4be3eb55e09
  • Technologies:
Full Report Management Report IOC Report Engine Info Verdict Score Reports

malicious

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

malicious
100/100

malicious
42/68

malicious
12/35

malicious
30/45

Domains

Name IP Detection
canonicalizer.ucsuri.tcs
0.0.0.0

URLs

Name Detection
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
http://ocsp.sectigo.com0
https://dev.ditu.live.com/REST/v1/Routes/
Click to see the 49 hidden entries
https://dev.virtualearth.net/REST/v1/Routes/Driving
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
https://t0.tiles.ditu.live.com/tiles/gen
https://dev.virtualearth.net/REST/v1/Routes/Walking
http://www.davidemauri.it/
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
https://dev.ditu.live.com/mapcontrol/logging.ashx
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
https://dev.virtualearth.net/REST/v1/Transit/Schedules/
https://sectigo.com/CPS0C
https://sectigo.com/CPS0D
https://appexmapsappupdate.blob.core.windows.net
http://www.nirsoft.net/
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://www.bingmapsportal.com
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
https://sectigo.com/CPS0
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
http://regexlib.com/
https://dev.virtualearth.net/REST/v1/Routes/
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
https://dev.virtualearth.net/REST/v1/Locations
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
https://dev.virtualearth.net/mapcontrol/logging.ashx
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
https://dynamic.t
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
https://dev.virtualearth.net/REST/v1/Routes/Transit
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
http://www.sourceforge.net/projects/regextestkhttp://www.codeproject.com/KB/cs/dotnetregextest.aspx_
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
https://dev.ditu.live.com/REST/v1/Locations
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=

Dropped files

Name File Type Hashes Detection
C:\Program Files\Common Files\system\E59A6148\svchost.exe
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Program Files\Common Files\system\E59A6148\svchost.exe:Zone.Identifier
ASCII text, with CRLF line terminators
#
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_lKJbVguaav.exe_2d31aef62bf69c86310ee4e4d6bcfe8179b846_f2aaf5a9_0d501a6f\Report.wer
Little-endian UTF-16 Unicode text, with CRLF line terminators
#
Click to see the 65 hidden entries
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe:Zone.Identifier
ASCII text, with CRLF line terminators
#
C:\ProgramData\Microsoft\Network\Downloader\edb.log
data
#
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
Extensible storage engine DataBase, version 0x620, checksum 0x9d0904e9, page size 16384, DirtyShutdown, Windows version 10.0
#
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
data
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WER13AA.tmp.txt
data
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF3FB.tmp.dmp
Mini DuMP crash report, 14 streams, CheckSum 0x00000004, Wed Sep 15 23:12:22 2021, 0x1205a4 type
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFCC6.tmp.WERInternalMetadata.xml
XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFE8C.tmp.xml
XML 1.0 document, ASCII text, with CRLF line terminators
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFEC9.tmp.csv
data
#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
data
#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
data
#
C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\AdvancedRun.exe
PE32 executable (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Local\Temp\19b25a48-953e-448c-9e64-5dc032452e45\test.bat
ASCII text, with very long lines, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\AdvancedRun.exe
PE32 executable (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Local\Temp\5bb2c36b-9ef3-485f-8cd6-e02fb42d70a2\test.bat
ASCII text, with very long lines, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\AdvancedRun.exe
PE32 executable (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Local\Temp\6b30eb02-4ddc-4526-af49-69f73f778fc3\test.bat
ASCII text, with very long lines, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\AdvancedRun.exe
PE32 executable (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Local\Temp\74756a05-3a9e-4a94-ac38-fe701c90e011\test.bat
ASCII text, with very long lines, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0sujccj5.2hr.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0to0l3af.5lh.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1wq03asq.lvp.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3fxzhyif.zrp.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_52yaov0d.0wm.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a3fzrzyw.hii.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_av5ukidk.5ll.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ayrbxg4e.dwv.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cucfolck.ogk.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dahb04fl.vus.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e2lf1ctc.q2f.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ffdfjlzo.kti.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_guupapww.iif.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i34xi30m.50h.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i4ep12v3.0x4.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_itmz2rec.cma.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mmd5esqe.nye.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n53wgmkc.hjj.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nkandfd3.edm.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_owyqwer5.pit.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_prdboqvj.obf.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t3cudrtk.i1j.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t55ukbii.j4o.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vcgbxqwq.o1n.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vlmwsvb4.xai.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w03g12pt.ext.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wyv2ksux.dc3.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x4bdcww5.qt0.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\AdvancedRun.exe
PE32 executable (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Local\Temp\a917f366-d607-4eab-84c4-b148dd5c0b83\test.bat
ASCII text, with very long lines, with CRLF line terminators
#
C:\Users\user\Documents\20210915\PowerShell_transcript.216554.DYnW38wW.20210915161257.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
#
C:\Users\user\Documents\20210915\PowerShell_transcript.216554.FKgT1nS8.20210915161142.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
#
C:\Users\user\Documents\20210915\PowerShell_transcript.216554.Ip8DGDRD.20210915161155.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
#
C:\Users\user\Documents\20210915\PowerShell_transcript.216554.UDSSE0Wa.20210915161256.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
#
C:\Users\user\Documents\20210915\PowerShell_transcript.216554.WgKkZP8O.20210915161259.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
#
C:\Users\user\Documents\20210915\PowerShell_transcript.216554.Y6uDcGdZ.20210915161140.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
#
C:\Users\user\Documents\20210915\PowerShell_transcript.216554.dh5SBumr.20210915161301.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
#
C:\Users\user\Documents\20210915\PowerShell_transcript.216554.jUr0FIc5.20210915161154.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
#
C:\Users\user\Documents\20210915\PowerShell_transcript.216554.omxvttNV.20210915161253.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
#
C:\Users\user\Documents\20210915\PowerShell_transcript.216554.shlvG_Cr.20210915161146.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
#
C:\Users\user\Documents\20210915\PowerShell_transcript.216554.tRwex4kM.20210915161147.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
#
C:\Users\user\Documents\20210915\PowerShell_transcript.216554.yYZmvm0B.20210915161155.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
#
C:\Users\user\Documents\20210915\PowerShell_transcript.216554.z8gC+7xP.20210915161149.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
#
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
ASCII text, with no line terminators
#
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log
data
#