KDH32783JHC73287SDF87.VBS

Status: finished

Submission Time: 2021-09-25 10:17:29 +02:00

Malicious

Trojan

Spyware

Evader

AsyncRAT

Comments

Details

Analysis ID:
490264
API (Web) ID:
857834
Analysis Started:

2021-09-25 10:25:09 +02:00
Analysis Finished:

2021-09-25 10:38:26 +02:00
MD5:
51bada4133b4400a6f7acac7e67695af
SHA1:
53d9b24ac41d2c5b5452c004797a9aff04a64487
SHA256:
14670db63054f493d6b33519e1eab9caf1dd1576999ffedf775d19119c0d78e2
Technologies:

Engines
IOCs

Joe Sandbox

Engine	Download Report	Detection	Info
	Full Report Management Report IOC Report	malicious Score: 100	System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

malicious

IPs

IP	Country	Detection
77.247.127.198	United Kingdom
104.21.26.226	United States
104.21.66.125	United States
Click to see the 1 hidden entries
172.67.139.125	United States

Domains

Name	IP	Detection
mo1010.duckdns.org	77.247.127.198
java-eg.com	104.21.66.125
chilp.it	172.67.139.125

URLs

Name	Detection
mo1010.duckdns.org
https://nuget.org/nuget.exe
http://java-eg.com
Click to see the 32 hidden entries
https://github.com/Pester/Pester
http://james.newtonking.com/projects/json
https://chilp.it/7854
https://java-eg.com
https://java-eg.com/wp-content/themes/twentyseventeen/template-parts/header/java/php.jpg
http://schemas.xmlsoap.org/wsdl/
https://contoso.com/
https://chilp.it/7854610X
https://www.newtonsoft.com/jsonschema
http://chilp.itx
https://www.nuget.org/packages/Newtonsoft.Json.Bson
https://system.data.sqlite.org/
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://crl.miV
http://crl.micros
http://www.apache.org/licenses/LICENSE-2.0.html
http://nuget.org/NuGet.exe
https://java-eg.com8
https://java-eg.comx
https://chilp.it/7854610
https://java-eg.com/wp-content/themes/twentyseventeen/template-parts/header/java/i2.jpg
http://chilp.it
http://pesterbdd.com/images/Pester.png
http://schemas.xmlsoap.org/soap/encoding/
http://chilp.it/7854610
https://go.micro
https://contoso.com/License
https://contoso.com/Icon
https://java-eg.com/wp-content/themes/twentyseventeen/template-parts/header/java/i1.jpg
https://system.data.sqlite.org/X
https://www.newtonsoft.com/json
https://chilp.it

Dropped files

Name	File Type	Hashes
C:\Users\Public\Music\alosh.ps1	ASCII text, with CRLF line terminators	#
C:\Users\Public\Music\run.ps1	ASCII text, with CRLF line terminators	#
C:\Users\Public\Music\vb.bat	ASCII text, with CRLF line terminators	#
Click to see the 26 hidden entries
C:\Users\Public\Music\vb.vbs	ASCII text, with CRLF line terminators	#
C:\Users\Public\Service.ps1	ASCII text, with very long lines	#
C:\Users\Public\WindowsStateRepositoryCore.bat	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\vfl4qio1\vfl4qio1.0.cs	C++ source, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\vfl4qio1\vfl4qio1.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Temp\vfl4qio1\vfl4qio1.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ra2cc3nn.htl.psm1	very short file (no magic)	#
C:\Users\user\Documents\20210925\PowerShell_transcript.141700.ZNRASwRg.20210925102617.txt	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u4t0ypvc.tro.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\vfl4qio1\CSC646E655CB52D4766BD87DD83F0456ED1.TMP	MSVC .res	#
C:\Users\user\AppData\Local\Temp\vfl4qio1\vfl4qio1.out	ASCII text, with CRLF, CR line terminators	#
C:\Users\user\Documents\20210925\PowerShell_transcript.141700.6c+yQSjo.20210925102653.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20210925\PowerShell_transcript.141700.AqQg2vAe.20210925102646.txt	UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators	#
C:\Users\user\Documents\20210925\PowerShell_transcript.141700.Wmi7Y8+9.20210925102640.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\ProgramData\ServiceState\WindowsStateRepositoryCore.vbs	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qaqxfbd5.hwt.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ozfsb0sd.c5h.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oiavrk5x.uun.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ogriscnf.3fi.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hsosxhun.yqd.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2zjx0icl.5k2.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\RESF057.tmp	data	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	#
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	#
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, 61157 bytes, 1 file	#

KDH32783JHC73287SDF87.VBS

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

KDH32783JHC73287SDF87.VBS Options

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

Search started

KDH32783JHC73287SDF87.VBS