malware.ps1

Status: finished

Submission Time: 2021-11-22 20:39:24 +01:00

Malicious

Trojan

Evader

Ursnif

Comments

Details

Analysis ID:
526642
API (Web) ID:
894164
Analysis Started:

2021-11-22 20:41:40 +01:00
Analysis Finished:

2021-11-22 20:47:57 +01:00
MD5:
b0b0657a4c375cffc126892c10b5acd6
SHA1:
580152e7c431a47fd0fe487b0171476de9b8e407
SHA256:
061eb7119db9995949b39369aed60c2c7617c82e580705206ce7b60de123aaa5
Technologies:

Engines
IOCs

Joe Sandbox

Engine	Download Report	Detection	Info
	Full Report Management Report IOC Report	malicious Score: 56	System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

URLs

Name	Detection
http://nuget.org/NuGet.exe
http://www.apache.org/licenses/LICENSE-2.0
http://constitution.org/usdeclar.txt
Click to see the 13 hidden entries
http://pesterbdd.com/images/Pester.png
http://www.apache.org/licenses/LICENSE-2.0.html
https://contoso.com/
https://nuget.org/nuget.exe
http://constitution.org/usdeclar.txtC:
https://contoso.com/License
https://contoso.com/Icon
https://oneget.orgX
http://https://file://USER.ID%lu.exe/upd
https://oneget.orgformat.ps1xmlagement.dll2040.missionsand
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
https://github.com/Pester/Pester
https://oneget.org

Dropped files

Name	File Type	Hashes
C:\Users\user\AppData\Local\Temp\5z3xaygo\5z3xaygo.0.cs	UTF-8 Unicode (with BOM) text	#
C:\Users\user\AppData\Local\Temp\ad403csv\ad403csv.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ebtshoty.hoc.psm1	very short file (no magic)	#
Click to see the 16 hidden entries
C:\Users\user\Documents\20211122\PowerShell_transcript.618321.JkieqDuu.20211122204245.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X0LX71ESHNRJY9TJQYH1.temp	data	#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)	data	#
C:\Users\user\AppData\Local\Temp\ad403csv\ad403csv.out	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators	#
C:\Users\user\AppData\Local\Temp\ad403csv\ad403csv.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Temp\ad403csv\ad403csv.0.cs	UTF-8 Unicode (with BOM) text	#
C:\Users\user\AppData\Local\Temp\ad403csv\CSCD6795C79BDE3450B9F7CAA8771DF83B.TMP	MSVC .res	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kc3e5p1v.f0a.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	#
C:\Users\user\AppData\Local\Temp\RESE4F1.tmp	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x496, 9 symbols	#
C:\Users\user\AppData\Local\Temp\RESD522.tmp	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x496, 9 symbols	#
C:\Users\user\AppData\Local\Temp\5z3xaygo\CSC84083F42CE6043C2AA7FFF454285CD95.TMP	MSVC .res	#
C:\Users\user\AppData\Local\Temp\5z3xaygo\5z3xaygo.out	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators	#
C:\Users\user\AppData\Local\Temp\5z3xaygo\5z3xaygo.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Temp\5z3xaygo\5z3xaygo.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	#

malware.ps1

Comments

Tags

Available tags:

Details

Joe Sandbox

URLs

Dropped files

malware.ps1 Options

Comments

Tags

Available tags:

Details

Joe Sandbox

URLs

Dropped files

Search started

malware.ps1