flash

malware.ps1

Status: finished
Submission Time: 22.11.2021 20:39:24
Malicious
Trojan
Evader
Ursnif

Comments

Tags

Details

  • Analysis ID:
    526642
  • API (Web) ID:
    894164
  • Analysis Started:
    22.11.2021 20:41:40
  • Analysis Finished:
    22.11.2021 20:47:57
  • MD5:
    b0b0657a4c375cffc126892c10b5acd6
  • SHA1:
    580152e7c431a47fd0fe487b0171476de9b8e407
  • SHA256:
    061eb7119db9995949b39369aed60c2c7617c82e580705206ce7b60de123aaa5
  • Technologies:
Full Report Management Report IOC Report Engine Info Verdict Score Reports

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

malicious
56/100

URLs

Name Detection
http://nuget.org/NuGet.exe
http://www.apache.org/licenses/LICENSE-2.0
http://constitution.org/usdeclar.txt
Click to see the 13 hidden entries
http://pesterbdd.com/images/Pester.png
http://www.apache.org/licenses/LICENSE-2.0.html
https://contoso.com/
https://nuget.org/nuget.exe
http://constitution.org/usdeclar.txtC:
https://contoso.com/License
https://contoso.com/Icon
https://oneget.orgX
http://https://file://USER.ID%lu.exe/upd
https://oneget.orgformat.ps1xmlagement.dll2040.missionsand
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
https://github.com/Pester/Pester
https://oneget.org

Dropped files

Name File Type Hashes Detection
C:\Users\user\AppData\Local\Temp\5z3xaygo\5z3xaygo.0.cs
UTF-8 Unicode (with BOM) text
#
C:\Users\user\AppData\Local\Temp\ad403csv\ad403csv.cmdline
UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
data
#
Click to see the 16 hidden entries
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
data
#
C:\Users\user\AppData\Local\Temp\5z3xaygo\5z3xaygo.cmdline
UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Temp\5z3xaygo\5z3xaygo.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Local\Temp\5z3xaygo\5z3xaygo.out
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
#
C:\Users\user\AppData\Local\Temp\5z3xaygo\CSC84083F42CE6043C2AA7FFF454285CD95.TMP
MSVC .res
#
C:\Users\user\AppData\Local\Temp\RESD522.tmp
Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x496, 9 symbols
#
C:\Users\user\AppData\Local\Temp\RESE4F1.tmp
Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x496, 9 symbols
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ebtshoty.hoc.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kc3e5p1v.f0a.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\ad403csv\CSCD6795C79BDE3450B9F7CAA8771DF83B.TMP
MSVC .res
#
C:\Users\user\AppData\Local\Temp\ad403csv\ad403csv.0.cs
UTF-8 Unicode (with BOM) text
#
C:\Users\user\AppData\Local\Temp\ad403csv\ad403csv.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Local\Temp\ad403csv\ad403csv.out
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)
data
#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X0LX71ESHNRJY9TJQYH1.temp
data
#
C:\Users\user\Documents\20211122\PowerShell_transcript.618321.JkieqDuu.20211122204245.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
#