
anIV2qJeLD.exe

Status: finished
Submission Time: 2021-11-23 20:43:07 +01:00
Verdict: Malicious
Classification: E-Banking Trojan, Trojan, Spyware, Evader
Family: Ursnif

Tags

  • exe
  • Gozi
  • ISFB

Details

  • Analysis ID:
    527473
  • API (Web) ID:
    894995
  • Analysis Started:
    2021-11-23 20:43:07 +01:00
  • Analysis Finished:
    2021-11-23 20:59:06 +01:00
  • MD5:
    20c0d2005c6a542fb9c20466775c6142
  • SHA1:
    aff311698bd06a0010c9be81dae43d9c37dd847d
  • SHA256:
    4c50ff0945136ff0f79eb75ee7d5c86025282ab519488f692ffc267873160bb6
  • Technologies:

Engine: Joe Sandbox
Detection: malicious
Score: 100
System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

IPs

IP               Country          Detection
89.44.9.140      Romania
209.202.254.90   United States
87.248.118.23    United Kingdom
87.248.100.216   United Kingdom
98.137.11.163    United States
212.82.100.140   United Kingdom

Domains

Name                             IP               Detection
soderunovos.website              89.44.9.140
222.222.67.208.in-addr.arpa      0.0.0.0
new-fp-shed.wg1.b.yahoo.com      87.248.100.216
myip.opendns.com                 84.17.52.63
lycos.com                        209.202.254.90
resolver1.opendns.com            208.67.222.222
ds-ats.member.g02.yahoodns.net   212.82.100.140
yahoo.com                        98.137.11.163
edge.gycpi.b.yahoodns.net        87.248.118.23
www.lycos.com                    209.202.254.90
www.yahoo.com                    0.0.0.0
mail.yahoo.com                   0.0.0.0
login.yahoo.com                  0.0.0.0

URLs

Name Detection
https://soderunovos.website
https://qoderunovos.website
https://www.lycos.com/images/wlxv_2B04cU0qSkXox0E_/2FRdAxwSrR7n9stT/V9STsgmzjlsKRuR/k88cceXoSMHxI9JKEG/45kqlQZXT/Mr7Wdg8zb1vn2mq8jDkV/H2DAND_2FnqHHWcq_2F/IeOH5ot4pdOxgKfYyICZxT/XW_2BP6OR8IO0/piM1H1fK/GtYRoB7eZyHQH7fMmFYyQPb/2pz334xIn2/3AcOddbNlYuj8sfqQ/BUUXSG7Qtg9l/hS6txj_2B7F/ursUfMjLLv8Lhz/4MuP37xbl/oYbmyDVP4/a6.jpeg/
https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lang=en-US&device=desktop&yrid=4np
https://policies.yahoo.com/w3c/p3p.xml
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://ns.micro/1
https://soderunovos.website/jdraw/F_2Fam6oH9/d5VYFYpsfuCm2K1vb/FQEZJonXTERW/XCyivBuN7WP/pkkBh6P8bwS7JA/_2BGKoxOOY8NFu9I7k4lJ/PQBFMF7GdwoWQQpH/fx_2BleSZS1DDTO/Af_2FwYYreElF2LILk/I1df5_2Fd/zVYWpMKEIfwVAwGc0tI5/Te_2FDbyN2KV7bbG5lt/D80197YRF38WxHFk/uqB4Yp.crw
https://soderunovos.website/jdraw/f6g_2FiF4/BVB_2BmxiIV1nw_2B4cK/CEW08ItbFLwHO8UQuXN/_2BLf2lFUFBrC4suobQbOB/0fGYw2vRMdeDd/GloxsNvw/PasUyB_2F_2BHKhCo7UgE3u/2gjzOvnViA/3VWPE0psH7LTVPa7Y/AQrrT0oMv35d/Jg57ryhE8om/OJw5Ee8c4mGK6J/l0QzZoUYoPnAbKMV1LRii/_2FzkrD.crw
http://ns.adobe.ux
https://www.yahoo.com/jdraw/nIBVSTLyPt3UY/F_2Fx2Hc/Bze1TT57OG4HBNl2UO4H2_2/F2x5eVeu_2/F0oEIMCthzpdl_2F0/g6yK5x4lAPBL/IfJhlJxCH88/kNEvL4B2xwbPkg/l6LFIMkoo7_2BSx2Zl9QD/sNqAlyxot9VgUnIt/tD2_2FQ67j1kKZ4/4sQxxRyc1y_2Bi_2BR/gsw9z5z81/v3w096aztXCXUnfe5Q/wc2.crw
https://www.lycos.com/images/wlxv_2B04cU0qSkXox0E_/2FRdAxwSrR7n9stT/V9STsgmzjlsKRuR/k88cceXoSMHxI9JKEG/45kqlQZXT/Mr7Wdg8zb1vn2mq8jDkV/H2DAND_2FnqHHWcq_2F/IeOH5ot4pdOxgKfYyICZxT/XW_2BP6OR8IO0/piM1H1fK/GtYRoB7eZyHQH7fMmFYyQPb/2pz334xIn2/3AcOddbNlYuj8sfqQ/BUUXSG7Qtg9l/hS6txj_2B7F/ursUfMjLLv8Lhz/4MuP37xbl/oYbmyDVP4/a6.jpeg
https://nuget.org/nuget.exe
https://contoso.com/
http://constitution.org/usdeclar.txt
https://github.com/Pester/Pester
https://yahoo.com/jdraw/nIBVSTLyPt3UY/F_2Fx2Hc/Bze1TT57OG4HBNl2UO4H2_2/F2x5eVeu_2/F0oEIMCthzpdl_2F0/g6yK5x4lAPBL/IfJhlJxCH88/kNEvL4B2xwbPkg/l6LFIMkoo7_2BSx2Zl9QD/sNqAlyxot9VgUnIt/tD2_2FQ67j1kKZ4/4sQxxRyc1y_2Bi_2BR/gsw9z5z81/v3w096aztXCXUnfe5Q/wc2.crw
https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fnIBVSTLyPt3UY%2fF_2Fx2H
http://ns.adobe.cmg
http://https://file://USER.ID%lu.exe/upd
https://contoso.com/Icon
https://contoso.com/License
http://constitution.org/usdeclar.txtC:
https://soderunovos.websitehttps://qoderunovos.website
http://ns.adobp/
http://www.apache.org/licenses/LICENSE-2.0.html
http://pesterbdd.com/images/Pester.png
http://ns.adobe.co/xa
http://nuget.org/NuGet.exe
https://lycos.com/images/wlxv_2B04cU0qSkXox0E_/2FRdAxwSrR7n9stT/V9STsgmzjlsKRuR/k88cceXoSMHxI9JKEG/45kqlQZXT/Mr7Wdg8zb1vn2mq8jDkV/H2DAND_2FnqHHWcq_2F/IeOH5ot4pdOxgKfYyICZxT/XW_2BP6OR8IO0/piM1H1fK/GtYRoB7eZyHQH7fMmFYyQPb/2pz334xIn2/3AcOddbNlYuj8sfqQ/BUUXSG7Qtg9l/hS6txj_2B7F/ursUfMjLLv8Lhz/4MuP37xbl/oYbmyDVP4/a6.jpeg

Dropped files

Name / File Type

C:\Users\user\AppData\Local\Temp\pqwen5zh\pqwen5zh.cmdline
    UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
C:\Users\user\AppData\Local\Temp\i3mkzvx5\i3mkzvx5.0.cs
    UTF-8 Unicode (with BOM) text
C:\Users\user\AppData\Local\Temp\i3mkzvx5\i3mkzvx5.cmdline
    UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
\Device\ConDrv
    ASCII text, with CRLF, CR line terminators
C:\Users\user\Documents\20211123\PowerShell_transcript.621365.AV42ly4k.20211123204455.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
C:\Users\user\AppData\Roaming\Microsoft\MarkClass
    HTML document, ASCII text, with CRLF line terminators
C:\Users\user\AppData\Local\Temp\pqwen5zh\pqwen5zh.out
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
C:\Users\user\AppData\Local\Temp\pqwen5zh\pqwen5zh.dll
    PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Local\Temp\pqwen5zh\pqwen5zh.0.cs
    UTF-8 Unicode (with BOM) text
C:\Users\user\AppData\Local\Temp\pqwen5zh\CSC508E00641FC7448693989664B7E60.TMP
    MSVC .res
C:\Users\user\AppData\Local\Temp\i3mkzvx5\i3mkzvx5.out
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
C:\Users\user\AppData\Local\Temp\i3mkzvx5\i3mkzvx5.dll
    PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\deprecated.cookie
    ASCII text, with no line terminators
C:\Users\user\AppData\Local\Temp\i3mkzvx5\CSCB52324015C2F4AC8AC468C73504A2519.TMP
    MSVC .res
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fvos14d3.p1v.ps1
    very short file (no magic)
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ffwdztah.pvw.psm1
    very short file (no magic)
C:\Users\user\AppData\Local\Temp\RESF386.tmp
    Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
C:\Users\user\AppData\Local\Temp\RESD669.tmp
    Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
C:\Users\user\AppData\Local\Temp\1B15.bi1
    ASCII text, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    data
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    data
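Two things in the tables above are worth turning into repeatable checks rather than eyeballing: the URL list, where the same long slash-broken path shape appears on soderunovos.website and on the decoy hosts lycos.com and yahoo.com, and the dropped-file list, where the pqwen5zh and i3mkzvx5 directories under %TEMP% hold the .cmdline / .0.cs / .dll / .out set that the .NET CodeDOM compiler writes when PowerShell's Add-Type compiles C# on the fly. The script below is an added example, not part of the Joe Sandbox report or of the Joe Sandbox product. It assumes the documented ISFB/Gozi request convention (base64 with '+', '/' and '=' replaced by '_2B', '_2F' and '_2D', slashes inserted into the string, and a decoy extension); the thresholds (minimum segment count and length) and the 8-character stem rule are the author's own tuning assumptions. The sample inputs are constructed from the tables on this page.

```python
"""Triage helpers for the IOC tables in this Joe Sandbox report (added example).

1. looks_like_isfb_beacon(): flags URL paths with the ISFB/Gozi request shape
   (many alphanumeric segments, '_2B'/'_2F'/'_2D' base64 substitutions, decoy
   extension). Segment/length thresholds are assumptions, not a vendor signature.
2. add_type_compile_groups(): groups <stem>\\<stem>.{cmdline,0.cs,out,dll}
   under %TEMP%, the artifacts of a PowerShell Add-Type (CodeDOM) compile run.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# ISFB writes '_2B', '_2F' and '_2D' where base64 would have '+', '/' and '='.
ISFB_TOKEN = re.compile(r"_2[BFD]")
ALNUM_SEG = re.compile(r"^[A-Za-z0-9_]+$")


def looks_like_isfb_beacon(url, min_segments=6, min_len=120):
    """True if the URL path has the ISFB request shape described in the docstring."""
    segs = [s for s in urlsplit(url).path.split("/") if s]
    if len(segs) < min_segments:
        return False
    stem, dot, ext = segs[-1].rpartition(".")
    if not dot or not (1 <= len(ext) <= 4) or not ext.isalnum():
        return False  # no short decoy extension such as .crw or .jpeg
    body = segs[:-1] + [stem]
    if not all(ALNUM_SEG.match(s) for s in body):
        return False
    blob = "".join(body)  # undo the slashes ISFB inserts at random positions
    return len(blob) >= min_len and ISFB_TOKEN.search(blob) is not None


def beacon_hosts(urls):
    """Count flagged URLs per host; decoy hosts show up next to the real C2."""
    counts = defaultdict(int)
    for u in urls:
        if looks_like_isfb_beacon(u):
            counts[urlsplit(u).hostname] += 1
    return dict(counts)


# ...\Temp\<stem>\<stem>.cmdline / .0.cs / .out / .dll (8-char stem is an assumption)
ADD_TYPE_ARTIFACT = re.compile(
    r"\\Temp\\(?P<stem>[a-z0-9]{8})\\(?P=stem)\.(?P<ext>cmdline|0\.cs|out|dll)$",
    re.IGNORECASE,
)


def add_type_compile_groups(paths):
    """Map each compile-run stem to the set of artifact extensions seen for it."""
    groups = defaultdict(set)
    for p in paths:
        m = ADD_TYPE_ARTIFACT.search(p)
        if m:
            groups[m.group("stem").lower()].add(m.group("ext").lower())
    return dict(groups)


# Constructed sample input: a subset of the URL table on this page.
SAMPLE_URLS = [
    "https://soderunovos.website",
    "https://soderunovos.website/jdraw/F_2Fam6oH9/d5VYFYpsfuCm2K1vb/FQEZJonXTERW/XCyivBuN7WP/pkkBh6P8bwS7JA/_2BGKoxOOY8NFu9I7k4lJ/PQBFMF7GdwoWQQpH/fx_2BleSZS1DDTO/Af_2FwYYreElF2LILk/I1df5_2Fd/zVYWpMKEIfwVAwGc0tI5/Te_2FDbyN2KV7bbG5lt/D80197YRF38WxHFk/uqB4Yp.crw",
    "https://www.lycos.com/images/wlxv_2B04cU0qSkXox0E_/2FRdAxwSrR7n9stT/V9STsgmzjlsKRuR/k88cceXoSMHxI9JKEG/45kqlQZXT/Mr7Wdg8zb1vn2mq8jDkV/H2DAND_2FnqHHWcq_2F/IeOH5ot4pdOxgKfYyICZxT/XW_2BP6OR8IO0/piM1H1fK/GtYRoB7eZyHQH7fMmFYyQPb/2pz334xIn2/3AcOddbNlYuj8sfqQ/BUUXSG7Qtg9l/hS6txj_2B7F/ursUfMjLLv8Lhz/4MuP37xbl/oYbmyDVP4/a6.jpeg",
    "https://www.yahoo.com/jdraw/nIBVSTLyPt3UY/F_2Fx2Hc/Bze1TT57OG4HBNl2UO4H2_2/F2x5eVeu_2/F0oEIMCthzpdl_2F0/g6yK5x4lAPBL/IfJhlJxCH88/kNEvL4B2xwbPkg/l6LFIMkoo7_2BSx2Zl9QD/sNqAlyxot9VgUnIt/tD2_2FQ67j1kKZ4/4sQxxRyc1y_2Bi_2BR/gsw9z5z81/v3w096aztXCXUnfe5Q/wc2.crw",
    "https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fnIBVSTLyPt3UY%2fF_2Fx2H",
    "https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lang=en-US&device=desktop&yrid=4np",
    "https://github.com/Pester/Pester",
    "http://pesterbdd.com/images/Pester.png",
]

# Constructed sample input: a subset of the dropped-file table on this page.
SAMPLE_PATHS = [
    r"C:\Users\user\AppData\Local\Temp\pqwen5zh\pqwen5zh.cmdline",
    r"C:\Users\user\AppData\Local\Temp\pqwen5zh\pqwen5zh.0.cs",
    r"C:\Users\user\AppData\Local\Temp\pqwen5zh\pqwen5zh.dll",
    r"C:\Users\user\AppData\Local\Temp\i3mkzvx5\i3mkzvx5.0.cs",
    r"C:\Users\user\AppData\Local\Temp\i3mkzvx5\i3mkzvx5.cmdline",
    r"C:\Users\user\AppData\Local\Temp\RESF386.tmp",
    r"C:\Users\user\AppData\Roaming\Microsoft\MarkClass",
]

if __name__ == "__main__":
    for host, n in sorted(beacon_hosts(SAMPLE_URLS).items()):
        print(f"{host}: {n} ISFB-shaped request(s)")
    for stem, exts in sorted(add_type_compile_groups(SAMPLE_PATHS).items()):
        print(f"Add-Type compile run {stem}: {sorted(exts)}")
```

Run as-is, the URL check flags one request each on soderunovos.website, www.lycos.com and www.yahoo.com while leaving the bare domain, the yahoo 404 redirect and the Pester/NuGet strings alone, which is the split a practitioner wants: the beacon shape identifies the traffic, the host that also resolves to an otherwise unknown IP (89.44.9.140 here) identifies the C2, and the well-known hosts carrying the same shape are decoys. The file check reconstructs two compile runs from the Temp paths, which is the evidence that the PowerShell stage used Add-Type; on a live host, feed it the FileCreate events for csc.exe and cvtres.exe instead of this list.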