flash

anIV2qJeLD.exe

Status: finished
Submission Time: 23.11.2021 20:43:07
Malicious
E-Banking Trojan
Trojan
Spyware
Evader
Ursnif

Comments

Tags

  • exe
  • Gozi
  • ISFB

Details

  • Analysis ID:
    527473
  • API (Web) ID:
    894995
  • Analysis Started:
    23.11.2021 20:43:07
  • Analysis Finished:
    23.11.2021 20:59:06
  • MD5:
    20c0d2005c6a542fb9c20466775c6142
  • SHA1:
    aff311698bd06a0010c9be81dae43d9c37dd847d
  • SHA256:
    4c50ff0945136ff0f79eb75ee7d5c86025282ab519488f692ffc267873160bb6
  • Technologies:
Full Report Management Report IOC Report Engine Info Verdict Score Reports

malicious

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

malicious
100/100

IPs

IP Country Detection
89.44.9.140
Romania
209.202.254.90
United States
87.248.118.23
United Kingdom
Click to see the 3 hidden entries
87.248.100.216
United Kingdom
98.137.11.163
United States
212.82.100.140
United Kingdom

Domains

Name IP Detection
soderunovos.website
89.44.9.140
222.222.67.208.in-addr.arpa
0.0.0.0
resolver1.opendns.com
208.67.222.222
Click to see the 10 hidden entries
ds-ats.member.g02.yahoodns.net
212.82.100.140
yahoo.com
98.137.11.163
edge.gycpi.b.yahoodns.net
87.248.118.23
www.lycos.com
209.202.254.90
www.yahoo.com
0.0.0.0
mail.yahoo.com
0.0.0.0
login.yahoo.com
0.0.0.0
new-fp-shed.wg1.b.yahoo.com
87.248.100.216
myip.opendns.com
84.17.52.63
lycos.com
209.202.254.90

URLs

Name Detection
https://qoderunovos.website
https://soderunovos.website
https://yahoo.com/jdraw/nIBVSTLyPt3UY/F_2Fx2Hc/Bze1TT57OG4HBNl2UO4H2_2/F2x5eVeu_2/F0oEIMCthzpdl_2F0/g6yK5x4lAPBL/IfJhlJxCH88/kNEvL4B2xwbPkg/l6LFIMkoo7_2BSx2Zl9QD/sNqAlyxot9VgUnIt/tD2_2FQ67j1kKZ4/4sQxxRyc1y_2Bi_2BR/gsw9z5z81/v3w096aztXCXUnfe5Q/wc2.crw
Click to see the 27 hidden entries
https://lycos.com/images/wlxv_2B04cU0qSkXox0E_/2FRdAxwSrR7n9stT/V9STsgmzjlsKRuR/k88cceXoSMHxI9JKEG/45kqlQZXT/Mr7Wdg8zb1vn2mq8jDkV/H2DAND_2FnqHHWcq_2F/IeOH5ot4pdOxgKfYyICZxT/XW_2BP6OR8IO0/piM1H1fK/GtYRoB7eZyHQH7fMmFYyQPb/2pz334xIn2/3AcOddbNlYuj8sfqQ/BUUXSG7Qtg9l/hS6txj_2B7F/ursUfMjLLv8Lhz/4MuP37xbl/oYbmyDVP4/a6.jpeg
http://nuget.org/NuGet.exe
http://ns.adobe.co/xa
http://pesterbdd.com/images/Pester.png
http://www.apache.org/licenses/LICENSE-2.0.html
http://ns.adobp/
https://soderunovos.websitehttps://qoderunovos.website
http://constitution.org/usdeclar.txtC:
https://contoso.com/License
https://contoso.com/Icon
http://https://file://USER.ID%lu.exe/upd
http://ns.adobe.cmg
https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fnIBVSTLyPt3UY%2fF_2Fx2H
https://www.lycos.com/images/wlxv_2B04cU0qSkXox0E_/2FRdAxwSrR7n9stT/V9STsgmzjlsKRuR/k88cceXoSMHxI9JKEG/45kqlQZXT/Mr7Wdg8zb1vn2mq8jDkV/H2DAND_2FnqHHWcq_2F/IeOH5ot4pdOxgKfYyICZxT/XW_2BP6OR8IO0/piM1H1fK/GtYRoB7eZyHQH7fMmFYyQPb/2pz334xIn2/3AcOddbNlYuj8sfqQ/BUUXSG7Qtg9l/hS6txj_2B7F/ursUfMjLLv8Lhz/4MuP37xbl/oYbmyDVP4/a6.jpeg/
https://github.com/Pester/Pester
http://constitution.org/usdeclar.txt
https://contoso.com/
https://nuget.org/nuget.exe
https://www.lycos.com/images/wlxv_2B04cU0qSkXox0E_/2FRdAxwSrR7n9stT/V9STsgmzjlsKRuR/k88cceXoSMHxI9JKEG/45kqlQZXT/Mr7Wdg8zb1vn2mq8jDkV/H2DAND_2FnqHHWcq_2F/IeOH5ot4pdOxgKfYyICZxT/XW_2BP6OR8IO0/piM1H1fK/GtYRoB7eZyHQH7fMmFYyQPb/2pz334xIn2/3AcOddbNlYuj8sfqQ/BUUXSG7Qtg9l/hS6txj_2B7F/ursUfMjLLv8Lhz/4MuP37xbl/oYbmyDVP4/a6.jpeg
https://www.yahoo.com/jdraw/nIBVSTLyPt3UY/F_2Fx2Hc/Bze1TT57OG4HBNl2UO4H2_2/F2x5eVeu_2/F0oEIMCthzpdl_2F0/g6yK5x4lAPBL/IfJhlJxCH88/kNEvL4B2xwbPkg/l6LFIMkoo7_2BSx2Zl9QD/sNqAlyxot9VgUnIt/tD2_2FQ67j1kKZ4/4sQxxRyc1y_2Bi_2BR/gsw9z5z81/v3w096aztXCXUnfe5Q/wc2.crw
http://ns.adobe.ux
https://soderunovos.website/jdraw/f6g_2FiF4/BVB_2BmxiIV1nw_2B4cK/CEW08ItbFLwHO8UQuXN/_2BLf2lFUFBrC4suobQbOB/0fGYw2vRMdeDd/GloxsNvw/PasUyB_2F_2BHKhCo7UgE3u/2gjzOvnViA/3VWPE0psH7LTVPa7Y/AQrrT0oMv35d/Jg57ryhE8om/OJw5Ee8c4mGK6J/l0QzZoUYoPnAbKMV1LRii/_2FzkrD.crw
https://soderunovos.website/jdraw/F_2Fam6oH9/d5VYFYpsfuCm2K1vb/FQEZJonXTERW/XCyivBuN7WP/pkkBh6P8bwS7JA/_2BGKoxOOY8NFu9I7k4lJ/PQBFMF7GdwoWQQpH/fx_2BleSZS1DDTO/Af_2FwYYreElF2LILk/I1df5_2Fd/zVYWpMKEIfwVAwGc0tI5/Te_2FDbyN2KV7bbG5lt/D80197YRF38WxHFk/uqB4Yp.crw
http://ns.micro/1
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
https://policies.yahoo.com/w3c/p3p.xml
https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lang=en-US&device=desktop&yrid=4np

Dropped files

Name File Type Hashes Detection
C:\Users\user\AppData\Local\Temp\i3mkzvx5\i3mkzvx5.0.cs
UTF-8 Unicode (with BOM) text
#
C:\Users\user\AppData\Local\Temp\pqwen5zh\pqwen5zh.cmdline
UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\deprecated.cookie
ASCII text, with no line terminators
#
Click to see the 18 hidden entries
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
data
#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
data
#
C:\Users\user\AppData\Local\Temp\1B15.bi1
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\RESD669.tmp
Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
#
C:\Users\user\AppData\Local\Temp\RESF386.tmp
Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ffwdztah.pvw.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fvos14d3.p1v.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\i3mkzvx5\CSCB52324015C2F4AC8AC468C73504A2519.TMP
MSVC .res
#
C:\Users\user\AppData\Local\Temp\i3mkzvx5\i3mkzvx5.cmdline
UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Temp\i3mkzvx5\i3mkzvx5.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Local\Temp\i3mkzvx5\i3mkzvx5.out
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
#
C:\Users\user\AppData\Local\Temp\pqwen5zh\CSC508E00641FC7448693989664B7E60.TMP
MSVC .res
#
C:\Users\user\AppData\Local\Temp\pqwen5zh\pqwen5zh.0.cs
UTF-8 Unicode (with BOM) text
#
C:\Users\user\AppData\Local\Temp\pqwen5zh\pqwen5zh.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Local\Temp\pqwen5zh\pqwen5zh.out
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
#
C:\Users\user\AppData\Roaming\Microsoft\MarkClass
HTML document, ASCII text, with CRLF line terminators
#
C:\Users\user\Documents\20211123\PowerShell_transcript.621365.AV42ly4k.20211123204455.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
#
\Device\ConDrv
ASCII text, with CRLF, CR line terminators
#