2GEg45PlG9.exe

Status: finished
Submission Time: 2021-11-24 20:08:19 +01:00
Malicious
E-Banking Trojan
Trojan
Spyware
Evader
Ursnif

Tags

  • exe
  • Gozi

Details

  • Analysis ID:
    528165
  • API (Web) ID:
    895685
  • Analysis Started:
    2021-11-24 20:19:07 +01:00
  • Analysis Finished:
    2021-11-24 20:35:02 +01:00
  • MD5:
    f100bcf4531fa33e2dd85c321e40abff
  • SHA1:
    0599268c78900d3f791b55f3e65401239f5b4309
  • SHA256:
    1effa020a0b9aba59323d36d4c8680fa1bcd34f95e5b223b315053c08f4fb349
  • Technologies:

Joe Sandbox

Detection: malicious
Score: 100
System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

malicious
Score: 24/45

IPs


Domains


URLs


Dropped files

Name and file type of each dropped file:

  • C:\Users\user\AppData\Local\Temp\a4dqpwui.cmdline
    UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
  • C:\Users\user\AppData\Local\Temp\a4dqpwui.dll
    PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
  • \Device\ConDrv
    ASCII text, with CRLF, CR line terminators
  • C:\Users\user\WhiteBook.lnk
    MS Windows shortcut, Item id list present, Has Relative path, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hidenormalshowminimized
  • C:\Users\user\TestLocal.ps1
    ASCII text, with no line terminators
  • C:\Users\user\Documents\20211124\PowerShell_transcript.210979.70ejDSqS.20211124202106.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\AppData\Roaming\Microsoft\MarkClass
    HTML document, ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\i3kd1hp5.out
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
  • C:\Users\user\AppData\Local\Temp\i3kd1hp5.dll
    PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\i3kd1hp5.cmdline
    UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
  • C:\Users\user\AppData\Local\Temp\i3kd1hp5.0.cs
    UTF-8 Unicode (with BOM) text
  • C:\Users\user\AppData\Local\Temp\a4dqpwui.out
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    data
  • C:\Users\user\AppData\Local\Temp\a4dqpwui.0.cs
    UTF-8 Unicode (with BOM) text
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_so4yl5bd.pgt.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qgbbr5eh.4nx.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\RESE1B0.tmp
    Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols
  • C:\Users\user\AppData\Local\Temp\RESBB1D.tmp
    Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols
  • C:\Users\user\AppData\Local\Temp\CSCB9FFCE128DE8401581818FC38CDBD6E1.TMP
    MSVC .res
  • C:\Users\user\AppData\Local\Temp\CSC8C8ABE1FEF4C478388BEE18242C93FA2.TMP
    MSVC .res
  • C:\Users\user\AppData\Local\Temp\A402.bi1
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    data