flash

2GEg45PlG9.exe

Status: finished
Submission Time: 24.11.2021 20:08:19
Malicious
E-Banking Trojan
Trojan
Spyware
Evader
Ursnif

Comments

Tags

  • exe
  • Gozi

Details

  • Analysis ID:
    528165
  • API (Web) ID:
    895685
  • Analysis Started:
    24.11.2021 20:19:07
  • Analysis Finished:
    24.11.2021 20:35:02
  • MD5:
    f100bcf4531fa33e2dd85c321e40abff
  • SHA1:
    0599268c78900d3f791b55f3e65401239f5b4309
  • SHA256:
    1effa020a0b9aba59323d36d4c8680fa1bcd34f95e5b223b315053c08f4fb349
  • Technologies:
Full Report Management Report IOC Report Engine Info Verdict Score Reports

malicious

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

malicious
100/100

malicious
24/45

IPs

IP Country Detection
89.45.4.117
Romania
209.202.254.90
United States
87.248.118.23
United Kingdom
Click to see the 3 hidden entries
87.248.100.215
United Kingdom
98.137.11.164
United States
212.82.100.140
United Kingdom

Domains

Name IP Detection
doreuneruy.store
89.45.4.117
222.222.67.208.in-addr.arpa
0.0.0.0
new-fp-shed.wg1.b.yahoo.com
87.248.100.215
Click to see the 10 hidden entries
myip.opendns.com
84.17.52.63
lycos.com
209.202.254.90
resolver1.opendns.com
208.67.222.222
ds-ats.member.g02.yahoodns.net
212.82.100.140
yahoo.com
98.137.11.164
edge.gycpi.b.yahoodns.net
87.248.118.23
www.lycos.com
209.202.254.90
www.yahoo.com
0.0.0.0
mail.yahoo.com
0.0.0.0
login.yahoo.com
0.0.0.0

URLs

Name Detection
https://doreuneruy.store
https://qorunegolu.club
http://nuget.org/NuGet.exe
Click to see the 35 hidden entries
https://doreuneruy.store/jdraw/3UXHIycRk8M6aa2qOlHTdp/8jPuZVV_2B0Th/06YoiQaE/_2FatRxjXAnjx3AlxRhb2k2
http://pesterbdd.com/images/Pester.png
http://www.apache.org/licenses/LICENSE-2.0.html
https://www.yahoo.com/b
http://ns.adobp/
https://doreuneruy.store/u
https://doreuneruy.store/jdraw/3UXHIycRk8M6aa2qOlHTdp/8jPuZVV_2B0Th/06YoiQaE/_2FatRxjXAnjx3AlxRhb2k2/1D4WV7ZMym/m2C_2FFYEC_2FU7Yk/i_2BPnwgmBF0/IPzTLMeRUBV/cxcHi5I_2FpZBi/N1gpoZwjss03S_2Fbnr3z/jVvgtIBwhuwnmbuC/0OORMWqE7PIEiI9/PgDQNnYSyBZIKuFwau/KOHqRL.crw
http://constitution.org/usdeclar.txtC:
https://contoso.com/License
https://contoso.com/Icon
http://https://file://USER.ID%lu.exe/upd
https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lang=en-US&device=desktop&yrid=4d9
https://doreuneruy.storehttps://qorunegolu.club
https://doreuneruy.store/
http://ns.adobe.uxB
https://www.yahoo.com/
https://github.com/Pester/Pester
https://www.yahoo.com/M
https://doreuneruy.store/mE
https://www.lycos.com/images/ppqRJQCldf/y0aRV5ltpZLhF1Y6u/5E2P5n72GVgs/ZRfgQ7qOCw_/2FDj_2BPVh3CIG/ApimckfoZh3aFZlq1LHS9/dS4GzS9wFh0ghVyH/li9W0GkYIKxTCnu/icYaVVs6u_2FJWtYks/uKm30YMYG/4F3z2kj2C5Znei1zf20Z/n8ahvXXU8Rrtq8huPKA/o6zOJ_2B2aKD2SM1OlCsYY/7rAThTJULy_2F/_2FrljP6/t_2Bt0F8DR7W_2FSEdEgZ_2/FgV1waOmII/rFQv_2F9vOq/YOnsMkl.jpeg/
http://ns.adobe.cmgbbn
https://doreuneruy.store/jdraw/eKaIOMBSk5/OmJgUmRZLr75WvgmQ/lCAAoG2FlxCw/NYzS1o_2BFi/Ieqx_2FKcvuYNo/7IkLYskhOhbfPZpn3msj_/2BR_2Fhl7PSteeC_/2Fx6wkm1gCCOSzv/ojOhT7mIu1zV1InOuI/v0PzrfJti/Vp_2B_2FXz6Vw_2B8AOy/f6kLklWb2UbpPJ8knZc/CNedLE3nD8G6LBOjysaOgx/q1vP.crw
https://www.lycos.com/images/ppqRJQCldf/y0aRV5ltpZLhF1Y6u/5E2P5n72GVgs/ZRfgQ7qOCw_/2FDj_2BPVh3CIG/ApimckfoZh3aFZlq1LHS9/dS4GzS9wFh0ghVyH/li9W0GkYIKxTCnu/icYaVVs6u_2FJWtYks/uKm30YMYG/4F3z2kj2C5Znei1zf20Z/n8ahvXXU8Rrtq8huPKA/o6zOJ_2B2aKD2SM1OlCsYY/7rAThTJULy_2F/_2FrljP6/t_2Bt0F8DR7W_2FSEdEgZ_2/FgV1waOmII/rFQv_2F9vOq/YOnsMkl.jpeg
http://constitution.org/usdeclar.txt
https://lycos.com/images/ppqRJQCldf/y0aRV5ltpZLhF1Y6u/5E2P5n72GVgs/ZRfgQ7qOCw_/2FDj_2BPVh3CIG/ApimckfoZh3aFZlq1LHS9/dS4GzS9wFh0ghVyH/li9W0GkYIKxTCnu/icYaVVs6u_2FJWtYks/uKm30YMYG/4F3z2kj2C5Znei1zf20Z/n8ahvXXU8Rrtq8huPKA/o6zOJ_2B2aKD2SM1OlCsYY/7rAThTJULy_2F/_2FrljP6/t_2Bt0F8DR7W_2FSEdEgZ_2/FgV1waOmII/rFQv_2F9vOq/YOnsMkl.jpeg
http://twitter.com/spotifySSOR_
https://contoso.com/
https://nuget.org/nuget.exe
https://www.yahoo.com/jdraw/Pzj8ZAf1ocor/vwsK7U9HF_2/BSjjGESBX8ncCP/rsp24bDI0WxsD9fAtnq85/rAH52N6aYS
https://www.yahoo.com/F
https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fPzj8ZAf1ocor%2fvwsK7U9H
https://doreuneruy.store/jdraw/9h3_2FCmvCPAOiqfbbwOZ/EDyF0nUwfnz0i_2B/zRdR8YVxUZKNNmY/vh0mWq_2BHQORAUjil/Wy1ZX7xjv/qL7UjzfbaMRckwwpBr7M/ZU4TPOLT0IGmp_2FqN5/9mRjeYDMBNc5x7HMWXCA4m/OQS9XBJVBHWu0/pJXVZOQ3/aoSVwCoLr8yuRXdSOyZXUNC/Ax4ZOlmgeU/J19Mkd.crw
http://ns.micro/1
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
https://policies.yahoo.com/w3c/p3p.xml

Dropped files

Name File Type Hashes Detection
C:\Users\user\AppData\Local\Temp\a4dqpwui.cmdline
UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
data
#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
data
#
Click to see the 19 hidden entries
C:\Users\user\AppData\Local\Temp\A402.bi1
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\CSC8C8ABE1FEF4C478388BEE18242C93FA2.TMP
MSVC .res
#
C:\Users\user\AppData\Local\Temp\CSCB9FFCE128DE8401581818FC38CDBD6E1.TMP
MSVC .res
#
C:\Users\user\AppData\Local\Temp\RESBB1D.tmp
Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols
#
C:\Users\user\AppData\Local\Temp\RESE1B0.tmp
Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qgbbr5eh.4nx.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_so4yl5bd.pgt.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\a4dqpwui.0.cs
UTF-8 Unicode (with BOM) text
#
C:\Users\user\AppData\Local\Temp\a4dqpwui.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Local\Temp\a4dqpwui.out
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
#
C:\Users\user\AppData\Local\Temp\i3kd1hp5.0.cs
UTF-8 Unicode (with BOM) text
#
C:\Users\user\AppData\Local\Temp\i3kd1hp5.cmdline
UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Temp\i3kd1hp5.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Local\Temp\i3kd1hp5.out
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
#
C:\Users\user\AppData\Roaming\Microsoft\MarkClass
HTML document, ASCII text, with CRLF line terminators
#
C:\Users\user\Documents\20211124\PowerShell_transcript.210979.70ejDSqS.20211124202106.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
#
C:\Users\user\TestLocal.ps1
ASCII text, with no line terminators
#
C:\Users\user\WhiteBook.lnk
MS Windows shortcut, Item id list present, Has Relative path, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hidenormalshowminimized
#
\Device\ConDrv
ASCII text, with CRLF, CR line terminators
#