
DETAILS.vbs

Status: finished
Submission Time: 25.11.2021 11:23:34
Classification: Malicious, Trojan, Spyware, Evader, GuLoader

Details

  • Analysis ID:
    528495
  • API (Web) ID:
    896019
  • Analysis Started:
    25.11.2021 11:23:35
  • Analysis Finished:
    25.11.2021 11:40:39
  • MD5:
    6ece5dd9df7e2a34f492adc0c6184d81
  • SHA1:
    f205057a0d17fab518a137e266335883a581289b
  • SHA256:
    fc344554030bfb7f2ca7c79e99a5006f740c3c9f210dc38757c53537c9692f5e
  • Technologies:

System: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)

Verdict: malicious (score 100/100)

IPs

  • 103.167.84.150 (country: unknown)
  • 193.104.197.85 (country: unknown)

Domains

  • septnet.duckdns.org (resolves to 193.104.197.85)

URLs


Dropped files

Name and file type:

  • C:\Users\user\AppData\Local\Temp\mla4kvb3.cmdline
    UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tbzy0giw.xe5.ps1
    ASCII text, with no line terminators
  • C:\Users\user\AppData\Local\Temp\mla4kvb3.0.cs
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\mla4kvb3.dll
    PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\mla4kvb3.out
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
  • C:\Users\user\AppData\Local\Temp\uotckr0j.0.cs
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\uotckr0j.cmdline
    UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
  • C:\Users\user\AppData\Local\Temp\uotckr0j.dll
    PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\uotckr0j.out
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
  • C:\Users\user\AppData\Local\Temp\vybs2gqu.0.cs
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\vybs2gqu.cmdline
    UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
  • C:\Users\user\AppData\Local\Temp\vybs2gqu.dll
    PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\vybs2gqu.out
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CPE4ML5E19SATFFMY0CN.temp
    data
  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T8MESU3T7X76FA8UZPP9.temp
    data
  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (copy)
    data
  • C:\Users\user\Documents\20211125\PowerShell_transcript.216041.5JIK3KS8.20211125112652.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\Documents\20211125\PowerShell_transcript.216041.AXD9vgjE.20211125112655.txt
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
  • C:\Users\user\Documents\20211125\PowerShell_transcript.216041.VY6BGjMK.20211125112645.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\Documents\20211125\PowerShell_transcript.216041.V_8beKi2.20211125112712.txt
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
  • C:\Users\user\Documents\20211125\PowerShell_transcript.216041.jxZRzE3K.20211125112537.txt
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    data
  • C:\Users\user\AppData\Local\Temp\CSC3851A02150B343D6B4C9C6BEA8107533.TMP
    MSVC .res
  • C:\Users\user\AppData\Local\Temp\CSC77023F4354E6477E97855CB603CA0.TMP
    MSVC .res
  • C:\Users\user\AppData\Local\Temp\CSC9CB81DB86B7E400B9F74BAF89293FF3.TMP
    MSVC .res
  • C:\Users\user\AppData\Local\Temp\Depopulato2.dat
    data
  • C:\Users\user\AppData\Local\Temp\RES34E6.tmp
    Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x496, 9 symbols
  • C:\Users\user\AppData\Local\Temp\RES728B.tmp
    Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x496, 9 symbols
  • C:\Users\user\AppData\Local\Temp\RESD18D.tmp
    Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x486, 9 symbols
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0ziegzhu.r2z.psm1
    ASCII text, with no line terminators
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2xwfdi1y.d45.psm1
    ASCII text, with no line terminators
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i0z3ml3q.bjh.psm1
    ASCII text, with no line terminators
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ii1ag2th.hcn.psm1
    ASCII text, with no line terminators
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j2nymaw1.wkd.ps1
    ASCII text, with no line terminators
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lmlvvt2e.lbt.ps1
    ASCII text, with no line terminators
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mwqfouut.cdz.psm1
    ASCII text, with no line terminators
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pwszr1gg.pp5.ps1
    ASCII text, with no line terminators
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t3yige21.53a.ps1
    ASCII text, with no line terminators