3nkW4MtwSD.rtf

Status: finished
Submission Time: 25.11.2021 17:23:10
Malicious
Trojan
Exploiter
Evader
FormBook

Tags

  • rtf

Details

  • Analysis ID:
    528701
  • API (Web) ID:
    896223
  • Analysis Started:
    25.11.2021 17:23:10
  • Analysis Finished:
    25.11.2021 17:34:48
  • MD5:
    5aad2b6635b3069402aaf6ff389bea64
  • SHA1:
    a8617ddffd6c934fcf3f64c6e84b1a23ffa9d092
  • SHA256:
    718dcc870c0de487595feed4e5e43dc70fba6fa2aaac15462c0ba5c20028e7bd
  • Technologies:
Verdict: malicious

System: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)

Verdict: malicious
Score: 100/100

Verdict: malicious
Score: 32/57

Verdict: malicious

IPs

IP (Country)

  • 198.46.199.153 (United States)
  • 34.102.136.180 (United States)

Domains

Name (IP)

  • troddu.com (162.240.31.112)
  • www.troddu.com (0.0.0.0)
  • www.cuteprofessionalscrubs.com (0.0.0.0)
  • www.mountfrenchlodge.net (0.0.0.0)
  • cuteprofessionalscrubs.com (34.102.136.180)
  • mountfrenchlodge.net (34.102.136.180)

URLs

Name

  • http://198.46.199.153/70007/vbc.exe
  • www.cuteprofessionalscrubs.com/9gr5/
  • http://windowsmedia.com/redir/services.asp?WMPFriendly=true

Dropped files

Name (File Type)

  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{85338F29-7DEE-45E7-AE54-3AA1C7FBE740}.tmp
    Composite Document File V2 Document, Cannot read section info
  • C:\Users\Public\vbc.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{105A16FA-9724-40E9-B86D-EF139A6795E6}.tmp
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B3E201F6-E172-4FB7-8EA2-C5E78A0177C3}.tmp
    data
  • C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\3nkW4MtwSD.LNK
    MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Nov 26 00:24:08 2021, mtime=Fri Nov 26 00:24:08 2021, atime=Fri Nov 26 00:24:12 2021, length=22268, window=hide
  • C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
    data
  • C:\Users\user\Desktop\~$kW4MtwSD.rtf
    data