Register Login

sloganpng

top title background image

TT_SWIFT_Export Order_noref S10SMG00318021.exe

Status: finished

Submission Time: 2021-11-25 17:29:11 +01:00

Malicious

Trojan

Evader

FormBook

Comments

Tags

Details

Analysis ID:
528704
API (Web) ID:
896226
Analysis Started:

2021-11-25 17:29:12 +01:00
Analysis Finished:

2021-11-25 17:40:29 +01:00
MD5:
fff91c58119d3cd7f68457e8565f7116
SHA1:
4201eb7214bd3658889739e4856412b8063e0405
SHA256:
f8c0d385ece89cd926b2c74680c036f9927414955e7ff4ed12b576470b8c1745
Technologies:

Engines
IOCs

Joe Sandbox

Engine	Download Report	Detection	Info
	Full Report Management Report IOC Report	malicious Score: 100	System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

malicious

Score: 10/28

malicious

IPs

IP	Country	Detection
23.227.38.74	Canada
156.226.250.165	Seychelles
209.17.116.163	United States
Click to see the 1 hidden entries
34.102.136.180	United States

Domains

Name	IP	Detection
www.oki-net.com	154.196.11.204
www.wamhsh.com	156.226.250.165
www.aarondecker.online	209.17.116.163
Click to see the 9 hidden entries
shops.myshopify.com	23.227.38.74
www.innovativepropsolutions.com	0.0.0.0
www.754711.com	0.0.0.0
www.pyjama-france.com	0.0.0.0
www.hpsaddlerock.com	0.0.0.0
www.elderlycareacademy.com	0.0.0.0
www.blueharepress.com	0.0.0.0
webredir.vip.gandi.net	217.70.184.50
hpsaddlerock.com	34.102.136.180

URLs

Name	Detection
http://www.pyjama-france.com/46uq/?j0=SFN8Rxuh3&3fQ0Khi=KgIlRYVH25tNYqbEG8kO4R44bHZw5lHi55V8k/E4GGeqoND16iqE+SGGf+ZfndkYvzRB
www.liberia-infos.net/46uq/
http://www.aarondecker.online/46uq/?j0=SFN8Rxuh3&3fQ0Khi=IBlQMs5j29CKqlv3/eZQ6Z47udTwmev2IX+bwOiN2E8lumQwhRgtDV6FzU7U1t+cHC/Y
Click to see the 14 hidden entries
http://www.wamhsh.com/46uq/?3fQ0Khi=Ue3PnYf+WtitO9Jkut75Ma3k2TKhCZznjjMu1kid5hA29ktIECD3KZ7svhzldzsG+GSp&j0=SFN8Rxuh3
https://shop.gandi.net/en
https://shop.gandi.net/en/domain/transfer
https://whois.gandi.net/en/results?search=elderlycareacademy.com
https://help.gandi.net/en
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
https://www.gandi.net/en/domain
http://www.hpsaddlerock.com/46uq/?3fQ0Khi=bs9J1aeGn7//rC5/XQ3RZfL5fo+K3BeziJUGIjAdanx1gP9H8FkBLk3VYXo90D5B+GRs&j0=SFN8Rxuh3
https://www.gandi.net/en/cloud
https://www.gandi.net/en/simple-hosting
https://www.gandi.net/en/security
https://news.gandi.net/en
https://shop.gandi.net/en/domain/suggest?search=elderlycareacademy.com&source=parking
https://www.gandi.net/en

Dropped files

Name	File Type	Hashes	Detection
C:\Users\user\AppData\Local\Temp\tmp3FD.tmp	XML 1.0 document, ASCII text	#
C:\Users\user\AppData\Roaming\AnsPejV.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	#
Click to see the 7 hidden entries
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0ic10stv.gry.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c3vwogde.4ck.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xt5nzkl2.tah.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ys5lr1qk.smh.psm1	very short file (no magic)	#
C:\Users\user\AppData\Roaming\AnsPejV.exe:Zone.Identifier	ASCII text, with CRLF line terminators	#
C:\Users\user\Documents\20211125\PowerShell_transcript.767668.c7I805VN.20211125173008.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20211125\PowerShell_transcript.767668.vc7f5t7q.20211125173011.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#