
TT_SWIFT_Export Order_noref S10SMG00318021.exe

Status: finished
Submission Time: 25.11.2021 17:29:11
Classification: Malicious, Trojan, Evader, FormBook

Tags

  • exe
  • Formbook

Details

  • Analysis ID:
    528704
  • API (Web) ID:
    896226
  • Analysis Started:
    25.11.2021 17:29:12
  • Analysis Finished:
    25.11.2021 17:40:29
  • MD5:
    fff91c58119d3cd7f68457e8565f7116
  • SHA1:
    4201eb7214bd3658889739e4856412b8063e0405
  • SHA256:
    f8c0d385ece89cd926b2c74680c036f9927414955e7ff4ed12b576470b8c1745
  • Technologies:

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

Verdicts: malicious (100/100), malicious (10/28), malicious

IPs

  • 23.227.38.74 (Canada)
  • 156.226.250.165 (Seychelles)
  • 209.17.116.163 (United States)
  • 34.102.136.180 (United States)

Domains


URLs


Dropped files

  • C:\Users\user\AppData\Local\Temp\tmp3FD.tmp (XML 1.0 document, ASCII text)
  • C:\Users\user\AppData\Roaming\AnsPejV.exe (PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows)
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (data)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0ic10stv.gry.ps1 (very short file (no magic))
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c3vwogde.4ck.ps1 (very short file (no magic))
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xt5nzkl2.tah.psm1 (very short file (no magic))
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ys5lr1qk.smh.psm1 (very short file (no magic))
  • C:\Users\user\AppData\Roaming\AnsPejV.exe:Zone.Identifier (ASCII text, with CRLF line terminators)
  • C:\Users\user\Documents\20211125\PowerShell_transcript.767668.c7I805VN.20211125173008.txt (UTF-8 Unicode (with BOM) text, with CRLF line terminators)
  • C:\Users\user\Documents\20211125\PowerShell_transcript.767668.vc7f5t7q.20211125173011.txt (UTF-8 Unicode (with BOM) text, with CRLF line terminators)