Joe Sandbox Cloud Basic

Want to search on specific fields?


Try our:

Advanced Search

Want to search in depth on all Cloud Basic reports?

Try: Joe Sandbox View

Register Login
sloganpng
top title background image
flash

G2M18C6INV0ICERECEIPT.vbs

Status: finished
Submission Time: 2022-01-14 13:34:22 +01:00
Malicious
Phishing
Trojan
Evader
Nanocore HTMLPhisher

Comments

Tags

  • NanoCore
  • RAT
  • vbs

Details

  • Analysis ID:
    553203
  • API (Web) ID:
    920726
  • Analysis Started:
    2022-01-14 13:34:24 +01:00
  • Analysis Finished:
    2022-01-14 13:45:47 +01:00
  • MD5:
    e193dff484ce89bc7ba5ae2022ab7227
  • SHA1:
    49d652b6e0fe6071b99fa9a7e891cc5187ebc4db
  • SHA256:
    1b8775fa633e04edf24411129b02074e4a9b8a79c28896908ff57dafe7cde968
  • Technologies:

Joe Sandbox

Engine Download Report Detection Info
Full Report Management Report IOC Report
malicious
Score: 100
System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

IPs

IP Country Detection
185.140.53.10
 Sweden
107.180.25.2
 United States

Domains

Name IP Detection
testalienscy9090.duckdns.org
 185.140.53.10
swmen.com
 107.180.25.2

URLs

Name Detection
testalienscy9090.duckdns.org
HttP://swmen.com/ben/PS1vedy.txt
https://contoso.com/
Click to see the 14 hidden entries
https://github.com/Pester/Pester
http://swmen.com/ben/ServerATEVN.txt
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://swmen.com
https://contoso.com/Icon
https://contoso.com/License
https://nuget.org/nuget.exe
http://swmen.com/ben/PS1vedy.txt
http://swmen.com/ben/ServerATEVN.txt%27%3B%24
https://go.micro
http://crl.microsoft.co
http://www.apache.org/licenses/LICENSE-2.0.html
http://pesterbdd.com/images/Pester.png
http://nuget.org/NuGet.exe

Dropped files

Name File Type Hashes Detection
C:\ProgramData\5197349279415287975939\5197349279415287975939.HTA
 HTML document, ASCII text, with very long lines, with CRLF line terminators
 #
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
 International EBCDIC text, with no line terminators
 #
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
 data
 #
Click to see the 7 hidden entries
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
 data
 #
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_axtvtxvy.mrw.psm1
 very short file (no magic)
 #
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jvx5tmpj.e0j.ps1
 very short file (no magic)
 #
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
 data
 #
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
 data
 #
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
 data
 #
C:\Users\user\Documents\20220114\PowerShell_transcript.210979.BVPagTEC.20220114133521.txt
 UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
 #