
Wire-84844663637346665.PDF.vbs

Status: finished
Submission Time: 2022-01-21 17:12:41 +01:00
Classification: Malicious (Trojan, Spyware, Evader)
Malware families: FormBook, GuLoader

Tags

  • GuLoader
  • vbs

Details

  • Analysis ID:
    557834
  • API (Web) ID:
    925353
  • Analysis Started:
    2022-01-21 17:19:23 +01:00
  • Analysis Finished:
    2022-01-21 17:33:56 +01:00
  • MD5:
    2eb1625e8d4e3f9b19ab947d188d0be8
  • SHA1:
    7aad4e8d8f521d1c36a7468418047c8a5751b7e9
  • SHA256:
    354529cf4cd5498c64a0c69c6dd9eb8962250542eea7f89a76faf64f5086da35

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

Verdict: malicious (score 100/100)
Detection ratio: 5/43 (malicious)

IPs

IP               Country
133.242.141.149  Japan

Domains

Name                          IP
research.the-miyanichi.co.jp  133.242.141.149
canonicalizer.ucsuri.tcs      0.0.0.0

Only research.the-miyanichi.co.jp (the payload host, see the URLs below) is attacker-related. canonicalizer.ucsuri.tcs is a Windows-internal name that shows up in many sandbox runs and resolves to 0.0.0.0 here; it is not infrastructure to block or hunt for.

URLs

https://research.the-miyanichi.co.jp/
https://research.the-miyanichi.co.jp/wp-^
www.recountsol.xyz/ty13/
https://research.the-miyanichi.co.jp/wp-content/uploads/bin_GuOImF134.bin5
http://www.autoitscript.com/autoit3/J
http://nuget.org/NuGet.exe
https://research.the-miyanichi.co.jp/wp-content/uploads/bin_GuOImF134.binT
http://pesterbdd.com/images/Pester.png
http://canonicalizer.ucsuri.tcs/680074007400700073003a002f002f00700069006e0067002e002e006e0061007600
http://www.apache.org/licenses/LICENSE-2.0.html
https://contoso.com/
https://nuget.org/nuget.exe
https://contoso.com/License
https://contoso.com/Icon
https://research.the-miyanichi.co.jp/P
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
https://github.com/Pester/Pester
https://research.the-miyanichi.co.jp/wp-content/uploads/bin_GuOImF134.bin

Two of these strings are the actionable indicators: the GuLoader stage is fetched from https://research.the-miyanichi.co.jp/wp-content/uploads/bin_GuOImF134.bin (a WordPress upload path on the hosting domain; the variants ending in "bin5", "binT", "wp-^" and "/P" are the same URL with trailing bytes picked up from memory), and www.recountsol.xyz/ty13/ has the short domain-plus-path form used for FormBook command-and-control. The remaining entries (pesterbdd.com, github.com/Pester/Pester, contoso.com, nuget.org, the Apache license and xmlsoap schema URLs) are strings carried by PowerShell and .NET module resources that sit in process memory, and the canonicalizer.ucsuri.tcs entry is a Windows URL-canonicalisation artifact; none of them should be lifted into a blocklist.

Dropped files

Name (file type)

C:\Users\user\AppData\Roaming\N6AQ8R9T\N6Alogri.ini (data)
C:\Users\user\AppData\Roaming\N6AQ8R9T\N6Alogrv.ini (data)
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache (data)
C:\Users\user\AppData\Local\Temp\DB1 (SQLite 3.x database, last written using SQLite version 3032001)
C:\Users\user\AppData\Local\Temp\RES843C.tmp (Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x496, 9 symbols)
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j3s1041w.3ng.ps1 (very short file, no magic)
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_twf0pup4.skl.psm1 (very short file, no magic)
C:\Users\user\AppData\Local\Temp\lmt3yvf4\CSC3B7445246D634A3891EBDF5913136B1.TMP (MSVC .res)
C:\Users\user\AppData\Local\Temp\lmt3yvf4\lmt3yvf4.0.cs (UTF-8 Unicode text with BOM, CRLF line terminators)
C:\Users\user\AppData\Local\Temp\lmt3yvf4\lmt3yvf4.cmdline (UTF-8 Unicode text with BOM, very long lines, no line terminators)
C:\Users\user\AppData\Local\Temp\lmt3yvf4\lmt3yvf4.dll (PE32 executable DLL, console, Intel 80386 Mono/.Net assembly, for MS Windows)
C:\Users\user\AppData\Local\Temp\lmt3yvf4\lmt3yvf4.out (UTF-8 Unicode text with BOM, very long lines, CRLF and CR line terminators)
C:\Users\user\AppData\Local\Temp\myste.dat (data)
C:\Users\user\AppData\Roaming\N6AQ8R9T\N6Alogim.jpeg (JPEG image data, JFIF 1.01, 96x96 DPI, baseline, precision 8, 1280x1024, 3 frames)
C:\Users\user\AppData\Roaming\N6AQ8R9T\N6Alogrg.ini (data)
C:\Users\user\Documents\20220121\PowerShell_transcript.980108.L7PrKMB+.20220121172145.txt (UTF-8 Unicode text with BOM, very long lines, CRLF line terminators)

How to read this list: the lmt3yvf4\lmt3yvf4.0.cs, .cmdline, .dll and .out files, the CSC*.TMP resource next to them and RES843C.tmp are the standard output of PowerShell's Add-Type compiling C# through csc.exe, which is how the VBS-launched PowerShell stage gets native code into memory without dropping a conventional executable; the random eight-character folder name is a good hunting key. The two __PSScriptPolicyTest_* files are written by PowerShell itself when it checks the script execution policy and only tell you that PowerShell started. The transcript under Documents\20220121 exists because transcription logging was enabled on the analysis system; it is a forensic source rather than malware output, and it will not exist on hosts without that setting. The N6AQ8R9T folder under Roaming with its *logri.ini, *logrv.ini, *logrg.ini and *logim.jpeg files matches the local staging used by the FormBook stealer the sandbox identified, the JPEG being a 1280x1024 capture of the analysis desktop. DB1 (a SQLite database) and myste.dat are left unannotated because the report gives no further detail on them.
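The following script is an added example, not part of this Joe Sandbox report and not Joe Sandbox code. It takes the URL list and the dropped-file paths from the sections above (embedded as literals copied from this page) and does two things a responder would want before acting on the report: it separates the URLs into actionable indicators and PowerShell/.NET memory-string noise using a hand-curated host allow-list (the allow-list is an assumption made for this report), and it classifies each dropped path against patterns generalised from this run (Add-Type compile artifacts in a random eight-character %TEMP% folder, FormBook-style staging files under Roaming, PowerShell's policy-probe files and its transcript). The label names and the regular expressions are this example's own.

```python
"""Triage the IOC lists of this report (added example; not Joe Sandbox code)."""
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

# Hosts that appear in the URL list only because PowerShell / .NET module
# metadata, license text and schema namespaces sit in process memory.
# Assumption: allow-list curated by hand for this report.
BENIGN_HOSTS = {
    "www.apache.org", "schemas.xmlsoap.org", "github.com", "pesterbdd.com",
    "contoso.com", "nuget.org", "www.autoitscript.com",
    "canonicalizer.ucsuri.tcs",  # Windows-internal name; resolves to 0.0.0.0 in the report
}


def host_of(url: str) -> str:
    """Host part of a URL or of a bare 'host/path' string such as www.recountsol.xyz/ty13/."""
    m = re.match(r"^(?:https?://)?([^/\s]+)", url)
    return m.group(1).lower() if m else ""


def triage_urls(urls: List[str]) -> Tuple[List[str], List[str]]:
    """Split the report's URL strings into (actionable, noise) using the host allow-list."""
    actionable: List[str] = []
    noise: List[str] = []
    for u in urls:
        (noise if host_of(u) in BENIGN_HOSTS else actionable).append(u)
    return actionable, noise


def actionable_hosts(urls: List[str]) -> Set[str]:
    """Distinct hosts worth blocking or hunting for."""
    return {host_of(u) for u in triage_urls(urls)[0]}


# Dropped-file path patterns generalised from the paths in this report.
PATH_RULES = [
    # PowerShell Add-Type compiling C# via csc.exe: %TEMP%\<rand8>\<rand8>.{0.cs,cmdline,dll,out},
    # the CSC*.TMP resource inside that folder and the RES*.tmp COFF object beside it.
    ("add_type_compile", re.compile(
        r"\\AppData\\Local\\Temp\\([a-z0-9]{8})\\(?:\1\.(?:0\.cs|cmdline|dll|out)|CSC[0-9A-F]+\.TMP)$",
        re.I)),
    ("add_type_compile", re.compile(r"\\AppData\\Local\\Temp\\RES[0-9A-F]{4}\.tmp$", re.I)),
    # FormBook-style staging: %APPDATA%\<8 alnum>\<3 alnum>log{ri,rv,rg}.ini and <3 alnum>logim.jpeg
    ("formbook_staging", re.compile(
        r"\\AppData\\Roaming\\[A-Z0-9]{8}\\[A-Z0-9]{3}log(?:(?:ri|rv|rg)\.ini|im\.jpeg)$")),
    # PowerShell's own execution-policy probe files; they only show that PowerShell started.
    ("powershell_started", re.compile(r"\\Temp\\__PSScriptPolicyTest_[^\\]+\.psm?1$")),
    # Transcript logging was enabled on the analysis system; a forensic source, not malware output.
    ("powershell_transcript", re.compile(r"\\Documents\\\d{8}\\PowerShell_transcript\.[^\\]+\.txt$")),
]


def classify_path(path: str) -> str:
    """First matching rule label, or 'other' when no pattern from this report applies."""
    for label, rx in PATH_RULES:
        if rx.search(path):
            return label
    return "other"


def summarize_paths(paths: List[str]) -> Dict[str, int]:
    """Count dropped paths per behaviour label."""
    return dict(Counter(classify_path(p) for p in paths))


# Input copied from the URLs section of this report.
REPORT_URLS = [
    "https://research.the-miyanichi.co.jp/",
    "https://research.the-miyanichi.co.jp/wp-^",
    "www.recountsol.xyz/ty13/",
    "https://research.the-miyanichi.co.jp/wp-content/uploads/bin_GuOImF134.bin5",
    "http://www.autoitscript.com/autoit3/J",
    "http://nuget.org/NuGet.exe",
    "https://research.the-miyanichi.co.jp/wp-content/uploads/bin_GuOImF134.binT",
    "http://pesterbdd.com/images/Pester.png",
    "http://canonicalizer.ucsuri.tcs/680074007400700073003a002f002f00700069006e0067002e002e006e0061007600",
    "http://www.apache.org/licenses/LICENSE-2.0.html",
    "https://contoso.com/",
    "https://nuget.org/nuget.exe",
    "https://contoso.com/License",
    "https://contoso.com/Icon",
    "https://research.the-miyanichi.co.jp/P",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "https://github.com/Pester/Pester",
    "https://research.the-miyanichi.co.jp/wp-content/uploads/bin_GuOImF134.bin",
]

# A subset of the dropped-file paths from this report.
REPORT_PATHS = [
    r"C:\Users\user\AppData\Roaming\N6AQ8R9T\N6Alogri.ini",
    r"C:\Users\user\AppData\Roaming\N6AQ8R9T\N6Alogim.jpeg",
    r"C:\Users\user\AppData\Local\Temp\lmt3yvf4\lmt3yvf4.0.cs",
    r"C:\Users\user\AppData\Local\Temp\lmt3yvf4\lmt3yvf4.dll",
    r"C:\Users\user\AppData\Local\Temp\lmt3yvf4\CSC3B7445246D634A3891EBDF5913136B1.TMP",
    r"C:\Users\user\AppData\Local\Temp\RES843C.tmp",
    r"C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j3s1041w.3ng.ps1",
    r"C:\Users\user\Documents\20220121\PowerShell_transcript.980108.L7PrKMB+.20220121172145.txt",
    r"C:\Users\user\AppData\Local\Temp\myste.dat",
    r"C:\Users\user\AppData\Local\Temp\DB1",
]

if __name__ == "__main__":
    act, noise = triage_urls(REPORT_URLS)
    print("actionable:", *act, sep="\n  ")
    print("noise:", len(noise), "strings")
    print("hosts to block/hunt:", sorted(actionable_hosts(REPORT_URLS)))
    for p in REPORT_PATHS:
        print(f"{classify_path(p):22} {p}")
    print(summarize_paths(REPORT_PATHS))
```

On this report's data the triage keeps seven URL strings on two hosts (research.the-miyanichi.co.jp and www.recountsol.xyz) and discards eleven; the path classifier tags four Add-Type compile artifacts, two FormBook-style staging files, one policy-probe file and the transcript, and leaves DB1 and myste.dat as "other" because the report says nothing more about them. The Add-Type pattern in particular transfers to other GuLoader runs, since the folder and file stem are always the same random eight characters.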