
Remittance Information (MT-103).vbs

Status: finished
Submission Time: 2022-01-24 15:40:26 +01:00
Malicious
Trojan
Spyware
Evader
FormBook GuLoader

Tags

  • vbs

Details

  • Analysis ID:
    558870
  • API (Web) ID:
    926391
  • Analysis Started:
    2022-01-24 15:44:07 +01:00
  • Analysis Finished:
    2022-01-24 15:59:24 +01:00
  • MD5:
    d693624e3d9614a0dc9cf5a5cd1bb8ef
  • SHA1:
    9c50c26e8b2f9c9acfa3192385df88d3144f351c
  • SHA256:
    dcc73a1351b6b79d48f7b42a96edfb142ffe46f896e1ab9f412a615b1edd7c9b

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

Verdict: malicious (score 100/100)

IPs

IP             | Country
108.175.14.116 | United States
151.106.117.33 | Germany

Domains

Name                      | IP
www.dentalbatonrouge.com  | 108.175.14.116
bulkwhatsappsender.in     | 151.106.117.33
www.bulkwhatsappsender.in | 0.0.0.0
www.yzicpa.com            | 0.0.0.0

URLs


Dropped files

Name | File Type
C:\Users\user\AppData\Roaming\K-NBS4VB\K-Nlogri.ini | data
C:\Users\user\AppData\Roaming\K-NBS4VB\K-Nlogrv.ini | data
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | data
C:\Users\user\AppData\Local\Temp\5wwhq3bl\5wwhq3bl.0.cs | UTF-8 Unicode (with BOM) text, with CRLF line terminators
C:\Users\user\AppData\Local\Temp\5wwhq3bl\5wwhq3bl.cmdline | UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
C:\Users\user\AppData\Local\Temp\5wwhq3bl\5wwhq3bl.dll | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Local\Temp\5wwhq3bl\5wwhq3bl.out | UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
C:\Users\user\AppData\Local\Temp\5wwhq3bl\CSCEED551C9B69E4D3BACB27851B833AAE.TMP | MSVC .res
C:\Users\user\AppData\Local\Temp\Champag6.dat | data
C:\Users\user\AppData\Local\Temp\DB1 | SQLite 3.x database, last written using SQLite version 3032001
C:\Users\user\AppData\Local\Temp\RES4377.tmp | Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x496, 9 symbols
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4jebmlly.2vw.psm1 | very short file (no magic)
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jcpbiel0.fg2.ps1 | very short file (no magic)
C:\Users\user\AppData\Roaming\K-NBS4VB\K-Nlogim.jpeg | JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
C:\Users\user\AppData\Roaming\K-NBS4VB\K-Nlogrg.ini | data
C:\Users\user\Documents\20220124\PowerShell_transcript.284992.XtWh3q5P.20220124154518.txt | UTF-8 Unicode (with BOM) text, with CRLF line terminators