
PO-AWE9934.docx

Status: finished
Submission Time: 2022-01-28 11:12:33 +01:00
Verdict: Malicious (Trojan, Exploiter, Evader, GuLoader)

Tags

  • doc
  • docx
  • Invoice

Details

  • Analysis ID:
    562071
  • API (Web) ID:
    929589
  • Analysis Started:
    2022-01-28 11:25:11 +01:00
  • Analysis Finished:
    2022-01-28 11:32:32 +01:00
  • MD5:
    41d90bec5e345b3f4a7086158e236730
  • SHA1:
    5a179b748a9523ac4cd1b4010f294e5497b5329e
  • SHA256:
    76772145ed4ca48917df45363d450652cba0605b307d85937166c3042ea85609

Verdict: malicious, score 100/100

System: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)

Detection ratios: 17/63 and 7/43 (both rated malicious)

IPs

IP              Country
66.29.141.207   United States
107.172.93.32   United States

Domains

Name            IP
onebztip.club   66.29.141.207

URLs

  • https://www.konutmarket.com/2022file_iz
  • https://onebztip.club/index.php/x
  • http://107.172.93.32/invoice/dhl_shp.wbk
  • http://107.172.93.32/309/vbc.exe
  • http://107.172.93.32/invoice/
  • http://nsis.sf.net/NSIS_ErrorError

The document fetched dhl_shp.wbk from 107.172.93.32/invoice/ (the file is cached under Content.MSO and Content.IE5, and a matching .url shortcut is written to Office\Recent, so the request came from Word itself), after which vbc.exe was downloaded from the same host. The last entry, http://nsis.sf.net/NSIS_Error, is the error-page URL embedded in every NSIS installer stub (here with the following string "Error" run into it); it is a string artefact of the dropped installer, not attacker infrastructure, and should not be used as a network indicator.
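As an added example (not part of the report, and not a tool of the sandbox vendor), the following Python matches proxy-log lines against the network indicators listed above. It grades hits by strength: a literal match on a flagged IP or on onebztip.club (subdomains included) or on a flagged URL is a firm hit, while a request merely to the host of a flagged URL (www.konutmarket.com, which may be a compromised legitimate site) is reported separately as "url-host". The nsis.sf.net string is deliberately excluded for the reason given above. The log format and the sample lines are constructed for the example.

```python
"""Match proxy-log lines against the network IOCs from the report above.

Added example, not vendor code. Log format is an assumption:
    <timestamp> <client-ip> <method> <url> <status>
"""
import re
from urllib.parse import urlparse

# Network indicators copied from the report.
IOC_IPS = {"66.29.141.207", "107.172.93.32"}
IOC_DOMAINS = {"onebztip.club"}
IOC_URLS = {
    "https://www.konutmarket.com/2022file_iz",
    "https://onebztip.club/index.php/x",
    "http://107.172.93.32/invoice/dhl_shp.wbk",
    "http://107.172.93.32/309/vbc.exe",
    "http://107.172.93.32/invoice/",
}
# http://nsis.sf.net/NSIS_Error is embedded in every NSIS installer stub and is
# intentionally NOT an indicator: matching it would flag every NSIS-built program.

# Constructed sample log, not taken from the report.
SAMPLE_LOG = """\
2022-01-28T10:31:02Z 10.0.0.21 GET http://107.172.93.32/invoice/dhl_shp.wbk 200
2022-01-28T10:31:09Z 10.0.0.21 GET http://107.172.93.32/309/vbc.exe 200
2022-01-28T10:31:40Z 10.0.0.21 GET https://onebztip.club/index.php/x 200
2022-01-28T10:32:01Z 10.0.0.22 GET https://cdn.onebztip.club/lib.js 200
2022-01-28T10:32:15Z 10.0.0.23 GET https://www.konutmarket.com/ 200
2022-01-28T10:33:00Z 10.0.0.24 GET http://nsis.sf.net/NSIS_Error 404
2022-01-28T10:33:30Z 10.0.0.25 GET https://example.com/index.php/x 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def host_of(url):
    """Lower-cased host part of a URL, or None if it cannot be parsed."""
    return urlparse(url).hostname  # urlparse already lower-cases the host


def normalize_url(url):
    """scheme://host/path with query string and fragment dropped."""
    p = urlparse(url)
    return f"{p.scheme.lower()}://{p.hostname}{p.path}"


IOC_URL_NORM = {normalize_url(u) for u in IOC_URLS}
IOC_URL_HOSTS = {host_of(u) for u in IOC_URLS}


def domain_matches(host, domain):
    """True for the domain itself and any subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify(url):
    """Return a list of (kind, indicator) hits for one requested URL."""
    hits = []
    host = host_of(url)
    if host is None:
        return hits
    if host in IOC_IPS:
        hits.append(("ip", host))
    for d in sorted(IOC_DOMAINS):
        if domain_matches(host, d):
            hits.append(("domain", d))
    norm = normalize_url(url)
    if norm in IOC_URL_NORM:
        hits.append(("url", norm))
    elif host in IOC_URL_HOSTS and not hits:
        # Host of a flagged URL, but a different path: weaker evidence, since the
        # site may be a legitimate one that was compromised to host one file.
        hits.append(("url-host", host))
    return hits


def scan(log_text):
    """Parse log lines and return one finding per line that has any hit."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        hits = classify(m["url"])
        if hits:
            findings.append({"line": n, "client": m["client"], "url": m["url"], "hits": hits})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']:>2} {f['client']:<10} {f['url']}")
        for kind, ind in f["hits"]:
            print(f"        {kind:<8} {ind}")
```

Run against the constructed sample, the first three lines match on both IP/domain and exact URL, the cdn.onebztip.club request matches on domain only, the konutmarket.com front page is reported as a weaker "url-host" hit, and the nsis.sf.net and example.com lines produce nothing.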

Dropped files

Name, followed by file type (hash and detection columns were empty in this export):

  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe
    PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{95D87E15-AC65-4DDD-9F50-9A36A5790D0B}.tmp
    Composite Document File V2 Document, Cannot read section info
  • C:\Users\Public\vbc.exe
    PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
  • C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD
    data
  • C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{A7237623-5E03-4814-94FE-7F3CA262EA81}.FSD
    data
  • C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF
    data
  • C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
    data
  • C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{D52C8A6F-38F1-4102-9EE5-ECDCF6278B29}.FSD
    data
  • C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\dhl_shp[1].wbk
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2DCC5A3.wbk
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{AF71696C-9FFE-4094-80B8-5D87621A22A7}.tmp
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C73D7E24-0695-475A-9EE3-0951BA4BA5FE}.tmp
    dBase III DBT, version number 0, next free block index 7536653
  • C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{EB971226-827B-47B0-8F41-C98C9532A108}.tmp
    data
  • C:\Users\user\AppData\Local\Temp\nsv7B0.tmp\System.dll
    PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\racehorse.dat
    data
  • C:\Users\user\AppData\Local\Temp\secur32.dll
    PE32 executable (DLL) (console) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\sxsstore.dll
    PE32 executable (DLL) (console) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\{CD1AE7DA-2A17-41D2-8189-9C674B582013}
    data
  • C:\Users\user\AppData\Local\Temp\{E15EED8A-E489-447C-AA78-2010F2F4B9A5}
    data
  • C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PO-AWE9934.LNK
    MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:58 2021, mtime=Mon Aug 30 20:08:58 2021, atime=Fri Jan 28 18:25:16 2022, length=10338, window=hide
  • C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\invoice on 107.172.93.32.url
    MS Windows 95 Internet shortcut text (URL=<http://107.172.93.32/invoice/>), ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\x.url
    MS Windows 95 Internet shortcut text (URL=<https://onebztip.club/index.php/x>), ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
    data
  • C:\Users\user\Desktop\~$-AWE9934.docx
    data

Host artefacts worth hunting for: the NSIS payload staged at C:\Users\Public\vbc.exe (the same installer cached under Content.IE5 as vbc[1].exe), the nsv7B0.tmp\System.dll plugin directory that an NSIS installer unpacks at run time, and the two DLLs written to %TEMP% under system-DLL-like names, secur32.dll and sxsstore.dll, plus racehorse.dat alongside them. The two .url shortcuts in Office\Recent record the remote resources Word itself opened.