
WWVN_INVOICE_8363567453.vbs

Status: finished
Submission Time: 2022-05-10 14:02:14 +02:00
Verdict: Malicious
Classification: Trojan, Evader, Spyware
Malware families: FormBook, GuLoader

Details

  • Analysis ID:
    623396
  • API (Web) ID:
    990905
  • Analysis Started:
    2022-05-10 14:02:15 +02:00
  • Analysis Finished:
    2022-05-10 14:40:02 +02:00
  • MD5:
    9f8e253fd51c33a2f874942ebc0d3795
  • SHA1:
    6868a9005489e56542cf0df063985132fef50f3d
  • SHA256:
    c33e4e9bf305cec123840dd87aa84c6d71e68ac82ea039418e1b8be3ed791b37
Verdicts

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Verdict: malicious, score 84/100

System: Windows 10 64 bit 20H2, native physical machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Run Condition: Suspected Instruction Hammering
Verdict: malicious, score 100/100

Verdict: malicious, 10/41

Verdict: malicious

The sample scored higher on the bare-metal run than inside the virtual machine, so the VM run should be read as a lower bound on what it does on a real host.
IPs

IP               Country
68.65.122.211    United States
217.160.0.18     Germany
209.99.40.222    United States
199.192.29.215   United States
198.23.49.173    United States
180.76.247.231   China
185.53.179.171   Germany
203.170.86.89    Australia

Domains

Name                                 IP
www.dujh.xyz                         180.76.247.231
www.borneadomicile.com               217.160.0.18
schnellekreditfinanz.com             68.65.122.211
www.repaircilinic.com                185.53.179.171
www.getsuzamtir.xyz                  199.192.29.215
barsam.com.au                        203.170.86.89
www.linqxw.com                       209.99.40.222
www.clickleaser.com                  198.23.49.173
www.shantelleketodietofficial.site   0.0.0.0
www.schnellekreditfinanz.com         0.0.0.0
www.tandelawnmaintenance.com         0.0.0.0
www.revboxx.com                      0.0.0.0
www.actu-infomail.com                0.0.0.0
www.thebeautystore.store             0.0.0.0
www.projectduckling.com              0.0.0.0
www.gpusforfun.com                   0.0.0.0
www.liesdevocalist.store             0.0.0.0
dual-a-0001.a-msedge.net             13.107.21.200
e-0009.e-msedge.net                  13.107.5.88

Entries shown with 0.0.0.0 returned no address during the analysis; they were still queried, so they belong in the same block list as the resolving ones. The two msedge.net names are Microsoft CDN hosts and go with the msn.com traffic in the URL list; treat them as background noise rather than sample IOCs.

URLs

URL
http://barsam.com.au/
http://www.schnellekreditfinanz.com/wn19/?AVnXAh=VPEU4GtrlSiNcAkb3jQiBQiB6wsnkRv+1lt8CI/dwo4hrc1cBv2ecJ2q6A5CexHOXEVq&Vb3pDf=BHT0MRp
http://www.borneadomicile.com/wn19/
http://www.repaircilinic.com/wn19/?AVnXAh=rBunXcp5a8HG2eTY65iWvy6khmWv9on3XutAN+/kdojtSOLKRRt/04yNs8WYDZYu6HpH&Vb3pDf=BHT0MRp
http://www.borneadomicile.com/wn19/?AVnXAh=A9tPw5wW+2gVzhiAst2uEYMxl8Qbhtbs4UZqv+cXLFe4/YHx2PgN7R7cqpKWqQ64E5aF&Vb3pDf=BHT0MRp
http://www.repaircilinic.com/wn19/
http://barsam.com.au/bin_FCWtLoO90.bin
http://www.schnellekreditfinanz.com/wn19/
www.shantelleketodietofficial.site/wn19/
http://www.linqxw.com/wn19/
http://pesterbdd.com/images/Pester.png
http://www.getsuzamtir.xyz/wn19/
http://www.clickleaser.com/wn19/?AVnXAh=q67zoIOMf4+mO4D8EIqIf3d7IvOeBQOSx5x5Cm6B2nNhbRkYSectWIWbwYJ7UqoIixMy&Vb3pDf=BHT0MRp
http://www.clickleaser.com/wn19/
https://api.msn.com/
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.svg#ubuntu-r
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff
https://windows.msn.com:443/shell
https://www.msn.com/en-us/news/crime/charges-man-snapped-killed-4-then-left-bodies-in-field/ar-AAOGa
http://go.microsoft.ce
http://i3.cdn-image.com/__media__/js/min.js?v2.3
http://www.linqxw.com/display.cfm
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff2
https://hg.mozilla.org/releases/mozilla-release/rev/7dafd5f51c0afd1ae627bb4762ac0c140a6cd5f5
https://www.msn.com:443/en-us/feed
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2
https://mozilla.org0
http://doma813348.china.myorderbox.com/linkhandler/servlet/RenewDomainServlet?validatenow=false&
http://purlorg/dc/elements/1.1/
https://aka.ms/pscore6lB2l
https://api.msn.com/v1/news/Feed/Windows?
http://barsam.com.au/bin_FCWtLoO90.binzs
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot
https://wns.windows.com/ClassId
https://api.msn.com:443/v1/news/Feed/Windows?
https://contoso.com/License
http://www.linqxw.com/Accident_Lawyers.cfm?fp=pMtm9Aill7qNES4xv4SZ9a1LesnLw1GnvHqwQeAm1ypMqjqXlSyWJX
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf
http://barsam.com.au/bin_FCWtLoO90.binf
https://outlook.comjU
http://i3.cdn-image.com/__media__/pics/12471/kwbg.jpg)
https://excel.office.com
http://barsam.com.au/bin_FCWtLoO90.bink
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.ttf
http://schemas.micro
http://www.linqxw.com/wn19/?AVnXAh=041CpAoA8aE4nytHYFLnZX
http://i3.cdn-image.com/__media__/pics/12471/arrow.png)
https://www.msn.com/en-us/news/politics/white-house-chaos-as-video-shows-joe-biden-aides-stop-report
http://barsam.com.au/bin_FCWtLoO90.bin4
https://www.msn.com/en-us/news/us/texas-gov-abbott-sends-miles-of-cars-along-border-to-deter-migrant
http://i3.cdn-image.com/__media__/pics/12471/libgh.png)
http://i3.cdn-image.com/__media__/pics/12471/logo.png)
https://contoso.com/
https://nuget.org/nuget.exe
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot?#iefix
http://www.linqxw.com/sk-logabpstatus.php?a=endjMmRmQ2JsNGxkU0gxbkFJUVVyVlRxZ1c3ZnhHTGFGdFNIOFdpSjRR
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://www.linqxw.com/px.js?ch=1
http://www.linqxw.com/px.js?ch=2
https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg
https://aka.ms/odirm%
http://nuget.org/NuGet.exe
http://i3.cdn-image.com/__media__/pics/12471/bodybg.png)
http://www.linqxw.com/song_lyrics.cfm?fp=pMtm9Aill7qNES4xv4SZ9a1LesnLw1GnvHqwQeAm1ypMqjqXlSyWJXVl4%2
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot
https://www.msn.
https://www.msn.com/en-us/tv/celebrity/tarek-el-moussa-tests-positive-for-covid-19-shuts-down-filmin
http://www.linqxw.com/Healthy_Weight_Loss.cfm?fp=pMtm9Aill7qNES4xv4SZ9a1LesnLw1GnvHqwQeAm1ypMqjqXlSy
https://crash-reports.mozilla.com/submit?id=
http://www.apache.org/licenses/LICENSE-2.0.html
https://go.micro
http://www.linqxw.com
http://i3.cdn-image.com/__media__/pics/12471/search-icon.png)
https://contoso.com/Icon
https://www.msn.com/en-us/news/technology/facebook-oversight-board-reviewing-xcheck-system-for-vips/
http://www.linqxw.com/find_a_tutor.cfm?fp=pMtm9Aill7qNES4xv4SZ9a1LesnLw1GnvHqwQeAm1ypMqjqXlSyWJXVl4%
http://www.linqxw.com/Designer_Apparel.cfm?fp=pMtm9Aill7qNES4xv4SZ9a1LesnLw1GnvHqwQeAm1ypMqjqXlSyWJX
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf
http://www.dujh.xyz/
http://www.foreca.com
https://github.com/Pester/Pester
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot?#iefix
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.otf
https://api.msn.com/v1/news/Feed/Windows?activityId=5696A836803C42E0B53F7BB2770E5342&timeOut=10000&o
http://www.dujh.xyz/wn19/?AVnXAh=a63aDXt/KdVd8/vhoA3n5O0XH1EsSnoV0YHdqlzRS6BKHLBCb088tgqJ
http://i3.cdn-image.com/__media__/pics/12471/libg.png)
https://android.notify.windows.com/iOS
http://barsam.com.au/bin_FCWtLoO90.binC:
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
http://www.linqxw.com/Work_from_Home.cfm?fp=pMtm9Aill7qNES4xv4SZ9a1LesnLw1GnvHqwQeAm1ypMqjqXlSyWJXVl
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff
http://www.linqxw.com/Contact_Lens.cfm?fp=pMtm9Aill7qNES4xv4SZ9a1LesnLw1GnvHqwQeAm1ypMqjqXlSyWJXVl4%
http://go.microsoft.c
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b
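The IP, domain and URL lists above are raw sandbox output, and not all of it belongs to the sample: the msn.com, nuget.org, contoso.com and mozilla.org entries, and cut-off fragments such as http://go.microsoft.ce, are strings recovered from process memory. The script below is an added example, not part of this report or of the sandbox, that separates the /wn19/ check-in URLs and the barsam.com.au .bin download from that noise (the assumption being that those are the C2 and payload traffic of the FormBook/GuLoader sample), reduces them to a host list, and matches the list against proxy log lines constructed for the example.

```python
"""Network IOC triage for the URL, domain and IP lists above.

Added example, not part of the sandbox report.  Assumption: the "/wn19/" URLs
(bare, or with the two-parameter query seen in the report) are the sample's C2
check-ins and the barsam.com.au ".bin" URL is the payload download; everything
else in the list is treated as memory-string noise.  The proxy log lines are
constructed for the example.
"""
import re
from urllib.parse import urlsplit

# Verbatim subset of the report's URL list.
REPORT_URLS = [
    "http://www.schnellekreditfinanz.com/wn19/?AVnXAh=VPEU4GtrlSiNcAkb3jQiBQiB6wsnkRv+1lt8CI/dwo4hrc1cBv2ecJ2q6A5CexHOXEVq&Vb3pDf=BHT0MRp",
    "http://www.borneadomicile.com/wn19/",
    "http://www.repaircilinic.com/wn19/?AVnXAh=rBunXcp5a8HG2eTY65iWvy6khmWv9on3XutAN+/kdojtSOLKRRt/04yNs8WYDZYu6HpH&Vb3pDf=BHT0MRp",
    "http://barsam.com.au/bin_FCWtLoO90.bin",
    "www.shantelleketodietofficial.site/wn19/",  # listed without a scheme
    "http://www.dujh.xyz/wn19/?AVnXAh=a63aDXt/KdVd8/vhoA3n5O0XH1EsSnoV0YHdqlzRS6BKHLBCb088tgqJ",
    "https://api.msn.com/v1/news/Feed/Windows?",
    "https://nuget.org/nuget.exe",
    "http://go.microsoft.ce",  # truncated memory string
    "https://contoso.com/License",
    "http://www.linqxw.com/px.js?ch=1",  # parked-domain page content
]

CHECKIN_PATH = re.compile(r"^/wn19/?$")
# Query shape seen in the report: <6 alnum>=<base64-like>[&<6 alnum>=<alnum>]
CHECKIN_QUERY = re.compile(
    r"^[A-Za-z0-9]{6}=[A-Za-z0-9+/=]+(?:&[A-Za-z0-9]{6}=[A-Za-z0-9]+)?$"
)
PAYLOAD_PATH = re.compile(r"/bin_[A-Za-z0-9]+\.bin$")


def parse_url(url: str):
    """Return (host, path, query); tolerate the scheme-less report entry."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path, parts.query


def classify(url: str) -> str:
    """'checkin', 'payload' or 'noise' for one URL from the report."""
    host, path, query = parse_url(url)
    if "." not in host:
        return "noise"
    if CHECKIN_PATH.match(path) and (query == "" or CHECKIN_QUERY.match(query)):
        return "checkin"
    if PAYLOAD_PATH.search(path):
        return "payload"
    return "noise"


def ioc_hosts(urls) -> set:
    """Hosts worth blocking or hunting: check-in and payload hosts, deduplicated."""
    return {parse_url(u)[0] for u in urls if classify(u) != "noise"}


# Constructed proxy log lines: timestamp client method url status.
PROXY_LOG = """\
2022-05-10T12:05:11Z 10.0.0.15 GET http://www.borneadomicile.com/wn19/ 200
2022-05-10T12:05:12Z 10.0.0.15 GET https://api.msn.com/v1/news/Feed/Windows 200
2022-05-10T12:05:40Z 10.0.0.22 GET http://barsam.com.au/bin_FCWtLoO90.bin 200
2022-05-10T12:06:01Z 10.0.0.15 POST http://www.dujh.xyz/wn19/ 200
2022-05-10T12:07:00Z 10.0.0.31 GET https://www.msn.com/en-us/feed 200
"""

LOG_LINE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def hunt(log_text: str, hosts) -> list:
    """Return (timestamp, client, url) for every request to an IOC host."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and parse_url(m.group(4))[0] in hosts:
            hits.append((m.group(1), m.group(2), m.group(4)))
    return hits


if __name__ == "__main__":
    hosts = ioc_hosts(REPORT_URLS)
    print("IOC hosts:", sorted(hosts))
    for ts, client, url in hunt(PROXY_LOG, hosts):
        print(ts, client, url)
```

Matching on host rather than on the full URL is deliberate: the query values differ per check-in, and the report itself shows the same hosts with and without a query, so the host set is the stable part.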

Dropped files

Name and file type

  • C:\Users\user\AppData\Roaming\2LMM06TC\2LMlogrf.ini
    data
  • C:\Users\user\AppData\Roaming\2LMM06TC\2LMlogri.ini
    data
  • C:\Users\user\AppData\Roaming\2LMM06TC\2LMlogrv.ini
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    data
  • C:\Users\user\AppData\Local\Temp\DB1
    SQLite 3.x database, last written using SQLite version 3036000
  • C:\Users\user\AppData\Local\Temp\Hetero3.dat
    data
  • C:\Users\user\AppData\Local\Temp\RES2E9C.tmp
    Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f0xsdwy4.l4z.ps1
    ASCII text, with no line terminators
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tjjzqpmp.eor.psm1
    ASCII text, with no line terminators
  • C:\Users\user\AppData\Local\Temp\gkb1wfd4\CSC1FB6CDA7423C41F280B0C76B8C389BB7.TMP
    MSVC .res
  • C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.0.cs
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.cmdline
    UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
  • C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.dll
    PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.out
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
  • C:\Users\user\AppData\Roaming\2LMM06TC\2LMlogim.jpeg
    JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1920x1080, frames 3
  • C:\Users\user\AppData\Roaming\2LMM06TC\2LMlogrg.ini
    data
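The dropped-file list is more useful as a set of path shapes than as exact names. The script below is an added example, not part of this report, that turns two of those shapes into detections: the %APPDATA%\<8 chars>\<3-4 chars>log??.ini and logim.jpeg data files, and the %TEMP%\<name>\<name>.cmdline / .0.cs / .dll / .out set that PowerShell's Add-Type leaves behind when it compiles inline C# with csc.exe (the RES*.tmp and CSC*.TMP files are the compiler's resource objects). It assumes the 2LMM06TC / 2LM and gkb1wfd4 names are randomised per infection, so it matches on structure rather than on those values, and it deliberately ignores the __PSScriptPolicyTest_* files, which PowerShell writes itself whenever an application-control policy is present. The FileCreate events it runs over are constructed, not taken from the sandbox run.

```python
r"""File-artifact hunt built from the dropped-file list above.

Added example, not part of the sandbox report.  Two path shapes from that list
become detections here:

  * %APPDATA%\<8 chars>\<3-4 chars>log{rf,ri,rv,rg}.ini and <...>logim.jpeg,
    the data files and 1920x1080 screenshot written by the stealer stage
    (assumption: 2LMM06TC\2LM* is randomised per infection, so the pattern
    matches on shape rather than on those exact names);
  * %TEMP%\<8 chars>\<same 8 chars>.cmdline / .0.cs / .dll / .out, which is what
    PowerShell's Add-Type leaves behind when it compiles inline C# with csc.exe.

The __PSScriptPolicyTest_* files are written by PowerShell itself when an
application-control policy is present and are deliberately not matched.  The
FileCreate event lines are constructed, not taken from the sandbox run.
"""
import re

# Derived from C:\Users\user\AppData\Roaming\2LMM06TC\2LMlogrf.ini and 2LMlogim.jpeg.
STEALER_FILE = re.compile(
    r"\\AppData\\Roaming\\[A-Z0-9]{8}\\[A-Z0-9]{3,4}log(?:r[fivg]\.ini|im\.jpeg)$",
    re.IGNORECASE,
)
# Derived from C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.cmdline: the file
# stem repeats the directory name, which the back-reference enforces.
ADDTYPE_COMPILE = re.compile(
    r"\\AppData\\Local\\Temp\\(?P<d>[a-z0-9]{8})\\(?P=d)\.(?:cmdline|0\.cs|dll|out)$",
    re.IGNORECASE,
)


def classify_path(path: str):
    """Tag a created-file path, or return None when it matches nothing."""
    if STEALER_FILE.search(path):
        return "stealer-data-file"
    if ADDTYPE_COMPILE.search(path):
        return "powershell-add-type-compile"
    return None


# Constructed FileCreate events: timestamp|host|creating image|target file.
EVENTS = r"""2022-05-10T12:03:02Z|WS01|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.cmdline
2022-05-10T12:03:02Z|WS01|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe|C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.dll
2022-05-10T12:03:05Z|WS01|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f0xsdwy4.l4z.ps1
2022-05-10T12:03:20Z|WS01|C:\Windows\explorer.exe|C:\Users\user\AppData\Roaming\2LMM06TC\2LMlogrf.ini
2022-05-10T12:03:41Z|WS01|C:\Windows\explorer.exe|C:\Users\user\AppData\Roaming\2LMM06TC\2LMlogim.jpeg
2022-05-10T12:04:00Z|WS02|C:\Program Files\Mozilla Firefox\firefox.exe|C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\logins.json
"""


def hunt(events: str) -> dict:
    """Group matching events by host so the compile step and the stealer
    drops on the same machine surface as one chain."""
    alerts = {}
    for line in events.splitlines():
        ts, host, image, target = line.split("|", 3)
        tag = classify_path(target)
        if tag:
            alerts.setdefault(host, []).append((ts, tag, image, target))
    return alerts


if __name__ == "__main__":
    for host, chain in hunt(EVENTS).items():
        print(host)
        for ts, tag, image, target in chain:
            print(" ", ts, tag, image, "->", target)
```

The back-reference in the Add-Type pattern is what keeps it quiet on ordinary temp files: a random eight-character directory on its own is common, a directory whose name is repeated as the stem of a .cmdline, .0.cs, .dll and .out file is not.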