
WWVN_INVOICE_8363567453.vbs

Status: finished
Submission Time: 2022-05-10 14:02:14 +02:00
Verdict: Malicious
Classification: Trojan, Evader, Spyware
Malware families: GuLoader, FormBook

Details

  • Analysis ID: 623396
  • API (Web) ID: 990905
  • Analysis Started: 2022-05-10 14:02:15 +02:00
  • Analysis Finished: 2022-05-10 14:40:02 +02:00
  • MD5: 9f8e253fd51c33a2f874942ebc0d3795
  • SHA1: 6868a9005489e56542cf0df063985132fef50f3d
  • SHA256: c33e4e9bf305cec123840dd87aa84c6d71e68ac82ea039418e1b8be3ed791b37
  • Technologies: Joe Sandbox

Detection Info

  • Detection: malicious, Score: 84
    System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
  • Detection: malicious, Score: 100
    System: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
    Run Condition: Suspected Instruction Hammering

Third Party Analysis Engines

  • malicious (Score: 10/41)
  • malicious

IPs


Domains


URLs


Dropped files

Name | File Type
C:\Users\user\AppData\Roaming\2LMM06TC\2LMlogrf.ini | data
C:\Users\user\AppData\Roaming\2LMM06TC\2LMlogri.ini | data
C:\Users\user\AppData\Roaming\2LMM06TC\2LMlogrv.ini | data
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | data
C:\Users\user\AppData\Local\Temp\DB1 | SQLite 3.x database, last written using SQLite version 3036000
C:\Users\user\AppData\Local\Temp\Hetero3.dat | data
C:\Users\user\AppData\Local\Temp\RES2E9C.tmp | Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f0xsdwy4.l4z.ps1 | ASCII text, with no line terminators
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tjjzqpmp.eor.psm1 | ASCII text, with no line terminators
C:\Users\user\AppData\Local\Temp\gkb1wfd4\CSC1FB6CDA7423C41F280B0C76B8C389BB7.TMP | MSVC .res
C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.0.cs | UTF-8 Unicode (with BOM) text, with CRLF line terminators
C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.cmdline | UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.dll | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.out | UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
C:\Users\user\AppData\Roaming\2LMM06TC\2LMlogim.jpeg | JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1920x1080, frames 3
C:\Users\user\AppData\Roaming\2LMM06TC\2LMlogrg.ini | data