
Sample: aSsc9zh1ex.exe

Status: finished
Submission Time: 2022-05-12 10:25:30 +02:00
Verdict: Malicious
Classification: Trojan, Evader
Malware families: FormBook, GuLoader

Tags

  • 32
  • exe
  • trojan

Details

  • Analysis ID:
    625008
  • API (Web) ID:
    992512
  • Analysis Started:
    2022-05-12 10:30:45 +02:00
  • Analysis Finished:
    2022-05-12 10:57:38 +02:00
  • MD5:
    d5e55a57372bcad45fbb260105179caf
  • SHA1:
    9b1935a927c072dd31017362ff1739bf1ea2aaf7
  • SHA256:
    3c27c2aa1bc826faa65ab4038eb385cabd6db50108410e6f674d455aa1dc5532
Verdicts

Engine / environment | Verdict | Score
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 | malicious | 72/100
Windows 10 64 bit 20H2, native physical machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301); run condition: suspected instruction hammering | malicious | 100/100
Multi-engine scan | malicious | 24/64
Multi-engine scan | malicious | 5/35
Multi-engine scan | malicious | 14/41

The bare-metal rerun was triggered because the first run showed signs of instruction hammering, a sandbox-evasion tactic that burns CPU time in tight loops to outlast emulators and instrumented VMs. The jump from 72/100 in the VM to 100/100 on physical hardware is consistent with the Evader classification and means the VM run probably did not observe the full payload behaviour; when triaging, prefer the bare-metal report. The three x/y scores are multi-engine antivirus detection ratios (detections over engines queried).

IPs

IP | Country
41.203.18.177 | South Africa
68.65.122.211 | United States
23.227.38.74 | Canada
3.64.163.50 | United States
192.64.117.165 | United States
203.170.86.89 | Australia
93.184.220.29 | European Union

Domains

Name | Resolved IP
www.intelios.xyz | 3.64.163.50
herbalsfixng.xyz | 192.64.117.165
schnellekreditfinanz.com | 68.65.122.211
www.fungismartgrid.com | 41.203.18.177
barsam.com.au | 203.170.86.89
shops.myshopify.com | 23.227.38.74
www.kbcoastalproperties.com | 0.0.0.0
www.sura.ooo | 0.0.0.0
www.shantelleketodietofficial.site | 0.0.0.0
www.threads34.store | 0.0.0.0
www.taakyif.com | 0.0.0.0
www.schnellekreditfinanz.com | 0.0.0.0
www.hokasneakeruse.xyz | 0.0.0.0
www.perrobravostudio.com | 0.0.0.0
www.reionsbank.com | 0.0.0.0
www.nelvashop.com | 0.0.0.0
www.rnrr.xyz | 0.0.0.0
www.ayanaslifeinmalaysia.com | 0.0.0.0
www.thebeautystore.store | 0.0.0.0
www.herbalsfixng.xyz | 0.0.0.0
www.gpusforfun.com | 0.0.0.0
www.liesdevocalist.store | 0.0.0.0

A resolved IP of 0.0.0.0 means the name did not resolve during the run. FormBook walks through its embedded list of C2 domains in turn, so the non-resolving names are still part of the sample's configuration and should be blocked and hunted for alongside the ones that answered. barsam.com.au is the payload host rather than a C2 name (see URLs).

URLs

Payload download (GuLoader stage) and FormBook C2 beacons (path /wn19/ with an opaque query):
http://barsam.com.au/bin_QuCucbUMda229.bin
http://barsam.com.au/bin_QuCucbUMda229.bin?
http://barsam.com.au/bin_QuCucbUMda229.bing
http://www.intelios.xyz/wn19/?jZf=QQL+SjwgUyPYxJnw2qa+Hze/zpoAw1vY2ZXVt5QHdkoKCL+B47r8V4uCmI0quTqEBnpn&1biX=C2MPnN
http://www.threads34.store/wn19/?jZf=rv1HgXCmNvTRWnk0t/PWMZTArWSxwY6VToXu23C5wd0SYVqo5hbnUnFufPtPTohMYlmc&k0=p8cH
www.shantelleketodietofficial.site/wn19/
http://www.nelvashop.com/wn19/?jZf=74kz/+Omydv/tJV+ps5/T47bI5nxKh+DjdkrvIsUcwHn/m5f3NJjyQUUG1A7gP1GNjyQ&k0=p8cH
http://www.herbalsfixng.xyz/wn19/?jZf=/aPRIOivZv/SK3yyBSrwMHS3aEcDnGoJdVwaw0Jv+PFvpIBjQ3dFVdba2CvjMIDrv82h&1biX=C2MPnN
http://www.fungismartgrid.com/wn19/?jZf=NS202dJbEEETcB12VfvBfMMdjzaMJ2P7TP19ar/APX8BBmPLqx20W3tmhoszgkcRlb4O&1biX=C2MPnN
http://www.schnellekreditfinanz.com/wn19/?jZf=VPEU4GtrlSiNcAkb3jQiBQiB6wsnkRv+1lt8CI/dwo4hrc1cBv2ecJ2q6A5CexHOXEVq&1biX=C2MPnN

Other URL strings recovered from process memory (Windows and Office telemetry, certificate and CRL endpoints, DTD references, the NSIS runtime error string). These are listed exactly as extracted, including truncation and trailing bytes, and are not indicators on their own:
https://api.msn.com/v1/news/Feed/Windows?
https://powerpoint.office.comeu
http://ocsp.sectigo.com0
https://api.msn.com:443/v1/news/Feed/Windows?
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
https://android.notify.windows.com/iOSG
https://excel.office.com
http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
http://schemas.micro
http://www.gopher.ftp://ftp.
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
https://www.msn.com/en-us/news/us/texas-gov-abbott-sends-miles-of-cars-along-border-to-deter-migrant
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
https://sectigo.com/CPS0C
https://www.msn.com/en-us/news/politics/graham-tries-t
https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg
https://word.office.com
https://www.msn.com/en-us/tv/celebrity/tarek-el-moussa-tests-positive-for-covid-19-shuts-down-filmin
https://www.msn.com/en-us/news/technology/facebook-oversight-board-reviewing-xcheck-system-for-vips/
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
http://nsis.sf.net/NSIS_ErrorError
http://www.foreca.com
https://word.office.com-C
https://outlook.com
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppf
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppe
https://api.msn.com/v1/news/Feed/Windows?activityId=5696A836803C42E0B53F7BB2770E5342&timeOut=10000&o
https://aka.ms/odirmO
https://wns.windows.com/).dlll
https://android.notify.windows.com/iOS
https://api.msn.com:443/v1/news/Feed/Windows?Microsoft
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
https://api.msn.com/
https://windows.msn.com:443/shell
https://www.msn.com/en-us/news/crime/charges-man-snapped-killed-4-then-left-bodies-in-field/ar-AAOGa
https://www.msn.com:443/en-us/feed
http://crl3.d
https://www.msn.com/en-us/music/celebrity/the-voice-ariana-grande-and-john-legend-walk-off-when-blak
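The domain, URL and hash values above are only useful once they are matched against your own telemetry. The following is an added example (not part of the sandbox report) that loads those IOCs and runs them over a handful of constructed proxy log lines in a made-up "timestamp client method url status" format. Beyond exact domain matches it also flags URLs that merely share the structure of the FormBook beacons listed above (one short path token, a long base64-like value, a short second key); treating that shape as campaign-generic is an assumption made here, since the token wn19 and the key names jZf, 1biX and k0 rotate between builds. The host www.example-rotated.invalid in the last log line is invented to show that structural match firing.

```python
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# IOCs copied from the report. Names the sandbox resolved only to 0.0.0.0
# did not answer during the run but are still part of the sample's C2 list.
C2_DOMAINS = {
    "www.intelios.xyz", "www.threads34.store", "www.nelvashop.com",
    "www.herbalsfixng.xyz", "www.fungismartgrid.com",
    "www.schnellekreditfinanz.com", "www.shantelleketodietofficial.site",
    "www.kbcoastalproperties.com", "www.sura.ooo", "www.taakyif.com",
    "www.hokasneakeruse.xyz", "www.perrobravostudio.com", "www.reionsbank.com",
    "www.rnrr.xyz", "www.ayanaslifeinmalaysia.com", "www.thebeautystore.store",
    "www.gpusforfun.com", "www.liesdevocalist.store",
}
PAYLOAD_HOST = "barsam.com.au"  # served bin_QuCucbUMda229.bin during the run
SAMPLE_HASHES = {
    "3c27c2aa1bc826faa65ab4038eb385cabd6db50108410e6f674d455aa1dc5532",  # SHA256
    "9b1935a927c072dd31017362ff1739bf1ea2aaf7",                          # SHA1
    "d5e55a57372bcad45fbb260105179caf",                                  # MD5
}

# Every FormBook beacon URL in the report has the shape
#   /<short token>/?<short key>=<long base64-like blob>&<short key>=<short value>
# Treating that shape as campaign-generic (token and key names rotate) is an
# assumption made for this example, not a statement taken from the report.
PATH_RE = re.compile(r"^/[A-Za-z0-9]{2,8}/$")
BLOB_RE = re.compile(r"^[A-Za-z0-9+/=]{40,}$")
SHORT_RE = re.compile(r"^[A-Za-z0-9]{1,8}$")


def looks_like_formbook_c2(url: str) -> bool:
    """Structural check that needs no domain knowledge, so it can catch hosts
    that are not yet on any list."""
    parts = urlsplit(url)
    if not PATH_RE.match(parts.path):
        return False
    # Split by hand: parse_qs would turn the '+' inside the blob into a space.
    params = [p.partition("=") for p in parts.query.split("&") if p]
    if len(params) != 2:
        return False
    (k1, _, v1), (k2, _, v2) = params
    return bool(SHORT_RE.match(k1) and BLOB_RE.match(v1)
                and SHORT_RE.match(k2) and SHORT_RE.match(v2))


def classify(url: str) -> Optional[str]:
    """Return the reason a proxied URL should be flagged, or None."""
    host = urlsplit(url).hostname or ""  # .hostname is already lower-cased
    if host in C2_DOMAINS:
        return "known FormBook C2 domain"
    if host == PAYLOAD_HOST:
        return "GuLoader payload host"
    if looks_like_formbook_c2(url):
        return "FormBook-style C2 URI on unlisted host"
    return None


def scan_proxy_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Constructed log format: '<timestamp> <client> <method> <url> <status>'.
    Returns (client, url, reason) for every flagged line."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than crash the sweep
        client, url = fields[1], fields[3]
        reason = classify(url)
        if reason:
            hits.append((client, url, reason))
    return hits


def hash_is_known(digest: str) -> bool:
    """Hash matching is a plain string compare, so normalise case first;
    tools emit MD5/SHA1/SHA256 in either case."""
    return digest.strip().lower() in SAMPLE_HASHES


# Constructed proxy log lines for illustration (not from the report). The
# last line uses an invented host to show the structural match firing on a
# domain that is not on the list.
SAMPLE_LOG = [
    "2022-05-12T08:31:02Z 10.0.0.5 GET http://barsam.com.au/bin_QuCucbUMda229.bin 200",
    "2022-05-12T08:31:40Z 10.0.0.5 GET http://www.intelios.xyz/wn19/?jZf=QQL+SjwgUyPYxJnw2qa+Hze/zpoAw1vY2ZXVt5QHdkoKCL+B47r8V4uCmI0quTqEBnpn&1biX=C2MPnN 404",
    "2022-05-12T08:31:41Z 10.0.0.5 GET https://api.msn.com/v1/news/Feed/Windows? 200",
    f"2022-05-12T08:32:05Z 10.0.0.5 GET http://www.example-rotated.invalid/ab12/?Qx={'A' * 48}&z9=abcd 200",
]

if __name__ == "__main__":
    for client, url, reason in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} {reason}: {url}")
```

The msn.com line is deliberately included: it is one of the telemetry URLs that sits in the report's URL list next to the real beacons, and it must not fire. Expect two list-based hits and one structural hit on the invented host; tune the structural thresholds against your own proxy data before using them for blocking rather than hunting.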

Dropped files

Path | File type
C:\Users\user\AppData\Local\Temp\AEGISIIINVHelper.dll | PE32+ executable (DLL) (GUI) x86-64, for MS Windows
C:\Users\user\AppData\Local\Temp\AsSQLHelper.dll | PE32+ executable (DLL) (GUI) x86-64, for MS Windows
C:\Users\user\AppData\Local\Temp\CoverDes.exe.manifest | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
C:\Users\user\AppData\Local\Temp\Strepera.wad | data
C:\Users\user\AppData\Local\Temp\emblem-default-symbolic.symbolic.png | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
C:\Users\user\AppData\Local\Temp\face-crying.png | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
C:\Users\user\AppData\Local\Temp\nso8B47.tmp\System.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Local\Temp\wxbase30u_xml_gcc_custom.dll | PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows

nso8B47.tmp\System.dll is the NSIS System plugin, which an NSIS installer stub extracts into a temporary ns*.tmp directory at run time; together with the nsis.sf.net error string in the URL list it shows the sample is an NSIS-packaged loader, the delivery form GuLoader used widely in 2021 and 2022. The sample itself is a 32-bit executable (see Tags), while several of the dropped DLLs are x86-64; a 32-bit process cannot load them, so the 64-bit DLLs, the icons, the manifest and the .wad blob are most likely filler unpacked alongside the loader rather than components it executes. The System plugin and the temp-directory name pattern are the artefacts worth keying on.