=
We are hiring! Windows Kernel Developer (Remote), apply here!
flash

SD 2477.exe

Status: finished
Submission Time: 2022-05-12 13:23:05 +02:00
Malicious
Trojan
Evader
Phishing
Spyware
GuLoader, Remcos

Comments

Tags

  • exe
  • signed

Details

  • Analysis ID:
    625173
  • API (Web) ID:
    992677
  • Analysis Started:
    2022-05-12 13:27:00 +02:00
  • Analysis Finished:
    2022-05-12 13:58:00 +02:00
  • MD5:
    746317ad3672cbd82d6c27c85259157a
  • SHA1:
    4e7456b6ca4e428e169f77de9c1e6cc05f409058
  • SHA256:
    7f8c325a18b7d3705bb19aa6db444a42dc69a03dd1ae79bdbfcb9405ecd83584
  • Technologies:
Full Report Management Report IOC Report Engine Info Verdict Score Reports

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

malicious
72/100

System: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run Condition: Suspected Instruction Hammering

malicious
100/100

malicious
23/68

malicious
14/41

malicious

IPs

IP Country Detection
185.20.186.103
Ukraine
142.251.36.65
United States
142.250.184.206
United States

Domains

Name IP Detection
dwilsonson23.sytes.net
185.20.186.103
dual-a-0001.dc-msedge.net
131.253.33.200
drive.google.com
142.250.184.206
Click to see the 3 hidden entries
e-0009.e-msedge.net
13.107.5.88
googlehosted.l.googleusercontent.com
142.251.36.65
doc-10-20-docs.googleusercontent.com
0.0.0.0

URLs

Name Detection
https://cdnjs.cloudflare.com/ajax/libs/gsap/3.5.1/gsap.min.js
http://www.imvu.comr
https://s1.adform.net/Banners/Elements/Files/2070608/10170131/bvpath_258/pics/k3.jpg
Click to see the 97 hidden entries
https://s1.adform.net/Banners/Elements/Files/2070608/10170131/bvpath_258/pics/footer.png
https://ajax.aspnetcdn.com/ajax/jquery/jquery-3.3.1.min.js
https://csp.withgoogle.com/csp/ads-programmable
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
http://www.nirsoft.net
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RC0ee8c30f496b428a91d7f3289a2b8a2
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RC784fc6783b2f45a09cb8efa184cc684
https://deff.nelreports.net/api/report?cat=msn
http://www.gopher.ftp://ftp.
https://www.google.com/chrome/
http://cdp.thawte.com/ThawteRSACA2018.crl0L
https://cxcs.microsoft.net/static/public/tips/neutral/6c6740da-0bfe-48a6-83fc-c98d1919b060/3addf02b7
https://csp.withgoogle.com/csp/botguard-scs
https://csp.withgoogle.com/csp/report-to/active-view-scs-read-write-acl
https://s1.adform.net/Banners/Elements/Files/2070608/10170131/10170131.js?ADFassetID=10170131&bv=258
http://crls.pki.goog/gts1c3/QOvJ0N1sT2A.crl0
https://www.msn.com
https://sync-t1.taboola.com/sg/criteortb-network/1/rtb-h/?taboola_hm=b2df1cf6-0873-4430-916b-9612e80
https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-westeuropean/segoeui-light.wo
https://btloader.com/tag?o=6208086025961472&upapi=true
http://www.imvu.comata
https://use.typekit.net/af/eaf09c/000000000000000000017703/27/d?subset_id=2&fvd=n7&v=3
https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg
https://eb2.3lift.com/synccompletion/adm/exitcode=0&type=install&workflow=323739368433491;gtm=2wg8g0
https://b1sync.zemanta.com/usersync/msn/?puid=101156F9176C6E98058F466E16B36FAC
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_pad%2
http://www.imvu.com/
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RCe691e5baee9945259179326d0658843
http://ocsp.sca1b.amazontrust.com06
https://77243bf109fbfd4c6540dfa32ce43b7d.clo.footprintdns.com/apc/trans.gif?acea25fcc08da24d4d717452
http://certs.godaddy.com/repository/1301
http://www.imvu.com
http://ocsp.rootca1.amazontrust.com0:
https://certs.godaddy.com/repository/0
https://pki.goog/repository/0
https://www.msn.com/
https://doc-10-20-docs.googleusercontent.com/
https://contextual.media.net/checksync.php&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RCd01d50cad19649bf857a22be5995480
http://cacerts.thawte.com/ThawteRSACA2018.crt0
http://crl.godaddy.com/gdroot-g2.crl0F
http://crl.rootg2.amazontrust.com/rootg2.crl0
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chrom0;ord=8672137916610;
https://fp-afd.azurefd.net/apc/trans.gif?cc0090b1d4f11396dcefd3282bde5f89
https://www.msn.com/?ocid=iehp
https://cvision.media.net/new/300x300/2/45/221/3/7d5dc6a9-5325-442d-926e-f2c668b8e65e.jpg?v=9
https://contextual.media.net/medianet.phpcid=8CU157172&crid=858412214&size=306x271&https=1id=77%2C18
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RC8cd6be4f72cf4da1aa891e7da23d144
https://aefd.nelreports.net/api/report?cat=bingrms
https://www.google.com/accounts/servicelogin
http://trc.taboola.com/p3p.xml
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RC028e72ad6b944b8183346fecb32a729
https://cxcs.microsoft.net/api/settings/en-US/xml/settings-tipset?release=20h1&sku=Professional&plat
https://ow1.res.office365.com/apc/trans.gif?6ddaa1fdedee1687470f054f781e5afc
http://crl.pki.goog/gsr1/gsr1.crl0;
https://s1.adform.net/Banners/Elements/Files/2070608/10170131/bvpath_258/pics/k2.jpg
http://crl.godaddy.com/gdig2s1-2558.crl0
http://ocsp.sectigo.com0
https://csp.withgoogle.com/csp/report-to/botguard-scs
https://doc-10-20-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/4kt6kj4d0084526l7js9den2kr3jfv0g/1652355675000/13609515036127870368/*/15o_MQXwhHi1q2hB6HCot5QkKY25MLVec?e=download
http://certificates.godaddy.com/repository/0
https://www.msn.com/spartan/ientplo
https://s1.adform.net/banners/scripts/rmb/Adform.DHTML.js?bv=626
https://eb2.3lift.com/sync?
https://acdn.adnxs.com/dmp/async_usersync.html
http://www.avast.com0/
https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
http://crls.pki.goog/gts1c3/zdATt0Ex_Fk.crl0
https://csp.withgoogle.com/csp/report-to/adspam-signals-scs
http://pki.goog/repo/certs/gts1c3.der07
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7209567
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
https://srtb.msn.com/auction?a=de-ch&b=bba24733ba4a487f8f8706bf3811269e&c=MSN&d=https%3A%2F%2Fwww.ms
https://use.typekit.net/af/cb695f/000000000000000000017701/27/d?subset_id=2&fvd=n4&v=3
https://www.msn.com/de-ch/?ocid=iehp
https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
https://cdn.taboola.com/TaboolaCookieSyncScript.js
https://www.googletagservices.com/activeview/js/current/rx_lidar.js?cache=r20110914
https://static.doubleclick.net/dynamic/5/283983386/11928812572019506176_2845462151855228713.jpeg
https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/scripttemplates/otSDKStub.js
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RCefb91313fdae420ebbea45d8f044894
https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3739368433491;gtm=
https://www.google.com/pagead/drt/ui
https://www.msn.com/de-ch/ocid=iehpappid=0&re=0&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%
https://s1.adform.net/stoat/626/s1.adform.net/bootstrap.js
https://sb.scorecardresearch.com/beacon.js
http://pki.goog/gsr1/gsr1.crt02
http://pki.goog/repo/certs/gts1c3.der0$
https://doc-10-20-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/rdk8vcmh
https://sb.scorecardresearch.com/b2?c1=2&c2=3000001&cs_ucfr=1&rn=1632306836522&c7=https%3A%2F%2Fwww.
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_368%2Cw_622%2Cc_fill%2Cg_faces:au
https://fp-afd.azureedge.us/apc/trans.gif?edd9ae41b7970a265a6dfb9c4956f1d7
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RCacc6c4ed30494f9fad065afe638a7ca
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
https://cvision.media.net/new/300x300/2/75/165/127/fefc2984-60ee-407b-a704-0db527f30f53.jpg?v=9

Dropped files

Name File Type Hashes Detection
C:\Users\user\AppData\Local\Temp\install.vbs
data
#
C:\Users\user\AppData\Roaming\ios.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Users\user\AppData\Roaming\ios.exe:Zone.Identifier
ASCII text, with CRLF line terminators
#
Click to see the 9 hidden entries
C:\Users\user\AppData\Local\Temp\Meniscotherium1.Sch7
data
#
C:\Users\user\AppData\Local\Temp\bhvE86E.tmp
Extensible storage engine DataBase, version 0x620, checksum 0x03d82694, page size 32768, DirtyShutdown, Windows version 10.0
#
C:\Users\user\AppData\Local\Temp\emblem-default-symbolic.symbolic.png
PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
#
C:\Users\user\AppData\Local\Temp\lang-1026.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Local\Temp\llgguleakcnppfakdibd
Little-endian UTF-16 Unicode text, with no line terminators
#
C:\Users\user\AppData\Local\Temp\network-cellular-hardware-disabled-symbolic.svg
SVG Scalable Vector Graphics image
#
C:\Users\user\AppData\Local\Temp\nseF43E.tmp\System.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Local\Temp\nsg85A6.tmp\System.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Roaming\logs.dat
data
#