
doc_65398086_4190362045539.pdf.vbs

Status: finished
Submission Time: 2022-05-12 13:23:10 +02:00
Malicious
Trojan
Evader
Phishing
Spyware
AgentTesla, GuLoader, Remcos

Tags

  • GuLoader
  • vbs

Details

  • Analysis ID:
    625179
  • API (Web) ID:
    992680
  • Analysis Started:
    2022-05-12 13:30:24 +02:00
  • Analysis Finished:
    2022-05-12 14:36:52 +02:00
  • MD5:
    2fc6f3477035823ff7864187b5b2a5cc
  • SHA1:
    8e6db7c18a5725e795d7421baf84cae637fbcc53
  • SHA256:
    74e1b9fa91b0840706b7418b8604d76efab886fec1704b8810ad389aa6a9cb9b
  • Technologies:

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

malicious
88/100

System: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Run Condition: Suspected Instruction Hammering

malicious
100/100

malicious
11/59

malicious
8/41

malicious

IPs

IP                Country
185.19.85.162     Switzerland
148.66.138.165    Singapore
13.107.43.12      United States
13.107.43.13      United States
149.154.167.220   United Kingdom

Domains

Name                          IP
myfrontmannyfour.ddns.net     185.19.85.162
vegproworld.com               148.66.138.165
l-0003.l-dc-msedge.net        13.107.43.12
l-0004.l-dc-msedge.net        13.107.43.13
api.telegram.org              149.154.167.220
srod3g.dm.files.1drv.com      0.0.0.0
onedrive.live.com             0.0.0.0
srqeug.dm.files.1drv.com      0.0.0.0

URLs

Name Detection
https://vegproworld.com/wp-content/Medalj.vbsL5
http://pesterbdd.com/images/Pester.png
https://vegproworld.com/
https://vegproworld.com/wp-content/Medalj.vbs
https://srod3g.dm.files.1drv.com/E(
https://srod3g.dm.files.1drv.com/y4m_w_TYZR6G948D0zxHbGIPmcNEAsiCr-h7u8jiKbgtUzAGOf6HCSyuDMew_yzc9ES
http://127.0.0.1:HTTP/1.1
http://nuget.org/NuGet.exe
https://api.telegram.org
https://api.telegram.org/bot2135733177:AAGBiQMSb9sct4MUL0kpdpB0pPO3n3AKBfA/sendDocumentdocument-----
http://www.apache.org/licenses/LICENSE-2.0.html
https://go.micro
https://srqeug.dm.files.1drv.com/y4mQ5yJoi4Y6HcwNbCc6pUgdD-mITQ7kZEuD91b6ItEUlOdCsX5pbb6sRhAFyyW0rsi
https://api.telegram.org/bot2135733177:AAGBiQMSb9sct4MUL0kpdpB0pPO3n3AKBfA/sendDocument
https://contoso.com/License
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
https://contoso.com/Icon
https://srqeug.dm.files.1drv.com/y4mWmfXrC7pY_5e5zLdKHGbqTRTY7ru3PzSbuunLusBV8qDfu1gh_BHmiBYNt80W1VE
https://support.google.com/chrome/?p=plugin_flash
https://onedrive.live.com/download?cid=B6AB3B5EAFD51867&resid=B6AB3B5EAFD51867%21312&authkey=AJEiJ04sJsNkOJM
https://srod3g.dm.files.1drv.com/z
http://www.nirsoft.net
https://onedrive.live.com/download?cid=B6AB3B5EAFD51867&resid=B6AB3B5EAFD51867%21312&authkey=AJEiJ04sJsNk
https://srqeug.dm.files.1drv.com/
https://srod3g.dm.files.1drv.com/y4m1P90Kk2H-cNQxXOJmqK2HftFgWGvGMYnAecew4IQelLJRvEs3Mvm9AZePLE-7ycBADDM9gjChXojaUAFvzvY-Cy423yGwrUlC_bcoe1JiYKCw2nHeJm1x3gw-2YaAOTwF9stB2Fe3I_Q9EF5DHXKtmNsHMwqvsJEU4eUPPpWM4bTgczCUMzY-aeTL5nEBZP9w9o-E6QNqLbkLX7BveYa8g/asorem_uGQzQlB204.bin?download&psid=1
https://github.com/Pester/Pester
https://onedrive.live.com/
https://srqeug.dm.files.1drv.com/J
https://srqeug.dm.files.1drv.com/y4mQ5yJoi4Y6HcwNbCc6pUgdD-mITQ7kZEuD91b6ItEUlOdCsX5pbb6sRhAFyyW0rsiikZIYNIG3aN6ru2QI2Jocl96QMckoKGjZLRdv33V4FgJlT3eaTuEf_wqTXNdhutLMwhMLh-VKMkO_LprFAOjs6TmBR3J7sRcYsKdRqB40Ocy23CLaBXHZNwliA1rPOqAP9E2b6fOWIjj8SBiqNoMxg/asonewstub_sILUK5.bin?download&psid=1
https://srod3g.dm.files.1drv.com/
https://onedrive.live.com/download?cid=B6AB3B5EAFD51867&resid=B6AB3B5EAFD51867%21312&authkey=AJEiJ04
https://aka.ms/pscore6lB
https://contoso.com/
https://nuget.org/nuget.exe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi
http://mHPdOL.com
https://www.google.com/accounts/servicelogin
https://login.yahoo.com/config/login
https://VaZy5Ui1fWtrw.com
https://srod3g.dm.files.1drv.com/y4m1P90Kk2H-cNQxXOJmqK2HftFgWGvGMYnAecew4IQelLJRvEs3Mvm9AZePLE-7ycB
https://onedrive.live.com/download?cid=B6AB3B5EAFD51867&resid=B6AB3B5EAFD51867%21315&authkey=AOvGd5g
http://www.nirsoft.net/
http://api.telegram.org
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Dropped files

Name / File Type
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    data
C:\Users\user\AppData\Local\Temp\15yt3nse\15yt3nse.0.cs
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
C:\Users\user\AppData\Local\Temp\15yt3nse\15yt3nse.cmdline
    UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
C:\Users\user\AppData\Local\Temp\15yt3nse\15yt3nse.dll
    PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Local\Temp\15yt3nse\15yt3nse.out
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
C:\Users\user\AppData\Local\Temp\15yt3nse\CSC6AB740706204464FA33B93DBB15436C9.TMP
    MSVC .res
C:\Users\user\AppData\Local\Temp\5gap5ezo\5gap5ezo.0.cs
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
C:\Users\user\AppData\Local\Temp\5gap5ezo\5gap5ezo.cmdline
    UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
C:\Users\user\AppData\Local\Temp\5gap5ezo\5gap5ezo.dll
    PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Local\Temp\5gap5ezo\5gap5ezo.out
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
C:\Users\user\AppData\Local\Temp\5gap5ezo\CSCC8BD0ABCCBE4C73AB31B0DCB5E94165.TMP
    MSVC .res
C:\Users\user\AppData\Local\Temp\Medalj.vbs
    ASCII text, with very long lines, with CRLF line terminators
C:\Users\user\AppData\Local\Temp\RES8878.tmp
    Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols
C:\Users\user\AppData\Local\Temp\RESF835.tmp
    Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols
C:\Users\user\AppData\Local\Temp\Troldes.dat
    data
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fu5ipelj.u5l.psm1
    ASCII text, with no line terminators
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mqeymjvc.kdh.psm1
    ASCII text, with no line terminators
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uqh2gi34.byq.ps1
    ASCII text, with no line terminators
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yuh0lgm1.yl0.ps1
    ASCII text, with no line terminators
C:\Users\user\AppData\Local\Temp\bhv46D6.tmp
    Extensible storage engine DataBase, version 0x620, checksum 0xf8b2a747, page size 32768, DirtyShutdown, Windows version 10.0
C:\Users\user\AppData\Local\Temp\bhv8863.tmp
    Extensible storage engine DataBase, version 0x620, checksum 0xf8b2a747, page size 32768, DirtyShutdown, Windows version 10.0
C:\Users\user\AppData\Local\Temp\msjsdp
    Little-endian UTF-16 Unicode text, with no line terminators
C:\Users\user\AppData\Local\Temp\rettetast.dat
    data
C:\Users\user\AppData\Local\Temp\xxulbm
    Little-endian UTF-16 Unicode text, with no line terminators
C:\Users\user\AppData\Roaming\ugvgydy0.1al\Chrome\Default\Cookies
    SQLite 3.x database, last written using SQLite version 3036000
C:\Users\user\AppData\Roaming\ugvgydy0.1al\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite
    SQLite 3.x database, user version 12, last written using SQLite version 3036000
\Device\ConDrv
    ASCII text, with CRLF line terminators