Excel File Executes PowerShell to Download/Execute .Net Key Logger | IOCs
Logo
Try VMRay Analyzer
VTI SCORE: 100/100
Target: win7_64_sp1-mso2007 | ms_office
Classification: Trojan, Dropper, Keylogger, Downloader

49d9e68dbb6a4bfc5122545b2150adfc3b0ac99f717a1676a5de1e6865c8143b (SHA256)

share.cgissid07Ua3Tpfid07Ua3TpfilenameRFQ0332.xlsopenfolderforcedownloadep.xls

Excel Document

Created at 2018-04-18 14:33:00

...

Notifications (1/1)

The operating system was rebooted during the analysis because the sample installed a startup script or application for persistence.

Indicators

File (65)
»
Filename Hash Operations
C:\ - Access
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\plutil.exe - Access
C:\Program Files (x86)\Flock\nss3.dll - Access
C:\Program Files (x86)\jDownloader\config\database.script - Access
C:\Program Files (x86)\Mozilla Firefox\ - Access
C:\Program Files (x86)\Mozilla Firefox\\ - Access
C:\Program Files (x86)\Mozilla Firefox\nss3.dll - Access
C:\Program Files (x86)\Mozilla Thunderbird\nss3.dll - Access
C:\Program Files (x86)\Postbox\nss3.dll - Access
C:\Program Files (x86)\SeaMonkey\nss3.dll - Access
C:\ProgramData\DynDNS\Updater\config.dyndns - Access
C:\Users - Access
C:\Users\All Users\AppData\Roaming\FlashFXP\3quick.dat - Access
C:\Users\kFT6uTQW - Access
C:\Users\kFT6uTQW\AppData - Access
C:\Users\kFT6uTQW\AppData\Local\Chromium\User Data\Default\Login Data - Access
C:\Users\kFT6uTQW\AppData\Local\Comodo\Dragon\User Data\Default\Login Data - Access
C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Login Data - Access, Read
C:\Users\kFT6uTQW\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data - Access
C:\Users\kFT6uTQW\AppData\Local\Torch\User Data\Default\Login Data - Access
C:\Users\kFT6uTQW\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data - Access
C:\Users\kFT6uTQW\AppData\Roaming - Access
C:\Users\kFT6uTQW\AppData\Roaming\.purple\accounts.xml - Access
C:\Users\kFT6uTQW\AppData\Roaming\aap6.exe - Access
C:\Users\kFT6uTQW\AppData\Roaming\aap6.exe.config - Access
C:\Users\kFT6uTQW\AppData\Roaming\CoreFTP\sites.idx - Access
C:\Users\kFT6uTQW\AppData\Roaming\DURA Automotive Systems Inc\ - Access
C:\Users\kFT6uTQW\AppData\Roaming\DURA Automotive Systems Inc\DURA Automotive Systems Inc.exe MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 		Access
C:\Users\kFT6uTQW\AppData\Roaming\DURA Automotive Systems Inc\DURA Automotive Systems Inc.exe.config - Access
C:\Users\kFT6uTQW\AppData\Roaming\DURA Automotive Systems Inc\DURA Automotive Systems Inc.exe:Zone.Identifier - Access
C:\Users\kFT6uTQW\AppData\Roaming\FileZilla\recentservers.xml - Access
C:\Users\kFT6uTQW\AppData\Roaming\Flock\Browser\profiles.ini - Access
C:\Users\kFT6uTQW\AppData\Roaming\Flock\Browser\signons3.txt - Access
C:\Users\kFT6uTQW\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini - Access
C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\profiles.ini - Access, Read
C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\Profiles\p7ap74gw.default\logins.json - Access
C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\SeaMonkey\logins.json - Access
C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini - Access
C:\Users\kFT6uTQW\AppData\Roaming\Opera Mail\Opera Mail\wand.dat - Access
C:\Users\kFT6uTQW\AppData\Roaming\Opera Software\Opera Stable\Login Data - Access
C:\Users\kFT6uTQW\AppData\Roaming\Pocomail\accounts.ini - Access
C:\Users\kFT6uTQW\AppData\Roaming\Postbox\profiles.ini - Access
C:\Users\kFT6uTQW\AppData\Roaming\Postbox\signons.sqlite - Access
C:\Users\kFT6uTQW\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ - Access
C:\Users\kFT6uTQW\AppData\Roaming\The Bat! - Access
C:\Users\kFT6uTQW\AppData\Roaming\Thunderbird\logins.json - Access
C:\Users\kFT6uTQW\AppData\Roaming\Thunderbird\profiles.ini - Access
C:\Users\kFT6uTQW\AppData\Roaming\Thunderbird\signons.sqlite - Access
C:\Users\kFT6uTQW\Desktop - Access
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll - Access
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config - Access, Read
C:\Windows\system32\Ftplist.txt - Access
C:\Windows\SysWOW64\WindowsPowerShell\v1.0 - Access
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml - Access, Read
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml - Access, Read
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml - Access, Read
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml - Access, Read
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml - Access, Read
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml - Access, Read
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.config - Access
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml - Access
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml - Access
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml - Access
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml - Access, Read
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml - Access, Read
Registry (57)
»
Registry Key Name Operations
8804558B-B773-11d1-BC3E-0000F87552E7 Read
HKEY_CURRENT_USER Access
HKEY_CURRENT_USER\Environment Access, Read
HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Access
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run Access
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections Access
HKEY_CURRENT_USER\SOFTWARE\Vitalwerks\DUC Access
HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview Access
HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1 Access
HKEY_CURRENT_USER\Software\DownloadManager\Passwords Access
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 Access
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Access
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Access
HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676 Access
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Access
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Access, Read
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 Access, Read
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 Access, Read
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Access, Read, Write
HKEY_CURRENT_USER\Software\Paltalk Access
HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds Access, Read
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell Access, Read
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion Access, Read
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN Access, Read
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Access
HKEY_LOCAL_MACHINE\SOFTWARE\Vitalwerks\DUC Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance Access, Read
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance Access, Read
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ODiag Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ODiag\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OSession Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OSession\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell Access
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework Access, Read
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell Access
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 Access
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine Access, Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting Access, Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion Access, Read
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment Access, Read
Mutex (1)
»
Mutex Name Operations
Global\.net clr networking Access, Delete
URL (2)
»
URL Operations
3lionsfactory.ga/out/linit.exe GET
checkip.dyndns.org/ GET
IP (5)
»
IP Protocols
164.160.128.121 HTTP, DNS, TCP
216.146.43.70 HTTP, DNS, TCP
91.198.22.70 HTTP, DNS, TCP
216.146.43.71 HTTP, DNS, TCP
216.146.38.70 HTTP, DNS, TCP
Export IOCs
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image