Excel File Executes PowerShell to Download/Execute .Net Key Logger | Network
VTI SCORE: 100/100
Target: win7_64_sp1-mso2007 | ms_office
Classification: Trojan, Dropper, Keylogger, Downloader

SHA256: 49d9e68dbb6a4bfc5122545b2150adfc3b0ac99f717a1676a5de1e6865c8143b

Filename (as submitted): share.cgissid07Ua3Tpfid07Ua3TpfilenameRFQ0332.xlsopenfolderforcedownloadep.xls

File type: Excel Document

Created at: 2018-04-18 14:33:00

Connection Overview

Contacted Hosts (2)

Hostname | IP Address | Location | Protocols | Reputation Status
3lionsfactory.ga | 164.160.128.121 | Nigeria | HTTP, DNS, TCP | Has Blacklisted URL
checkip.dyndns.org | 216.146.43.70, 91.198.22.70, 216.146.43.71, 216.146.38.70 | Manchester (United States) | HTTP, DNS, TCP | Unknown

Contacted URLs (2)

URL | Categories | Names | HTTP Status Code | Reputation Status
3lionsfactory.ga/out/linit.exe | Phishing | - | - | Blacklisted
checkip.dyndns.org/ | - | - | HTTP_STATUS_OK (200) | Unknown

Connections

DNS (3)

Operation | Additional Information | Success | Count
Resolve Name | host = 3lionsfactory.ga, address_out = 164.160.128.121 | True | 1
Resolve Name | host = checkip.dyndns.org, address_out = 216.146.43.70, 91.198.22.70, 216.146.43.71, 216.146.38.70 | True | 1
Resolve Name | host = checkip.dyndns.org, address_out = 216.146.38.70, 216.146.43.71, 91.198.22.70, 216.146.43.70 | True | 1
HTTP Sessions (3)

Information | Value
Total Data Sent | 0.23 KB
Total Data Received | 240.76 KB
Contacted Host Count | 2
Contacted Hosts | checkip.dyndns.org, 3lionsfactory.ga

HTTP Session #1

Information | Value
Server Name | checkip.dyndns.org
Server Port | 80
Data Sent | 0.07 KB
Data Received | 0.25 KB

Operation | Additional Information | Success | Count
Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS | True | 1
Open Connection | protocol = http, server_name = checkip.dyndns.org, server_port = 80 | True | 1
Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = / | True | 1
Send HTTP Request | headers = host: checkip.dyndns.org, connection: Keep-Alive, url = checkip.dyndns.org/ | True | 1
Read Response | size = 4096, size_out = 260 | True | 1
Close Session | - | True | 1

HTTP Session #2

Information | Value
User Agent | USR-KL
Server Name | 3lionsfactory.ga
Server Port | 80
Data Sent | 0.10 KB
Data Received | 240.25 KB

Operation | Additional Information | Success | Count
Open Session | user_agent = USR-KL, access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS | True | 1
Open Connection | protocol = http, server_name = 3lionsfactory.ga, server_port = 80 | True | 1
Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /out/linit.exe | True | 1
Send HTTP Request | headers = host: 3lionsfactory.ga, connection: Keep-Alive, user-agent: USR-KL, url = 3lionsfactory.ga/out/linit.exe | True | 1
Read Response | size = 4096, size_out = 4096 | True | 1
Read Response | size = 65536, size_out = 44 | True | 1
Read Response | size = 65536, size_out = 53820 | True | 1
Read Response | size = 65536, size_out = 2760 | True | 1
Read Response | size = 65536, size_out = 34500 | True | 1
Read Response | size = 65536, size_out = 65536 | True | 1
Read Response | size = 65536, size_out = 704 | True | 1
Read Response | size = 65536, size_out = 28980 | True | 1
Read Response | size = 55575, size_out = 27600 | True | 1
Read Response | size = 27975, size_out = 15180 | True | 1
Read Response | size = 12795, size_out = 12795 | True | 1

HTTP Session #3

Information | Value
Server Name | checkip.dyndns.org
Server Port | 80
Data Sent | 0.07 KB
Data Received | 0.26 KB

Operation | Additional Information | Success | Count
Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS | True | 1
Open Connection | protocol = http, server_name = checkip.dyndns.org, server_port = 80 | True | 1
Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = / | True | 1
Send HTTP Request | headers = host: checkip.dyndns.org, connection: Keep-Alive, url = checkip.dyndns.org/ | True | 1
Read Response | size = 4096, size_out = 262 | True | 1
Close Session | - | True | 1
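The three sessions above carry everything a first triage pass needs: the request line, the user agent, and the per-call size_out values. The Python script below is an added example, not VMRay code or VMRay output. Its line-oriented log format is constructed from the session tables above (it is not VMRay's export format), and the watchlists of IP-check hosts, abused free TLDs and executable extensions are assumptions chosen for the example. It groups Read Response calls per session, sums size_out to reproduce the report's per-session and total Data Received figures (240.25 KB for the linit.exe fetch, 240.76 KB overall), and flags the three indicators a detection engineer would turn into rules here: the egress IP lookup against checkip.dyndns.org, the plaintext download of an executable from a .ga host, and the non-browser User-Agent USR-KL.

```python
"""Triage the HTTP sessions of a sandbox report for dropper/keylogger indicators.

Added example: not VMRay code and not VMRay's export format. The log lines are
constructed from the HTTP Session tables in the report above.
"""
import re

# Constructed from the report's three HTTP sessions: one line per request,
# one line per Read Response call. "ua=-" means no user agent was recorded.
SESSION_LOG = """\
session=1 op=request host=checkip.dyndns.org port=80 verb=GET resource=/ ua=-
session=1 op=read size_out=260
session=2 op=request host=3lionsfactory.ga port=80 verb=GET resource=/out/linit.exe ua=USR-KL
session=2 op=read size_out=4096
session=2 op=read size_out=44
session=2 op=read size_out=53820
session=2 op=read size_out=2760
session=2 op=read size_out=34500
session=2 op=read size_out=65536
session=2 op=read size_out=704
session=2 op=read size_out=28980
session=2 op=read size_out=27600
session=2 op=read size_out=15180
session=2 op=read size_out=12795
session=3 op=request host=checkip.dyndns.org port=80 verb=GET resource=/ ua=-
session=3 op=read size_out=262
"""

# Watchlists are assumptions for this example, not part of the report.
IP_CHECK_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "icanhazip.com", "ipinfo.io"}
ABUSED_FREE_TLDS = {"ga", "tk", "ml", "cf", "gq"}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr")

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_sessions(log_text):
    """Group log lines by session id, summing size_out over Read Response calls."""
    sessions = {}
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        sess = sessions.setdefault(int(fields["session"]), {"bytes_received": 0})
        if fields["op"] == "request":
            sess.update(host=fields["host"], port=int(fields["port"]),
                        verb=fields["verb"], resource=fields["resource"], ua=fields["ua"])
        elif fields["op"] == "read":
            sess["bytes_received"] += int(fields["size_out"])
    return sessions


def to_kb(num_bytes):
    """Bytes to KB at two decimals, using the report's 1 KB = 1024 bytes convention."""
    return round(num_bytes / 1024, 2)


def assess(sess):
    """Return the indicator labels that fire for one session."""
    findings = []
    if sess["host"] in IP_CHECK_HOSTS:
        findings.append("external IP lookup")
    if sess["resource"].lower().endswith(EXECUTABLE_SUFFIXES) and sess["port"] == 80:
        findings.append("executable download over plaintext HTTP")
    if sess["host"].rsplit(".", 1)[-1] in ABUSED_FREE_TLDS:
        findings.append("free/abused TLD")
    if sess["ua"] != "-" and not sess["ua"].startswith("Mozilla/"):
        findings.append(f"non-browser user agent {sess['ua']!r}")
    return findings


def triage(log_text):
    """Per-session summary plus the overall received total."""
    sessions = parse_sessions(log_text)
    per_session = {
        sid: {"host": s["host"], "kb_received": to_kb(s["bytes_received"]),
              "findings": assess(s)}
        for sid, s in sorted(sessions.items())
    }
    total = sum(s["bytes_received"] for s in sessions.values())
    return {"sessions": per_session, "total_kb_received": to_kb(total)}


if __name__ == "__main__":
    result = triage(SESSION_LOG)
    for sid, entry in result["sessions"].items():
        print(f"session {sid}: {entry['host']} {entry['kb_received']} KB "
              f"-> {', '.join(entry['findings']) or 'no findings'}")
    print(f"total received: {result['total_kb_received']} KB")
```

Run it as a script to print the per-session summary. The summed size_out values matching the report's KB figures (at two decimals, 1 KB = 1024 bytes) confirms the parser saw every Read Response line; a mismatch means a dropped or misparsed record. Of the three indicators, the custom User-Agent is the cheapest proxy or IDS match but also the easiest for the operator to rename; the plaintext fetch of an executable from a free-TLD host, bracketed by IP-check lookups, is the pattern that survives such a rename.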