
628df1368bdb5.dll

Status: finished
Submission Time: 2022-05-25 11:07:13 +02:00
Malicious
E-Banking Trojan
Trojan
Evader
Ursnif

Tags

  • BRT
  • dll
  • gozi
  • isfb
  • ita
  • ursnif

Details

  • Analysis ID:
    633910
  • API (Web) ID:
    1001413
  • Analysis Started:
    2022-05-25 11:16:12 +02:00
  • Analysis Finished:
    2022-05-25 11:30:18 +02:00
  • MD5:
    2ced3a825a7b8d9ad0153b2f8566b357
  • SHA1:
    4b6484602c29c298b5270f2c95e9aeeabb162737
  • SHA256:
    f760495de9b1a0a152075541f40014ceb46925213da7e2c542bc6e606bea46fc
  • Technologies:
Verdict: malicious

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

Score: 100/100 (malicious)

IPs

  • IP:
    176.10.119.68
    Country: Switzerland

Domains

  • Name:
    l-0007.l-dc-msedge.net
    IP: 13.107.43.16

URLs


Dropped files

  • C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_2f670449314c9cbe26f2787fed1eece2045eb75_7cac0383_1a8a9c09\Report.wer
    Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_895e5a36908a521ee0a162e13575c3f3aee3817c_7cac0383_00b9f588\Report.wer
    Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_8f579be425d8a5cc6392bac965f2eeac594eed7_7cac0383_14da83fd\Report.wer
    Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER27A.tmp.xml
    XML 1.0 document, ASCII text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER8C69.tmp.dmp
    Mini DuMP crash report, 15 streams, Wed May 25 09:18:06 2022, 0x1205a4 type
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER9081.tmp.WERInternalMetadata.xml
    XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER92B4.tmp.xml
    XML 1.0 document, ASCII text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERB4.tmp.WERInternalMetadata.xml
    XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERF019.tmp.dmp
    Mini DuMP crash report, 15 streams, Wed May 25 09:17:26 2022, 0x1205a4 type
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERF337.tmp.WERInternalMetadata.xml
    XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERF461.tmp.xml
    XML 1.0 document, ASCII text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERFDF4.tmp.dmp
    Mini DuMP crash report, 15 streams, Wed May 25 09:17:29 2022, 0x1205a4 type
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    data
  • C:\Users\user\AppData\Local\Temp\RES10A0.tmp
    Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
  • C:\Users\user\AppData\Local\Temp\RES20CD.tmp
    Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3ltvm2t1.11d.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mv15gf43.tzv.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\hpvnexdj\CSC5D09D8212D1C47D8BF5AC4D6502884C9.TMP
    MSVC .res
  • C:\Users\user\AppData\Local\Temp\hpvnexdj\hpvnexdj.0.cs
    UTF-8 Unicode (with BOM) text
  • C:\Users\user\AppData\Local\Temp\hpvnexdj\hpvnexdj.cmdline
    UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
  • C:\Users\user\AppData\Local\Temp\hpvnexdj\hpvnexdj.dll
    PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\hpvnexdj\hpvnexdj.out
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
  • C:\Users\user\AppData\Local\Temp\vebwfha3\CSC57533E6B898B4B7BB8DAE45DDD64B0AA.TMP
    MSVC .res
  • C:\Users\user\AppData\Local\Temp\vebwfha3\vebwfha3.0.cs
    UTF-8 Unicode (with BOM) text
  • C:\Users\user\AppData\Local\Temp\vebwfha3\vebwfha3.cmdline
    UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
  • C:\Users\user\AppData\Local\Temp\vebwfha3\vebwfha3.dll
    PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\vebwfha3\vebwfha3.out
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
  • C:\Users\user\Documents\20220525\PowerShell_transcript.414408.cCtJuFkM.20220525111811.txt
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
  • C:\Users\user\TestLocal.ps1
    ASCII text, with no line terminators
  • C:\Users\user\WhiteBook.lnk
    MS Windows shortcut, Item id list present, Has Relative path, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hidenormalshowminimized