628df1368bdb5.dll

Status: finished

Submission Time: 2022-05-25 11:07:13 +02:00

Malicious

E-Banking Trojan

Trojan

Evader

Ursnif

Comments

Details

Analysis ID:
633910
API (Web) ID:
1001413
Analysis Started:

2022-05-25 11:16:12 +02:00
Analysis Finished:

2022-05-25 11:30:18 +02:00
MD5:
2ced3a825a7b8d9ad0153b2f8566b357
SHA1:
4b6484602c29c298b5270f2c95e9aeeabb162737
SHA256:
f760495de9b1a0a152075541f40014ceb46925213da7e2c542bc6e606bea46fc
Technologies:

Engines
IOCs

Joe Sandbox

Engine	Download Report	Detection	Info
		malicious
	Full Report Management Report IOC Report	malicious Score: 100	System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

malicious

IPs

IP	Country	Detection
176.10.119.68	Switzerland

Domains

Name	IP	Detection
l-0007.l-dc-msedge.net	13.107.43.16

URLs

Name	Detection
http://176.10.119.68/drew/9bo_2FGMDS/YX0iJpZn_2FnwDqZp/_2FkwYeVsi9m/tZW52eiU7bn/plbRkJU1Vd8To_/2Fp4V
http://176.10.119.68/drew/mx2k_2BWD8_2Bui8f24/_2FdLStLGJu_2FNVLvlRqm/y6X2_2B4jlk2h/VQfu7A_2/B4a_2FxyofSjr6xGLTFfL2L/LNdngFf7rn/OvqAM3OC3xoRemh_2/FyMZKFMI26Y0/0mKxky2p8Sr/xj69YBE0ZOhFjW/zbyinwlKMAyzoBoDXw0WW/UcxtZ3YMxhs_2F9U/e4Hd9_2BGaNBJ3P/kN1X2IxLZzGc_2FIhp/HoxIXKFKE/9P_2FQckxF3sFvknjRk2/jU7nTpV83y_2Bc9IDLG/XJnktZ5U4942/cCc.jlk
http://176.10.119.68/drew/9bo_2FGMDS/YX0iJpZn_2FnwDqZp/_2FkwYeVsi9m/tZW52eiU7bn/plbRkJU1Vd8To_/2Fp4VORrrB3C9OpiAUTKW/_2BEa68ZWZM_2F_2/FqQsrqaBoVKq7cT/nta4A0Rkv0C0nGFGba/jEcMhAfEj/i4t0z7q_2FtZbIXHHqGR/Q5KFjk2yTnVCetqf4Mv/o6_2BrnNfrIeaxRno6ljgz/e3ndGuwsYbRUB/3DL_2FNd/OjZb2_2BjErlndqGe5NpZyj/jIT9OJzbG0/KOr4XWJQo/_2FUsze0HrV/HT.jlk
Click to see the 17 hidden entries
http://176.10.119.68/drew/9wrEMOTFT/S91lCHc0I9lpMiqK6tED/3HmXCi0GHvk2bfJZ_2B/IWJ0PIriQTQ6c2m4hiKbFG/j7Ui6TupUgqv9/iXqd_2B6/HweqhRNKjLTfXm8aJ5EbULO/aj_2BCnAUF/p4g6MIba6j8L3cgyw/IecwOJcZqkV3/20iagORn0JW/8cL4QeYiL7dSmN/XiKK0HtesQsvb3dvhwxKN/_2FxNHFHozoDft4H/q_2F2UJyAbE0bmM/3E7KjzSrWV7DjWoo4u/DAXZOu_2FTcV_2B8l/611kp.jlk
http://176.10.119.68/=i_
http://176.10.119.68/drew/9wrEMOTFT/S91lCHc0I9lpMiqK6tED/3HmXCi0GHvk2bfJZ_2B/IWJ0PIriQTQ6c2m4hiKbFG/
http://176.10.119.68/drew/mx2k_2BWD8_2Bui8f24/_2FdLStLGJu_2FNVLvlRqm/y6X2_2B4jlk2h/VQfu7A_2/B4a_2Fxy
http://176.10.119.68/
https://contoso.com/License
https://github.com/Pester/Pester
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://https://file://USER.ID%lu.exe/upd
https://contoso.com/Icon
http://constitution.org/usdeclar.txtC:
https://nuget.org/nuget.exe
https://contoso.com/
http://www.apache.org/licenses/LICENSE-2.0.html
http://pesterbdd.com/images/Pester.png
http://constitution.org/usdeclar.txt
http://nuget.org/NuGet.exe

Dropped files

Name	File Type	Hashes
C:\Users\user\AppData\Local\Temp\RES20CD.tmp	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols	#
C:\Users\user\WhiteBook.lnk	MS Windows shortcut, Item id list present, Has Relative path, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hidenormalshowminimized	#
C:\Users\user\TestLocal.ps1	ASCII text, with no line terminators	#
Click to see the 28 hidden entries
C:\Users\user\Documents\20220525\PowerShell_transcript.414408.cCtJuFkM.20220525111811.txt	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\vebwfha3\vebwfha3.out	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators	#
C:\Users\user\AppData\Local\Temp\vebwfha3\vebwfha3.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Temp\vebwfha3\vebwfha3.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Temp\vebwfha3\vebwfha3.0.cs	UTF-8 Unicode (with BOM) text	#
C:\Users\user\AppData\Local\Temp\vebwfha3\CSC57533E6B898B4B7BB8DAE45DDD64B0AA.TMP	MSVC .res	#
C:\Users\user\AppData\Local\Temp\hpvnexdj\hpvnexdj.out	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators	#
C:\Users\user\AppData\Local\Temp\hpvnexdj\hpvnexdj.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Temp\hpvnexdj\hpvnexdj.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Temp\hpvnexdj\hpvnexdj.0.cs	UTF-8 Unicode (with BOM) text	#
C:\Users\user\AppData\Local\Temp\hpvnexdj\CSC5D09D8212D1C47D8BF5AC4D6502884C9.TMP	MSVC .res	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mv15gf43.tzv.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3ltvm2t1.11d.psm1	very short file (no magic)	#
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_2f670449314c9cbe26f2787fed1eece2045eb75_7cac0383_1a8a9c09\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\RES10A0.tmp	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	#
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFDF4.tmp.dmp	Mini DuMP crash report, 15 streams, Wed May 25 09:17:29 2022, 0x1205a4 type	#
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF461.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	#
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF337.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	#
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF019.tmp.dmp	Mini DuMP crash report, 15 streams, Wed May 25 09:17:26 2022, 0x1205a4 type	#
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB4.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	#
C:\ProgramData\Microsoft\Windows\WER\Temp\WER92B4.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	#
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9081.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	#
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8C69.tmp.dmp	Mini DuMP crash report, 15 streams, Wed May 25 09:18:06 2022, 0x1205a4 type	#
C:\ProgramData\Microsoft\Windows\WER\Temp\WER27A.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	#
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_8f579be425d8a5cc6392bac965f2eeac594eed7_7cac0383_14da83fd\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	#
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_895e5a36908a521ee0a162e13575c3f3aee3817c_7cac0383_00b9f588\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	#

628df1368bdb5.dll

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

628df1368bdb5.dll Options

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

Search started

Yara Super Rule creation started

628df1368bdb5.dll