Analysis Report
N00LMS9L.dll
Overview
General Information
Sample name: | N00LMS9L.dll (renamed because the original name is a hash value) |
Original sample name: | cABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZVEQHR_8fXkKXWPAGKGxDIDS4ecHu7OEOFapBAVfIASDJfWjN00LMS9L.dll |
Analysis ID: | 1417190 |
MD5: | 4befc07c9e0c2d120a2b82319aa4fa30 |
SHA1: | 9cee2c423f7a7981ace327ce8c42c19c8d814d7b |
SHA256: | 1c5cf7130d85a0350c1e152d64cda0d5e6cf8c7013810b8d0c9ef8da8d20ce6a |
Tags: | dll, Jupyter, Polazert, SolarMarker, YellowCockatoo |
Detection
Jupyter
Score: | 52 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Yara detected Jupyter
Sample uses string decryption to hide its real strings
Creates a process in suspended mode (likely to inject code)
PE file contains an invalid checksum
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses 32bit PE files
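Two of the signatures above ("Uses 32bit PE files" and "PE file contains an invalid checksum") are static properties a practitioner can re-verify without the sandbox, alongside the hashes from the General Information table. The script below is an added example and is not part of the report or of Joe Sandbox: it checks a file's MD5/SHA1/SHA256 against the report, reads the COFF and optional headers to decide whether the image is an i386 PE32 DLL, and recomputes `IMAGE_OPTIONAL_HEADER.CheckSum` with the loader's algorithm. The PE it builds for demonstration is a constructed, section-less test image, not the real sample, and the function names are the example's own.

```python
"""Static triage of a PE file against the sandbox report above.

Added example (not part of the report or of Joe Sandbox): verifies the
report's MD5/SHA1/SHA256, decides whether the image is a 32-bit PE32 DLL
("Uses 32bit PE files") and recomputes IMAGE_OPTIONAL_HEADER.CheckSum
("PE file contains an invalid checksum"). build_minimal_pe32() produces a
constructed test image, not the real sample.
"""
import hashlib
import struct

# Hash values copied from the report's General Information table.
REPORT_HASHES = {
    "md5": "4befc07c9e0c2d120a2b82319aa4fa30",
    "sha1": "9cee2c423f7a7981ace327ce8c42c19c8d814d7b",
    "sha256": "1c5cf7130d85a0350c1e152d64cda0d5e6cf8c7013810b8d0c9ef8da8d20ce6a",
}

IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_DLL = 0x2000
PE32_MAGIC = 0x10B
CHECKSUM_OFFSET_IN_OPTIONAL_HEADER = 64  # same offset in PE32 and PE32+


def file_hashes(data: bytes) -> dict:
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Recompute the loader's CheckSum: sum the file as little-endian 32-bit
    words (skipping the CheckSum field itself), fold carries down to 16 bits,
    then add the unpadded file length. checksum_offset must be 4-byte aligned."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def parse_pe(data: bytes) -> dict:
    """Read just enough of the headers to answer the two signatures."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, _nsec, _ts, _symtab, _nsym, _optsize, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 4 + 20  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    checksum_off = opt + CHECKSUM_OFFSET_IN_OPTIONAL_HEADER
    return {
        "is_32bit": machine == IMAGE_FILE_MACHINE_I386 and magic == PE32_MAGIC,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "stored_checksum": struct.unpack_from("<I", data, checksum_off)[0],
        "computed_checksum": pe_checksum(data, checksum_off),
    }


def triage(data: bytes, report_hashes: dict = REPORT_HASHES) -> dict:
    info = parse_pe(data)
    stored, computed = info["stored_checksum"], info["computed_checksum"]
    return {
        "hash_match": file_hashes(data) == report_hashes,
        "is_32bit_dll": info["is_32bit"] and info["is_dll"],
        # A zero CheckSum usually means the linker never set it (common for
        # unsigned builds); keep that apart from a non-zero mismatch.
        "checksum_state": "unset" if stored == 0 else ("valid" if stored == computed else "invalid"),
    }


def build_minimal_pe32(checksum=None) -> bytes:
    """Constructed i386 PE32 DLL with zero sections (test data, not the sample).
    checksum=None writes the correct value; any other value forges it."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header right after the DOS header
    file_hdr = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 0, 0, 0, 0, 224,
                           0x0002 | 0x0100 | IMAGE_FILE_DLL)  # EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    image = bytearray(dos + b"PE\0\0" + file_hdr + opt)
    checksum_off = 64 + 4 + 20 + CHECKSUM_OFFSET_IN_OPTIONAL_HEADER
    if checksum is None:
        checksum = pe_checksum(bytes(image), checksum_off)
    struct.pack_into("<I", image, checksum_off, checksum)
    return bytes(image)


if __name__ == "__main__":
    for label, blob in (("correct", build_minimal_pe32()), ("forged", build_minimal_pe32(0xDEADBEEF))):
        print(label, triage(blob))
```

Run `triage(open(path, "rb").read())` on the real file: `hash_match` confirms you are looking at the artifact the report describes, and `checksum_state` distinguishes an unset field from a forged one, which matters because packers and post-build patching leave a stale value while many unsigned builds simply ship zero.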
Classification
- System is w10x64
- loaddll32.exe (PID: 5976, cmdline: loaddll32.exe "C:\Users\user\Desktop\N00LMS9L.dll", MD5: 51E6071F9CBA48E79F10C84515AAE618)
  - conhost.exe (PID: 6084, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - cmd.exe (PID: 5128, cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\N00LMS9L.dll",#1, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - rundll32.exe (PID: 6492, cmdline: rundll32.exe "C:\Users\user\Desktop\N00LMS9L.dll",#1, MD5: 889B99C52A60DD49227C5E485A016679)
- cleanup
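The process tree shows the pattern that is worth a hunting rule outside the sandbox: `rundll32.exe` loading a DLL from a user profile directory and calling its export by ordinal (`,#1`), launched through `cmd.exe /C`. The rule below is an added example, not part of the report; the event list is constructed from the command lines above, and the `(pid, ppid, image, cmdline)` layout and the image paths are assumptions for the example rather than the sandbox's export format. A benign `rundll32.exe shell32.dll,Control_RunDLL` event is included as a control.

```python
"""Hunting rule over process-creation events modelled on the process tree above.

Added example, not part of the report: flags rundll32.exe invocations that
load a DLL from a user-writable directory, call an export by ordinal ("#1"),
or are launched through cmd.exe /C. EVENTS is constructed from the report's
command lines; the tuple layout (pid, ppid, image, cmdline) and the image
paths are assumptions, not the sandbox's export format.
"""
import re

EVENTS = [
    (5976, 1, r"C:\Windows\SysWOW64\loaddll32.exe",
     r'loaddll32.exe "C:\Users\user\Desktop\N00LMS9L.dll"'),
    (6084, 5976, r"C:\Windows\System32\conhost.exe",
     r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (5128, 5976, r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\N00LMS9L.dll",#1'),
    (6492, 5128, r"C:\Windows\SysWOW64\rundll32.exe",
     r'rundll32.exe "C:\Users\user\Desktop\N00LMS9L.dll",#1'),
    # Benign control (constructed): a system DLL called by export name.
    (7000, 1, r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

USER_WRITABLE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\(Desktop|Downloads|Documents|AppData)\\", re.I)
# "<rundll32 image> <dll>,<export>" with optional quotes around either token.
RUNDLL32_ARGS = re.compile(
    r'^\s*"?[^"\s]*rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>#?[\w@]+)', re.I)


def parse_rundll32_cmdline(cmdline):
    """Return (dll_path, export) for a rundll32 command line, else None."""
    m = RUNDLL32_ARGS.match(cmdline)
    return (m.group("dll"), m.group("export")) if m else None


def suspicious_rundll32(events):
    """Evaluate every rundll32.exe event and return those with at least one reason."""
    by_pid = {e[0]: e for e in events}
    hits = []
    for pid, ppid, image, cmdline in events:
        if not image.lower().endswith("\\rundll32.exe"):
            continue
        parsed = parse_rundll32_cmdline(cmdline)
        if parsed is None:
            continue
        dll, export = parsed
        reasons = []
        if USER_WRITABLE.match(dll):
            reasons.append("dll in user-writable path")
        if export.startswith("#"):
            reasons.append("export called by ordinal")
        parent = by_pid.get(ppid)
        if parent and parent[2].lower().endswith("\\cmd.exe") and "/c" in parent[3].lower():
            reasons.append("launched via cmd.exe /C")
        if reasons:
            hits.append({"pid": pid, "dll": dll, "export": export, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in suspicious_rundll32(EVENTS):
        print(hit)
```

Each reason on its own is noisy (installers call ordinals, admins run `cmd /C`), so score on the combination; the sample's rundll32 event collects all three, the shell32 control collects none.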
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
solarmarker, Jupyter | Unit 42 notes that they identified a new version of SolarMarker, a malware family known for its infostealing and backdoor capabilities, mainly delivered through search engine optimization (SEO) manipulation to convince users to download malicious documents. Some of SolarMarker's capabilities include the exfiltration of auto-fill data, saved passwords and saved credit card information from victims' web browsers. Besides capabilities typical for infostealers, SolarMarker has additional capabilities such as file transfer and execution of commands received from a C2 server. The malware invests significant effort into defense evasion, which consists of techniques like signed files, huge files, impersonation of legitimate software installations and obfuscated PowerShell scripts. | No Attribution | | |
No configs have been found.
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_Jupyter_1 | Yara detected Jupyter | Joe Security | |
No Sigma rule has matched.
No Snort rule has matched.
AV Detection
Source: | String decryptor: |