Windows Analysis Report
RasTls.dll

Overview

General Information

Sample name: RasTls.dll
Analysis ID: 1561846
MD5: f1c9f093d5479560e83a0759201210b7
SHA1: 9553567e231a172c69f0ef8800a927193b9cbd49
SHA256: 1906e7d5a745a364c91f5e230e16e1566721ace1183a57e8d25ff437664c7d02

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
AI detected suspicious sample
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
PE file contains section with special chars
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Creates a process in suspended mode (likely to inject code)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files

Classification

  • System is w10x64
  • loaddll32.exe (PID: 6616 cmdline: loaddll32.exe "C:\Users\user\Desktop\RasTls.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 5948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1252 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\RasTls.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 6548 cmdline: rundll32.exe "C:\Users\user\Desktop\RasTls.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6348 cmdline: rundll32.exe C:\Users\user\Desktop\RasTls.dll,GetOfficeDatatal MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5284 cmdline: rundll32.exe "C:\Users\user\Desktop\RasTls.dll",GetOfficeDatatal MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: RasTls.dll | Avira: detected
Source: RasTls.dll | ReversingLabs: Detection: 68%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: RasTls.dll | Joe Sandbox ML: detected
Source: RasTls.dll | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: RasTls.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT

Networking

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 65.20.90.139 443
Source: Joe Sandbox View | ASN Name: CP-ASDE CP-ASDE
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: swiftandfast.net

System Summary

Source: RasTls.dll | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: classification engine | Classification label: mal88.evad.winDLL@10/0@1/1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5948:120:WilError_03
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RasTls.dll | ReversingLabs: Detection: 68%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\RasTls.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\RasTls.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\RasTls.dll,GetOfficeDatatal
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\RasTls.dll",GetOfficeDatatal
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\RasTls.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: RasTls.dll | Static file information: File size 6302208 > 1048576
Source: RasTls.dll | Static PE information: Raw size of .WFm is bigger than: 0x100000 < 0x601800
Source: RasTls.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: initial sample | Static PE information: section where entry point is pointing to: .WFm
Source: RasTls.dll | Static PE information: section name: .X:T
Source: RasTls.dll | Static PE information: section name: .BXf
Source: RasTls.dll | Static PE information: section name: .WFm

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\loaddll32.exe | Memory written: PID: 6616 base: 1240005 value: E9 8B 2F CB 75
Source: C:\Windows\System32\loaddll32.exe | Memory written: PID: 6616 base: 76EF2F90 value: E9 7A D0 34 8A
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6348 base: 2B80005 value: E9 8B 2F 37 74
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6348 base: 76EF2F90 value: E9 7A D0 C8 8B
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6548 base: 3220005 value: E9 8B 2F CD 73
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6548 base: 76EF2F90 value: E9 7A D0 32 8C
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5284 base: 29F0005 value: E9 8B 2F 50 74
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5284 base: 76EF2F90 value: E9 7A D0 AF 8B
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\loaddll32.exe | API/Special instruction interceptor: Address: 6C86454B
Source: C:\Windows\System32\loaddll32.exe | API/Special instruction interceptor: Address: 6C865B49
Source: C:\Windows\System32\loaddll32.exe | API/Special instruction interceptor: Address: 6C72132F
Source: C:\Windows\System32\loaddll32.exe | API/Special instruction interceptor: Address: 6C6B3714
Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 6C58745C second address: 6C587467 instructions: 0x00000000 rdtsc 0x00000002 pop esi 0x00000003 movsx dx, bh 0x00000007 mov bp, 091Bh 0x0000000b rdtsc
Source: C:\Windows\System32\loaddll32.exe | RDTSC instruction interceptor: First address: 6C58745C second address: 6C587467 instructions: 0x00000000 rdtsc 0x00000002 pop esi 0x00000003 movsx dx, bh 0x00000007 mov bp, 091Bh 0x0000000b rdtsc
Source: C:\Windows\System32\loaddll32.exe | RDTSC instruction interceptor: First address: 6C5C5B71 second address: 6C5C5B75 instructions: 0x00000000 rdtsc 0x00000002 pop ebx 0x00000003 cdq 0x00000004 rdtsc
Source: C:\Windows\System32\loaddll32.exe | RDTSC instruction interceptor: First address: 6C659216 second address: 6C65921A instructions: 0x00000000 rdtsc 0x00000002 pop ebx 0x00000003 cdq 0x00000004 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 5454
Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 4535
Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 5470
Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 4519
Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 9989
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6156 | Thread sleep count: 5454 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6156 | Thread sleep time: -5454000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6156 | Thread sleep count: 4535 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6156 | Thread sleep time: -4535000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6480 | Thread sleep count: 5470 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6480 | Thread sleep time: -5470000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6480 | Thread sleep count: 4519 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6480 | Thread sleep time: -4519000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5672 | Thread sleep count: 9989 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5672 | Thread sleep time: -9989000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000
Source: rundll32.exe, 00000003.00000002.4512491078.0000000002A8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4512315310.000000000306A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4512544852.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\loaddll32.exe | Process information queried: ProcessInformation

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 65.20.90.139 443
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\RasTls.dll",#1
MITRE ATT&CK matrix (techniques listed per tactic; the number in parentheses is the count of matched signatures, techniques without a number were not matched):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: Process Injection (111); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: Rundll32 (1); Virtualization/Sandbox Evasion (11); Process Injection (111); DLL Side-Loading (1); Software Packing
Credential Access: Credential API Hooking (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery (21); Process Discovery (1); Virtualization/Sandbox Evasion (11); Application Window Discovery (1); System Information Discovery (21)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Credential API Hooking (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: Encrypted Channel (2); Non-Application Layer Protocol (1); Application Layer Protocol (2); Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact