
Analysis Report UW8crpbpg0

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 210245
Start date: 23.02.2020
Start time: 00:43:37
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 52s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: UW8crpbpg0 (renamed file extension from none to dll)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal72.winDLL@9/0@0/0
EGA Information:
  • Successful, ratio: 50%
HDC Information:
  • Successful, ratio: 100% (good quality ratio 92.9%)
  • Quality average: 79.1%
  • Quality standard deviation: 31.3%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): conhost.exe, CompatTelRunner.exe
Errors:
  • Sigma syntax error: One detector has no map or list, Rule: Discovery of a System Time
  • Sigma syntax error: One detector has no map or list, Rule: File or Folder Permissions Modifications

Detection

Strategy  | Score | Range   | Whitelisted | Detection
Threshold | 72    | 0 - 100 | false       | malicious

Confidence

Strategy  | Score | Range | Further Analysis Required?
Threshold | 5     | 0 - 5 | false


Analysis Advice

The sample tries to load a library that is not present on the analysis machine (sfc.dll, per the "Tries to load missing DLLs" signature below). Adding the library to the analysis system might reveal more behavior, since the code paths that depend on it were never reached.



Mitre Att&ck Matrix

Techniques matched by at least one signature (the number in brackets is the count of matching signatures; the remaining cells of the matrix were unmatched placeholders):
  • Execution: Rundll32 (1), Scripting (1), Execution through API (2)
  • Privilege Escalation: Process Injection (2)
  • Defense Evasion: Process Injection (2), Deobfuscate/Decode Files or Information (1), Rundll32 (1), Scripting (1), DLL Side-Loading (1), Obfuscated Files or Information (2)
  • Discovery: System Time Discovery (1), Process Discovery (1), Security Software Discovery (2), System Information Discovery (2)
  • Lateral Movement: Remote File Copy (1)
  • Command and Control: Remote File Copy (1)
No techniques were matched under Initial Access, Persistence, Credential Access, Collection, Exfiltration, Network Effects, Remote Service Effects or Impact.

Signature Overview



AV Detection:

Antivirus detection for sample
Source: UW8crpbpg0.dll; Avira: detection malicious, label HEUR/AGEN.1001761
Multi AV Scanner detection for domain / URL
Source: http://down.0814ok.info:8888/ok.txt; Virustotal: detection 6%
Source: http://wmi.0814ok.info:8888/kill.html; Virustotal: detection 8%
Source: http://js.0814ok.info:280/v.sct; Virustotal: detection 7%
Multi AV Scanner detection for submitted file
Source: UW8crpbpg0.dll; Virustotal: detection 81%
Source: UW8crpbpg0.dll; ReversingLabs TitaniumCloud: detection 79%
Machine Learning detection for sample
Source: UW8crpbpg0.dll; Joe Sandbox ML: detected

Networking:

Contains functionality to download additional files from the internet
Source: C:\Windows\SysWOW64\rundll32.exe; code function 1_2_73EC1FE0: InternetOpenA, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, _memset, InternetReadFile, with InternetCloseHandle on each handle. This is a plain WinINet HTTP fetch into a memory buffer; together with the embedded URLs below and the down10.pdb project name it is the downloader core of the sample. No DNS query was observed during the run, consistent with this request path not executing (see the evasion section).
Urls found in memory or binary data
Sources: UW8crpbpg0.dll and the rundll32.exe memory dumps 00000001.00000002.2219785861.0000000073ECE000.00000002.00020000.sdmp, 00000002.00000002.2221636089.0000000073ECE000.00000002.00020000.sdmp, 00000003.00000002.2223441643.0000000073ECE000.00000002.00020000.sdmp and 00000004.00000002.2225299754.0000000073ECE000.00000002.00020000.sdmp (region 0x73ECE000 of the module mapped at 0x73EC0000 in each rundll32.exe process). Strings found:
  • http://down.0814ok.info:8888/ok.txt
  • http://down.0814ok.info:8888/ok.txtvector (most likely the same URL run together with the adjacent string "vector"; treat it as the same indicator rather than a separate URL)
  • http://js.0814ok.info:280/v.sct (.sct is the Windows Script Component file extension)
  • http://wmi.0814ok.info:8888/kill.html
  • http://wmi.0814ok.info:8888/test.html
Indicators for blocking: the domain 0814ok.info and its subdomains down, js and wmi, reached over plain HTTP on the non-standard ports 8888 and 280.

System Summary:

Dynamically executes javascript script code
Source: C:\Windows\SysWOW64\rundll32.exe; code function 1_2_73EC1080 (the exported function inWMI): CoInitialize, CLSIDFromProgID, CoCreateInstance, _wprintf, then a long alternating run of SysAllocString/SysFreeString calls (BSTR arguments being built and released around Automation calls), CoUninitialize. The call pattern itself is generic COM Automation; the class being instantiated is identified by the CLSID lookup under "Uses an in-process (OLE) Automation server" below.
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe; string function 73EC5650 appears 34 times
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\rundll32.exe; section loaded: sfc.dll (reported once per rundll32.exe process, four times in total)
Classification label
Source: classification engine; classification label: mal72.winDLL@9/0@0/0
Contains functionality to instantiate COM classes
Source: C:\Windows\SysWOW64\rundll32.exe; code function 1_2_73EC1080 (the same inWMI function as above: CoInitialize, CLSIDFromProgID, CoCreateInstance, SysAllocString/SysFreeString, CoUninitialize)
PE file has an executable .text section and no other executable section
Source: UW8crpbpg0.dll; static PE information: section .text has IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Windows\System32\loaddll32.exe; key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers. This is the Software Restriction Policies key; the read is attributed to the sandbox's loader process, which also maps the DLL, so it cannot be tied to the sample's own code on this evidence alone.
Runs a DLL by calling functions
Source: unknown; process created: C:\Windows\SysWOW64\rundll32.exe with command line C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\UW8crpbpg0.dll',DllRegisterServer
Sample is known by Antivirus
Source: UW8crpbpg0.dll; Virustotal: detection 81%
Source: UW8crpbpg0.dll; ReversingLabs TitaniumCloud: detection 79%
Spawns processes
Process tree (parent → child, with the command line as recorded):
  C:\Windows\System32\loaddll32.exe: loaddll32.exe 'C:\Users\user\Desktop\UW8crpbpg0.dll' (parent unknown)
    → C:\Windows\SysWOW64\rundll32.exe: C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\UW8crpbpg0.dll',DllRegisterServer
    → C:\Windows\SysWOW64\rundll32.exe: rundll32.exe C:\Users\user\Desktop\UW8crpbpg0.dll,DllMain
    → C:\Windows\SysWOW64\rundll32.exe: rundll32.exe C:\Users\user\Desktop\UW8crpbpg0.dll,inWMI
    → C:\Windows\SysWOW64\rundll32.exe: rundll32.exe C:\Users\user\Desktop\UW8crpbpg0.dll,test
loaddll32.exe is the sandbox's DLL harness: it maps the DLL and then runs each exported entry point (DllRegisterServer, DllMain, inWMI, test) in its own rundll32.exe. The tree therefore documents the DLL's export surface rather than process spawning by the sample; the sample's own code is what runs inside the four rundll32.exe processes (analysis process ids 1 to 4 in the memory dump names).
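The process tree above is what an endpoint sensor would record for this sample: rundll32.exe invoked on a DLL in the user's Desktop folder with four different export names. The following triage script is an added example written for this page, not code from the report or from Joe Sandbox. It parses rundll32 command lines of that shape and flags the two properties a detection engineer would key on here: a DLL under a user-writable path, and an export (DllRegisterServer, DllMain) that is normally reached through regsvr32 or the loader rather than rundll32. The SAMPLE_PROCESS_LOG lines are constructed from this report's process tree plus one benign control-panel invocation; the path markers and the export list are assumptions for the example, not rules taken from the report.

```python
import re
from typing import Dict, List, NamedTuple, Optional


class RundllCall(NamedTuple):
    """A rundll32 invocation split into the DLL path and the export it names."""
    dll: str
    export: str


# rundll32 syntax: [dir\]rundll32[.exe] <dll>,<export|#ordinal> [args]
# The DLL path may be bare, "double-quoted" or 'single-quoted' (as in this report).
_RUNDLL_RE = re.compile(
    r"""^\s*"?(?:[^\s"']*\\)?rundll32(?:\.exe)?"?\s+          # rundll32 with optional directory
        (?:"(?P<dq>[^"]+)"|'(?P<sq>[^']+)'|(?P<bare>[^\s,]+))  # DLL path
        \s*,\s*(?P<export>[^\s,]+)                             # export name or #ordinal
    """,
    re.IGNORECASE | re.VERBOSE,
)

# Assumed markers for user-writable locations (not taken from the report).
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")

# Assumed list of exports that regsvr32 or the Windows loader normally call;
# passing them to rundll32 is unusual for legitimate software.
LOADER_ONLY_EXPORTS = {"dllmain", "dllregisterserver", "dllunregisterserver"}

# Constructed from the process tree in this report, plus one benign line.
SAMPLE_PROCESS_LOG = [
    "loaddll32.exe 'C:\\Users\\user\\Desktop\\UW8crpbpg0.dll'",
    "C:\\Windows\\System32\\rundll32.exe 'C:\\Users\\user\\Desktop\\UW8crpbpg0.dll',DllRegisterServer",
    "rundll32.exe C:\\Users\\user\\Desktop\\UW8crpbpg0.dll,DllMain",
    "rundll32.exe C:\\Users\\user\\Desktop\\UW8crpbpg0.dll,inWMI",
    "rundll32.exe C:\\Users\\user\\Desktop\\UW8crpbpg0.dll,test",
    "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL",
]


def parse_rundll32(cmdline: str) -> Optional[RundllCall]:
    """Return the DLL path and export from a rundll32 command line, or None if it is not one."""
    m = _RUNDLL_RE.match(cmdline)
    if not m:
        return None
    dll = m.group("dq") or m.group("sq") or m.group("bare")
    return RundllCall(dll=dll, export=m.group("export"))


def assess(call: RundllCall) -> List[str]:
    """List the reasons a rundll32 invocation deserves a look (empty list means nothing odd)."""
    reasons = []
    dll = call.dll.lower()
    if any(marker in dll for marker in USER_WRITABLE_MARKERS):
        reasons.append("DLL loaded from a user-writable path: " + call.dll)
    if call.export.lower() in LOADER_ONLY_EXPORTS:
        reasons.append(
            "export %s is normally invoked by regsvr32 or the loader, not rundll32" % call.export
        )
    return reasons


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Map every rundll32 command line in the log to its list of reasons; other lines are skipped."""
    findings = {}
    for line in lines:
        call = parse_rundll32(line)
        if call is not None:
            findings[line] = assess(call)
    return findings


if __name__ == "__main__":
    for cmdline, reasons in triage(SAMPLE_PROCESS_LOG).items():
        print(cmdline)
        for reason in reasons or ["no finding"]:
            print("   -", reason)
```

On the report's own lines the four rundll32.exe entries all trigger the path rule and the first two also trigger the export rule, while the shell32.dll control-panel line produces no finding. The loaddll32.exe line is skipped because it is not a rundll32 invocation; in production the same parser would run over process-creation events rather than a static list.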
Uses an in-process (OLE) Automation server
Source: C:\Windows\SysWOW64\rundll32.exe; key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32. This CLSID is WbemScripting.SWbemLocator, the entry point of the WMI scripting API, which matches the exported function name inWMI and the wmi.0814ok.info host name among the embedded URLs.
PE file contains a mix of data directories often seen in goodware
Source: UW8crpbpg0.dll; static PE information: data directory types IMAGE_DIRECTORY_ENTRY_IMPORT, IMAGE_DIRECTORY_ENTRY_RESOURCE, IMAGE_DIRECTORY_ENTRY_BASERELOC, IMAGE_DIRECTORY_ENTRY_DEBUG, IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, IMAGE_DIRECTORY_ENTRY_IAT
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: UW8crpbpg0.dll; static PE information: DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directory
Source: UW8crpbpg0.dll; static PE information: data directory type IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: binary string D:\down10\Release\down10.pdb (one occurrence is followed by a stray '?' character); found in UW8crpbpg0.dll and in the rundll32.exe memory dumps 00000001.00000002.2219785861.0000000073ECE000.00000002.00020000.sdmp, 00000002.00000002.2221636089.0000000073ECE000.00000002.00020000.sdmp, 00000003.00000002.2223441643.0000000073ECE000.00000002.00020000.sdmp and 00000004.00000002.2225299754.0000000073ECE000.00000002.00020000.sdmp. The project name down10 fits the downloader routine seen in the Networking section.
PE file contains a valid data directory to section mapping
Source: UW8crpbpg0.dll; static PE information: IMAGE_DIRECTORY_ENTRY_IMPORT, IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG and IMAGE_DIRECTORY_ENTRY_IAT are in .rdata; IMAGE_DIRECTORY_ENTRY_RESOURCE is in .rsrc; IMAGE_DIRECTORY_ENTRY_BASERELOC is in .reloc

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe; code function 1_2_73ECB731: LoadLibraryW, GetProcAddress, GetProcAddress, EncodePointer, EncodePointer, GetProcAddress, EncodePointer, GetProcAddress, EncodePointer, GetProcAddress, EncodePointer, GetProcAddress, EncodePointer, DecodePointer, DecodePointer, DecodePointer, DecodePointer, DecodePointer, DecodePointer. This pattern, one LoadLibraryW plus a handful of GetProcAddress results stored through EncodePointer, is the Visual C++ runtime's startup code resolving optional kernel32 entry points, not a hand-written import-hiding routine; the sample's real imports sit in a normal import directory (see the PE data directory entries above).
PE file contains an invalid checksum
Source: UW8crpbpg0.dll; static PE information: stored checksum 0x1caf3, computed value 0x1caf6. A non-zero but wrong checksum usually means the file was altered after the linker wrote it (an untouched image carries either the correct value or 0). The Windows loader only enforces the checksum for drivers and some system images, so this does not stop the DLL from loading; it is an integrity hint for the analyst.
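The invalid-checksum signature compares the CheckSum field in the optional header with the value the imagehlp algorithm produces for the file's bytes. The script below is an added example for this page (not code from the report or from Joe Sandbox): it implements that algorithm, which sums the file as 32-bit little-endian words with end-around carry, skips the CheckSum field itself, folds the sum to 16 bits and adds the file length. It checks the result against a minimal PE32 DLL image constructed inline (only the fields the algorithm reads are filled in; the image is not loadable and exists solely for the test), then shows that writing the computed value back makes the image verify and that a later one-byte change breaks it again, which is the reasoning behind reading a stored-but-wrong checksum as a post-link modification hint.

```python
import struct


def _checksum_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum (0x40 into the optional header for PE32 and PE32+)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    if e_lfanew % 4:
        raise ValueError("unaligned e_lfanew is not handled here")
    return e_lfanew + 4 + 20 + 0x40            # signature + COFF header + offset within optional header


def pe_checksum(data: bytes) -> int:
    """Compute the image checksum the way imagehlp's CheckSumMappedFile does."""
    skip = _checksum_offset(data)
    padded = data + b"\0" * (-len(data) % 4)   # a trailing partial word is zero-extended
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:                        # the CheckSum field itself is not summed
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)   # end-around carry at 32 bits
    total = (total & 0xFFFF) + (total >> 16)   # fold to 16 bits, again with carry
    total += total >> 16
    return (total & 0xFFFF) + len(data)        # the original length, not the padded one


def stored_checksum(data: bytes) -> int:
    """The CheckSum value currently written in the optional header."""
    return struct.unpack_from("<I", data, _checksum_offset(data))[0]


def verify_checksum(data: bytes):
    """Return (stored, computed, ok). An untouched linker output has ok=True or stored=0."""
    stored, computed = stored_checksum(data), pe_checksum(data)
    return stored, computed, stored == computed


def set_checksum(data: bytes, value: int) -> bytes:
    """Return a copy of the image with the CheckSum field overwritten."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, _checksum_offset(data), value)
    return bytes(buf)


def build_minimal_pe() -> bytes:
    """Constructed PE32 DLL skeleton: MZ stub, PE header, one section header, 16 code bytes."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    # Machine i386, 1 section, SizeOfOptionalHeader 0xE0, Characteristics EXECUTABLE|32BIT|DLL
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 0x1C, 0x10000000)                  # ImageBase; CheckSum at opt+0x40 stays 0
    section = struct.pack("<8sIIIIIIHHI", b".text\0\0\0",
                          0x10, 0x1000, 0x10, 0x160, 0, 0, 0, 0, 0x60000020)
    code = b"\x31\xC0\xC3" + b"\xCC" * 13                          # xor eax,eax ; ret ; int3 padding
    return bytes(dos) + coff + bytes(opt) + section + code


if __name__ == "__main__":
    image = build_minimal_pe()
    print("fresh image:", verify_checksum(image))
    fixed = set_checksum(image, pe_checksum(image))
    print("after writing the checksum:", verify_checksum(fixed))
    tampered = fixed[:-1] + bytes([fixed[-1] ^ 0x01])
    print("after patching one byte:", verify_checksum(tampered))
```

Because the fold is arithmetic modulo 0xFFFF, changing any single byte shifts the result by that byte's delta times 1 or 256, so a one-byte patch is always visible; the stored value stays at whatever the linker wrote, which is exactly the mismatch the signature reports for this sample.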
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe; code function 1_2_73EC5695: push ecx; ret (1_2_73EC56A8)

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Windows\SysWOW64\rundll32.exe; process information set: NOOPENFILEERRORBOX (reported once per rundll32.exe process, four times in total). This suppresses the OS dialog for failed file opens so the process cannot stall on a message box; it is common in legitimate software as well.

Malware Analysis System Evasion:

Found decision node followed by non-executed suspicious APIs
Source: C:\Windows\SysWOW64\rundll32.exe; decision node followed by non-executed suspicious API: send, recv or WinExec (graph_1-7813). The branch guarding the network and execution code was not taken during the run.
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Windows\SysWOW64\rundll32.exe; evasive API call chain: GetModuleFileName, decision nodes, Sleep (graph_1-6653)
Source: C:\Windows\SysWOW64\rundll32.exe; evasive API call chain: GetModuleFileName, decision nodes, ExitProcess (graph_1-6837)
The DLL inspects the file name of its host module and then either sleeps or terminates the process depending on the result. rundll32.exe launched from the Desktop may not be the host it expects, which would explain why the downloader routine never ran and why no network activity was recorded.
Program does not show much activity (idle)
Source: all processes; thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Program exit points
Source: C:\Windows\SysWOW64\rundll32.exe; API call chain: ExitProcess graph end node (graph_1-6838)

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe; code function 1_2_73EC3106: IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe; code function 1_2_73ECB731: LoadLibraryW, GetProcAddress, GetProcAddress, EncodePointer, EncodePointer, GetProcAddress, EncodePointer, GetProcAddress, EncodePointer, GetProcAddress, EncodePointer, GetProcAddress, EncodePointer, DecodePointer, DecodePointer, DecodePointer, DecodePointer, DecodePointer, DecodePointer (the same function listed under Data Obfuscation)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\rundll32.exe; code function 1_2_73ECBA9C: __lseeki64_nolock, __lseeki64_nolock, GetProcessHeap, HeapAlloc, __setmode_nolock, __write_nolock, __setmode_nolock, GetProcessHeap, HeapFree, __lseeki64_nolock, SetEndOfFile, GetLastError, __lseeki64_nolock
Program does not show much activity (idle)
Source: all processes; thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality to register its own exception handler
Source: C:\Windows\SysWOW64\rundll32.exe; code function 1_2_73EC3106: IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Source: C:\Windows\SysWOW64\rundll32.exe; code function 1_2_73EC5432: _memset, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Caveat: every call chain in this section is stock Microsoft Visual C++ runtime code (the fatal-error report path that checks IsDebuggerPresent before terminating, the startup code that resolves kernel32 entry points through GetProcAddress and EncodePointer, and the low-level file I/O helpers that use the process heap). They appear in virtually every binary built with that compiler and are not evidence of deliberate anti-debugging by this sample.

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: rundll32.exe memory dumps 00000001.00000002.2218691686.0000000002CD0000.00000002.00000001.sdmp, 00000002.00000002.2220666256.0000000002CD0000.00000002.00000001.sdmp, 00000003.00000002.2222541357.00000000038E0000.00000002.00000001.sdmp and 00000004.00000002.2224361880.0000000002CD0000.00000002.00000001.sdmp; binary or memory strings: Program Manager, Shell_TrayWnd, Progman, Progmanlock
These are the window and class names of the desktop and taskbar. They were found in a non-image memory region of rundll32.exe at 0x02CD0000 (0x038E0000 in the third process), not in the DLL image mapped at 0x73EC0000, and the report records no injection or window enumeration by the sample, so on this evidence they are a weak indicator.

Language, Device and Operating System Detection:

Contains functionality to query local / system time
Source: C:\Windows\SysWOW64\rundll32.exe; code function 1_2_73EC83A4: GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter
Caveat: this exact sequence is the Visual C++ runtime's __security_init_cookie, which mixes these values to seed the /GS stack cookie. It is present in every binary built with /GS and is not sample-specific timing or system-information collection.

Malware Configuration

No configs have been found

Behavior Graph

Behavior Graph ID: 210245; Sample: UW8crpbpg0; Start date: 23/02/2020; Architecture: WINDOWS; Score: 72

Signatures attached to the sample node:
  • Multi AV Scanner detection for domain / URL
  • Antivirus detection for sample
  • Multi AV Scanner detection for submitted file
  • Machine Learning detection for sample

Process tree:
  loaddll32.exe (started)
    → rundll32.exe (started; signature: Dynamically executes javascript script code)
    → rundll32.exe (started)
    → rundll32.exe (started)
    → rundll32.exe (started)
No dropped files and no DNS/IP activity were recorded in the graph.

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source         | Detection | Scanner                                    | Label
UW8crpbpg0.dll | 81%       | Virustotal                                 |
UW8crpbpg0.dll | 79%       | ReversingLabs TitaniumCloud FileReputation | Win32.Trojan.Zusy
UW8crpbpg0.dll | 100%      | Avira                                      | HEUR/AGEN.1001761
UW8crpbpg0.dll | 100%      | Joe Sandbox ML                             |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source                             | Detection | Scanner | Label
1.2.rundll32.exe.73ec0000.2.unpack | 100%      | Avira   | HEUR/AGEN.1001761
2.2.rundll32.exe.73ec0000.2.unpack | 100%      | Avira   | HEUR/AGEN.1001761
3.2.rundll32.exe.73ec0000.2.unpack | 100%      | Avira   | HEUR/AGEN.1001761
4.2.rundll32.exe.73ec0000.2.unpack | 100%      | Avira   | HEUR/AGEN.1001761

Domains

No Antivirus matches

URLs

Source                                    | Detection | Scanner         | Label
http://down.0814ok.info:8888/ok.txt       | 7%        | Virustotal      |
http://down.0814ok.info:8888/ok.txt       | 0%        | Avira URL Cloud | safe
http://wmi.0814ok.info:8888/kill.html     | 8%        | Virustotal      |
http://wmi.0814ok.info:8888/kill.html     | 0%        | Avira URL Cloud | safe
http://wmi.0814ok.info:8888/test.html     | 6%        | Virustotal      |
http://wmi.0814ok.info:8888/test.html     | 0%        | Avira URL Cloud | safe
http://js.0814ok.info:280/v.sct           | 8%        | Virustotal      |
http://js.0814ok.info:280/v.sct           | 0%        | Avira URL Cloud | safe
http://down.0814ok.info:8888/ok.txtvector | 0%        | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context
