Analysis Report JbVn44CzFw

Overview

General Information

Sample Name: JbVn44CzFw (renamed file extension from none to dll)
Analysis ID: 324360
MD5: ac716ad4ce2461246e783bda05ba40a4
SHA1: bf3a28737bb643e478021b279aec7213e5216666
SHA256: 1c2d38dda5eb14c8870b4ef6a95f054f30a88dda3474712b956094c65d063103

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Creates a DirectInput object (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: JbVn44CzFw.dll Avira: detected
Multi AV Scanner detection for submitted file
Source: JbVn44CzFw.dll Virustotal: Detection: 65%
Source: JbVn44CzFw.dll ReversingLabs: Detection: 66%

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000002.244753510.0000000000F3B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

PE file contains strange resources
Source: JbVn44CzFw.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: JbVn44CzFw.dll Binary or memory string: OriginalFilenameplay1.dllF vs JbVn44CzFw.dll
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: sfc.dll
Source: classification engine Classification label: mal56.winDLL@5/0@0/0
Source: JbVn44CzFw.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\JbVn44CzFw.dll,Continentmark
Source: JbVn44CzFw.dll Virustotal: Detection: 65%
Source: JbVn44CzFw.dll ReversingLabs: Detection: 66%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\JbVn44CzFw.dll'
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\JbVn44CzFw.dll,Continentmark
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\JbVn44CzFw.dll,Thankclaim
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\JbVn44CzFw.dll,Continentmark
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\JbVn44CzFw.dll,Thankclaim
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: JbVn44CzFw.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\Hunt\Dad\Stick\Hope\Gold\whichchart.pdb source: JbVn44CzFw.dll
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\loaddll32.exe TID: 992 Thread sleep time: -60000s >= -30000s
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Behavior Graph

Behavior Graph ID: 324360
Sample: JbVn44CzFw
Start date: 29/11/2020
Architecture: WINDOWS
Score: 56
Signatures on root node: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file
Process tree: loaddll32.exe started, which in turn started two rundll32.exe instances

No contacted IP infos