Source: qkT9fgtS2x.dll | Virustotal: Detection: 51% |
Source: qkT9fgtS2x.dll | Metadefender: Detection: 21% |
Source: qkT9fgtS2x.dll | ReversingLabs: Detection: 60% |
Source: qkT9fgtS2x.dll | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 |
Source: qkT9fgtS2x.dll | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0 |
Source: qkT9fgtS2x.dll | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P |
Source: qkT9fgtS2x.dll | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02 |
Source: qkT9fgtS2x.dll | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0: |
Source: qkT9fgtS2x.dll | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0 |
Source: qkT9fgtS2x.dll | String found in binary or memory: http://ocsp.digicert.com0C |
Source: qkT9fgtS2x.dll | String found in binary or memory: http://ocsp.digicert.com0O |
Source: qkT9fgtS2x.dll | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0 |
Source: qkT9fgtS2x.dll | String found in binary or memory: http://s2.symcb.com0 |
Source: qkT9fgtS2x.dll | String found in binary or memory: http://solarwinds.s3.amazonaws.com/solarwinds/Release/MIB-Database/MIBs.zip |
Source: qkT9fgtS2x.dll | String found in binary or memory: http://sv.symcb.com/sv.crl0a |
Source: qkT9fgtS2x.dll | String found in binary or memory: http://sv.symcb.com/sv.crt0 |
Source: qkT9fgtS2x.dll | String found in binary or memory: http://sv.symcd.com0& |
Source: qkT9fgtS2x.dll | String found in binary or memory: http://thwackfeeds.solarwinds.com/blogs/orion-product-team-blog/rss.aspxT |
Source: qkT9fgtS2x.dll | String found in binary or memory: http://www.solarwinds.com/contracts/IMaintUpdateNotifySvc/2009/09/IMaintUpdateNotifySvc/GetDataRespo |
Source: qkT9fgtS2x.dll | String found in binary or memory: http://www.solarwinds.com/contracts/IMaintUpdateNotifySvc/2009/09/IMaintUpdateNotifySvc/GetDataT |
Source: qkT9fgtS2x.dll | String found in binary or memory: http://www.solarwinds.com/contracts/IMaintUpdateNotifySvc/2009/09/IMaintUpdateNotifySvc/GetLocalized |
Source: qkT9fgtS2x.dll | String found in binary or memory: http://www.solarwinds.com/contracts/IMaintUpdateNotifySvc/2009/09L |
Source: qkT9fgtS2x.dll | String found in binary or memory: http://www.solarwinds.com/contracts/IMaintUpdateNotifySvc/2009/09T |
Source: qkT9fgtS2x.dll | String found in binary or memory: http://www.symauth.com/cps0( |
Source: qkT9fgtS2x.dll | String found in binary or memory: http://www.symauth.com/rpa00 |
Source: qkT9fgtS2x.dll | String found in binary or memory: https://d.symcb.com/cps0% |
Source: qkT9fgtS2x.dll | String found in binary or memory: https://d.symcb.com/rpa0 |
Source: qkT9fgtS2x.dll | String found in binary or memory: https://www.digicert.com/CPS0 |
Source: qkT9fgtS2x.dll | String found in binary or memory: https://www.solarwinds.com/documentation/kbloader.aspx?lang= |
Source: qkT9fgtS2x.dll | String found in binary or memory: https://www.solarwinds.com/embedded_in_products/productLink.aspx?id=online_quote |
Source: qkT9fgtS2x.dll | Binary or memory string: OriginalFilenameSolarWinds.Orion.Core.BusinessLayer.dllh$ vs qkT9fgtS2x.dll |
Source: qkT9fgtS2x.dll, type: SAMPLE | Matched rule: APT_Backdoor_SUNBURST_1 date = 2020-12-14, author = FireEye, description = This rule is looking for portions of the SUNBURST backdoor that are vital to how it functions. The first signature fnv_xor matches a magic byte xor that the sample performs on process, service, and driver names/paths. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services., reference = https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html, score = |
Source: qkT9fgtS2x.dll, type: SAMPLE | Matched rule: APT_Backdoor_SUNBURST_2 date = 2020-12-14, author = FireEye, description = The SUNBURST backdoor uses a domain generation algorithm (DGA) as part of C2 communications. This rule is looking for each branch of the code that checks for which HTTP method is being used. This is in one large conjunction, and all branches are then tied together via disjunction. The grouping is intentionally designed so that if any part of the DGA is re-used in another sample, this signature should match that re-used portion. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services., reference = https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html, score = |
Source: classification engine | Classification label: mal48.winDLL@1/0@0/0 |
Source: qkT9fgtS2x.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: qkT9fgtS2x.dll | Static PE information: certificate valid |
Source: qkT9fgtS2x.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: qkT9fgtS2x.dll | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA |
Source: qkT9fgtS2x.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: | Binary string: C:\buildAgent\temp\buildTmp\Obj\SolarWinds.Orion.Core.BusinessLayer\Release\SolarWinds.Orion.Core.BusinessLayer.pdb source: qkT9fgtS2x.dll |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: qkT9fgtS2x.dll | Binary or memory string: SNMPPort#VMwareProductName)VMwareProductVersion |
Source: qkT9fgtS2x.dll | Binary or memory string: GetAllVMwareServiceURIs |
Source: qkT9fgtS2x.dll | Binary or memory string: for VMWare ESX |
Source: qkT9fgtS2x.dll | Binary or memory string: vmwareCredentialsID |
Source: qkT9fgtS2x.dll | Binary or memory string: GetVMwareCredential |
Source: qkT9fgtS2x.dll | Binary or memory string: ActionTypeIDYSending request for BlogItemDAL.GetBlogById.QError obtaining blog notification item: SSending request for BlogItemDAL.GetItems.]Error when obtaining blog notification items: sSending request for CoreHelper.CheckOrionProductTeamBlog.]Error forcing blog notification items update: eSending request for BlogItemDAL.GetBlogItemForPos.cError obtaining blog notification item for post: /GetAllVMwareServiceURIs'GetVMwareCredential-InsertUpdateVMHostNode |
Source: qkT9fgtS2x.dll | Binary or memory string: get_VMwareESXJobTimeout |