Analysis Report sample3.bin

Overview

General Information

Sample Name: sample3.bin (renamed file extension from bin to dll)
Analysis ID: 339445
MD5: b4164149ffc43c2bf55cb66922e738b0
SHA1: 78c01aa4f88d35acfbc3d7142232cd1aa7682a6e
SHA256: 800e1192e5ec3d2d9b17a3e2d8996cadbdd96ac6d8c59dfcf989264a956eb8d4

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Creates a DirectInput object (often for capturing keystrokes)
Internet Provider seen in connection with other malware
Program does not show much activity (idle)
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: sample3.dll Virustotal: Detection: 56%
Source: sample3.dll ReversingLabs: Detection: 68%

Compliance:

Uses 32bit PE files
Source: sample3.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: sample3.dll Static PE information: NO_SEH, DYNAMIC_BASE, NX_COMPAT

Networking:

Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
  GET /campo/z/z HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 207.154.235.218
  Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 207.154.235.218
Source: sample3.dll String found in binary or memory: http://207.154.235.218/campo/z/z
Source: sample3.dll String found in binary or memory: http://207.154.235.218/campo/z/zC:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000001.00000002.210657283.000000000105B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Uses 32bit PE files
Source: sample3.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine Classification label: mal56.evad.winDLL@4/0@0/1
Source: sample3.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\sample3.dll,D
Source: sample3.dll Virustotal: Detection: 56%
Source: sample3.dll ReversingLabs: Detection: 68%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\sample3.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\sample3.dll,D
Source: sample3.dll Static PE information: NO_SEH, DYNAMIC_BASE, NX_COMPAT
Source: sample3.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00F2EB77 push eax; iretd 2_2_00F2EBC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00F2EE61 push eax; iretd 2_2_00F2EEE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00F2EA91 push eax; iretd 2_2_00F2EBC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00F2CE94 pushad ; iretd 2_2_00F2CEB1
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 207.154.235.218 80

No Screenshots

Behavior Graph (ID: 339445, Sample: sample3.bin, Startdate: 14/01/2021, Architecture: WINDOWS, Score: 56)

  • sample3.bin: Multi AV Scanner detection for submitted file
  • loaddll32.exe started
    • rundll32.exe started by loaddll32.exe
      • Network: 207.154.235.218, source port 49715, destination port 80, DIGITALOCEAN-ASNUS, United States
      • Signature: System process connects to network (likely due to code injection or exploit)

Contacted Public IPs

IP               Domain   Country        ASN    ASN Name            Malicious
207.154.235.218  unknown  United States  14061  DIGITALOCEAN-ASNUS  true

Contacted URLs

Name                              Malicious  Antivirus Detection                            Reputation
http://207.154.235.218/campo/z/z  true       4% (Virustotal); Avira URL Cloud: safe          unknown