Analysis Report A8xYhQFvXo

Overview

General Information

Sample Name: A8xYhQFvXo (renamed file extension from none to dll)
Analysis ID: 346331
MD5: 83dd317c95f4acb8623d1f024945cfdb
SHA1: 04f9227cc3bfde5626be669be106a5d38f4416b1
SHA256: 5b2f060f1512100a0d500312fa579cdad9d3ea101778838173aa7215cd39700a
Tags: Mingloa

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
One or more processes crash
PE file contains executable resources (Code or Archives)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: A8xYhQFvXo.dll Virustotal: Detection: 17%
Source: A8xYhQFvXo.dll Metadefender: Detection: 18%
Source: A8xYhQFvXo.dll ReversingLabs: Detection: 44%
Machine Learning detection for sample
Source: A8xYhQFvXo.dll Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: A8xYhQFvXo.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Binary contains paths to debug symbols
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Source: Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_10147900 PathFileExistsA,_memset,_memset,_strcpy_s,_strcat_s,FindFirstFileA,_memset,_strcpy_s,_strcat_s,_strcat_s,_strcat_s,_strcat_s,PathFileExistsA,PathRemoveFileSpecA,_memset,_strlen,FindNextFileA,FindClose, 1_2_10147900
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_10145A40 FindFirstFileA,FindClose, 1_2_10145A40
Source: A8xYhQFvXo.dll String found in binary or memory: "name":"fb_dtsg","value":"name="fb_dtsg" value="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps://www.facebook.com/""2%d0https://graph.facebook.com/me/friends?access_token=%s&pretty=1&limit=1summarytotal_count{}summarytotal_count%dquery_friends.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: count = %d equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: -3https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1errorSummaryconfirmemail.phpcard_type_name-110query_payment2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: ret = %s equals www.facebook.com (Facebook)
Source: A8xYhQFvXo.dll String found in binary or memory: bad allocationSOFTWARE\Mozilla\Mozilla FirefoxCurrentVersion\\MainInstall Directory%s\firefox.exe{}[]"1""2""3"123bad allocationc_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adssettings/?act=&access_token:""access_token":""query_token_account_id.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: c_user=xs=https://www.facebook.com/ads/manager/account_settingsaccountID:"access_token:"Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: none""query_token_account_id_laomaozi.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: A8xYhQFvXo.dll String found in binary or memory: c_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adswindow.location.replace("")/act___accessToken="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps:act=/\/"%[0-9]query_token_account_id2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: A8xYhQFvXo.dll String found in binary or memory: https://www.facebook.com/"name="fb_dtsg" value=""logout_hash":"""logout_hash":"logoutToken:""logoutToken:"https://www.facebook.com/comet/try/source=SETTINGS_MENU&nctr[_mod]=pagelet_bluebar&__user=&__a=1&__csr=&__req=14&__beoa=0&__pc=PHASED%3ADEFAULT&dpr=1&__ccg=EXCELLENT&fb_dtsg=&jazoest=for (;;);{https://m.facebook.com/logout.php?h=%s&t=%sc_user=deleted"encrypted":"https://m.facebook.com/?_rdr""name="fb_dtsg" value="logout.phpm_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__a=&__user=https://m.facebook.com/bookmarks/flyout/body/?id=u_0_6\https://m.facebook.com/logout.php%sc_user=deletedhttps://m.facebook.com/?soft=bookmarks"logoutURL":"\"logout.phphttps://m.facebook.com&source=mtouch_logout_button&persist_locale=1&button_name=logout&button_location=settings%s equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: https://www.facebook.com/ads/manager/account_settings equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: https://www.facebook.com/adsmanager/manage/ads equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: https://www.facebook.com/bookmarks/pages?ref_type=logout_gear equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: https://www.facebook.com/comet/try/ equals www.facebook.com (Facebook)
Source: A8xYhQFvXo.dll String found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2 equals www.facebook.com (Facebook)
Source: A8xYhQFvXo.dll String found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2&access_token=&expires_in=Location: query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: token = %s equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopes equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesLocation: equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesocation: equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1 equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1x-auth-result: query_mess_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: x_auth_result = %s equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1 equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri= equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri=origin: https://www.instagram.comsec-fetch-mode: corsreferer: https://www.instagram.com/sec-fetch-site: cross-sitefb-ar: equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/ equals www.facebook.com (Facebook)
Source: A8xYhQFvXo.dll String found in binary or memory: https://www.messenger.com/login/nonce/ookie: c_user=ookie: xs=ookie: ;%[^;]; https://m.facebook.com/settings/email/<span class="_52ji _8uk3">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>@&#064;@&#064;https://m.facebook.com/settings/sms/<strong><span dir="ltr">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>+ https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_point"dtsg":{"token":"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_name/"draftID":Accept: */*Origin: https://m.facebook.comReferer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Requested-With: XMLHttpRequestX-Response-Format: JSONStreampage_name=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=3&__user=,"https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7D"dtsg":{"token":"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointsec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: same-originSec-Fetch-User: ?1upgrade-insecure-requests: 
1"https://m.facebook.com/pages/create/edit_category/"pageID":Referer: https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7DAccept: */*Origin: https://m.facebook.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Response-Format: JSONStreamX-Requested-With: XMLHttpRequestpage_category=1300&draft_id=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__user=}"+ .-_@@friends2page.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: pageid = %s equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20191224.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20200229.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceCodeSigningCA.crt0
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0O
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: http://crl3.digicert.com/sha2-ha-cs-g1.crl00
Source: A8xYhQFvXo.dll String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: http://crl4.digicert.com/sha2-ha-cs-g1.crl0L
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: http://ocsp.digicert.com0I
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: http://ocsp.digicert.com0P
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: http://ocsp.digicert.com0R
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: A8xYhQFvXo.dll String found in binary or memory: http://www.interestvideo.com/video1.php
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: https://01%s08%s15%s22%sWebGL%d%02d%s.club/http://01%s08%s15%s22%sFrankLin%d%02d%s.xyz/post_info.
Source: A8xYhQFvXo.dll String found in binary or memory: https://ads.google.com/nav/_/rpc/GaiaInfoService/Get?authuser=0&rpcTrackingId=GaiaInfoService.Get%3A
Source: A8xYhQFvXo.dll String found in binary or memory: https://ads.google.com/nav/_/rpc/UserByGaiaService/Get?authuser=0&rpcTrackingId=UserByGaiaService.Ge
Source: A8xYhQFvXo.dll String found in binary or memory: https://ads.google.com/nav/_/rpc/UserCustomerAccessService/List?authuser=0&rpcTrackingId=UserCustome
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: https://ads.google.com/nav/selectaccount
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: https://ads.google.com/nav/selectaccountocation:
Source: A8xYhQFvXo.dll String found in binary or memory: https://ads.google.comsec-fetch-dest:
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: https://api.twitter.com/1.1/statuses/update.json
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: https://api.twitter.com/1.1/statuses/update.jsoninclude_profile_interstitial_type=1&include_blocking
Source: rundll32.exe, 00000001.00000002.230642928.0000000010171000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235936438.0000000010171000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245392829.0000000010171000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: https://twitter.com/
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: https://twitter.com/compose/tweetsec-fetch-dest:
Source: A8xYhQFvXo.dll String found in binary or memory: https://twitter.com/compose/tweetsec-fetch-mode:
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: https://twitter.com/ookie:
Source: A8xYhQFvXo.dll String found in binary or memory: https://twitter.comReferer:
Source: A8xYhQFvXo.dll String found in binary or memory: https://twitter.comsec-fetch-dest:
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: https://upload.twitter.com/i/media/upload.json
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: https://upload.twitter.com/i/media/upload.json%dcommand=INIT&total_bytes=&media_type=image%2Fjpeg&me
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0accept:
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: https://upload.twitter.com/i/media/upload.jsoncommand=FINALIZE&media_id=
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: https://www.digicert.com/CPS0
Source: A8xYhQFvXo.dll String found in binary or memory: https://www.instagram.com/
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: https://www.instagram.com/accept:
Source: A8xYhQFvXo.dll String found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/
Source: A8xYhQFvXo.dll String found in binary or memory: https://www.instagram.com/graphql/query/?query_hash=149bef52a3b2af88c0fec37913fe1cbc&variables=%7B%2
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: https://www.instagram.com/sec-fetch-site:
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: https://www.instagram.comsec-fetch-mode:
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: https://www.messenger.com
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: https://www.messenger.com/
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: https://www.messenger.com/accept:
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: https://www.messenger.com/login/nonce/
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: https://www.messenger.com/login/nonce/ookie:
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll String found in binary or memory: https://www.messenger.com/origin:

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: A8xYhQFvXo.dll, type: SAMPLE Matched rule: APT34_PICKPOCKET Author: unknown
Source: 1.2.rundll32.exe.10000000.1.unpack, type: UNPACKEDPE Matched rule: APT34_PICKPOCKET Author: unknown
Source: 4.2.rundll32.exe.10000000.1.unpack, type: UNPACKEDPE Matched rule: APT34_PICKPOCKET Author: unknown
Source: 7.2.rundll32.exe.10000000.1.unpack, type: UNPACKEDPE Matched rule: APT34_PICKPOCKET Author: unknown
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_10033BFE 1_2_10033BFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_10023C51 1_2_10023C51
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_1002E58A 1_2_1002E58A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_10042F70 1_2_10042F70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_10040780 1_2_10040780
One or more processes crash
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6652 -s 712
PE file contains executable resources (Code or Archives)
Source: A8xYhQFvXo.dll Static PE information: Resource name: CRX type: 7-zip archive data, version 0.3
Source: A8xYhQFvXo.dll Static PE information: Resource name: FF type: 7-zip archive data, version 0.3
Source: A8xYhQFvXo.dll Static PE information: Resource name: FRIENDS type: 7-zip archive data, version 0.3
Sample file is different than original file name gathered from version info
Source: A8xYhQFvXo.dll Binary or memory string: OriginalFilenameFsFilter.sys vs A8xYhQFvXo.dll
Uses 32bit PE files
Source: A8xYhQFvXo.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Yara signature match
Source: A8xYhQFvXo.dll, type: SAMPLE Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
Source: 00000004.00000002.236067014.000000001028B000.00000008.00020000.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000007.00000002.245505715.000000001028B000.00000008.00020000.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000001.00000002.230780419.000000001028B000.00000008.00020000.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 1.2.rundll32.exe.10000000.1.unpack, type: UNPACKEDPE Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
Source: 4.2.rundll32.exe.10000000.1.unpack, type: UNPACKEDPE Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
Source: 7.2.rundll32.exe.10000000.1.unpack, type: UNPACKEDPE Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
Source: A8xYhQFvXo.dll Static PE information: Section: .rsrc ZLIB complexity 0.999259599673
Source: classification engine Classification label: mal60.winDLL@10/12@0/0
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign_task_Hello002
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign_task_Hello001
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6896
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6652
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7004
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER3DB2.tmp
Source: A8xYhQFvXo.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A8xYhQFvXo.dll,Hello001
Source: A8xYhQFvXo.dll Virustotal: Detection: 17%
Source: A8xYhQFvXo.dll Metadefender: Detection: 18%
Source: A8xYhQFvXo.dll ReversingLabs: Detection: 44%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\A8xYhQFvXo.dll'
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A8xYhQFvXo.dll,Hello001
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6652 -s 712
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A8xYhQFvXo.dll,Hello002
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6896 -s 712
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A8xYhQFvXo.dll,Hello003
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7004 -s 712
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A8xYhQFvXo.dll,Hello001
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A8xYhQFvXo.dll,Hello002
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A8xYhQFvXo.dll,Hello003
Source: A8xYhQFvXo.dll Static PE information: Virtual size of .text is bigger than: 0x100000
Source: A8xYhQFvXo.dll Static file information: File size 4890624 > 1048576
Source: A8xYhQFvXo.dll Static PE information: Raw size of .text is bigger than: 0x100000 < 0x170000
Source: A8xYhQFvXo.dll Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x118000
Source: A8xYhQFvXo.dll Static PE information: Raw size of .data is bigger than: 0x100000 < 0x179000
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Source: Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Source: A8xYhQFvXo.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: A8xYhQFvXo.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: A8xYhQFvXo.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: A8xYhQFvXo.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: A8xYhQFvXo.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

barindex
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_10037541 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 1_2_10037541
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_1002EB91 push ecx; ret 1_2_1002EBA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_10028D9A push ecx; ret 1_2_10028DAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_1014BE00 _memset,SHGetSpecialFolderPathA,_strcat_s,PathFileExistsA,_memset,GetPrivateProfileStringA,_strlen,_strlen,PathRemoveFileSpecA,_strcat_s,_strcat_s,PathFileExistsA,PathFindFileNameA, 1_2_1014BE00
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

barindex
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_10147900 PathFileExistsA,_memset,_memset,_strcpy_s,_strcat_s,FindFirstFileA,_memset,_strcpy_s,_strcat_s,_strcat_s,_strcat_s,_strcat_s,PathFileExistsA,PathRemoveFileSpecA,_memset,_strlen,FindNextFileA,FindClose, 1_2_10147900
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_10145A40 FindFirstFileA,FindClose, 1_2_10145A40

Anti Debugging:

barindex
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_10023315 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_10023315
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_10037541 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 1_2_10037541
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_1003AFFE __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 1_2_1003AFFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_10023315 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_10023315
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_10026CE8 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_10026CE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_10028D22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_10028D22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_101456A0 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA,GetLastError, 1_2_101456A0

Language, Device and Operating System Detection:

barindex
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 1_2_1003585F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 1_2_10035CD8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 1_2_10035D3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 1_2_10035D79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,_xtoa_s@20, 1_2_1002B5DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 1_2_10035F69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_10145D10 _malloc,_memset,GetSystemTime,SystemTimeToFileTime,SystemTimeToFileTime,__aulldiv, 1_2_10145D10
Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph (image not preserved). Behavior Graph ID: 346331, Sample: A8xYhQFvXo, Startdate: 30/01/2021, Architecture: WINDOWS, Score: 60. Signatures on the root node: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Machine Learning detection for sample. Process tree: loaddll32.exe started three rundll32.exe processes, each of which started a WerFault.exe process.
No contacted IP infos