Analysis Report SecuriteInfo.com.Mal.EncPk-APW.3323.dll

Overview

General Information

Sample Name:	SecuriteInfo.com.Mal.EncPk-APW.3323.dll
Analysis ID:	382278
MD5:	937e2c551368757c5e3c3598c41ea7d9
SHA1:	599b5bc9138bec69ac61a82858d2a2115eeab943
SHA256:	cb73a2cf01aa499376231e1c5c14dbf0abfae7a2f2036c78bcfbc35b2284a5d5
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Ursnif

Machine Learning detection for sample

Antivirus or Machine Learning detection for unpacked file

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection:

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll

Virustotal: Detection: 28%

Perma Link

Machine Learning detection for sample

Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 1.2.loaddll32.exe.10000000.3.unpack

Avira: Label: TR/Crypt.XPACK.Gen8

Compliance:

Uses 32bit PE files

Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Source: Yara match	File source: 00000003.00000002.274936732.0000000002600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.254342538.0000000004990000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.625111885.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2600000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4990000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.d90000.2.raw.unpack, type: UNPACKEDPE

E-Banking Fraud:

Yara detected Ursnif

Source: Yara match	File source: 00000003.00000002.274936732.0000000002600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.254342538.0000000004990000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.625111885.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2600000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4990000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.d90000.2.raw.unpack, type: UNPACKEDPE

System Summary:

Contains functionality to call native functions

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_10002375 NtQueryVirtualMemory,

1_2_10002375

Detected potential crypto function

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10002154	1_2_10002154
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16	3_2_023D5F16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5A25	3_2_023D5A25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D1B1E	3_2_023D1B1E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D3A14	3_2_023D3A14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D150C	3_2_023D150C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5378	3_2_023D5378
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D2A69	3_2_023D2A69
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D1967	3_2_023D1967
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D2566	3_2_023D2566
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5262	3_2_023D5262
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D88BA	3_2_023D88BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D31B3	3_2_023D31B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D92B2	3_2_023D92B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D2FAF	3_2_023D2FAF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D3FAB	3_2_023D3FAB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D43D8	3_2_023D43D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D27D4	3_2_023D27D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D1CD0	3_2_023D1CD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D13C5	3_2_023D13C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03045F16	4_2_03045F16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0304150C	4_2_0304150C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03043A14	4_2_03043A14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03041B1E	4_2_03041B1E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03045A25	4_2_03045A25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03042566	4_2_03042566
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03041967	4_2_03041967
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03045262	4_2_03045262
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03042A69	4_2_03042A69
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03045378	4_2_03045378
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03042FAF	4_2_03042FAF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03043FAB	4_2_03043FAB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_030492B2	4_2_030492B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_030431B3	4_2_030431B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_030488BA	4_2_030488BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_030413C5	4_2_030413C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_030427D4	4_2_030427D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03041CD0	4_2_03041CD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_030443D8	4_2_030443D8

Uses 32bit PE files

Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: classification engine

Classification label: mal60.troj.winDLL@7/0@0/0

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll,DllServer

Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll

Virustotal: Detection: 28%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll,DllServer
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll,DllServer	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1	Jump to behavior

Data Obfuscation:

Contains functionality to dynamically determine API calls

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_10001745 LoadLibraryA,GetProcAddress,

1_2_10001745

PE file contains sections with non-standard names

Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll

Static PE information: section name: .code

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10002143 push ecx; ret	1_2_10002153
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_100020F0 push ecx; ret	1_2_100020F9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx	3_2_023D5F7B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax	3_2_023D5F94
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax	3_2_023D5FDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax	3_2_023D604B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax	3_2_023D6124
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], edi	3_2_023D614F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], edx	3_2_023D625E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax	3_2_023D62B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax	3_2_023D6343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax	3_2_023D635D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], ebp	3_2_023D6368
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax	3_2_023D6385
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], edx	3_2_023D63B4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax	3_2_023D6483
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax	3_2_023D64F2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax	3_2_023D64FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax	3_2_023D650A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], edi	3_2_023D6567
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], edi	3_2_023D65A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], eax	3_2_023D6610
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax	3_2_023D6685
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx	3_2_023D66C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax	3_2_023D66E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], edi	3_2_023D6781
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], edx	3_2_023D67B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax	3_2_023D684C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax	3_2_023D6858
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], edx	3_2_023D6926
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax	3_2_023D6945

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Source: Yara match	File source: 00000003.00000002.274936732.0000000002600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.254342538.0000000004990000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.625111885.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2600000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4990000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.d90000.2.raw.unpack, type: UNPACKEDPE

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\loaddll32.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Anti Debugging:

Contains functionality to dynamically determine API calls

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_10001745 LoadLibraryA,GetProcAddress,

1_2_10001745

Contains functionality to read the PEB

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_023D2A69 xor edi, dword ptr fs:[00000030h]		3_2_023D2A69
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03042A69 xor edi, dword ptr fs:[00000030h]		4_2_03042A69

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1

Jump to behavior

Source: loaddll32.exe, 00000001.00000002.625565568.0000000001450000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: loaddll32.exe, 00000001.00000002.625565568.0000000001450000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000002.625565568.0000000001450000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000002.625565568.0000000001450000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_1000163F SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,

1_2_1000163F

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_10001850 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

1_2_10001850

Stealing of Sensitive Information:

Yara detected Ursnif

Source: Yara match	File source: 00000003.00000002.274936732.0000000002600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.254342538.0000000004990000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.625111885.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2600000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4990000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.d90000.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Ursnif

Source: Yara match	File source: 00000003.00000002.274936732.0000000002600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.254342538.0000000004990000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.625111885.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2600000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4990000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.d90000.2.raw.unpack, type: UNPACKEDPE

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No contacted IP infos

ID:	382278
Product:	CloudBasic
Start time:	00:57:29
Start date:	06.04.2021
Sample:	SecuriteInfo.com.Mal.EncPk-APW.3323.dll
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	937e2c551368757c5e3c3598c41ea7d9
SHA1:	599b5bc9138bec69ac61a82858d2a2115eeab943
SHA256:	cb73a2cf01aa499376231e1c5c14dbf0abfae7a2f2036c78bcfbc35b2284a5d5
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60%

Analysis Report SecuriteInfo.com.Mal.EncPk-APW.3323.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map