
Analysis Report LbSpXJz6Ey.dll

Overview

General Information

Sample Name: LbSpXJz6Ey.dll
Analysis ID: 388620
MD5: d6904948ae99d7bf84e6af9a978c3ae6
SHA1: a272ccd04db93604874c8606e4f41ad8bb212540
SHA256: 938f890613dc8526bb828c3de5d5c612b7c13515062fb6ca15f8abc1424f2835
Tags: dll, nut, ZLoader

Detection

ZLoader
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected ZLoader
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
PE file contains an invalid checksum
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6548 cmdline: loaddll32.exe 'C:\Users\user\Desktop\LbSpXJz6Ey.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 6588 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\LbSpXJz6Ey.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6636 cmdline: rundll32.exe 'C:\Users\user\Desktop\LbSpXJz6Ey.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6624 cmdline: rundll32.exe C:\Users\user\Desktop\LbSpXJz6Ey.dll,_Drawmorning@8 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6684 cmdline: rundll32.exe C:\Users\user\Desktop\LbSpXJz6Ey.dll,_ExpectRemember@0 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6708 cmdline: rundll32.exe C:\Users\user\Desktop\LbSpXJz6Ey.dll,_Offmark@0 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6724 cmdline: rundll32.exe C:\Users\user\Desktop\LbSpXJz6Ey.dll,_Providesea@8 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

Threatname: ZLoader

{"C2 list": ["https://jiaayanu.com/post.php", "https://investinszeklerland.eu/post.php", "https://iqs-sac.com/post.php", "https://jciems.in/post.php", "https://jinnahofficersschool.com/post.php", "https://kancagh.com/post.php"], "RC4 Key": "dh8f3@3hdf#hsf23", "Botnet": "nut", "Campaign": "13/04"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000003.583049899.0000000002740000.00000040.00000001.sdmp | JoeSecurity_ZLoader_2 | Yara detected ZLoader | Joe Security |
00000005.00000003.585834648.0000000004960000.00000040.00000001.sdmp | JoeSecurity_ZLoader_2 | Yara detected ZLoader | Joe Security |
00000006.00000002.647580754.000000006E191000.00000020.00020000.sdmp | JoeSecurity_ZLoader_2 | Yara detected ZLoader | Joe Security |
00000004.00000002.656327415.000000006E191000.00000020.00020000.sdmp | JoeSecurity_ZLoader_2 | Yara detected ZLoader | Joe Security |
00000005.00000002.612647390.000000006E191000.00000020.00020000.sdmp | JoeSecurity_ZLoader_2 | Yara detected ZLoader | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
5.3.rundll32.exe.4975cf4.0.raw.unpack | JoeSecurity_ZLoader_2 | Yara detected ZLoader | Joe Security |
5.3.rundll32.exe.4975cf4.0.unpack | JoeSecurity_ZLoader_2 | Yara detected ZLoader | Joe Security |
5.2.rundll32.exe.6e190000.1.unpack | JoeSecurity_ZLoader_2 | Yara detected ZLoader | Joe Security |
4.3.rundll32.exe.2755cf4.0.raw.unpack | JoeSecurity_ZLoader_2 | Yara detected ZLoader | Joe Security |
4.3.rundll32.exe.2755cf4.0.unpack | JoeSecurity_ZLoader_2 | Yara detected ZLoader | Joe Security |
(2 further entries not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 5.3.rundll32.exe.4975cf4.0.raw.unpack Malware Configuration Extractor: ZLoader {"C2 list": ["https://jiaayanu.com/post.php", "https://investinszeklerland.eu/post.php", "https://iqs-sac.com/post.php", "https://jciems.in/post.php", "https://jinnahofficersschool.com/post.php", "https://kancagh.com/post.php"], "RC4 Key": "dh8f3@3hdf#hsf23", "Botnet": "nut", "Campaign": "13/04"}
Multi AV Scanner detection for submitted file
Source: LbSpXJz6Ey.dll Virustotal: Detection: 39%
Source: LbSpXJz6Ey.dll Metadefender: Detection: 26%
Source: LbSpXJz6Ey.dll ReversingLabs: Detection: 44%
Source: LbSpXJz6Ey.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: LbSpXJz6Ey.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\position\Trade\Hair than\Sight.pdb source: loaddll32.exe, 00000001.00000002.646001738.000000006E212000.00000004.00020000.sdmp, rundll32.exe, 00000004.00000002.661497710.000000006E217000.00000004.00020000.sdmp, rundll32.exe, 00000005.00000002.612708689.000000006E204000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.655853498.000000006E204000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.610813810.000000006E212000.00000004.00020000.sdmp, rundll32.exe, 00000008.00000002.628765478.000000006E212000.00000004.00020000.sdmp, LbSpXJz6Ey.dll
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then movzx eax, word ptr [ebp+0Ch] 4_2_6E19FA10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov eax, dword ptr [edi-08h] 4_2_6E1AB200
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov eax, esi 4_2_6E1AFA40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then test bl, bl 4_2_6E1AAE80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then push 68653F5Eh 4_2_6E19F420
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then test ebx, ebx 4_2_6E1A5C80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov byte ptr [ebp+eax-50h], cl 4_2_6E1A04E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then push ebx 4_2_6E1A9DA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then lea ebx, dword ptr [ebp-34h] 4_2_6E1AC9E0

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: https://jiaayanu.com/post.php
Source: Malware configuration extractor IPs: https://investinszeklerland.eu/post.php
Source: Malware configuration extractor IPs: https://iqs-sac.com/post.php
Source: Malware configuration extractor IPs: https://jciems.in/post.php
Source: Malware configuration extractor IPs: https://jinnahofficersschool.com/post.php
Source: Malware configuration extractor IPs: https://kancagh.com/post.php
Source: loaddll32.exe, 00000001.00000002.646024059.000000006E232000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.661511442.000000006E232000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.613754347.000000006E232000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.658068139.000000006E232000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.610821067.000000006E232000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.628771772.000000006E232000.00000002.00020000.sdmp, LbSpXJz6Ey.dll String found in binary or memory: http://openspot.de
Source: loaddll32.exe, 00000001.00000002.644850329.0000000000A7B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected ZLoader
Source: Yara match File source: 00000004.00000003.583049899.0000000002740000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.585834648.0000000004960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.647580754.000000006E191000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.656327415.000000006E191000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.612647390.000000006E191000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 5.3.rundll32.exe.4975cf4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.4975cf4.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.6e190000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.2755cf4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.2755cf4.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.6e190000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.6e190000.1.unpack, type: UNPACKEDPE
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1A9EA4
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1AA7F0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1A9C63
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1AA57C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1A9A31
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1AAA55
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1C7291
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1AA317
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E19DBDC
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1AA0D6
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1C7171
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1A0230
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E197C20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E193880
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E198CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E192550
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1961F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1BDF30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1C976C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1BE450
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1C7291
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1BE880
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1C7171
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1C19BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E1BDF30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E1C976C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E1BE450
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E1C7291
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E1BE880
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E1C7171
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E1C19BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1BDF30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1C976C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1BE450
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1C7291
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1BE880
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1C7171
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1C19BF
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E19AAE0 appears 41 times
Source: LbSpXJz6Ey.dll Binary or memory string: OriginalFilenameSight.dllj% vs LbSpXJz6Ey.dll
Source: LbSpXJz6Ey.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine Classification label: mal68.troj.winDLL@13/0@0/1
Source: LbSpXJz6Ey.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LbSpXJz6Ey.dll,_Drawmorning@8
Source: LbSpXJz6Ey.dll Virustotal: Detection: 39%
Source: LbSpXJz6Ey.dll Metadefender: Detection: 26%
Source: LbSpXJz6Ey.dll ReversingLabs: Detection: 44%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\LbSpXJz6Ey.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\LbSpXJz6Ey.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LbSpXJz6Ey.dll,_Drawmorning@8
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\LbSpXJz6Ey.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LbSpXJz6Ey.dll,_ExpectRemember@0
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LbSpXJz6Ey.dll,_Offmark@0
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LbSpXJz6Ey.dll,_Providesea@8
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\LbSpXJz6Ey.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LbSpXJz6Ey.dll,_Drawmorning@8
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LbSpXJz6Ey.dll,_ExpectRemember@0
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LbSpXJz6Ey.dll,_Offmark@0
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LbSpXJz6Ey.dll,_Providesea@8
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\LbSpXJz6Ey.dll',#1
Source: LbSpXJz6Ey.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: LbSpXJz6Ey.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: LbSpXJz6Ey.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: LbSpXJz6Ey.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: LbSpXJz6Ey.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: LbSpXJz6Ey.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: LbSpXJz6Ey.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: LbSpXJz6Ey.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\position\Trade\Hair than\Sight.pdb source: loaddll32.exe, 00000001.00000002.646001738.000000006E212000.00000004.00020000.sdmp, rundll32.exe, 00000004.00000002.661497710.000000006E217000.00000004.00020000.sdmp, rundll32.exe, 00000005.00000002.612708689.000000006E204000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.655853498.000000006E204000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.610813810.000000006E212000.00000004.00020000.sdmp, rundll32.exe, 00000008.00000002.628765478.000000006E212000.00000004.00020000.sdmp, LbSpXJz6Ey.dll
Source: LbSpXJz6Ey.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: LbSpXJz6Ey.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: LbSpXJz6Ey.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: LbSpXJz6Ey.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: LbSpXJz6Ey.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: LbSpXJz6Ey.dll Static PE information: real checksum: 0xb66e2 should be: 0xab31a
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1CAD03 push ecx; ret 1_2_6E1CAD16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1AC720 push eax; ret 4_2_6E1AC72A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1CAD03 push ecx; ret 4_2_6E1CAD16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E1CAD03 push ecx; ret 5_2_6E1CAD16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1CAD03 push ecx; ret 6_2_6E1CAD16
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E19AE86 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1ADFA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1B726E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E19F2B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E2144D9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E21440F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E214016 push dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E2144D9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E21440F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E214016 push dword ptr fs:[00000030h]
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E19AE86 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1AD780 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E19A7A8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\LbSpXJz6Ey.dll',#1
Source: loaddll32.exe, 00000001.00000002.645863904.0000000000F00000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.651085141.0000000002C40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.612600311.0000000003550000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.646520208.0000000002C80000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.610686780.0000000002C20000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.628677755.0000000003640000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000002.645863904.0000000000F00000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.651085141.0000000002C40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.612600311.0000000003550000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.646520208.0000000002C80000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.610686780.0000000002C20000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.628677755.0000000003640000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000002.645863904.0000000000F00000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.651085141.0000000002C40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.612600311.0000000003550000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.646520208.0000000002C80000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.610686780.0000000002C20000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.628677755.0000000003640000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: loaddll32.exe, 00000001.00000002.645863904.0000000000F00000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.651085141.0000000002C40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.612600311.0000000003550000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.646520208.0000000002C80000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.610686780.0000000002C20000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.628677755.0000000003640000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E19ACA6 cpuid
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 1_2_6E1B1254
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 1_2_6E1B1154
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 4_2_6E1C26FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 4_2_6E1C1F54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_6E1C25D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6E1C225F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6E1C22FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 4_2_6E1C2385
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_6E1C2804
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 4_2_6E1C28D3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6E1C21F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 5_2_6E1C26FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 5_2_6E1C1F54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 5_2_6E1C25D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 5_2_6E1C225F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 5_2_6E1C22FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 5_2_6E1C2385
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 5_2_6E1C2804
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 5_2_6E1C28D3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 5_2_6E1C21F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 6_2_6E1C26FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 6_2_6E1C1F54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 6_2_6E1C25D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 6_2_6E1C225F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 6_2_6E1C22FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 6_2_6E1C2385
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 6_2_6E1C2804
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 6_2_6E1C28D3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 6_2_6E1C21F6
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E19B08B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter

Stealing of Sensitive Information:

Yara detected ZLoader
Source: Yara match File source: 00000004.00000003.583049899.0000000002740000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.585834648.0000000004960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.647580754.000000006E191000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.656327415.000000006E191000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.612647390.000000006E191000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 5.3.rundll32.exe.4975cf4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.4975cf4.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.6e190000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.2755cf4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.2755cf4.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.6e190000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.6e190000.1.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected ZLoader
Source: Yara match File source: 00000004.00000003.583049899.0000000002740000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.585834648.0000000004960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.647580754.000000006E191000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.656327415.000000006E191000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.612647390.000000006E191000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 5.3.rundll32.exe.4975cf4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.4975cf4.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.6e190000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.2755cf4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.2755cf4.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.6e190000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.6e190000.1.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Techniques are listed per tactic column, top row first; a number appended to a technique is the match count badge shown in the matrix.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation: Process Injection12; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Defense Evasion: Rundll321; Process Injection12; Deobfuscate/Decode Files or Information1; Obfuscated Files or Information3
Credential Access: Input Capture1; LSASS Memory; Security Account Manager; NTDS
Discovery: System Time Discovery1; Security Software Discovery1; Process Discovery1; System Information Discovery22
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Input Capture1; Archive Collected Data1; Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: Encrypted Channel1; Application Layer Protocol1; Steganography; Protocol Impersonation
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud

Behavior Graph