Analysis Report qMus8K6kXx.dll

Overview

General Information

Sample Name: qMus8K6kXx.dll
Analysis ID: 392881
MD5: a789cbe1be2a6e99de90f65c5213c992
SHA1: d70b6c72da60fa4dc4c2b0ec32bcc41887721535
SHA256: 01c6da823713aeb976fea61d010524859d104cba25fe2570855f21828df32086
Tags: 40111, Dridex

Detection

Dridex Dropper
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Dridex dropper found
Machine Learning detection for sample
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Creates a process in suspended mode (likely to inject code)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
One or more processes crash
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

AV Detection:

Machine Learning detection for sample
Source: qMus8K6kXx.dll Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.loaddll32.exe.ec0000.1.unpack Avira: Label: TR/ATRAPS.Gen2

Compliance:

Uses 32bit PE files
Source: qMus8K6kXx.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: qMus8K6kXx.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: opengl32.pdb source: WerFault.exe, 00000012.00000003.557115775.0000000005060000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000012.00000003.557121244.0000000005064000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000012.00000003.551211425.0000000000DB1000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000012.00000003.557079049.0000000005091000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000012.00000003.557079049.0000000005091000.00000004.00000001.sdmp
Source: Binary string: wgdi32full.pdbk source: WerFault.exe, 00000012.00000003.557121244.0000000005064000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000012.00000003.557127342.0000000005067000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdbUGP source: rundll32.exe, 00000002.00000003.286166045.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.353723939.000000004B280000.00000004.00000001.sdmp
Source: Binary string: glu32.pdb source: WerFault.exe, 00000012.00000003.557127342.0000000005067000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000012.00000003.557079049.0000000005091000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: rundll32.exe, 00000002.00000003.286166045.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.353723939.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.552765546.0000000000DAB000.00000004.00000001.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000012.00000003.557079049.0000000005091000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000012.00000003.557079049.0000000005091000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000012.00000003.557127342.0000000005067000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000012.00000003.557079049.0000000005091000.00000004.00000001.sdmp
Source: Binary string: fffp4.pdb source: WerFault.exe, 00000012.00000003.557079049.0000000005091000.00000004.00000001.sdmp, qMus8K6kXx.dll
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000012.00000003.557115775.0000000005060000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000012.00000003.557079049.0000000005091000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000012.00000003.551555159.0000000000DB7000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000012.00000003.557127342.0000000005067000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000012.00000003.551555159.0000000000DB7000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000012.00000003.557079049.0000000005091000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000012.00000003.557127342.0000000005067000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000012.00000003.557079049.0000000005091000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000012.00000003.551211425.0000000000DB1000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb\ source: WerFault.exe, 00000012.00000003.557127342.0000000005067000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000012.00000003.557079049.0000000005091000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000012.00000003.557115775.0000000005060000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000012.00000003.557079049.0000000005091000.00000004.00000001.sdmp
Source: Binary string: a1pjr4pCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000012.00000002.575659374.0000000000A92000.00000004.00000010.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000012.00000003.551204253.0000000000DAB000.00000004.00000001.sdmp
Source: qMus8K6kXx.dll String found in binary or memory: http://ansicon.adoxa.vze.com/6

E-Banking Fraud:

Dridex dropper found
Source: Initial file Signature Results: Dridex dropper behavior

System Summary:

Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
One or more processes crash
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 416
Sample file is different than original file name gathered from version info
Source: qMus8K6kXx.dll Binary or memory string: OriginalFilenameANSI32.dll0 vs qMus8K6kXx.dll
Uses 32bit PE files
Source: qMus8K6kXx.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: qMus8K6kXx.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal60.bank.evad.winDLL@8/4@0/1
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1536
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER4CA2.tmp
Source: qMus8K6kXx.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\qMus8K6kXx.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\qMus8K6kXx.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\qMus8K6kXx.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\qMus8K6kXx.dll',ReadLogRecord
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 416
Source: qMus8K6kXx.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: qMus8K6kXx.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: initial sample Static PE information: section name: .text entropy: 7.55877156847
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (19 identical entries)

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: OutputDebugStringW count: 1603
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Source: C:\Windows\System32\loaddll32.exe Section loaded: \KnownDlls32\testapp.exe
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: \KnownDlls32\testapp.exe
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: \KnownDlls32\testapp.exe
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 916
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 684
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed (4 identical entries)
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: WerFault.exe, 00000012.00000002.579940482.0000000004DC0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000012.00000002.579940482.0000000004DC0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000012.00000002.579940482.0000000004DC0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000012.00000002.579940482.0000000004DC0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\qMus8K6kXx.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Behavior Graph ID: 392881
Sample: qMus8K6kXx.dll
Startdate: 19/04/2021
Architecture: WINDOWS
Score: 60

Process tree recovered from the graph (signatures listed under the node they were raised on, contacted IPs under the process that contacted them):

qMus8K6kXx.dll (start node)
  - Dridex dropper found
  - Machine Learning detection for sample
  +-- loaddll32.exe
      - Tries to detect sandboxes / dynamic malware analysis system (file name check)
      +-- cmd.exe
      |   +-- rundll32.exe
      |       - Tries to detect sandboxes / dynamic malware analysis system (file name check)
      |       - Tries to delay execution (extensive OutputDebugStringW loop)
      +-- rundll32.exe
      |   - Tries to detect sandboxes / dynamic malware analysis system (file name check)
      +-- WerFault.exe
          -> 192.168.2.1 (unknown, unknown)

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
(none; the only contacted address is private)

Contacted Private IPs

192.168.2.1 (contacted by WerFault.exe, per the behavior graph)