Source: 2.2.rundll32.exe.10000000.3.unpack |
Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["203.114.109.124:443", "82.165.145.100:6601", "94.177.255.18:8172"], "RC4 keys": ["BwjTiXD0nMT8wuL0lzuDMT1lwajgYLnSPMpMch1H2fk8H", "Zn2kewZlGvQs4cF0q7SiWd3gnwzXSWs561WqoqBWjN3RtNQTcvkRtcHJba3Ed"]} |
Source: 931f389a_by_Libranalysis.dll |
ReversingLabs: Detection: 61% |
Source: 931f389a_by_Libranalysis.dll |
Joe Sandbox ML: detected |
Source: 931f389a_by_Libranalysis.dll |
Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: 931f389a_by_Libranalysis.dll |
Static PE information: DYNAMIC_BASE, NX_COMPAT |
Source: loaddll32.exe, 00000000.00000002.209159569.0000000010024000.00000002.00020000.sdmp, 931f389a_by_Libranalysis.dll |
Binary string: fpmvppp.pdb |
Source: Malware configuration extractor |
IPs: 203.114.109.124:443 |
Source: Malware configuration extractor |
IPs: 82.165.145.100:6601 |
Source: Malware configuration extractor |
IPs: 94.177.255.18:8172 |
Source: Joe Sandbox View |
IP Address: 94.177.255.18 |
Source: Joe Sandbox View |
IP Address: 203.114.109.124 |
Source: Joe Sandbox View |
IP Address: 82.165.145.100 |
Source: Joe Sandbox View |
ASN Name: ARUBACLOUDLTD-ASNGB |
Source: Joe Sandbox View |
ASN Name: TOT-LLI-AS-APTOTPublicCompanyLimitedTH |
Source: Joe Sandbox View |
ASN Name: ONEANDONE-ASBrauerstrasse48DE |
Source: 931f389a_by_Libranalysis.dll |
String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04 |
Source: 931f389a_by_Libranalysis.dll |
String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06 |
Source: 931f389a_by_Libranalysis.dll |
String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s |
Source: 931f389a_by_Libranalysis.dll |
String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# |
Source: 931f389a_by_Libranalysis.dll |
String found in binary or memory: http://ocsp.comodoca.com0 |
Source: 931f389a_by_Libranalysis.dll |
String found in binary or memory: http://ocsp.sectigo.com0 |
Source: 931f389a_by_Libranalysis.dll |
String found in binary or memory: https://sectigo.com/CPS0 |
Source: loaddll32.exe, 00000000.00000002.209125681.0000000000C4B000.00000004.00000020.sdmp |
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
|
Source: Yara match |
File source: 00000002.00000002.278464354.0000000010001000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 2.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_10011460 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_1000846C |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_10001494 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_1000A52C |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_10011D58 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_10019348 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_10010754 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_100090CC |
Source: 931f389a_by_Libranalysis.dll |
Static PE information: invalid certificate |
Source: 931f389a_by_Libranalysis.dll |
Binary or memory string: OriginalFilename: x2otfb.dll vs 931f389a_by_Libranalysis.dll |
Source: 931f389a_by_Libranalysis.dll |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: classification engine |
Classification label: mal76.troj.evad.winDLL@6/4@0/3 |
Source: C:\Windows\SysWOW64\WerFault.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6332 |
Source: C:\Windows\SysWOW64\WerFault.exe |
File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER3D67.tmp |
Source: C:\Windows\System32\loaddll32.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\SysWOW64\WerFault.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: unknown |
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\931f389a_by_Libranalysis.dll' |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\931f389a_by_Libranalysis.dll',#1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\931f389a_by_Libranalysis.dll',#1 |
|
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6332 -s 764 |
|
Source: 931f389a_by_Libranalysis.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: 931f389a_by_Libranalysis.dll |
Static PE information: real checksum: 0x2a3c3 should be: 0x3227e |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_10007685 push DA598020h; ret |
0_2_1000768B |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_100030DC push edi; iretd |
0_2_100030DD |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_1000F6CC push esi; mov dword ptr [esp], 00000000h |
2_2_1000F6CD |
Source: initial sample |
Static PE information: section name: .text entropy: 7.58875564719 |
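The checksum mismatch (real 0x2a3c3, expected 0x3227e) and the 7.59-bit .text entropy reported above are two static checks an analyst can reproduce on the sample without a sandbox. The Python below is an added example, not code from the Joe Sandbox report or from the sample itself: it locates IMAGE_OPTIONAL_HEADER.CheckSum from the DOS and PE headers, recomputes the image checksum with the same end-around-carry algorithm imagehlp's CheckSumMappedFile uses, and measures the Shannon entropy of an arbitrary byte blob (run it per section on a real file). build_minimal_pe and its 160-byte header are a constructed fixture so the code runs offline; they are not data from the DLL.

```python
import math
import struct

# Offsets from the PE/COFF specification (PE32 and PE32+ share these).
E_LFANEW_OFFSET = 0x3C                      # DOS header: file offset of "PE\0\0"
PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_SIZE = 20
CHECKSUM_OFFSET_IN_OPTIONAL_HEADER = 0x40   # IMAGE_OPTIONAL_HEADER.CheckSum


def checksum_field_offset(data: bytes) -> int:
    """File offset of the CheckSum field, after validating the MZ/PE headers."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("not a PE file: bad e_lfanew or PE signature")
    offset = e_lfanew + 4 + COFF_HEADER_SIZE + CHECKSUM_OFFSET_IN_OPTIONAL_HEADER
    if offset + 4 > len(data):
        raise ValueError("file truncated before the CheckSum field")
    if offset % 4:
        raise ValueError("CheckSum field is not dword aligned")
    return offset


def compute_pe_checksum(data: bytes) -> int:
    """Recompute the image checksum the way imagehlp does: sum every 32-bit word
    (the CheckSum field itself counted as zero) with end-around carry, fold the
    result to 16 bits, then add the file length."""
    skip = checksum_field_offset(data)
    padded = data + b"\0" * (-len(data) % 4)   # pad the tail to a whole dword
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)   # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    total = total + (total >> 16)
    total &= 0xFFFF
    return total + len(data)   # unpadded length, as imagehlp does


def verify_pe_checksum(data: bytes):
    """Return (stored, computed, matches). A mismatch is what the sandbox reports
    as "real checksum ... should be ...". Linkers often leave the field zero and
    Windows only enforces it for drivers and a few system images, so treat a
    mismatch as a tamper/packing hint, not proof."""
    stored = struct.unpack_from("<I", data, checksum_field_offset(data))[0]
    computed = compute_pe_checksum(data)
    return stored, computed, stored == computed


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform). Packed or encrypted code
    sits above roughly 7.2; plain compiled x86 .text usually lands near 6.0-6.5."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_minimal_pe(stored_checksum: int) -> bytes:
    """Constructed 160-byte stand-in for a PE header (assumption: only enough of
    the DOS header, PE signature and optional header for CheckSum to exist)."""
    buf = bytearray(0xA0)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, 0x40)
    buf[0x40:0x44] = PE_SIGNATURE
    field = 0x40 + 4 + COFF_HEADER_SIZE + CHECKSUM_OFFSET_IN_OPTIONAL_HEADER
    struct.pack_into("<I", buf, field, stored_checksum)
    return bytes(buf)


if __name__ == "__main__":
    import sys
    # Pass a file path to check a real DLL; otherwise use the constructed fixture.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe(0xDDCCBBAA)
    stored, computed, ok = verify_pe_checksum(data)
    print(f"checksum stored=0x{stored:x} computed=0x{computed:x} {'OK' if ok else 'MISMATCH'}")
    print(f"entropy of whole file: {shannon_entropy(data):.3f} bits/byte")
```

For a section-level figure like the report's .text entropy, slice the section's raw bytes (PointerToRawData, SizeOfRawData from the section table) and pass that slice to shannon_entropy; whole-file entropy is diluted by headers and zero padding.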
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX (same call logged 20 times) |
Source: C:\Windows\SysWOW64\rundll32.exe |
Section loaded: \KnownDlls32\TESTAPP.exe |
Source: C:\Windows\System32\loaddll32.exe |
Process queried: DebugPort |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_10006D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA |