Analysis Report a98ab505_by_Libranalysis.dll
Overview
General Information
Detection
Score: | 76 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Startup |
---|
Malware Configuration |
---|
Threatname: Dridex |
---|
{"Version": 22201, "C2 list": ["43.229.206.212:443", "82.209.17.209:8172", "162.241.209.225:4125"], "RC4 keys": ["BwjTiXD0nMT8wuL0lzuDMT1lwajgYLnSPMpMch1H2fk8H", "duBYwiNAKNjPWhQIWm9t4nFdK0AZ0qg5qRVUphxjgPm8fOpLdTGQDOkY8vper"]}
Yara Overview |
---|
Memory Dumps |
---|
Rule | Description | Author |
---|---|---|
JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |
Unpacked PEs |
---|
Rule | Description | Author |
---|---|---|
JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
AV Detection: |
---|
Found malware configuration |
Source: | Malware Configuration Extractor |
Multi AV Scanner detection for submitted file |
Source: | ReversingLabs |
Machine Learning detection for sample |
Source: | Joe Sandbox ML |
Networking: |
---|
C2 URLs / IPs found in malware configuration |
E-Banking Fraud: |
---|
Yara detected Dridex unpacked file |
Source: | Code function: | 2_2_10011460 |
Source: | Code function: | 2_2_1000846C |
Source: | Code function: | 2_2_10001494 |
Source: | Code function: | 2_2_1000A52C |
Source: | Code function: | 2_2_10011D58 |
Source: | Code function: | 2_2_10019348 |
Source: | Code function: | 2_2_10010754 |
Source: | Code function: | 2_2_100090CC |
Source: | Code function: | 0_2_100073E8 |
Source: | Code function: | 0_2_1000483B |
Source: | Code function: | 0_2_100088AD |
Source: | Code function: | 0_2_100090ED |
Source: | Code function: | 0_2_100070E8 |
Source: | Code function: | 0_2_1000690C |
Source: | Code function: | 0_2_10007548 |
Source: | Code function: | 0_2_1000516B |
Source: | Code function: | 0_2_1000918D |
Source: | Code function: | 0_2_10007D8E |
Source: | Code function: | 0_2_100079C1 |
Source: | Code function: | 0_2_1000761D |
Source: | Code function: | 0_2_10005248 |
Source: | Code function: | 0_2_10004380 |
Source: | Code function: | 0_2_1000269F |
Source: | Code function: | 0_2_100036A3 |
Source: | Code function: | 0_2_100066A5 |
Source: | Code function: | 0_2_100036A6 |
Source: | Code function: | 0_2_10007F2D |
Source: | Code function: | 0_2_10003746 |
Source: | Code function: | 0_2_10004380 |
Source: | Code function: | 0_2_100073E8 |
Source: | Code function: | 0_2_1000772E |
Source: | Code function: | 0_2_1000269F |
Source: | Code function: | 0_2_10004366 |
Source: | Code function: | 0_2_1000476C |
Source: | Code function: | 0_2_10004380 |
Source: | Code function: | 0_2_100073E8 |
Source: | Code function: | 0_2_100063E8 |
Source: | Code function: | 0_2_100067D1 |
Source: | Code function: | 2_2_1000F6CD |
Malware Analysis System Evasion: |
---|
Tries to detect sandboxes / dynamic malware analysis system (file name check) |
Source: | Code function: | 2_2_10006D50 |
Source: | Code function: | 2_2_10006D50 |
Source: | Code function: | 2_2_10006D50 |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection11 | Virtualization/Sandbox Evasion11 | OS Credential Dumping | Query Registry1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection11 | LSASS Memory | Security Software Discovery121 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information2 | Security Account Manager | Virtualization/Sandbox Evasion11 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Rundll321 | NTDS | Account Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing2 | LSA Secrets | System Owner/User Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | Remote System Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery11 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Detection | Scanner | Label |
---|---|---|
49% | ReversingLabs | Win32.Trojan.Convagent |
100% | Joe Sandbox ML | |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
Detection | Scanner | Label |
---|---|---|
100% | Avira | TR/Crypt.XPACK.Gen |
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Detection | Scanner | Label |
---|---|---|
0% | URL Reputation | safe |
0% | URL Reputation | safe |
0% | URL Reputation | safe |
0% | URL Reputation | safe |
Domains and IPs |
---|
Contacted Domains |
---|
No contacted domains info |
---|
URLs from Memory and Binaries |
---|
Malicious | Reputation |
---|---|
false | unknown |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
82.209.17.209 | unknown | Czech Republic | 30764 | PODA-ASCZ | true |
162.241.209.225 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1US | true |
43.229.206.212 | unknown | Indonesia | 24532 | INET-AS-IDPTInetGlobalIndoID | true |
General Information |
---|
Joe Sandbox Version: | 32.0.0 Black Diamond |
Analysis ID: | 413039 |
Start date: | 13.05.2021 |
Start time: | 06:54:07 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 7m 16s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | a98ab505_by_Libranalysis.dll |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Run name: | Run with higher sleep bypass |
Number of new started processes analysed: | 24 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal76.troj.evad.winDLL@6/4@0/3 |
EGA Information: | Failed |
HDC Information: | |
HCA Information: | |
Cookbook Comments: | |
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Detection |
---|---|
82.209.17.209 | malicious |
162.241.209.225 | malicious |
Domains |
---|
No context |
---|
ASN |
---|
Match | Detection |
---|---|
PODA-ASCZ | malicious |
UNIFIEDLAYER-AS-1US | malicious |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12680 |
Entropy (8bit): | 3.768336391710609 |
Encrypted: | false |
SSDEEP: | 192:u7EbZiN0oXruHBUZMX4jed+sQR/u7sHS274ItWci:SKZiDXaBUZMX4jea/u7sHX4ItWci |
MD5: | E08CBB1D441D88BDE4065ACAF4011018 |
SHA1: | F3484E678D6F0365DEC61113308FC2B73786EBBA |
SHA-256: | 2CC5AA0258F78DBA838ACE173AB8661168795596EF822389C57AE0213BE3A78D |
SHA-512: | B4346D751029D57B6A8D038475C45B348C760730CBF15C5DE49771892206E7E28B01C2453763D7D0BB2BBAAD8F14284BFBFF82D852283B0B2F147A1E58989E95 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 41624 |
Entropy (8bit): | 2.4051390385270874 |
Encrypted: | false |
SSDEEP: | 192:JbEHKHzvZNzNUNNN6qAmWtjjRNnD9NZWWAogMboc/MyO7/5p0EMZmVzZVjnkwEnz:KHkZNzNUNNNJEpV3ZWWhF1anXZVjnHEz |
MD5: | 5D86A78862C271FFAA90AF0B090594CD |
SHA1: | 75C3193765597FC6EBE2855FAACB36866FF7571F |
SHA-256: | 8FFF2A44A9EE0A10E2E764F4DA7073546711C70E742A7EDB20A6266A623548AB |
SHA-512: | 95F7A2DC53E22210017F17FE32DB6BDDAB314ECA9C3C21B5906169D225EAFF6A64D298A7AB8F10601AD2371376CF7A9BC711D3024265F298EE2AA92BB1153176 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8294 |
Entropy (8bit): | 3.6953177362699807 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNiO36XX6Yr66pQgmfTpvS++prm89b0ysfHEY8m:RrlsNi26n6Ym6pQgmfTBSt0xfHV |
MD5: | CF068ADA221E4144E98A7872F3875885 |
SHA1: | C754910C932EF8CDD8DA8910C5FD06DA571933F8 |
SHA-256: | D326B9BE4CD1C7E1BADFEBABF355930A4A46FDC3646888A686D93EC73815AF73 |
SHA-512: | E76CF7FB5666E54C6233CFD6F1A46DBB5EB9903F74CC553E5F4B5432438CC329A8B069CD57DB6CEDD88EF9F98723F88A08B976D3E26C73B982D0FFBC56623CC7 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4663 |
Entropy (8bit): | 4.475899785195257 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zs4JgtWI9K1yWSC8Bu8fm8M4JCdsHNbF9V2+q8/KNFVBn4SrSmd:uITf+tVSNZJ9NN2NNlDWmd |
MD5: | C2832FDD823216C133067E69989034B6 |
SHA1: | 86AF26EB5AAE25548EF6B32DF32AA407F57CCE02 |
SHA-256: | E8125B9BCB4F2AF73338A4B3A7F5B93480FE172C75E42BDBB9B03F1890E396F3 |
SHA-512: | CF57A45D53AC98FFF9652C27F48600583753A42E4DC1191E2229792C45BA64A4A17A6E5E8F1F6FFF6050004F8CA70ACAE166DBD04551250189755B4362844F1B |
Malicious: | false |
Reputation: | low |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.567246231271622 |
TrID: | |
File name: | a98ab505_by_Libranalysis.dll |
File size: | 160256 |
MD5: | a98ab505ecc3ec9d5c5d4571f4a2b5fe |
SHA1: | ff5d7193d073303d7821ea418a7fdede1a62d384 |
SHA256: | cf3a3944a4a37b5c13842e1acc85b10a69dddb1b1c9c7de2a432b4ba32bb1781 |
SHA512: | 0b085611813d868957edd720be45332ee6ebf1b8ce86111880a29181657c02395ed5e3b2745cf356ff910bbab0ed7b6c5084544f8fbaf4b21a32302134bcbcbc |
SSDEEP: | 3072:dyqDAKfnwLu67wJfAXzgAV12yo1DxbJ6rcKyMYK4f:3aiuwJ6zLV1/Sll5KM |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t.%.0zK.0zK.0zK.0zJ.}{K...3..{K.....P{K...3..zK.V....zK...1..{K......zK.Rich0zK.........................................PE..L.. |
File Icon |
---|
Icon Hash: | 74f0e4ecccdce0e4 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x10022f50 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x10000000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x609C7F8E [Thu May 13 01:23:26 2021 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | c9d8b256fabdf7ec02ac0e021f0f72c6 |
Entrypoint Preview |
---|
Instruction |
---|
xor eax, eax |
add eax, 00002234h |
cmpss xmm1, xmm2, 03h |
sub eax, 00002233h |
mov edx, 00000000h |
mov edx, 00000000h |
mov edx, 00000000h |
mov edx, 00000000h |
mov edx, 00000000h |
mov edx, 00000000h |
cmpss xmm1, xmm2, 03h |
cmp eax, 02h |
jne 00007F1360D795A9h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
Rich Headers |
---|
Programming Language: | |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2672a | 0x5b | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x267f8 | 0x59 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2b000 | 0x3a0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2c000 | 0x1220 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x10018 | 0x38 | .text |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x24000 | 0x58 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x220cc | 0x22200 | False | 0.762248168498 | data | 7.58982753446 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x24000 | 0x2a76 | 0x2c00 | False | 0.791548295455 | data | 7.46837367369 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.pdata | 0x27000 | 0x3324 | 0x1800 | False | 0.7353515625 | MMDF mailbox | 7.23030774842 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x2b000 | 0x3a0 | 0x400 | False | 0.423828125 | data | 3.05991849143 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x2c000 | 0x240 | 0x400 | False | 0.5078125 | data | 4.04632895522 | IMAGE_SCN_TYPE_NOLOAD, IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type |
---|---|---|---|
RT_VERSION | 0x2b060 | 0x33c | data |
Imports |
---|
DLL | Import |
---|---|
CLUSAPI.dll | ClusterEnum |
ADVAPI32.dll | RegOverridePredefKey |
RASAPI32.dll | RasGetConnectionStatistics |
KERNEL32.dll | LoadLibraryExA, LoadLibraryW, GetProfileSectionW, GetProfileSectionA, OpenSemaphoreW, CreateFileW, CloseHandle, OutputDebugStringA |
OPENGL32.dll | glTexSubImage1D |
USER32.dll | TranslateMessage |
ole32.dll | CreateStreamOnHGlobal, CreatePointerMoniker |
Version Infos |
---|
Description | Data |
---|---|
LegalCopyright | Copyright 2018 |
InternalName | x2otfb |
FileVersion | 7.2.5422.00 |
Full Version | 7.2.5_000-b00 |
CompanyName | Oracle Corporation |
ProductName | Xhot(BM) Ltloehey YO 8 |
ProductVersion | 7.2.5422.00 |
FileDescription | Java(TM) Platform SE binary |
OriginalFilename | x2otfb.dll |
Translation | 0x0000 0x04b0 |
Network Behavior |
---|
Network Port Distribution |
---|
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
May 13, 2021 06:54:54.167156935 CEST | 59123 | 53 | 192.168.2.4 | 8.8.8.8 |
May 13, 2021 06:54:54.198420048 CEST | 54531 | 53 | 192.168.2.4 | 8.8.8.8 |
May 13, 2021 06:54:54.216065884 CEST | 53 | 59123 | 8.8.8.8 | 192.168.2.4 |
May 13, 2021 06:54:54.263489008 CEST | 53 | 54531 | 8.8.8.8 | 192.168.2.4 |
May 13, 2021 06:54:55.249706984 CEST | 49714 | 53 | 192.168.2.4 | 8.8.8.8 |
May 13, 2021 06:54:55.313155890 CEST | 53 | 49714 | 8.8.8.8 | 192.168.2.4 |
May 13, 2021 06:54:56.890480042 CEST | 58028 | 53 | 192.168.2.4 | 8.8.8.8 |
May 13, 2021 06:54:56.939775944 CEST | 53 | 58028 | 8.8.8.8 | 192.168.2.4 |
May 13, 2021 06:54:57.243531942 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8 |
May 13, 2021 06:54:57.301326990 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4 |
May 13, 2021 06:54:58.328294992 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8 |
May 13, 2021 06:54:58.377069950 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4 |
May 13, 2021 06:54:59.805485010 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8 |
May 13, 2021 06:54:59.858119965 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4 |
May 13, 2021 06:55:01.073297024 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8 |
May 13, 2021 06:55:01.124840975 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4 |
May 13, 2021 06:55:01.915004015 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8 |
May 13, 2021 06:55:01.966907024 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4 |
May 13, 2021 06:55:03.454873085 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8 |
May 13, 2021 06:55:03.506932020 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4 |
May 13, 2021 06:55:04.271562099 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8 |
May 13, 2021 06:55:04.320266008 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4 |
May 13, 2021 06:55:05.399990082 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8 |
May 13, 2021 06:55:05.462759972 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4 |
May 13, 2021 06:55:06.794656038 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8 |
May 13, 2021 06:55:06.843369007 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4 |
May 13, 2021 06:55:07.569686890 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8 |
May 13, 2021 06:55:07.618385077 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4 |
May 13, 2021 06:55:08.429094076 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8 |
May 13, 2021 06:55:08.477752924 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4 |
May 13, 2021 06:55:10.104027987 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8 |
May 13, 2021 06:55:10.155740976 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4 |
May 13, 2021 06:55:11.468683004 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8 |
May 13, 2021 06:55:11.517378092 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4 |
May 13, 2021 06:55:12.531749010 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8 |
May 13, 2021 06:55:12.580511093 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4 |
May 13, 2021 06:55:13.800578117 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8 |
May 13, 2021 06:55:13.852796078 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4 |
May 13, 2021 06:55:18.835875988 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8 |
May 13, 2021 06:55:18.886480093 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4 |
May 13, 2021 06:55:19.925559044 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8 |
May 13, 2021 06:55:19.976767063 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4 |
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
Behavior |
---|
System Behavior |
---|
| General | |
|---|---|
| Start time: | 06:54:59 |
| Start date: | 13/05/2021 |
| Path: | C:\Windows\System32\loaddll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xe20000 |
| File size: | 116736 bytes |
| MD5 hash: | 542795ADF7CC08EFCF675D65310596E8 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| General | |
|---|---|
| Start time: | 06:55:00 |
| Start date: | 13/05/2021 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x11d0000 |
| File size: | 232960 bytes |
| MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| General | |
|---|---|
| Start time: | 06:55:00 |
| Start date: | 13/05/2021 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xd10000 |
| File size: | 61952 bytes |
| MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: | |
| Reputation: | high |
| General | |
|---|---|
| Start time: | 06:55:31 |
| Start date: | 13/05/2021 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xae0000 |
| File size: | 434592 bytes |
| MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
Disassembly |
---|
Code Analysis |
---|
Executed Functions |
---|
Function 03491178, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 227 (memory, COMMON)
C-Code - Quality: 42% |
APIs |
Strings |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
---|
C-Code - Quality: 78% |
Strings |
Memory Dump Source |
Yara matches |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 31% |
Strings |
Memory Dump Source |
Yara matches |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 93% |
Strings |
Memory Dump Source |
Yara matches |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 84% |
Strings |
Memory Dump Source |
Yara matches |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
Strings |
Memory Dump Source |
Yara matches |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 10011460, Relevance: .6, Instructions: 572 (COMMON, Crypto)
C-Code - Quality: 90% |
Memory Dump Source |
Yara matches |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 10011D58, Relevance: .3, Instructions: 282 (COMMON, Crypto)
C-Code - Quality: 89% |
Memory Dump Source |
Yara matches |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 10006D50, Relevance: .0, Instructions: 36 (COMMON)
C-Code - Quality: 100% |
Memory Dump Source |
Yara matches |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 1000C218, Relevance: 5.1, Strings: 4, Instructions: 53 (COMMON)
C-Code - Quality: 83% |
Strings |
Memory Dump Source |
Yara matches |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |