Play interactive tour

Edit tour

Analysis Report a98ab505_by_Libranalysis.dll

Overview

General Information

Sample Name:	a98ab505_by_Libranalysis.dll
Analysis ID:	413039
MD5:	a98ab505ecc3ec9d5c5d4571f4a2b5fe
SHA1:	ff5d7193d073303d7821ea418a7fdede1a62d384
SHA256:	cf3a3944a4a37b5c13842e1acc85b10a69dddb1b1c9c7de2a432b4ba32bb1781
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Dridex unpacked file

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to query locales information (e.g. system language)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

loaddll32.exe (PID: 6636 cmdline: loaddll32.exe 'C:\Users\user\Desktop\a98ab505_by_Libranalysis.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 6644 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\a98ab505_by_Libranalysis.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6656 cmdline: rundll32.exe 'C:\Users\user\Desktop\a98ab505_by_Libranalysis.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 6688 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6656 -s 764 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22201, "C2 list": ["43.229.206.212:443", "82.209.17.209:8172", "162.241.209.225:4125"], "RC4 keys": ["BwjTiXD0nMT8wuL0lzuDMT1lwajgYLnSPMpMch1H2fk8H", "duBYwiNAKNjPWhQIWm9t4nFdK0AZ0qg5qRVUphxjgPm8fOpLdTGQDOkY8vper"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.755906569.0000000010001000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.rundll32.exe.10000000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 2.2.rundll32.exe.10000000.3.unpack

Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["43.229.206.212:443", "82.209.17.209:8172", "162.241.209.225:4125"], "RC4 keys": ["BwjTiXD0nMT8wuL0lzuDMT1lwajgYLnSPMpMch1H2fk8H", "duBYwiNAKNjPWhQIWm9t4nFdK0AZ0qg5qRVUphxjgPm8fOpLdTGQDOkY8vper"]}

Multi AV Scanner detection for submitted file

Show sources

Source: a98ab505_by_Libranalysis.dll

ReversingLabs: Detection: 48%

Machine Learning detection for sample

Show sources

Source: a98ab505_by_Libranalysis.dll

Joe Sandbox ML: detected

Source: a98ab505_by_Libranalysis.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: a98ab505_by_Libranalysis.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: ClusApi.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000E.00000003.725980115.0000000004634000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb4 source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000E.00000003.734096122.0000000004AC1000.00000004.00000001.sdmp
Source:	Binary string: lbase.pdb source: WerFault.exe, 0000000E.00000003.725980115.0000000004634000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000E.00000003.734096122.0000000004AC1000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000E.00000003.734170143.0000000004BE0000.00000004.00000040.sdmp
Source:	Binary string: glu32.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000000E.00000003.734096122.0000000004AC1000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000E.00000003.734170143.0000000004BE0000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000E.00000003.734096122.0000000004AC1000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdbk source: WerFault.exe, 0000000E.00000003.734096122.0000000004AC1000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000000E.00000003.734170143.0000000004BE0000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000E.00000003.734096122.0000000004AC1000.00000004.00000001.sdmp
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: rasapi32.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: HD`lbase.pdb source: WerFault.exe, 0000000E.00000003.726295606.0000000004635000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000E.00000003.734096122.0000000004AC1000.00000004.00000001.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 0000000E.00000003.734170143.0000000004BE0000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000E.00000003.734096122.0000000004AC1000.00000004.00000001.sdmp
Source:	Binary string: mpr.pdb? source: WerFault.exe, 0000000E.00000003.734170143.0000000004BE0000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb& source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 0000000E.00000003.734170143.0000000004BE0000.00000004.00000040.sdmp
Source:	Binary string: opengl32.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb< source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000E.00000003.734096122.0000000004AC1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 0000000E.00000003.734170143.0000000004BE0000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 0000000E.00000003.734209164.0000000004BF0000.00000004.00000040.sdmp
Source:	Binary string: rasman.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000E.00000003.734170143.0000000004BE0000.00000004.00000040.sdmp
Source:	Binary string: fpmvppp.pdb source: loaddll32.exe, 00000000.00000002.655496338.0000000010024000.00000002.00020000.sdmp, a98ab505_by_Libranalysis.dll
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 0000000E.00000003.734096122.0000000004AC1000.00000004.00000001.sdmp
Source:	Binary string: wUxTheme.pdb< source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000E.00000003.734170143.0000000004BE0000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000E.00000003.734170143.0000000004BE0000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000E.00000003.734170143.0000000004BE0000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000E.00000003.734170143.0000000004BE0000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 0000000E.00000003.734096122.0000000004AC1000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000000E.00000003.734096122.0000000004AC1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000E.00000003.734096122.0000000004AC1000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb* source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 43.229.206.212:443
Source: Malware configuration extractor	IPs: 82.209.17.209:8172
Source: Malware configuration extractor	IPs: 162.241.209.225:4125

Source: Joe Sandbox View	IP Address: 82.209.17.209 82.209.17.209
Source: Joe Sandbox View	IP Address: 162.241.209.225 162.241.209.225

Source: Joe Sandbox View	ASN Name: PODA-ASCZ PODA-ASCZ
Source: Joe Sandbox View	ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: WerFault.exe, 0000000E.00000003.748855263.000000000456C000.00000004.00000001.sdmp

String found in binary or memory: http://crl.micro

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 00000002.00000002.755906569.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10011460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1000846C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10001494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1000A52C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10011D58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10019348
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10010754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_100090CC

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6656 -s 764

Source: a98ab505_by_Libranalysis.dll

Binary or memory string: OriginalFilenamex2otfb.dllN vs a98ab505_by_Libranalysis.dll

Source: a98ab505_by_Libranalysis.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: a98ab505_by_Libranalysis.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal76.troj.evad.winDLL@6/4@0/3

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6656

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERBF22.tmp

Jump to behavior

Source: a98ab505_by_Libranalysis.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\a98ab505_by_Libranalysis.dll',#1

Source: a98ab505_by_Libranalysis.dll

ReversingLabs: Detection: 48%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\a98ab505_by_Libranalysis.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\a98ab505_by_Libranalysis.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\a98ab505_by_Libranalysis.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6656 -s 764
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\a98ab505_by_Libranalysis.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\a98ab505_by_Libranalysis.dll',#1

Source: a98ab505_by_Libranalysis.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: a98ab505_by_Libranalysis.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: ClusApi.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000E.00000003.725980115.0000000004634000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb4 source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000E.00000003.734096122.0000000004AC1000.00000004.00000001.sdmp
Source:	Binary string: lbase.pdb source: WerFault.exe, 0000000E.00000003.725980115.0000000004634000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000E.00000003.734096122.0000000004AC1000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000E.00000003.734170143.0000000004BE0000.00000004.00000040.sdmp
Source:	Binary string: glu32.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000000E.00000003.734096122.0000000004AC1000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000E.00000003.734170143.0000000004BE0000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000E.00000003.734096122.0000000004AC1000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdbk source: WerFault.exe, 0000000E.00000003.734096122.0000000004AC1000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000000E.00000003.734170143.0000000004BE0000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000E.00000003.734096122.0000000004AC1000.00000004.00000001.sdmp
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: rasapi32.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: HD`lbase.pdb source: WerFault.exe, 0000000E.00000003.726295606.0000000004635000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000E.00000003.734096122.0000000004AC1000.00000004.00000001.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 0000000E.00000003.734170143.0000000004BE0000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000E.00000003.734096122.0000000004AC1000.00000004.00000001.sdmp
Source:	Binary string: mpr.pdb? source: WerFault.exe, 0000000E.00000003.734170143.0000000004BE0000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb& source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 0000000E.00000003.734170143.0000000004BE0000.00000004.00000040.sdmp
Source:	Binary string: opengl32.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb< source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000E.00000003.734096122.0000000004AC1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 0000000E.00000003.734170143.0000000004BE0000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 0000000E.00000003.734209164.0000000004BF0000.00000004.00000040.sdmp
Source:	Binary string: rasman.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000E.00000003.734170143.0000000004BE0000.00000004.00000040.sdmp
Source:	Binary string: fpmvppp.pdb source: loaddll32.exe, 00000000.00000002.655496338.0000000010024000.00000002.00020000.sdmp, a98ab505_by_Libranalysis.dll
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 0000000E.00000003.734096122.0000000004AC1000.00000004.00000001.sdmp
Source:	Binary string: wUxTheme.pdb< source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000E.00000003.734170143.0000000004BE0000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000E.00000003.734170143.0000000004BE0000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000E.00000003.734170143.0000000004BE0000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000E.00000003.734170143.0000000004BE0000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 0000000E.00000003.734096122.0000000004AC1000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000000E.00000003.734096122.0000000004AC1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000E.00000003.734096122.0000000004AC1000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb* source: WerFault.exe, 0000000E.00000003.734183815.0000000004BE6000.00000004.00000040.sdmp

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000742D push ebx; iretd
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10004836 push esp; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000888E push ds; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100090C5 push ds; retf
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100070CF push ebx; retf
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10006909 push ds; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10007540 push bx; retf
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10005168 push ds; iretd
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000918C push es; retf
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10007D8D push es; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100079B5 push ecx; retf
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000762B push ds; retf
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000523E push esi; retf
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000428B push FFFFFFA0h; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002691 push edx; iretd
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100036A2 push ecx; iretd
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100066A4 push ecx; iretd
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100036A5 push ds; iretd
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10007ECA push ds; iretd
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100036ED push ds; iretd
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100042EE push FFFFFFA0h; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10007307 push ebx; iretd
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000772D push ecx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10022F50 push edx; iretd
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000435C push ebx; retf
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000476B push es; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10004389 push FFFFFFA0h; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100073B5 push ebx; iretd
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100063C9 push esi; retf
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100067CB push edi; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1000F6CC push esi; mov dword ptr [esp], 00000000h

Source: initial sample

Static PE information: section name: .text entropy: 7.58982753446

Source: C:\Windows\SysWOW64\WerFault.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Section loaded: \KnownDlls32\TESTAPP.exe

Source: WerFault.exe, 0000000E.00000002.753015700.0000000004830000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 0000000E.00000003.748950202.0000000004648000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 0000000E.00000002.753015700.0000000004830000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 0000000E.00000002.753015700.0000000004830000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 0000000E.00000002.753015700.0000000004830000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\System32\loaddll32.exe

Process queried: DebugPort

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_10006D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\a98ab505_by_Libranalysis.dll',#1

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

Source: C:\Windows\SysWOW64\rundll32.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection11	Virtualization/Sandbox Evasion11	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection11	LSASS Memory	Security Software Discovery121	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Security Account Manager	Virtualization/Sandbox Evasion11	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	Account Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing2	LSA Secrets	System Owner/User Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery11	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
a98ab505_by_Libranalysis.dll	49%	ReversingLabs	Win32.Trojan.Convagent
a98ab505_by_Libranalysis.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
2.2.rundll32.exe.3490000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crl.micro	0%	URL Reputation	safe
http://crl.micro	0%	URL Reputation	safe
http://crl.micro	0%	URL Reputation	safe
http://crl.micro	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.micro	WerFault.exe, 0000000E.00000003.748855263.000000000456C000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
82.209.17.209	unknown	Czech Republic	30764	PODA-ASCZ	true
162.241.209.225	unknown	United States	46606	UNIFIEDLAYER-AS-1US	true
43.229.206.212	unknown	Indonesia	24532	INET-AS-IDPTInetGlobalIndoID	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	413039
Start date:	13.05.2021
Start time:	06:54:07
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 16s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	a98ab505_by_Libranalysis.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.troj.evad.winDLL@6/4@0/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 68.1% (good quality ratio 48.1%) Quality average: 49.5% Quality standard deviation: 39.9%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .dll

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
82.209.17.209	6333f266_by_Libranalysis.dll	Get hash	malicious	Browse
	0f6f2d53_by_Libranalysis.dll	Get hash	malicious	Browse
	5322b76c_by_Libranalysis.dll	Get hash	malicious	Browse
	c2b6efb1_by_Libranalysis.dll	Get hash	malicious	Browse
	62badb64_by_Libranalysis.dll	Get hash	malicious	Browse
	0ee1d71e_by_Libranalysis.dll	Get hash	malicious	Browse
	a98ab505_by_Libranalysis.dll	Get hash	malicious	Browse
	1c640454_by_Libranalysis.dll	Get hash	malicious	Browse
	6333f266_by_Libranalysis.dll	Get hash	malicious	Browse
	a13bac07_by_Libranalysis.dll	Get hash	malicious	Browse
	0f6f2d53_by_Libranalysis.dll	Get hash	malicious	Browse
	c2b6efb1_by_Libranalysis.dll	Get hash	malicious	Browse
	62badb64_by_Libranalysis.dll	Get hash	malicious	Browse
	634459e1_by_Libranalysis.dll	Get hash	malicious	Browse
	0ee1d71e_by_Libranalysis.dll	Get hash	malicious	Browse
	ce9a5575_by_Libranalysis.dll	Get hash	malicious	Browse
	1bbde683_by_Libranalysis.dll	Get hash	malicious	Browse
	514b5b51_by_Libranalysis.dll	Get hash	malicious	Browse
	a13bac07_by_Libranalysis.dll	Get hash	malicious	Browse
	d310ebba_by_Libranalysis.dll	Get hash	malicious	Browse
162.241.209.225	6333f266_by_Libranalysis.dll	Get hash	malicious	Browse
	0f6f2d53_by_Libranalysis.dll	Get hash	malicious	Browse
	5322b76c_by_Libranalysis.dll	Get hash	malicious	Browse
	c2b6efb1_by_Libranalysis.dll	Get hash	malicious	Browse
	62badb64_by_Libranalysis.dll	Get hash	malicious	Browse
	0ee1d71e_by_Libranalysis.dll	Get hash	malicious	Browse
	a98ab505_by_Libranalysis.dll	Get hash	malicious	Browse
	1c640454_by_Libranalysis.dll	Get hash	malicious	Browse
	6333f266_by_Libranalysis.dll	Get hash	malicious	Browse
	a13bac07_by_Libranalysis.dll	Get hash	malicious	Browse
	0f6f2d53_by_Libranalysis.dll	Get hash	malicious	Browse
	c2b6efb1_by_Libranalysis.dll	Get hash	malicious	Browse
	62badb64_by_Libranalysis.dll	Get hash	malicious	Browse
	634459e1_by_Libranalysis.dll	Get hash	malicious	Browse
	0ee1d71e_by_Libranalysis.dll	Get hash	malicious	Browse
	ce9a5575_by_Libranalysis.dll	Get hash	malicious	Browse
	1bbde683_by_Libranalysis.dll	Get hash	malicious	Browse
	514b5b51_by_Libranalysis.dll	Get hash	malicious	Browse
	a13bac07_by_Libranalysis.dll	Get hash	malicious	Browse
	d310ebba_by_Libranalysis.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
PODA-ASCZ	6333f266_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	0f6f2d53_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	5322b76c_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	c2b6efb1_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	62badb64_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	0ee1d71e_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	a98ab505_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	1c640454_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	6333f266_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	a13bac07_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	0f6f2d53_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	c2b6efb1_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	62badb64_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	634459e1_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	0ee1d71e_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	ce9a5575_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	1bbde683_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	514b5b51_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	a13bac07_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	d310ebba_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
UNIFIEDLAYER-AS-1US	6333f266_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	0f6f2d53_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	5322b76c_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	c2b6efb1_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	62badb64_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	0ee1d71e_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	a98ab505_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	1c640454_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	6333f266_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	a13bac07_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	0f6f2d53_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	c2b6efb1_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	62badb64_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	634459e1_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	0ee1d71e_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	ce9a5575_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	1bbde683_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	514b5b51_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	a13bac07_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	d310ebba_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_d1933e54dec77ed372db99aebc0b4554f9da850_82810a17_1a60e121\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	12680
Entropy (8bit):	3.768336391710609
Encrypted:	false
SSDEEP:	192:u7EbZiN0oXruHBUZMX4jed+sQR/u7sHS274ItWci:SKZiDXaBUZMX4jea/u7sHX4ItWci
MD5:	E08CBB1D441D88BDE4065ACAF4011018
SHA1:	F3484E678D6F0365DEC61113308FC2B73786EBBA
SHA-256:	2CC5AA0258F78DBA838ACE173AB8661168795596EF822389C57AE0213BE3A78D
SHA-512:	B4346D751029D57B6A8D038475C45B348C760730CBF15C5DE49771892206E7E28B01C2453763D7D0BB2BBAAD8F14284BFBFF82D852283B0B2F147A1E58989E95
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.5.3.5.5.3.3.5.2.5.3.0.0.2.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.5.3.5.5.3.4.2.2.5.2.9.8.1.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.b.f.f.1.c.7.c.-.a.6.5.a.-.4.c.3.1.-.b.f.8.a.-.f.b.e.d.a.5.8.4.5.2.5.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.7.8.9.3.9.2.3.-.8.b.8.9.-.4.6.3.8.-.8.5.6.3.-.4.3.8.0.a.7.2.1.5.3.8.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.0.0.-.0.0.0.1.-.0.0.1.b.-.b.d.7.7.-.f.5.2.0.b.4.4.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBF22.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu May 13 04:55:36 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	41624
Entropy (8bit):	2.4051390385270874
Encrypted:	false
SSDEEP:	192:JbEHKHzvZNzNUNNN6qAmWtjjRNnD9NZWWAogMboc/MyO7/5p0EMZmVzZVjnkwEnz:KHkZNzNUNNNJEpV3ZWWhF1anXZVjnHEz
MD5:	5D86A78862C271FFAA90AF0B090594CD
SHA1:	75C3193765597FC6EBE2855FAACB36866FF7571F
SHA-256:	8FFF2A44A9EE0A10E2E764F4DA7073546711C70E742A7EDB20A6266A623548AB
SHA-512:	95F7A2DC53E22210017F17FE32DB6BDDAB314ECA9C3C21B5906169D225EAFF6A64D298A7AB8F10601AD2371376CF7A9BC711D3024265F298EE2AA92BB1153176
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......H..`...................U...........B......P ......GenuineIntelW...........T...........$..`.............................0..=...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC695.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8294
Entropy (8bit):	3.6953177362699807
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiO36XX6Yr66pQgmfTpvS++prm89b0ysfHEY8m:RrlsNi26n6Ym6pQgmfTBSt0xfHV
MD5:	CF068ADA221E4144E98A7872F3875885
SHA1:	C754910C932EF8CDD8DA8910C5FD06DA571933F8
SHA-256:	D326B9BE4CD1C7E1BADFEBABF355930A4A46FDC3646888A686D93EC73815AF73
SHA-512:	E76CF7FB5666E54C6233CFD6F1A46DBB5EB9903F74CC553E5F4B5432438CC329A8B069CD57DB6CEDD88EF9F98723F88A08B976D3E26C73B982D0FFBC56623CC7
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.5.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC9B3.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4663
Entropy (8bit):	4.475899785195257
Encrypted:	false
SSDEEP:	48:cvIwSD8zs4JgtWI9K1yWSC8Bu8fm8M4JCdsHNbF9V2+q8/KNFVBn4SrSmd:uITf+tVSNZJ9NN2NNlDWmd
MD5:	C2832FDD823216C133067E69989034B6
SHA1:	86AF26EB5AAE25548EF6B32DF32AA407F57CCE02
SHA-256:	E8125B9BCB4F2AF73338A4B3A7F5B93480FE172C75E42BDBB9B03F1890E396F3
SHA-512:	CF57A45D53AC98FFF9652C27F48600583753A42E4DC1191E2229792C45BA64A4A17A6E5E8F1F6FFF6050004F8CA70ACAE166DBD04551250189755B4362844F1B
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="987246" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.567246231271622
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	a98ab505_by_Libranalysis.dll
File size:	160256
MD5:	a98ab505ecc3ec9d5c5d4571f4a2b5fe
SHA1:	ff5d7193d073303d7821ea418a7fdede1a62d384
SHA256:	cf3a3944a4a37b5c13842e1acc85b10a69dddb1b1c9c7de2a432b4ba32bb1781
SHA512:	0b085611813d868957edd720be45332ee6ebf1b8ce86111880a29181657c02395ed5e3b2745cf356ff910bbab0ed7b6c5084544f8fbaf4b21a32302134bcbcbc
SSDEEP:	3072:dyqDAKfnwLu67wJfAXzgAV12yo1DxbJ6rcKyMYK4f:3aiuwJ6zLV1/Sll5KM
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t.%.0zK.0zK.0zK.0zJ.}{K...3..{K.....P{K...3..zK.V....zK...1..{K......zK.Rich0zK.........................................PE..L..

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10022f50
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x609C7F8E [Thu May 13 01:23:26 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	c9d8b256fabdf7ec02ac0e021f0f72c6

Entrypoint Preview

Instruction
xor eax, eax
add eax, 00002234h
cmpss xmm1, xmm2, 03h
sub eax, 00002233h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
cmpss xmm1, xmm2, 03h
cmp eax, 02h
jne 00007F1360D795A9h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h

Rich Headers

Programming Language:

[RES] VS2012 UPD3 build 60610
[LNK] VS2005 build 50727
[EXP] VS2005 build 50727
[ C ] VS2012 UPD4 build 61030
[IMP] VS2013 UPD2 build 30501

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2672a	0x5b	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x267f8	0x59	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2b000	0x3a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2c000	0x1220
IMAGE_DIRECTORY_ENTRY_DEBUG	0x10018	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x24000	0x58	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x220cc	0x22200	False	0.762248168498	data	7.58982753446	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x24000	0x2a76	0x2c00	False	0.791548295455	data	7.46837367369	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x27000	0x3324	0x1800	False	0.7353515625	MMDF mailbox	7.23030774842	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x2b000	0x3a0	0x400	False	0.423828125	data	3.05991849143	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2c000	0x240	0x400	False	0.5078125	data	4.04632895522	IMAGE_SCN_TYPE_NOLOAD, IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x2b060	0x33c	data

Imports

DLL	Import
CLUSAPI.dll	ClusterEnum
ADVAPI32.dll	RegOverridePredefKey
RASAPI32.dll	RasGetConnectionStatistics
KERNEL32.dll	LoadLibraryExA, LoadLibraryW, GetProfileSectionW, GetProfileSectionA, OpenSemaphoreW, CreateFileW, CloseHandle, OutputDebugStringA
OPENGL32.dll	glTexSubImage1D
USER32.dll	TranslateMessage
ole32.dll	CreateStreamOnHGlobal, CreatePointerMoniker

Version Infos

Description	Data
LegalCopyright	Copyright 2018
InternalName	x2otfb
FileVersion	7.2.5422.00
Full Version	7.2.5_000-b00
CompanyName	Oracle Corporation
ProductName	Xhot(BM) Ltloehey YO 8
ProductVersion	7.2.5422.00
FileDescription	Java(TM) Platform SE binary
OriginalFilename	x2otfb.dll
Translation	0x0000 0x04b0

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 13, 2021 06:54:54.167156935 CEST	59123	53	192.168.2.4	8.8.8.8
May 13, 2021 06:54:54.198420048 CEST	54531	53	192.168.2.4	8.8.8.8
May 13, 2021 06:54:54.216065884 CEST	53	59123	8.8.8.8	192.168.2.4
May 13, 2021 06:54:54.263489008 CEST	53	54531	8.8.8.8	192.168.2.4
May 13, 2021 06:54:55.249706984 CEST	49714	53	192.168.2.4	8.8.8.8
May 13, 2021 06:54:55.313155890 CEST	53	49714	8.8.8.8	192.168.2.4
May 13, 2021 06:54:56.890480042 CEST	58028	53	192.168.2.4	8.8.8.8
May 13, 2021 06:54:56.939775944 CEST	53	58028	8.8.8.8	192.168.2.4
May 13, 2021 06:54:57.243531942 CEST	53097	53	192.168.2.4	8.8.8.8
May 13, 2021 06:54:57.301326990 CEST	53	53097	8.8.8.8	192.168.2.4
May 13, 2021 06:54:58.328294992 CEST	49257	53	192.168.2.4	8.8.8.8
May 13, 2021 06:54:58.377069950 CEST	53	49257	8.8.8.8	192.168.2.4
May 13, 2021 06:54:59.805485010 CEST	62389	53	192.168.2.4	8.8.8.8
May 13, 2021 06:54:59.858119965 CEST	53	62389	8.8.8.8	192.168.2.4
May 13, 2021 06:55:01.073297024 CEST	49910	53	192.168.2.4	8.8.8.8
May 13, 2021 06:55:01.124840975 CEST	53	49910	8.8.8.8	192.168.2.4
May 13, 2021 06:55:01.915004015 CEST	55854	53	192.168.2.4	8.8.8.8
May 13, 2021 06:55:01.966907024 CEST	53	55854	8.8.8.8	192.168.2.4
May 13, 2021 06:55:03.454873085 CEST	64549	53	192.168.2.4	8.8.8.8
May 13, 2021 06:55:03.506932020 CEST	53	64549	8.8.8.8	192.168.2.4
May 13, 2021 06:55:04.271562099 CEST	63153	53	192.168.2.4	8.8.8.8
May 13, 2021 06:55:04.320266008 CEST	53	63153	8.8.8.8	192.168.2.4
May 13, 2021 06:55:05.399990082 CEST	52991	53	192.168.2.4	8.8.8.8
May 13, 2021 06:55:05.462759972 CEST	53	52991	8.8.8.8	192.168.2.4
May 13, 2021 06:55:06.794656038 CEST	53700	53	192.168.2.4	8.8.8.8
May 13, 2021 06:55:06.843369007 CEST	53	53700	8.8.8.8	192.168.2.4
May 13, 2021 06:55:07.569686890 CEST	51726	53	192.168.2.4	8.8.8.8
May 13, 2021 06:55:07.618385077 CEST	53	51726	8.8.8.8	192.168.2.4
May 13, 2021 06:55:08.429094076 CEST	56794	53	192.168.2.4	8.8.8.8
May 13, 2021 06:55:08.477752924 CEST	53	56794	8.8.8.8	192.168.2.4
May 13, 2021 06:55:10.104027987 CEST	56534	53	192.168.2.4	8.8.8.8
May 13, 2021 06:55:10.155740976 CEST	53	56534	8.8.8.8	192.168.2.4
May 13, 2021 06:55:11.468683004 CEST	56627	53	192.168.2.4	8.8.8.8
May 13, 2021 06:55:11.517378092 CEST	53	56627	8.8.8.8	192.168.2.4
May 13, 2021 06:55:12.531749010 CEST	56621	53	192.168.2.4	8.8.8.8
May 13, 2021 06:55:12.580511093 CEST	53	56621	8.8.8.8	192.168.2.4
May 13, 2021 06:55:13.800578117 CEST	63116	53	192.168.2.4	8.8.8.8
May 13, 2021 06:55:13.852796078 CEST	53	63116	8.8.8.8	192.168.2.4
May 13, 2021 06:55:18.835875988 CEST	64078	53	192.168.2.4	8.8.8.8
May 13, 2021 06:55:18.886480093 CEST	53	64078	8.8.8.8	192.168.2.4
May 13, 2021 06:55:19.925559044 CEST	64801	53	192.168.2.4	8.8.8.8
May 13, 2021 06:55:19.976767063 CEST	53	64801	8.8.8.8	192.168.2.4
May 13, 2021 06:55:30.666755915 CEST	61721	53	192.168.2.4	8.8.8.8
May 13, 2021 06:55:30.725814104 CEST	53	61721	8.8.8.8	192.168.2.4
May 13, 2021 06:55:40.182075024 CEST	51255	53	192.168.2.4	8.8.8.8
May 13, 2021 06:55:40.240514040 CEST	53	51255	8.8.8.8	192.168.2.4
May 13, 2021 06:55:43.561554909 CEST	61522	53	192.168.2.4	8.8.8.8
May 13, 2021 06:55:43.613298893 CEST	53	61522	8.8.8.8	192.168.2.4
May 13, 2021 06:55:48.212294102 CEST	52337	53	192.168.2.4	8.8.8.8
May 13, 2021 06:55:48.276665926 CEST	53	52337	8.8.8.8	192.168.2.4
May 13, 2021 06:56:00.218456984 CEST	55046	53	192.168.2.4	8.8.8.8
May 13, 2021 06:56:00.305618048 CEST	53	55046	8.8.8.8	192.168.2.4
May 13, 2021 06:56:00.896776915 CEST	49612	53	192.168.2.4	8.8.8.8
May 13, 2021 06:56:01.003010035 CEST	53	49612	8.8.8.8	192.168.2.4
May 13, 2021 06:56:01.596420050 CEST	49285	53	192.168.2.4	8.8.8.8
May 13, 2021 06:56:01.653580904 CEST	53	49285	8.8.8.8	192.168.2.4
May 13, 2021 06:56:02.005770922 CEST	50601	53	192.168.2.4	8.8.8.8
May 13, 2021 06:56:02.070842028 CEST	53	50601	8.8.8.8	192.168.2.4
May 13, 2021 06:56:02.083420992 CEST	60875	53	192.168.2.4	8.8.8.8
May 13, 2021 06:56:02.170087099 CEST	53	60875	8.8.8.8	192.168.2.4
May 13, 2021 06:56:02.737278938 CEST	56448	53	192.168.2.4	8.8.8.8
May 13, 2021 06:56:02.795300961 CEST	53	56448	8.8.8.8	192.168.2.4
May 13, 2021 06:56:03.457828045 CEST	59172	53	192.168.2.4	8.8.8.8
May 13, 2021 06:56:03.514831066 CEST	53	59172	8.8.8.8	192.168.2.4
May 13, 2021 06:56:03.961601019 CEST	62420	53	192.168.2.4	8.8.8.8
May 13, 2021 06:56:04.018767118 CEST	53	62420	8.8.8.8	192.168.2.4
May 13, 2021 06:56:04.774547100 CEST	60579	53	192.168.2.4	8.8.8.8
May 13, 2021 06:56:04.831553936 CEST	53	60579	8.8.8.8	192.168.2.4
May 13, 2021 06:56:05.651005983 CEST	50183	53	192.168.2.4	8.8.8.8
May 13, 2021 06:56:05.749567032 CEST	53	50183	8.8.8.8	192.168.2.4
May 13, 2021 06:56:06.284044027 CEST	61531	53	192.168.2.4	8.8.8.8
May 13, 2021 06:56:06.341527939 CEST	53	61531	8.8.8.8	192.168.2.4
May 13, 2021 06:56:11.352149010 CEST	49228	53	192.168.2.4	8.8.8.8
May 13, 2021 06:56:11.411710024 CEST	53	49228	8.8.8.8	192.168.2.4
May 13, 2021 06:56:47.638673067 CEST	59794	53	192.168.2.4	8.8.8.8
May 13, 2021 06:56:47.695739031 CEST	53	59794	8.8.8.8	192.168.2.4
May 13, 2021 06:56:49.312550068 CEST	55916	53	192.168.2.4	8.8.8.8
May 13, 2021 06:56:49.377916098 CEST	53	55916	8.8.8.8	192.168.2.4

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6636 Parent PID: 5860

General

Start time:	06:54:59
Start date:	13/05/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\a98ab505_by_Libranalysis.dll'
Imagebase:	0xe20000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 6644 Parent PID: 6636

General

Start time:	06:55:00
Start date:	13/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\a98ab505_by_Libranalysis.dll',#1
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 6656 Parent PID: 6644

General

Start time:	06:55:00
Start date:	13/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\a98ab505_by_Libranalysis.dll',#1
Imagebase:	0xd10000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000002.00000002.755906569.0000000010001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: WerFault.exe PID: 6688 Parent PID: 6656

General

Start time:	06:55:31
Start date:	13/05/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6656 -s 764
Imagebase:	0xae0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report a98ab505_by_Libranalysis.dll

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: loaddll32.exe PID: 6636 Parent PID: 5860

General

Analysis Process: cmd.exe PID: 6644 Parent PID: 6636

General