Analysis Report 5322b76c_by_Libranalysis.dll

Overview

General Information

Sample Name:	5322b76c_by_Libranalysis.dll
Analysis ID:	413041
MD5:	5322b76cdba29bb2ad297a41294d0c44
SHA1:	9138b9ac4b35bb14bdf419415afb1d03faab2a61
SHA256:	2bcaa45180a112b958dfc32888d626b12629efed8ff5eaf2e521797d6270d90e
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Dridex unpacked file

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to query locales information (e.g. system language)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 3.2.rundll32.exe.10000000.3.unpack

Malware Configuration Extractor: Dridex {"Version": 22202, "C2 list": ["43.229.206.212:443", "82.209.17.209:8172", "162.241.209.225:4125"], "RC4 keys": ["16dkGStOzdHgjuCciXGdSX7UrHWfYSUG8wEUtKNgzHrWMfTGafJbC", "UlufoCqJDohDzGOdBY6ldd1IbFW5KV8BqCAnkqwdDzvq0CsZOOngL"]}

Multi AV Scanner detection for submitted file

Source: 5322b76c_by_Libranalysis.dll

ReversingLabs: Detection: 29%

Machine Learning detection for sample

Source: 5322b76c_by_Libranalysis.dll

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Source: 5322b76c_by_Libranalysis.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: 5322b76c_by_Libranalysis.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: fpmvppp.pdb source: loaddll32.exe, 00000001.00000002.209140353.0000000010025000.00000002.00020000.sdmp, 5322b76c_by_Libranalysis.dll

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 43.229.206.212:443
Source: Malware configuration extractor	IPs: 82.209.17.209:8172
Source: Malware configuration extractor	IPs: 162.241.209.225:4125

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 82.209.17.209 82.209.17.209
Source: Joe Sandbox View	IP Address: 162.241.209.225 162.241.209.225

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: PODA-ASCZ PODA-ASCZ
Source: Joe Sandbox View	ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

E-Banking Fraud:

Yara detected Dridex unpacked file

Source: Yara match	File source: 00000003.00000002.287972689.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE

System Summary:

Detected potential crypto function

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10021E90	1_2_10021E90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10011460	3_2_10011460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000846C	3_2_1000846C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10001494	3_2_10001494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000A52C	3_2_1000A52C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10011D58	3_2_10011D58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10019348	3_2_10019348
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10010754	3_2_10010754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100090CC	3_2_100090CC

One or more processes crash

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 784

Sample file is different than original file name gathered from version info

Source: 5322b76c_by_Libranalysis.dll

Binary or memory string: OriginalFilenamex2otfb.dllN vs 5322b76c_by_Libranalysis.dll

Uses 32bit PE files

Source: 5322b76c_by_Libranalysis.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: 5322b76c_by_Libranalysis.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal72.troj.winDLL@6/4@0/3

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess808

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER25BB.tmp

Jump to behavior

Source: 5322b76c_by_Libranalysis.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\5322b76c_by_Libranalysis.dll',#1

Source: 5322b76c_by_Libranalysis.dll

ReversingLabs: Detection: 29%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\5322b76c_by_Libranalysis.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\5322b76c_by_Libranalysis.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\5322b76c_by_Libranalysis.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 784
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\5322b76c_by_Libranalysis.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\5322b76c_by_Libranalysis.dll',#1	Jump to behavior

Source: 5322b76c_by_Libranalysis.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: 5322b76c_by_Libranalysis.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: fpmvppp.pdb source: loaddll32.exe, 00000001.00000002.209140353.0000000010025000.00000002.00020000.sdmp, 5322b76c_by_Libranalysis.dll

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10007550 push ebp; ret		1_2_10007557
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000F6CC push esi; mov dword ptr [esp], 00000000h		3_2_1000F6CD

Source: initial sample

Static PE information: section name: .text entropy: 7.52981613282

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Windows\SysWOW64\WerFault.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Anti Debugging:

Checks if the current process is being debugged

Source: C:\Windows\System32\loaddll32.exe

Process queried: DebugPort

Jump to behavior

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10006D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

3_2_10006D50

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\5322b76c_by_Libranalysis.dll',#1

Jump to behavior

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

3_2_10006D50

Source: C:\Windows\SysWOW64\rundll32.exe

3_2_10006D50

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
82.209.17.209	unknown	Czech Republic	30764	PODA-ASCZ	true
162.241.209.225	unknown	United States	46606	UNIFIEDLAYER-AS-1US	true
43.229.206.212	unknown	Indonesia	24532	INET-AS-IDPTInetGlobalIndoID	true

ID:	413041
Product:	CloudBasic
Start time:	06:57:50
Start date:	13.05.2021
Sample:	5322b76c_by_Libranalysis.dll
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	5322b76cdba29bb2ad297a41294d0c44
SHA1:	9138b9ac4b35bb14bdf419415afb1d03faab2a61
SHA256:	2bcaa45180a112b958dfc32888d626b12629efed8ff5eaf2e521797d6270d90e
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_c5ea5241a7456529d81b1bb9552dc4c465d26746_82810a17_186f300c\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	34AC91A222DD3596422769E69F340599	AD95DA8B8EA3ABEBF64672342D240D133C928FF2	AD44501A1757166A0F61761A5D288DF5610B671FF9985307F553071BFE3C6058
C:\ProgramData\Microsoft\Windows\WER\Temp\WER25BB.tmp.dmp	Mini DuMP crash report, 14 streams, Thu May 13 13:59:42 2021, 0x1205a4 type	41E2AB157DB4BD65B2086ACD35A73D9B	9F12F924AAFACFCFF62062B6C5B9DC5CFDA17A83	AF70A06366EDC7075DEF719DD0FDF5F19273F5F1EE0169EB16A7D6E6988ACDC7
C:\ProgramData\Microsoft\Windows\WER\Temp\WER29A4.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	7E4EB8A3303D3ABB22E478C2A4BC5A5C	FE79B258FC883F6F94EB09C0F5E96889B4D20ED8	F29CC7AD352496A6784BE950512E515C5BBC5AA106F30A89D8FF268B19C6339F
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2A32.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	9FB232500FE79D4237726E3F56DD9AE1	8D5BE37C9860883E167EBF86E2ACB2DEA1D91F8E	3719C07AF74DFF7CAB900DCA6A77E13E8088CA5202CF8F2161B5B749E6156C38

Analysis Report 5322b76c_by_Libranalysis.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs