Play interactive tour

Edit tour

Analysis Report 5322b76c_by_Libranalysis.dll

Overview

General Information

Sample Name:	5322b76c_by_Libranalysis.dll
Analysis ID:	413041
MD5:	5322b76cdba29bb2ad297a41294d0c44
SHA1:	9138b9ac4b35bb14bdf419415afb1d03faab2a61
SHA256:	2bcaa45180a112b958dfc32888d626b12629efed8ff5eaf2e521797d6270d90e
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Dridex unpacked file

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to query locales information (e.g. system language)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

loaddll32.exe (PID: 5840 cmdline: loaddll32.exe 'C:\Users\user\Desktop\5322b76c_by_Libranalysis.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 5848 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\5322b76c_by_Libranalysis.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 808 cmdline: rundll32.exe 'C:\Users\user\Desktop\5322b76c_by_Libranalysis.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 6180 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 784 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22202, "C2 list": ["43.229.206.212:443", "82.209.17.209:8172", "162.241.209.225:4125"], "RC4 keys": ["16dkGStOzdHgjuCciXGdSX7UrHWfYSUG8wEUtKNgzHrWMfTGafJbC", "UlufoCqJDohDzGOdBY6ldd1IbFW5KV8BqCAnkqwdDzvq0CsZOOngL"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.287972689.0000000010001000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.rundll32.exe.10000000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 3.2.rundll32.exe.10000000.3.unpack

Malware Configuration Extractor: Dridex {"Version": 22202, "C2 list": ["43.229.206.212:443", "82.209.17.209:8172", "162.241.209.225:4125"], "RC4 keys": ["16dkGStOzdHgjuCciXGdSX7UrHWfYSUG8wEUtKNgzHrWMfTGafJbC", "UlufoCqJDohDzGOdBY6ldd1IbFW5KV8BqCAnkqwdDzvq0CsZOOngL"]}

Multi AV Scanner detection for submitted file

Show sources

Source: 5322b76c_by_Libranalysis.dll

ReversingLabs: Detection: 29%

Machine Learning detection for sample

Show sources

Source: 5322b76c_by_Libranalysis.dll

Joe Sandbox ML: detected

Source: 5322b76c_by_Libranalysis.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: 5322b76c_by_Libranalysis.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: fpmvppp.pdb source: loaddll32.exe, 00000001.00000002.209140353.0000000010025000.00000002.00020000.sdmp, 5322b76c_by_Libranalysis.dll

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 43.229.206.212:443
Source: Malware configuration extractor	IPs: 82.209.17.209:8172
Source: Malware configuration extractor	IPs: 162.241.209.225:4125

Source: Joe Sandbox View	IP Address: 82.209.17.209 82.209.17.209
Source: Joe Sandbox View	IP Address: 162.241.209.225 162.241.209.225

Source: Joe Sandbox View	ASN Name: PODA-ASCZ PODA-ASCZ
Source: Joe Sandbox View	ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 00000003.00000002.287972689.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10021E90	1_2_10021E90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10011460	3_2_10011460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000846C	3_2_1000846C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10001494	3_2_10001494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000A52C	3_2_1000A52C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10011D58	3_2_10011D58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10019348	3_2_10019348
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10010754	3_2_10010754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100090CC	3_2_100090CC

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 784

Source: 5322b76c_by_Libranalysis.dll

Binary or memory string: OriginalFilenamex2otfb.dllN vs 5322b76c_by_Libranalysis.dll

Source: 5322b76c_by_Libranalysis.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: 5322b76c_by_Libranalysis.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal72.troj.winDLL@6/4@0/3

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess808

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER25BB.tmp

Jump to behavior

Source: 5322b76c_by_Libranalysis.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\5322b76c_by_Libranalysis.dll',#1

Source: 5322b76c_by_Libranalysis.dll

ReversingLabs: Detection: 29%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\5322b76c_by_Libranalysis.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\5322b76c_by_Libranalysis.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\5322b76c_by_Libranalysis.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 784
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\5322b76c_by_Libranalysis.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\5322b76c_by_Libranalysis.dll',#1	Jump to behavior

Source: 5322b76c_by_Libranalysis.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: 5322b76c_by_Libranalysis.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: fpmvppp.pdb source: loaddll32.exe, 00000001.00000002.209140353.0000000010025000.00000002.00020000.sdmp, 5322b76c_by_Libranalysis.dll

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10007550 push ebp; ret		1_2_10007557
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000F6CC push esi; mov dword ptr [esp], 00000000h		3_2_1000F6CD

Source: initial sample

Static PE information: section name: .text entropy: 7.52981613282

Source: C:\Windows\SysWOW64\WerFault.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10006D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

3_2_10006D50

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\5322b76c_by_Libranalysis.dll',#1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

3_2_10006D50

Source: C:\Windows\SysWOW64\rundll32.exe

3_2_10006D50

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection11	Virtualization/Sandbox Evasion1	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection11	LSASS Memory	Security Software Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	Account Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing2	LSA Secrets	System Owner/User Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery11	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
5322b76c_by_Libranalysis.dll	30%	ReversingLabs	Win32.Trojan.Convagent
5322b76c_by_Libranalysis.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.2.rundll32.exe.780000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
82.209.17.209	unknown	Czech Republic	30764	PODA-ASCZ	true
162.241.209.225	unknown	United States	46606	UNIFIEDLAYER-AS-1US	true
43.229.206.212	unknown	Indonesia	24532	INET-AS-IDPTInetGlobalIndoID	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	413041
Start date:	13.05.2021
Start time:	06:57:50
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	5322b76c_by_Libranalysis.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	37
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal72.troj.winDLL@6/4@0/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 97.4% (good quality ratio 81.8%) Quality average: 61.5% Quality standard deviation: 36.8%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 4
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .dll

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
82.209.17.209	4e021da2_by_Libranalysis.dll	Get hash	malicious	Browse
	6bea48e8_by_Libranalysis.dll	Get hash	malicious	Browse
	a98ab505_by_Libranalysis.dll	Get hash	malicious	Browse
	1c640454_by_Libranalysis.dll	Get hash	malicious	Browse
	052a78c5_by_Libranalysis.dll	Get hash	malicious	Browse
	6333f266_by_Libranalysis.dll	Get hash	malicious	Browse
	0f6f2d53_by_Libranalysis.dll	Get hash	malicious	Browse
	5322b76c_by_Libranalysis.dll	Get hash	malicious	Browse
	c2b6efb1_by_Libranalysis.dll	Get hash	malicious	Browse
	62badb64_by_Libranalysis.dll	Get hash	malicious	Browse
	0ee1d71e_by_Libranalysis.dll	Get hash	malicious	Browse
	a98ab505_by_Libranalysis.dll	Get hash	malicious	Browse
	1c640454_by_Libranalysis.dll	Get hash	malicious	Browse
	6333f266_by_Libranalysis.dll	Get hash	malicious	Browse
	a13bac07_by_Libranalysis.dll	Get hash	malicious	Browse
	0f6f2d53_by_Libranalysis.dll	Get hash	malicious	Browse
	c2b6efb1_by_Libranalysis.dll	Get hash	malicious	Browse
	62badb64_by_Libranalysis.dll	Get hash	malicious	Browse
	634459e1_by_Libranalysis.dll	Get hash	malicious	Browse
	0ee1d71e_by_Libranalysis.dll	Get hash	malicious	Browse
162.241.209.225	4e021da2_by_Libranalysis.dll	Get hash	malicious	Browse
	6bea48e8_by_Libranalysis.dll	Get hash	malicious	Browse
	a98ab505_by_Libranalysis.dll	Get hash	malicious	Browse
	1c640454_by_Libranalysis.dll	Get hash	malicious	Browse
	052a78c5_by_Libranalysis.dll	Get hash	malicious	Browse
	6333f266_by_Libranalysis.dll	Get hash	malicious	Browse
	0f6f2d53_by_Libranalysis.dll	Get hash	malicious	Browse
	5322b76c_by_Libranalysis.dll	Get hash	malicious	Browse
	c2b6efb1_by_Libranalysis.dll	Get hash	malicious	Browse
	62badb64_by_Libranalysis.dll	Get hash	malicious	Browse
	0ee1d71e_by_Libranalysis.dll	Get hash	malicious	Browse
	a98ab505_by_Libranalysis.dll	Get hash	malicious	Browse
	1c640454_by_Libranalysis.dll	Get hash	malicious	Browse
	6333f266_by_Libranalysis.dll	Get hash	malicious	Browse
	a13bac07_by_Libranalysis.dll	Get hash	malicious	Browse
	0f6f2d53_by_Libranalysis.dll	Get hash	malicious	Browse
	c2b6efb1_by_Libranalysis.dll	Get hash	malicious	Browse
	62badb64_by_Libranalysis.dll	Get hash	malicious	Browse
	634459e1_by_Libranalysis.dll	Get hash	malicious	Browse
	0ee1d71e_by_Libranalysis.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
PODA-ASCZ	4e021da2_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	6bea48e8_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	a98ab505_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	1c640454_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	052a78c5_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	6333f266_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	0f6f2d53_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	5322b76c_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	c2b6efb1_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	62badb64_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	0ee1d71e_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	a98ab505_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	1c640454_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	6333f266_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	a13bac07_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	0f6f2d53_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	c2b6efb1_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	62badb64_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	634459e1_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	0ee1d71e_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
UNIFIEDLAYER-AS-1US	4e021da2_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	6bea48e8_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	a98ab505_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	1c640454_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	052a78c5_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	6333f266_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	0f6f2d53_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	5322b76c_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	c2b6efb1_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	62badb64_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	0ee1d71e_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	a98ab505_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	1c640454_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	6333f266_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	a13bac07_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	0f6f2d53_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	c2b6efb1_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	62badb64_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	634459e1_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	0ee1d71e_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_c5ea5241a7456529d81b1bb9552dc4c465d26746_82810a17_186f300c\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	12480
Entropy (8bit):	3.7672183188296966
Encrypted:	false
SSDEEP:	192:Y9id0oXDmsSHBUZMX4jed+5e/u7sxS274ItWc5:WizXypBUZMX4je9/u7sxX4ItWc5
MD5:	34AC91A222DD3596422769E69F340599
SHA1:	AD95DA8B8EA3ABEBF64672342D240D133C928FF2
SHA-256:	AD44501A1757166A0F61761A5D288DF5610B671FF9985307F553071BFE3C6058
SHA-512:	E0EFB3A31320EBBB0E452471314DBB2498D6F3906556A91CEAB5F22A943DA49817D576921D97D4B75EF173B2773759A45CADB38C03843FF8BC049D528DB9CAF3
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.5.3.8.7.9.8.2.0.9.0.1.9.2.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.5.3.8.7.9.8.3.3.8.7.0.6.6.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.9.3.a.d.e.9.9.-.9.c.3.3.-.4.d.4.1.-.b.c.b.7.-.3.e.6.c.f.4.d.b.4.e.8.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.8.9.d.3.0.c.7.-.1.b.d.6.-.4.a.d.e.-.b.8.7.d.-.b.0.4.4.1.9.f.1.5.3.0.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.3.2.8.-.0.0.0.1.-.0.0.1.7.-.8.1.c.d.-.c.9.2.4.0.0.4.8.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER25BB.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu May 13 13:59:42 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	54130
Entropy (8bit):	1.9752757481843382
Encrypted:	false
SSDEEP:	192:bI24/DR5zR459xLnapSp1juzUsI45vm5Ergzi3nGZh:Mf9w9lap+1sIj5ErgSs
MD5:	41E2AB157DB4BD65B2086ACD35A73D9B
SHA1:	9F12F924AAFACFCFF62062B6C5B9DC5CFDA17A83
SHA-256:	AF70A06366EDC7075DEF719DD0FDF5F19273F5F1EE0169EB16A7D6E6988ACDC7
SHA-512:	5F8B86A8A1E03155084273DDD1D2A227217DAAF5EAC19C4433E99BEE4388845592532681944F13BE8631658D38F69BFC643ACB3B7F681FB23C86F3DF209EBE65
Malicious:	false
Reputation:	low
Preview:	MDMP....... ........0.`...................U...........B..............GenuineIntelW...........T.......(....0.`.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER29A4.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8288
Entropy (8bit):	3.6942962318643677
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiVm686Yip6BzgmfTMLSkCprm89blZsfJXm:RrlsNiE686Yk6BzgmfT2SjlyfE
MD5:	7E4EB8A3303D3ABB22E478C2A4BC5A5C
SHA1:	FE79B258FC883F6F94EB09C0F5E96889B4D20ED8
SHA-256:	F29CC7AD352496A6784BE950512E515C5BBC5AA106F30A89D8FF268B19C6339F
SHA-512:	4BFC80A87D56B00E276DD9BDC5C2955B4C3F79CF414A862F2ACBDF7F53A483E0B1FCF868724E0A54DA1CC2E4334D20F8089482564D468E434673D07892E8DE81
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.0.8.<./.P.i.d.>.........

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2A32.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4663
Entropy (8bit):	4.476384717902912
Encrypted:	false
SSDEEP:	48:cvIwSD8zsUJgtWI9x9WSC8BM8fm8M4JCdscNpFX+q8/9NFKU4SrSOd:uITfSeMSNXJKNj6NYUDWOd
MD5:	9FB232500FE79D4237726E3F56DD9AE1
SHA1:	8D5BE37C9860883E167EBF86E2ACB2DEA1D91F8E
SHA-256:	3719C07AF74DFF7CAB900DCA6A77E13E8088CA5202CF8F2161B5B749E6156C38
SHA-512:	DD9BF948B2C4EB39A6AEEFEFD8EC501EDA5FB12700B8F535FB8EE21642DC8794AB4265F66E620D9BDF2E3B902814B244A34FA94C96162E7D61C6F0BDFDF5DA50
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="987790" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.510312403801377
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	5322b76c_by_Libranalysis.dll
File size:	167424
MD5:	5322b76cdba29bb2ad297a41294d0c44
SHA1:	9138b9ac4b35bb14bdf419415afb1d03faab2a61
SHA256:	2bcaa45180a112b958dfc32888d626b12629efed8ff5eaf2e521797d6270d90e
SHA512:	e87c0eaaeb5e7ecee02b9a61373f258844bdef1972b2aa784d87e644bd8e9659572928c3ecccf7ff5fbd997048bb20871ac00073ee58f74120364c117f3e9d77
SSDEEP:	3072:9ar6Ys6p54kfdo+APr0aYSbeO6aal8jeytFQTOpp2J:vs4p+ADxnSO6D2cOp
File Content Preview:	MZ......................@...................................\...........!..L.!This program cannot be run in DOS mode....$.......Xm.o...<...<...<.U!<...<..B<r..<...<...<rQ!<...<;..<...<;..<3..<au.<...<szt<"..<Rich...<.......................................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10024b60
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x609C7F8E [Thu May 13 01:23:26 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	a5d8d3bddce161fe65c4f476bd18c6da

Entrypoint Preview

Instruction
mov eax, 00000000h
cmpss xmm1, xmm2, 03h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
cmpss xmm1, xmm2, 03h
cmp eax, 02h
mov eax, ebp
mov dword ptr [10029734h], eax
mov eax, ebx
mov dword ptr [10029730h], eax
mov eax, esi
mov dword ptr [10029728h], eax
jne 00007F7DC8A7E176h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h

Rich Headers

Programming Language:

[RES] VS2015 build 23026
[IMP] VS2013 UPD4 build 31101
[ C ] VS2010 build 30319
[RES] VS2015 UPD2 build 23918
[C++] VS2005 build 50727
[IMP] VS2010 SP1 build 40219
[RES] VS2012 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2770a	0x5b	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x277d8	0x59	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x3a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2d000	0x1220
IMAGE_DIRECTORY_ENTRY_DEBUG	0x10018	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x25000	0x4c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x23c9e	0x23e00	False	0.753620426829	data	7.52981613282	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x25000	0x2a04	0x2c00	False	0.749112215909	data	7.3747682631	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.crt	0x28000	0x3aff	0x1800	False	0.8125	MMDF mailbox	7.51564718747	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x2c000	0x3a0	0x400	False	0.4248046875	data	3.06187161643	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2d000	0x268	0x400	False	0.5439453125	data	4.2612921869	IMAGE_SCN_TYPE_NOLOAD, IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x2c060	0x33c	data

Imports

DLL	Import
CLUSAPI.dll	ClusterEnum
USER32.dll	TranslateMessage
KERNEL32.dll	LoadLibraryW, GetProfileSectionW, GetProfileSectionA, OpenSemaphoreW, CreateFileW, OutputDebugStringA, CloseHandle
ole32.dll	CreatePointerMoniker, CreateStreamOnHGlobal
ADVAPI32.dll	RegOverridePredefKey
RASAPI32.dll	RasGetConnectionStatistics

Version Infos

Description	Data
LegalCopyright	Copyright 2018
InternalName	x2otfb
FileVersion	7.2.5422.00
Full Version	7.2.5_000-b00
CompanyName	Oracle Corporation
ProductName	Xhot(BM) Ltloehey YO 8
ProductVersion	7.2.5422.00
FileDescription	Java(TM) Platform SE binary
OriginalFilename	x2otfb.dll
Translation	0x0000 0x04b0

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 13, 2021 06:58:59.021887064 CEST	60985	53	192.168.2.3	8.8.8.8
May 13, 2021 06:58:59.079118013 CEST	53	60985	8.8.8.8	192.168.2.3
May 13, 2021 06:58:59.162964106 CEST	50200	53	192.168.2.3	8.8.8.8
May 13, 2021 06:58:59.228063107 CEST	53	50200	8.8.8.8	192.168.2.3
May 13, 2021 06:58:59.507615089 CEST	51281	53	192.168.2.3	8.8.8.8
May 13, 2021 06:58:59.560559988 CEST	53	51281	8.8.8.8	192.168.2.3
May 13, 2021 06:58:59.780359983 CEST	49199	53	192.168.2.3	8.8.8.8
May 13, 2021 06:58:59.828932047 CEST	53	49199	8.8.8.8	192.168.2.3
May 13, 2021 06:59:00.693008900 CEST	50620	53	192.168.2.3	8.8.8.8
May 13, 2021 06:59:00.744590998 CEST	53	50620	8.8.8.8	192.168.2.3
May 13, 2021 06:59:01.490242004 CEST	64938	53	192.168.2.3	8.8.8.8
May 13, 2021 06:59:01.542931080 CEST	53	64938	8.8.8.8	192.168.2.3
May 13, 2021 06:59:02.068949938 CEST	60152	53	192.168.2.3	8.8.8.8
May 13, 2021 06:59:02.130801916 CEST	53	60152	8.8.8.8	192.168.2.3
May 13, 2021 06:59:02.459481001 CEST	57544	53	192.168.2.3	8.8.8.8
May 13, 2021 06:59:02.511130095 CEST	53	57544	8.8.8.8	192.168.2.3
May 13, 2021 06:59:03.472611904 CEST	55984	53	192.168.2.3	8.8.8.8
May 13, 2021 06:59:03.525840044 CEST	53	55984	8.8.8.8	192.168.2.3
May 13, 2021 06:59:04.552237034 CEST	64185	53	192.168.2.3	8.8.8.8
May 13, 2021 06:59:04.602551937 CEST	53	64185	8.8.8.8	192.168.2.3
May 13, 2021 06:59:05.680509090 CEST	65110	53	192.168.2.3	8.8.8.8
May 13, 2021 06:59:05.737715006 CEST	53	65110	8.8.8.8	192.168.2.3
May 13, 2021 06:59:11.584981918 CEST	58361	53	192.168.2.3	8.8.8.8
May 13, 2021 06:59:11.642551899 CEST	53	58361	8.8.8.8	192.168.2.3
May 13, 2021 06:59:12.914382935 CEST	63492	53	192.168.2.3	8.8.8.8
May 13, 2021 06:59:12.963160992 CEST	53	63492	8.8.8.8	192.168.2.3
May 13, 2021 06:59:14.579339981 CEST	60831	53	192.168.2.3	8.8.8.8
May 13, 2021 06:59:14.636606932 CEST	53	60831	8.8.8.8	192.168.2.3
May 13, 2021 06:59:15.526638985 CEST	60100	53	192.168.2.3	8.8.8.8
May 13, 2021 06:59:15.575519085 CEST	53	60100	8.8.8.8	192.168.2.3
May 13, 2021 06:59:17.231559992 CEST	53195	53	192.168.2.3	8.8.8.8
May 13, 2021 06:59:17.284518003 CEST	53	53195	8.8.8.8	192.168.2.3
May 13, 2021 06:59:18.168112040 CEST	50141	53	192.168.2.3	8.8.8.8
May 13, 2021 06:59:18.216876030 CEST	53	50141	8.8.8.8	192.168.2.3
May 13, 2021 06:59:19.272708893 CEST	53023	53	192.168.2.3	8.8.8.8
May 13, 2021 06:59:19.323227882 CEST	53	53023	8.8.8.8	192.168.2.3
May 13, 2021 06:59:20.844261885 CEST	49563	53	192.168.2.3	8.8.8.8
May 13, 2021 06:59:20.894123077 CEST	53	49563	8.8.8.8	192.168.2.3
May 13, 2021 06:59:21.656652927 CEST	51352	53	192.168.2.3	8.8.8.8
May 13, 2021 06:59:21.705487967 CEST	53	51352	8.8.8.8	192.168.2.3
May 13, 2021 06:59:27.820846081 CEST	59349	53	192.168.2.3	8.8.8.8
May 13, 2021 06:59:27.869651079 CEST	53	59349	8.8.8.8	192.168.2.3
May 13, 2021 06:59:28.778141975 CEST	57084	53	192.168.2.3	8.8.8.8
May 13, 2021 06:59:28.826797009 CEST	53	57084	8.8.8.8	192.168.2.3
May 13, 2021 06:59:29.707597017 CEST	58823	53	192.168.2.3	8.8.8.8
May 13, 2021 06:59:29.756351948 CEST	53	58823	8.8.8.8	192.168.2.3
May 13, 2021 06:59:34.552437067 CEST	57568	53	192.168.2.3	8.8.8.8
May 13, 2021 06:59:34.611371040 CEST	53	57568	8.8.8.8	192.168.2.3
May 13, 2021 06:59:43.725922108 CEST	50540	53	192.168.2.3	8.8.8.8
May 13, 2021 06:59:43.776125908 CEST	53	50540	8.8.8.8	192.168.2.3
May 13, 2021 06:59:46.151310921 CEST	54366	53	192.168.2.3	8.8.8.8
May 13, 2021 06:59:46.208435059 CEST	53	54366	8.8.8.8	192.168.2.3
May 13, 2021 06:59:54.323864937 CEST	53034	53	192.168.2.3	8.8.8.8
May 13, 2021 06:59:54.382524967 CEST	53	53034	8.8.8.8	192.168.2.3
May 13, 2021 06:59:57.115967035 CEST	57762	53	192.168.2.3	8.8.8.8
May 13, 2021 06:59:57.174767017 CEST	53	57762	8.8.8.8	192.168.2.3
May 13, 2021 07:00:25.285979033 CEST	55435	53	192.168.2.3	8.8.8.8
May 13, 2021 07:00:25.355298996 CEST	53	55435	8.8.8.8	192.168.2.3
May 13, 2021 07:00:32.619581938 CEST	50713	53	192.168.2.3	8.8.8.8
May 13, 2021 07:00:32.680114985 CEST	53	50713	8.8.8.8	192.168.2.3
May 13, 2021 07:00:51.486949921 CEST	56132	53	192.168.2.3	8.8.8.8
May 13, 2021 07:00:51.639007092 CEST	53	56132	8.8.8.8	192.168.2.3
May 13, 2021 07:00:52.365362883 CEST	58987	53	192.168.2.3	8.8.8.8
May 13, 2021 07:00:52.425208092 CEST	53	58987	8.8.8.8	192.168.2.3
May 13, 2021 07:00:52.987045050 CEST	56579	53	192.168.2.3	8.8.8.8
May 13, 2021 07:00:53.043955088 CEST	53	56579	8.8.8.8	192.168.2.3
May 13, 2021 07:00:53.375999928 CEST	60633	53	192.168.2.3	8.8.8.8
May 13, 2021 07:00:53.447639942 CEST	53	60633	8.8.8.8	192.168.2.3
May 13, 2021 07:00:53.489736080 CEST	61292	53	192.168.2.3	8.8.8.8
May 13, 2021 07:00:53.588149071 CEST	53	61292	8.8.8.8	192.168.2.3
May 13, 2021 07:00:54.128810883 CEST	63619	53	192.168.2.3	8.8.8.8
May 13, 2021 07:00:54.188292027 CEST	53	63619	8.8.8.8	192.168.2.3
May 13, 2021 07:00:54.768987894 CEST	64938	53	192.168.2.3	8.8.8.8
May 13, 2021 07:00:54.829255104 CEST	53	64938	8.8.8.8	192.168.2.3
May 13, 2021 07:00:55.306356907 CEST	61946	53	192.168.2.3	8.8.8.8
May 13, 2021 07:00:55.368040085 CEST	53	61946	8.8.8.8	192.168.2.3
May 13, 2021 07:00:56.168409109 CEST	64910	53	192.168.2.3	8.8.8.8
May 13, 2021 07:00:56.225445986 CEST	53	64910	8.8.8.8	192.168.2.3
May 13, 2021 07:00:57.089153051 CEST	52123	53	192.168.2.3	8.8.8.8
May 13, 2021 07:00:57.148663998 CEST	53	52123	8.8.8.8	192.168.2.3
May 13, 2021 07:00:57.712493896 CEST	56130	53	192.168.2.3	8.8.8.8
May 13, 2021 07:00:57.769494057 CEST	53	56130	8.8.8.8	192.168.2.3

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 5840 Parent PID: 5680

General

Start time:	06:59:07
Start date:	13/05/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\5322b76c_by_Libranalysis.dll'
Imagebase:	0xab0000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 5848 Parent PID: 5840

General

Start time:	06:59:08
Start date:	13/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\5322b76c_by_Libranalysis.dll',#1
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 808 Parent PID: 5848

General

Start time:	06:59:08
Start date:	13/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\5322b76c_by_Libranalysis.dll',#1
Imagebase:	0x8c0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.287972689.0000000010001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 6180 Parent PID: 808

General

Start time:	06:59:40
Start date:	13/05/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 784
Imagebase:	0x1360000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 5840 Parent PID: 5680 loaddll32.exeCOMMON

Executed Functions

Non-executed Functions

Function 10021E90, Relevance: 16.6, Strings: 13, Instructions: 306COMMON

Download Yara Rule

Strings

i, xrefs: 100221CD
o, xrefs: 100222A7
A, xrefs: 10022279
4, xrefs: 10021EB9
a, xrefs: 10022242
l, xrefs: 10022297
l, xrefs: 1002229F
V, xrefs: 100221C5
@[gK, xrefs: 10021F7B
u, xrefs: 1002220F
>', xrefs: 10022219
t, xrefs: 10022207
so, xrefs: 100222CF

Memory Dump Source

Source File: 00000001.00000002.209134391.0000000010021000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.209108435.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.209112658.0000000010001000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.209140353.0000000010025000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.209145017.0000000010028000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.209149964.000000001002C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: 4$@[gK$A$V$a$i$l$l$o$so$t$u$>'
API String ID: 0-251563595
Opcode ID: 8c6a0cb916d1975cbaee22f14d8319245bb82350f48865ce1f001bcab666d540
Instruction ID: 3b069d31ac40e3f58d4bb2845281c26e8a5aaa3ce7ed3e664e92a20dc35ebd8c
Opcode Fuzzy Hash: 8c6a0cb916d1975cbaee22f14d8319245bb82350f48865ce1f001bcab666d540
Instruction Fuzzy Hash: C5F1F675A093908FE320CF69C880B8BFBE1BFD9754F19895DE88897351D774A806CB52

Uniqueness

Uniqueness Score: -1.00%

Function 100015D0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87registrywindowCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32 ref: 10001677
RegOverridePredefKey.ADVAPI32 ref: 1000169B

Strings

", xrefs: 10001633

Memory Dump Source

Source File: 00000001.00000002.209112658.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.209108435.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.209134391.0000000010021000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.209140353.0000000010025000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.209145017.0000000010028000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.209149964.000000001002C000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageOverridePredefTranslate
String ID: "
API String ID: 2922720901-123907689
Opcode ID: 91911445310d9fc16460e7054386fe924f303fd29511699d931b9511f568b215
Instruction ID: f2f0c8b1251b093e8e159d7477b4886ac4e2ab534cee34cc20257ad2b3dbde62
Opcode Fuzzy Hash: 91911445310d9fc16460e7054386fe924f303fd29511699d931b9511f568b215
Instruction Fuzzy Hash: DB4132B49093409FD350DF28C99425BBBF1EF8A354F549A6DE9D98B3A4D3329840CB87

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 808 Parent PID: 5848 rundll32.exeCOMMON

Executed Functions

Non-executed Functions

Function 10006D50, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10006D50() {

				 *0x1001d280 = GetUserNameW;
				 *0x1001D284 = MessageBoxW;
				 *0x1001D288 = GetLastError;
				 *0x1001D28C = CreateFileA;
				 *0x1001D290 = DebugBreak;
				 *0x1001D294 = FlushFileBuffers;
				 *0x1001D298 = FreeEnvironmentStringsA;
				 *0x1001D29C = GetConsoleOutputCP;
				 *0x1001D2A0 = GetEnvironmentStrings;
				 *0x1001D2A4 = GetLocaleInfoA;
				 *0x1001D2A8 = GetStartupInfoA;
				 *0x1001D2AC = GetStringTypeA;
				 *0x1001D2B0 = HeapValidate;
				 *0x1001D2B4 = IsBadReadPtr;
				 *0x1001D2B8 = LCMapStringA;
				 *0x1001D2BC = LoadLibraryA;
				 *0x1001D2C0 = OutputDebugStringA;
				return 0x1001d280;
			}

0x10006d61
0x10006d69
0x10006d6c
0x10006d7b
0x10006d7e
0x10006d8d
0x10006d90
0x10006d9f
0x10006da2
0x10006db1
0x10006db4
0x10006dc3
0x10006dc6
0x10006dd5
0x10006dd8
0x10006de7
0x10006dea
0x10006ded

Memory Dump Source

Source File: 00000003.00000002.287972689.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.287967891.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.287987871.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.287993366.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.287998224.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80f6e1a276fef8b33378afc9592b3d211071bdeb012eb600a46219d4b0432dd1
Instruction ID: 9a9f90be372116ce35b3bf57ca6adafecb814b37ff7dc50591bd4b03753dcc6b
Opcode Fuzzy Hash: 80f6e1a276fef8b33378afc9592b3d211071bdeb012eb600a46219d4b0432dd1
Instruction Fuzzy Hash: 99110FB8A05620CFD34ACF09D5D49117BF2BB8E360312C19AD8098B376D734D985CF54

Uniqueness

Uniqueness Score: -1.00%

Function 1000C218, Relevance: 5.1, Strings: 4, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E1000C218(void* __ecx, void* __edx) {
				char _v28;
				char _v33;
				char _v38;
				char _v43;
				void* _t24;
				char* _t25;
				char _t32;
				void* _t33;
				void* _t34;
				signed int _t38;
				char* _t40;

				_t40 = (_t38 & 0xfffffff0) - 0x2c;
				asm("movq xmm0, [edx]");
				_t32 = 0;
				 *_t40 = 0x7b;
				asm("movq [esp+0x1], xmm0");
				_v43 = 0x2d;
				do {
					 *((char*)(_t40 + _t32 + 0xa)) =  *((intOrPtr*)(_t32 + __edx + 8));
					_t32 = _t32 + 1;
				} while (_t32 < 4);
				_v38 = 0x2d;
				_t33 = 0;
				do {
					 *((char*)(_t40 + _t33 + 0xf)) =  *((intOrPtr*)(_t33 + __edx + 0xc));
					_t33 = _t33 + 1;
				} while (_t33 < 4);
				_v33 = 0x2d;
				_t34 = 0;
				do {
					 *((char*)(_t40 + _t34 + 0x14)) =  *((intOrPtr*)(_t34 + __edx + 0x10));
					_t34 = _t34 + 1;
				} while (_t34 < 4);
				_v28 = 0x2d;
				_t24 = 0;
				do {
					asm("movd xmm0, dword [eax+edx+0x14]");
					asm("movd [esp+eax+0x19], xmm0");
					_t24 = _t24 + 4;
				} while (_t24 < 0xc);
				_t25 = _t40;
				 *((char*)(_t25 + 0x25)) = 0x7d;
				 *((char*)(_t25 + 0x26)) = 0;
				E1000DFBC(__ecx, _t25, 0);
				return __ecx;
			}

0x1000c21f
0x1000c224
0x1000c228
0x1000c22a
0x1000c22e
0x1000c234
0x1000c239
0x1000c23d
0x1000c241
0x1000c242
0x1000c249
0x1000c24e
0x1000c250
0x1000c254
0x1000c258
0x1000c259
0x1000c260
0x1000c265
0x1000c267
0x1000c26b
0x1000c26f
0x1000c270
0x1000c275
0x1000c27a
0x1000c27c
0x1000c27c
0x1000c282
0x1000c288
0x1000c28b
0x1000c292
0x1000c295
0x1000c29b
0x1000c2a0
0x1000c2ae

Strings

-, xrefs: 1000C234
-, xrefs: 1000C260
-, xrefs: 1000C275
-, xrefs: 1000C249

Memory Dump Source

Source File: 00000003.00000002.287972689.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.287967891.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.287987871.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.287993366.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.287998224.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: -$-$-$-
API String ID: 0-1033403326
Opcode ID: 1d36367edc1a87d387ea343f4f2a29612f5303ddecac01934eed59726700fcc9
Instruction ID: 6420cdf91b2b9fc5655fa5f82b4c53aa5eb92ddd4154ae73ebf41adf494228f8
Opcode Fuzzy Hash: 1d36367edc1a87d387ea343f4f2a29612f5303ddecac01934eed59726700fcc9
Instruction Fuzzy Hash: C811252091C3C04CE749DB7C548462BFFD08F9A208F1886BEE4DA86B53E525D49683B7

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 5322b76c_by_Libranalysis.dll

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: loaddll32.exe PID: 5840 Parent PID: 5680

General

Function 10006D50, Relevance: .0, Instructions: 36
COMMON

Function 1000C218, Relevance: 5.1, Strings: 4, Instructions: 53
COMMON