Analysis Report 042529de_by_Libranalysis.dll
Overview
General Information
Detection
Score: | 76 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Startup |
---|
Malware Configuration |
---|
Threatname: Dridex |
---|
{"Version": 22201, "C2 list": ["203.114.109.124:443", "82.165.145.100:6601", "94.177.255.18:8172"], "RC4 keys": ["BwjTiXD0nMT8wuL0lzuDMT1lwajgYLnSPMpMch1H2fk8H", "Zn2kewZlGvQs4cF0q7SiWd3gnwzXSWs561WqoqBWjN3RtNQTcvkRtcHJba3Ed"]}
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security | |
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security | |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
AV Detection: |
---|
Found malware configuration |
Source: | Malware Configuration Extractor: |
Multi AV Scanner detection for submitted file |
Source: | ReversingLabs: |
Machine Learning detection for sample |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Binary string: |
Networking: |
---|
C2 URLs / IPs found in malware configuration |
Source: | IPs: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | String found in binary or memory: |
E-Banking Fraud: |
---|
Yara detected Dridex unpacked file |
Source: | File source: |
Source: | Code function: | 2_2_10011460 | |
Source: | Code function: | 2_2_1000846C | |
Source: | Code function: | 2_2_10001494 | |
Source: | Code function: | 2_2_1000A52C | |
Source: | Code function: | 2_2_10011D58 | |
Source: | Code function: | 2_2_10019348 | |
Source: | Code function: | 2_2_10010754 | |
Source: | Code function: | 2_2_100090CC |
Source: | Process created: |
Source: | Static PE information: |
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Mutant created: |
Source: | File created: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | File read: |
Source: | Process created: |
Source: | ReversingLabs: |
Source: | Process created: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Static PE information: |
Source: | Code function: | 0_2_1000768B | |
Source: | Code function: | 0_2_100030DD | |
Source: | Code function: | 2_2_1000F6CD |
Source: | Static PE information: |
Source: | Process information set: |
Malware Analysis System Evasion: |
---|
Tries to detect sandboxes / dynamic malware analysis system (file name check) |
Source: | Section loaded: |
Source: | Binary or memory string: |
Source: | Process queried: |
Source: | Code function: | 2_2_10006D50 |
Source: | Process created: |
Source: | Code function: | 2_2_10006D50 |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection11 | Virtualization/Sandbox Evasion11 | OS Credential Dumping | Security Software Discovery121 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection11 | LSASS Memory | Virtualization/Sandbox Evasion11 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information2 | Security Account Manager | Account Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Rundll321 | NTDS | System Owner/User Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing2 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery11 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 62% | ReversingLabs | Win32.Infostealer.Dridex | |
| 100% | Joe Sandbox ML | | |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
| 100% | Avira | TR/Crypt.XPACK.Gen | | |
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | URL Reputation | safe | |
Domains and IPs |
---|
Contacted Domains |
---|
No contacted domains info |
---|
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
94.177.255.18 | unknown | Italy | | 199883 | ARUBACLOUDLTD-ASNGB | true |
203.114.109.124 | unknown | Thailand | | 131293 | TOT-LLI-AS-APTOTPublicCompanyLimitedTH | true |
82.165.145.100 | unknown | Germany | | 8560 | ONEANDONE-ASBrauerstrasse48DE | true |
Private |
---|
IP |
---|
192.168.2.1 |
General Information |
---|
Joe Sandbox Version: | 32.0.0 Black Diamond |
Analysis ID: | 413046 |
Start date: | 13.05.2021 |
Start time: | 07:04:28 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 7m 11s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | 042529de_by_Libranalysis.dll |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Run name: | Run with higher sleep bypass |
Number of analysed new started processes analysed: | 29 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal76.troj.evad.winDLL@6/4@0/4 |
EGA Information: | Failed |
HDC Information: | |
HCA Information: | |
Cookbook Comments: | |
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
94.177.255.18 | | | malicious | | |
203.114.109.124 | | | malicious | | |
82.165.145.100 | | | malicious | | |
Domains |
---|
No context |
---|
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
ONEANDONE-ASBrauerstrasse48DE | | | malicious | | |
TOT-LLI-AS-APTOTPublicCompanyLimitedTH | | | malicious | | |
ARUBACLOUDLTD-ASNGB | | | malicious | | |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12682 |
Entropy (8bit): | 3.769412796836492 |
Encrypted: | false |
SSDEEP: | 192:78Tiw0oXHGiYHBUZMX4jed+SgR/u7sHS274ItWcL:QTimXHkBUZMX4jes/u7sHX4ItWcL |
MD5: | 685C9AE5FB7F87883AC87C1C989F8245 |
SHA1: | 7588D0293343CBC0C4CAFA9A66595DD98A75FA7F |
SHA-256: | 84F66F008EB75624F3F1662C1587B417913843598E795469BCCBB345F5193F97 |
SHA-512: | 4284FF516422BE1554E678CCF80A9BA0A494E130BEA08B4DE7D198469A6C5B54644EF714B6FBA551144D92840FCC39F54F135C1D395280C7F6049884C972AE2F |
Malicious: | false |
Reputation: | low |
Preview: | |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 45492 |
Entropy (8bit): | 2.33473603257435 |
Encrypted: | false |
SSDEEP: | 768:VR9jPjjjjj9Pjj/jjMjjp8fSGnTvVG5BX+3l1y:VRBnT8+3e |
MD5: | 61FFEA46E0DF90BC97646F82E9EC3709 |
SHA1: | 1D610E873D800F47100CECD841F966DCF3905A2C |
SHA-256: | D42C221458D1C09B41057F012F0B9A6500AD7F31335E51D6A2A4C7FA541CFAAC |
SHA-512: | 58BD5C9C89D515F216048B4305554D1132C6F78E94B09E061C870F26AB5FA9603B275796A26EB66DCFA38C59998E4D15011B708A184BC7D926EDBADEDA31FB0B |
Malicious: | false |
Reputation: | low |
Preview: | |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8292 |
Entropy (8bit): | 3.6966607809899927 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNiWm6z6YBa6ctgmfT7ZSzCprd89b5ysfTzm:RrlsNiP6z6Ys6ctgmfTtSx5xfW |
MD5: | D584615D99FDC5256D5E2790E5B9929B |
SHA1: | 2EF972A105E7EC002C3D6D4B59DF904E07945490 |
SHA-256: | 46016A99F84E448C5AA32E64F3A6A80E1B2BA4035995B392899ECCFBF78E3DF9 |
SHA-512: | 23CB1CFC4CB2AA611BF52405BCF90919D89E7D67D8977FBD36765B7DA4D0388F7074E210398FB5AEFA3FCA5D5F454BAFFE69E1C90C4AF0A795C983601F32A1A1 |
Malicious: | false |
Reputation: | low |
Preview: | |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4663 |
Entropy (8bit): | 4.476814973382804 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zs6JgtWI9lJWSC8Bj8fm8M4JCds/bNntF0+q8/MbNFnYF4SrSkd:uITfI64SNKJNbN89bNMDWkd |
MD5: | 6FD988026C145379CC99A9DBAFF5F70C |
SHA1: | 49652BDF931CD00B99700E52CD2057516CC7E050 |
SHA-256: | F00D88E9B8B07ED1E66D238DEE9BF3C6241779B2EEA2B7489C7F49CD8A087EE5 |
SHA-512: | D2688F7AAD106D6E7F59AD1F1AD00F758AD7E8ABF4FF8E707E074516B18B731D295909C972C38881EE85CA9762492854F44D3936995C49FA95341054AC7F5374 |
Malicious: | false |
Reputation: | low |
Preview: | |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.583613798367438 |
TrID: | |
File name: | 042529de_by_Libranalysis.dll |
File size: | 166856 |
MD5: | 042529de19df790cdf8fe1a26ae1d5aa |
SHA1: | f9f73e973dda28b2b82fc3c3bb5f0740f6d28ea1 |
SHA256: | 430143aaf388f90ce6766480df547460ed3588347b4c58871accd32fa8a0961b |
SHA512: | 73381bf28bca8a5cca1f9675a13fd9d57ad9a004626e4d5e016efb614b95cb9768010fad774c56d738ddb75aa75c7007f6f5d5a1d9e75bc3bc31df17f4db37e4 |
SSDEEP: | 3072:F/FbrEzD9N+RiMB00c9/74DXE+JgaV7IPx+e6O/pPtaLOi:3brE1kvcB74DXZ2Mel3i |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t.%.0zK.0zK.0zK.0zJ.}{K...3..{K.....P{K...3..zK.V....zK...1..{K......zK.Rich0zK.........................................PE..L.. |
File Icon |
---|
Icon Hash: | 74f0e4ecccdce0e4 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x10023130 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x10000000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x609C7F93 [Thu May 13 01:23:31 2021 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | 35893a758d71a4b313745582f88cfeb6 |
Authenticode Signature |
---|
Signature Valid: | false |
Signature Issuer: | CN=Sectigo RSA Code Signing CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB |
Signature Validation Error: | The digital signature of the object did not verify |
Error Number: | -2146869232 |
Not Before, Not After | |
Subject Chain | |
Version: | 3 |
Thumbprint MD5: | BE49CFBB4B6B5F4638C9EC0872B04B7C |
Thumbprint SHA-1: | A5887C72B22F81884E714EDEC711E52FDC60EA37 |
Thumbprint SHA-256: | F680FAB6A9D21E8E76003C5C28B3C5084866D7AC85CF0CFB5AAA02F69EE99F1E |
Serial: | 3B777165B125BCCC181D0BAC3F5B55B3 |
Entrypoint Preview |
---|
Instruction |
---|
xor eax, eax |
add eax, 00002234h |
cmpss xmm1, xmm2, 03h |
sub eax, 00002233h |
mov edx, 00000000h |
mov edx, 00000000h |
mov edx, 00000000h |
mov edx, 00000000h |
mov edx, 00000000h |
mov edx, 00000000h |
cmpss xmm1, xmm2, 03h |
cmp eax, 02h |
jne 00007F2BACDAC9C9h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
Rich Headers |
---|
Programming Language: | |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2672a | 0x5b | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x267f8 | 0x59 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2b000 | 0x3a0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x27400 | 0x17c8 | .pdata |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2c000 | 0x1220 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x10018 | 0x38 | .text |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x24000 | 0x58 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x222ac | 0x22400 | False | 0.761077212591 | data | 7.58875564719 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x24000 | 0x2a76 | 0x2c00 | False | 0.793323863636 | data | 7.44946265271 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.pdata | 0x27000 | 0x3390 | 0x1800 | False | 0.722330729167 | MMDF mailbox | 7.18721728982 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x2b000 | 0x3a0 | 0x400 | False | 0.423828125 | data | 3.05991849143 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x2c000 | 0x250 | 0x400 | False | 0.517578125 | data | 4.09990016339 | IMAGE_SCN_TYPE_NOLOAD, IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_VERSION | 0x2b060 | 0x33c | data | | |
Imports |
---|
DLL | Import |
---|---|
CLUSAPI.dll | ClusterEnum |
OPENGL32.dll | glTexSubImage1D |
ADVAPI32.dll | RegOverridePredefKey |
KERNEL32.dll | LoadLibraryExA, LoadLibraryW, GetProfileSectionW, OpenSemaphoreW, GetProfileSectionA, CreateFileW, OutputDebugStringA, CloseHandle |
ole32.dll | CreateStreamOnHGlobal, CreatePointerMoniker |
USER32.dll | TranslateMessage |
RASAPI32.dll | RasGetConnectionStatistics |
Version Infos |
---|
Description | Data |
---|---|
LegalCopyright | Copyright 2018 |
InternalName | x2otfb |
FileVersion | 7.2.5422.00 |
Full Version | 7.2.5_000-b00 |
CompanyName | Oracle Corporation |
ProductName | Xhot(BM) Ltloehey YO 8 |
ProductVersion | 7.2.5422.00 |
FileDescription | Java(TM) Platform SE binary |
OriginalFilename | x2otfb.dll |
Translation | 0x0000 0x04b0 |
Network Behavior |
---|
Network Port Distribution |
---|
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
May 13, 2021 07:05:09.354912043 CEST | 64267 | 53 | 192.168.2.6 | 8.8.8.8 |
May 13, 2021 07:05:09.363559961 CEST | 49448 | 53 | 192.168.2.6 | 8.8.8.8 |
May 13, 2021 07:05:09.420923948 CEST | 53 | 49448 | 8.8.8.8 | 192.168.2.6 |
May 13, 2021 07:05:09.426100016 CEST | 53 | 64267 | 8.8.8.8 | 192.168.2.6 |
May 13, 2021 07:05:10.388051987 CEST | 60342 | 53 | 192.168.2.6 | 8.8.8.8 |
May 13, 2021 07:05:10.436961889 CEST | 53 | 60342 | 8.8.8.8 | 192.168.2.6 |
May 13, 2021 07:05:11.485776901 CEST | 61346 | 53 | 192.168.2.6 | 8.8.8.8 |
May 13, 2021 07:05:11.535058022 CEST | 53 | 61346 | 8.8.8.8 | 192.168.2.6 |
May 13, 2021 07:05:12.629898071 CEST | 51774 | 53 | 192.168.2.6 | 8.8.8.8 |
May 13, 2021 07:05:12.678925037 CEST | 53 | 51774 | 8.8.8.8 | 192.168.2.6 |
May 13, 2021 07:05:13.121753931 CEST | 56023 | 53 | 192.168.2.6 | 8.8.8.8 |
May 13, 2021 07:05:13.183329105 CEST | 53 | 56023 | 8.8.8.8 | 192.168.2.6 |
May 13, 2021 07:05:13.708045006 CEST | 58384 | 53 | 192.168.2.6 | 8.8.8.8 |
May 13, 2021 07:05:13.758330107 CEST | 53 | 58384 | 8.8.8.8 | 192.168.2.6 |
May 13, 2021 07:05:14.983783007 CEST | 60261 | 53 | 192.168.2.6 | 8.8.8.8 |
May 13, 2021 07:05:15.056713104 CEST | 53 | 60261 | 8.8.8.8 | 192.168.2.6 |
May 13, 2021 07:05:16.369827032 CEST | 56061 | 53 | 192.168.2.6 | 8.8.8.8 |
May 13, 2021 07:05:16.418688059 CEST | 53 | 56061 | 8.8.8.8 | 192.168.2.6 |
May 13, 2021 07:05:17.533807993 CEST | 58336 | 53 | 192.168.2.6 | 8.8.8.8 |
May 13, 2021 07:05:17.590817928 CEST | 53 | 58336 | 8.8.8.8 | 192.168.2.6 |
May 13, 2021 07:05:21.649884939 CEST | 53781 | 53 | 192.168.2.6 | 8.8.8.8 |
May 13, 2021 07:05:21.700161934 CEST | 53 | 53781 | 8.8.8.8 | 192.168.2.6 |
May 13, 2021 07:05:23.011254072 CEST | 54064 | 53 | 192.168.2.6 | 8.8.8.8 |
May 13, 2021 07:05:23.062768936 CEST | 53 | 54064 | 8.8.8.8 | 192.168.2.6 |
May 13, 2021 07:05:24.210843086 CEST | 52811 | 53 | 192.168.2.6 | 8.8.8.8 |
May 13, 2021 07:05:24.259689093 CEST | 53 | 52811 | 8.8.8.8 | 192.168.2.6 |
May 13, 2021 07:05:25.321502924 CEST | 55299 | 53 | 192.168.2.6 | 8.8.8.8 |
May 13, 2021 07:05:25.373011112 CEST | 53 | 55299 | 8.8.8.8 | 192.168.2.6 |
May 13, 2021 07:05:26.637322903 CEST | 63745 | 53 | 192.168.2.6 | 8.8.8.8 |
May 13, 2021 07:05:26.686052084 CEST | 53 | 63745 | 8.8.8.8 | 192.168.2.6 |
May 13, 2021 07:05:27.732897997 CEST | 50055 | 53 | 192.168.2.6 | 8.8.8.8 |
May 13, 2021 07:05:27.784516096 CEST | 53 | 50055 | 8.8.8.8 | 192.168.2.6 |
May 13, 2021 07:05:28.836460114 CEST | 61374 | 53 | 192.168.2.6 | 8.8.8.8 |
May 13, 2021 07:05:28.885278940 CEST | 53 | 61374 | 8.8.8.8 | 192.168.2.6 |
May 13, 2021 07:05:30.498236895 CEST | 50339 | 53 | 192.168.2.6 | 8.8.8.8 |
May 13, 2021 07:05:30.550440073 CEST | 53 | 50339 | 8.8.8.8 | 192.168.2.6 |
May 13, 2021 07:05:31.708836079 CEST | 63307 | 53 | 192.168.2.6 | 8.8.8.8 |
May 13, 2021 07:05:31.758939981 CEST | 53 | 63307 | 8.8.8.8 | 192.168.2.6 |
May 13, 2021 07:05:37.848170042 CEST | 49694 | 53 | 192.168.2.6 | 8.8.8.8 |
May 13, 2021 07:05:37.907937050 CEST | 53 | 49694 | 8.8.8.8 | 192.168.2.6 |
May 13, 2021 07:05:38.948725939 CEST | 54982 | 53 | 192.168.2.6 | 8.8.8.8 |
May 13, 2021 07:05:38.997530937 CEST | 53 | 54982 | 8.8.8.8 | 192.168.2.6 |
May 13, 2021 07:05:48.392863035 CEST | 50010 | 53 | 192.168.2.6 | 8.8.8.8 |
May 13, 2021 07:05:48.450272083 CEST | 53 | 50010 | 8.8.8.8 | 192.168.2.6 |
May 13, 2021 07:05:57.614438057 CEST | 63718 | 53 | 192.168.2.6 | 8.8.8.8 |
May 13, 2021 07:05:57.674642086 CEST | 53 | 63718 | 8.8.8.8 | 192.168.2.6 |
May 13, 2021 07:06:03.671592951 CEST | 62116 | 53 | 192.168.2.6 | 8.8.8.8 |
May 13, 2021 07:06:03.723169088 CEST | 53 | 62116 | 8.8.8.8 | 192.168.2.6 |
May 13, 2021 07:06:17.310728073 CEST | 63816 | 53 | 192.168.2.6 | 8.8.8.8 |
May 13, 2021 07:06:17.424305916 CEST | 53 | 63816 | 8.8.8.8 | 192.168.2.6 |
May 13, 2021 07:06:18.022453070 CEST | 55014 | 53 | 192.168.2.6 | 8.8.8.8 |
May 13, 2021 07:06:18.082550049 CEST | 53 | 55014 | 8.8.8.8 | 192.168.2.6 |
May 13, 2021 07:06:18.673141956 CEST | 62208 | 53 | 192.168.2.6 | 8.8.8.8 |
May 13, 2021 07:06:18.778727055 CEST | 53 | 62208 | 8.8.8.8 | 192.168.2.6 |
May 13, 2021 07:06:18.787117004 CEST | 57574 | 53 | 192.168.2.6 | 8.8.8.8 |
May 13, 2021 07:06:18.852119923 CEST | 53 | 57574 | 8.8.8.8 | 192.168.2.6 |
May 13, 2021 07:06:19.258569002 CEST | 51818 | 53 | 192.168.2.6 | 8.8.8.8 |
May 13, 2021 07:06:19.307123899 CEST | 53 | 51818 | 8.8.8.8 | 192.168.2.6 |
May 13, 2021 07:06:19.889930964 CEST | 56628 | 53 | 192.168.2.6 | 8.8.8.8 |
May 13, 2021 07:06:19.949183941 CEST | 53 | 56628 | 8.8.8.8 | 192.168.2.6 |
May 13, 2021 07:06:20.545150995 CEST | 60778 | 53 | 192.168.2.6 | 8.8.8.8 |
May 13, 2021 07:06:20.602189064 CEST | 53 | 60778 | 8.8.8.8 | 192.168.2.6 |
May 13, 2021 07:06:21.085773945 CEST | 53799 | 53 | 192.168.2.6 | 8.8.8.8 |
May 13, 2021 07:06:21.145895004 CEST | 53 | 53799 | 8.8.8.8 | 192.168.2.6 |
May 13, 2021 07:06:21.872468948 CEST | 54683 | 53 | 192.168.2.6 | 8.8.8.8 |
May 13, 2021 07:06:21.929668903 CEST | 53 | 54683 | 8.8.8.8 | 192.168.2.6 |
May 13, 2021 07:06:23.266446114 CEST | 59329 | 53 | 192.168.2.6 | 8.8.8.8 |
May 13, 2021 07:06:23.315305948 CEST | 53 | 59329 | 8.8.8.8 | 192.168.2.6 |
May 13, 2021 07:06:23.876497984 CEST | 64021 | 53 | 192.168.2.6 | 8.8.8.8 |
May 13, 2021 07:06:23.936302900 CEST | 53 | 64021 | 8.8.8.8 | 192.168.2.6 |
May 13, 2021 07:06:26.239993095 CEST | 56129 | 53 | 192.168.2.6 | 8.8.8.8 |
May 13, 2021 07:06:26.297805071 CEST | 53 | 56129 | 8.8.8.8 | 192.168.2.6 |
May 13, 2021 07:06:49.227180004 CEST | 58177 | 53 | 192.168.2.6 | 8.8.8.8 |
May 13, 2021 07:06:49.305634022 CEST | 53 | 58177 | 8.8.8.8 | 192.168.2.6 |
May 13, 2021 07:06:59.379746914 CEST | 50700 | 53 | 192.168.2.6 | 8.8.8.8 |
May 13, 2021 07:06:59.437091112 CEST | 53 | 50700 | 8.8.8.8 | 192.168.2.6 |
May 13, 2021 07:07:04.926002979 CEST | 54069 | 53 | 192.168.2.6 | 8.8.8.8 |
May 13, 2021 07:07:04.993700981 CEST | 53 | 54069 | 8.8.8.8 | 192.168.2.6 |
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 07:05:17 |
Start date: | 13/05/2021 |
Path: | C:\Windows\System32\loaddll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x970000 |
File size: | 116736 bytes |
MD5 hash: | 542795ADF7CC08EFCF675D65310596E8 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 07:05:18 |
Start date: | 13/05/2021 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x2a0000 |
File size: | 232960 bytes |
MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 07:05:18 |
Start date: | 13/05/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xa0000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | high |
General |
---|
Start time: | 07:05:51 |
Start date: | 13/05/2021 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1030000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|
Executed Functions |
---|
Non-executed Functions |
---|
Function 100017B0, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 141 | Tags: library, COMMON
APIs |
Strings |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Executed Functions |
---|
Function 031117F3, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 225 | Tags: memory, COMMON
C-Code - Quality: 42% |
APIs |
Strings |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
---|
C-Code - Quality: 78% |
Strings |
Memory Dump Source |
Yara matches
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 31% |
Strings |
Memory Dump Source |
Yara matches
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 84% |
Strings |
Memory Dump Source |
Yara matches
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 93% |
Strings |
Memory Dump Source |
Yara matches
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
Strings |
Memory Dump Source |
Yara matches
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 10011460, Relevance: 0.6, Instructions: 572 | Tags: COMMON, Crypto
C-Code - Quality: 90% |
Memory Dump Source |
Yara matches
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 10011D58, Relevance: 0.3, Instructions: 282 | Tags: COMMON, Crypto
C-Code - Quality: 89% |
Memory Dump Source |
Yara matches
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 10006D50, Relevance: 0.0, Instructions: 36 | Tags: COMMON
C-Code - Quality: 100% |
Memory Dump Source |
Yara matches
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 1000C218, Relevance: 5.1, Strings: 4, Instructions: 53 | Tags: COMMON
C-Code - Quality: 83% |
Strings |
Memory Dump Source |
Yara matches
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |