Play interactive tour

Edit tour

Analysis Report 4e021da2_by_Libranalysis.dll

Overview

General Information

Sample Name:	4e021da2_by_Libranalysis.dll
Analysis ID:	413047
MD5:	4e021da22c2701ea547dbd96479f767f
SHA1:	e791b7c6b5b3a98ed405bc5379f3aca438341ed6
SHA256:	e39faf4e4460a28d67296e6ddcff40423569aa45ee7fb6cb68db7014429d8bd6
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Dridex unpacked file

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to query locales information (e.g. system language)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

One or more processes crash

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

loaddll32.exe (PID: 5608 cmdline: loaddll32.exe 'C:\Users\user\Desktop\4e021da2_by_Libranalysis.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 5420 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\4e021da2_by_Libranalysis.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 5508 cmdline: rundll32.exe 'C:\Users\user\Desktop\4e021da2_by_Libranalysis.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 2308 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 764 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22201, "C2 list": ["43.229.206.212:443", "82.209.17.209:8172", "162.241.209.225:4125"], "RC4 keys": ["16dkGStOzdHgjuCciXGdSX7UrHWfYSUG8wEUtKNgzHrWMfTGafJbC", "39t3NdDhurvpltFNCpvA5goSylkxjIBtIwWPTv1DPbNEcuIekQC7O"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.285424376.0000000010001000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.rundll32.exe.10000000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 2.2.rundll32.exe.10000000.3.unpack

Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["43.229.206.212:443", "82.209.17.209:8172", "162.241.209.225:4125"], "RC4 keys": ["16dkGStOzdHgjuCciXGdSX7UrHWfYSUG8wEUtKNgzHrWMfTGafJbC", "39t3NdDhurvpltFNCpvA5goSylkxjIBtIwWPTv1DPbNEcuIekQC7O"]}

Multi AV Scanner detection for submitted file

Show sources

Source: 4e021da2_by_Libranalysis.dll

ReversingLabs: Detection: 31%

Machine Learning detection for sample

Show sources

Source: 4e021da2_by_Libranalysis.dll

Joe Sandbox ML: detected

Source: 4e021da2_by_Libranalysis.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: 4e021da2_by_Libranalysis.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: fpmvppp.pdb source: loaddll32.exe, 00000000.00000002.214339464.0000000010025000.00000002.00020000.sdmp, 4e021da2_by_Libranalysis.dll

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 43.229.206.212:443
Source: Malware configuration extractor	IPs: 82.209.17.209:8172
Source: Malware configuration extractor	IPs: 162.241.209.225:4125

Source: Joe Sandbox View	IP Address: 82.209.17.209 82.209.17.209
Source: Joe Sandbox View	IP Address: 162.241.209.225 162.241.209.225
Source: Joe Sandbox View	IP Address: 43.229.206.212 43.229.206.212

Source: Joe Sandbox View	ASN Name: PODA-ASCZ PODA-ASCZ
Source: Joe Sandbox View	ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View	ASN Name: INET-AS-IDPTInetGlobalIndoID INET-AS-IDPTInetGlobalIndoID

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 00000002.00000002.285424376.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100220F0	0_2_100220F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10011460	2_2_10011460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1000846C	2_2_1000846C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10001494	2_2_10001494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1000A52C	2_2_1000A52C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10011D58	2_2_10011D58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10019348	2_2_10019348
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10010754	2_2_10010754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_100090CC	2_2_100090CC

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 764

Source: 4e021da2_by_Libranalysis.dll

Binary or memory string: OriginalFilenamex2otfb.dllN vs 4e021da2_by_Libranalysis.dll

Source: 4e021da2_by_Libranalysis.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: 4e021da2_by_Libranalysis.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal72.troj.winDLL@6/4@0/3

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5508

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERBD45.tmp

Jump to behavior

Source: 4e021da2_by_Libranalysis.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\4e021da2_by_Libranalysis.dll',#1

Source: 4e021da2_by_Libranalysis.dll

ReversingLabs: Detection: 31%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\4e021da2_by_Libranalysis.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\4e021da2_by_Libranalysis.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\4e021da2_by_Libranalysis.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 764
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\4e021da2_by_Libranalysis.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\4e021da2_by_Libranalysis.dll',#1	Jump to behavior

Source: 4e021da2_by_Libranalysis.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: 4e021da2_by_Libranalysis.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: fpmvppp.pdb source: loaddll32.exe, 00000000.00000002.214339464.0000000010025000.00000002.00020000.sdmp, 4e021da2_by_Libranalysis.dll

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10006207 push ebx; ret	0_2_10006208
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10004E0F push 822377FAh; iretd	0_2_10004E14
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10005813 push eax; ret	0_2_1000590D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10006830 push 82235DBAh; iretd	0_2_10006855
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000585A push eax; ret	0_2_1000590D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10005A7B push cs; iretd	0_2_10005B7E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10006A80 push ebx; iretd	0_2_10006A85
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000388E push 8223930Ah; iretd	0_2_10003893
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100048AF push 8223A1AEh; iretd	0_2_100048B4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100066D0 push 8223737Ah; iretd	0_2_100066D5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100054EF push 822385B2h; iretd	0_2_100054F4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000530F push 82230D7Eh; iretd	0_2_10005314
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002D4A push 0E950FD0h; iretd	0_2_10002D7C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000574F push 82238352h; iretd	0_2_10005754
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100037A2 push cs; retf	0_2_100037DC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100039C3 push edi; retf	0_2_100039C4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10005FD6 push 0E950020h; retf	0_2_10005FDE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002DF3 push cs; iretd	0_2_10002E7C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100037F5 push cs; retf	0_2_100037DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1000F6CC push esi; mov dword ptr [esp], 00000000h	2_2_1000F6CD

Source: initial sample

Static PE information: section name: .text entropy: 7.53078515147

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_10006D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

2_2_10006D50

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\4e021da2_by_Libranalysis.dll',#1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

2_2_10006D50

Source: C:\Windows\SysWOW64\rundll32.exe

2_2_10006D50

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection11	Virtualization/Sandbox Evasion1	OS Credential Dumping	Security Software Discovery2	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rundll321	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Software Packing2	Security Account Manager	Account Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection11	NTDS	System Owner/User Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information2	LSA Secrets	System Information Discovery11	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
4e021da2_by_Libranalysis.dll	32%	ReversingLabs	Win32.Trojan.Convagent
4e021da2_by_Libranalysis.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
2.2.rundll32.exe.35c0000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
api.globalsign.cloud	0%	Virustotal		Browse

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.globalsign.cloud	104.18.24.243	true	false	0%, Virustotal, Browse	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
82.209.17.209	unknown	Czech Republic	30764	PODA-ASCZ	true
162.241.209.225	unknown	United States	46606	UNIFIEDLAYER-AS-1US	true
43.229.206.212	unknown	Indonesia	24532	INET-AS-IDPTInetGlobalIndoID	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	413047
Start date:	13.05.2021
Start time:	07:04:51
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	4e021da2_by_Libranalysis.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	38
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal72.troj.winDLL@6/4@0/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 57% (good quality ratio 49.4%) Quality average: 67.4% Quality standard deviation: 35.6%
HCA Information:	Successful, ratio: 100% Number of executed functions: 2 Number of non-executed functions: 3
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .dll

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
82.209.17.209	6bea48e8_by_Libranalysis.dll	Get hash	malicious	Browse
	13f88d67_by_Libranalysis.dll	Get hash	malicious	Browse
	052a78c5_by_Libranalysis.dll	Get hash	malicious	Browse
	fe1d4238_by_Libranalysis.dll	Get hash	malicious	Browse
	5322b76c_by_Libranalysis.dll	Get hash	malicious	Browse
	27c06d28_by_Libranalysis.dll	Get hash	malicious	Browse
	4e021da2_by_Libranalysis.dll	Get hash	malicious	Browse
	6bea48e8_by_Libranalysis.dll	Get hash	malicious	Browse
	a98ab505_by_Libranalysis.dll	Get hash	malicious	Browse
	1c640454_by_Libranalysis.dll	Get hash	malicious	Browse
	052a78c5_by_Libranalysis.dll	Get hash	malicious	Browse
	6333f266_by_Libranalysis.dll	Get hash	malicious	Browse
	0f6f2d53_by_Libranalysis.dll	Get hash	malicious	Browse
	5322b76c_by_Libranalysis.dll	Get hash	malicious	Browse
	c2b6efb1_by_Libranalysis.dll	Get hash	malicious	Browse
	62badb64_by_Libranalysis.dll	Get hash	malicious	Browse
	0ee1d71e_by_Libranalysis.dll	Get hash	malicious	Browse
	a98ab505_by_Libranalysis.dll	Get hash	malicious	Browse
	1c640454_by_Libranalysis.dll	Get hash	malicious	Browse
	6333f266_by_Libranalysis.dll	Get hash	malicious	Browse
162.241.209.225	6bea48e8_by_Libranalysis.dll	Get hash	malicious	Browse
	13f88d67_by_Libranalysis.dll	Get hash	malicious	Browse
	052a78c5_by_Libranalysis.dll	Get hash	malicious	Browse
	fe1d4238_by_Libranalysis.dll	Get hash	malicious	Browse
	5322b76c_by_Libranalysis.dll	Get hash	malicious	Browse
	27c06d28_by_Libranalysis.dll	Get hash	malicious	Browse
	4e021da2_by_Libranalysis.dll	Get hash	malicious	Browse
	6bea48e8_by_Libranalysis.dll	Get hash	malicious	Browse
	a98ab505_by_Libranalysis.dll	Get hash	malicious	Browse
	1c640454_by_Libranalysis.dll	Get hash	malicious	Browse
	052a78c5_by_Libranalysis.dll	Get hash	malicious	Browse
	6333f266_by_Libranalysis.dll	Get hash	malicious	Browse
	0f6f2d53_by_Libranalysis.dll	Get hash	malicious	Browse
	5322b76c_by_Libranalysis.dll	Get hash	malicious	Browse
	c2b6efb1_by_Libranalysis.dll	Get hash	malicious	Browse
	62badb64_by_Libranalysis.dll	Get hash	malicious	Browse
	0ee1d71e_by_Libranalysis.dll	Get hash	malicious	Browse
	a98ab505_by_Libranalysis.dll	Get hash	malicious	Browse
	1c640454_by_Libranalysis.dll	Get hash	malicious	Browse
	6333f266_by_Libranalysis.dll	Get hash	malicious	Browse
43.229.206.212	86fa0c16_by_Libranalysis.dll	Get hash	malicious	Browse
	6bea48e8_by_Libranalysis.dll	Get hash	malicious	Browse
	13f88d67_by_Libranalysis.dll	Get hash	malicious	Browse
	052a78c5_by_Libranalysis.dll	Get hash	malicious	Browse
	fe1d4238_by_Libranalysis.dll	Get hash	malicious	Browse
	5322b76c_by_Libranalysis.dll	Get hash	malicious	Browse
	27c06d28_by_Libranalysis.dll	Get hash	malicious	Browse
	4e021da2_by_Libranalysis.dll	Get hash	malicious	Browse
	6bea48e8_by_Libranalysis.dll	Get hash	malicious	Browse
	a98ab505_by_Libranalysis.dll	Get hash	malicious	Browse
	1c640454_by_Libranalysis.dll	Get hash	malicious	Browse
	052a78c5_by_Libranalysis.dll	Get hash	malicious	Browse
	6333f266_by_Libranalysis.dll	Get hash	malicious	Browse
	0f6f2d53_by_Libranalysis.dll	Get hash	malicious	Browse
	5322b76c_by_Libranalysis.dll	Get hash	malicious	Browse
	c2b6efb1_by_Libranalysis.dll	Get hash	malicious	Browse
	62badb64_by_Libranalysis.dll	Get hash	malicious	Browse
	0ee1d71e_by_Libranalysis.dll	Get hash	malicious	Browse
	a98ab505_by_Libranalysis.dll	Get hash	malicious	Browse
	1c640454_by_Libranalysis.dll	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
api.globalsign.cloud	N6hkl66Jq5.dll	Get hash	malicious	Browse	104.18.24.243
	6f61bc36_by_Libranalysis.dll	Get hash	malicious	Browse	104.18.24.243
	Telex.exe	Get hash	malicious	Browse	104.18.24.243
	263a35c3_by_Libranalysis.dll	Get hash	malicious	Browse	104.18.25.243
	POI09876OIUY.exe	Get hash	malicious	Browse	104.18.25.243
	Request Sample products.exe	Get hash	malicious	Browse	104.18.25.243
	6823a552_by_Libranalysis.dll	Get hash	malicious	Browse	104.18.24.243
	3bc8e970_by_Libranalysis.dll	Get hash	malicious	Browse	104.18.25.243
	079c508f_by_Libranalysis.dll	Get hash	malicious	Browse	104.18.25.243
	80df624d_by_Libranalysis.dll	Get hash	malicious	Browse	104.18.24.243
	8333bdd5e1560584a0302e2fe63cf9d81ebe5b48e7e2b.exe	Get hash	malicious	Browse	104.18.24.243
	7b73e459_by_Libranalysis.dll	Get hash	malicious	Browse	104.18.25.243
	lBmH1dux3rkWHAs.exe	Get hash	malicious	Browse	104.18.24.243
	INQUIRY.exe	Get hash	malicious	Browse	104.18.24.243
	0908000000.exe	Get hash	malicious	Browse	104.18.24.243
	urgent request fro quotation CONO GROUP LLC DK983746GT.exe	Get hash	malicious	Browse	104.18.25.243
	un6IVL1qYU.dll	Get hash	malicious	Browse	104.18.25.243
	dVMxk14XPULdlBw.exe	Get hash	malicious	Browse	104.18.25.243
	Purchase Order-1245102021.xls	Get hash	malicious	Browse	104.18.25.243
	SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe	Get hash	malicious	Browse	104.18.25.243

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
PODA-ASCZ	6bea48e8_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	13f88d67_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	052a78c5_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	fe1d4238_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	5322b76c_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	27c06d28_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	4e021da2_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	6bea48e8_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	a98ab505_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	1c640454_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	052a78c5_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	6333f266_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	0f6f2d53_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	5322b76c_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	c2b6efb1_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	62badb64_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	0ee1d71e_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	a98ab505_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	1c640454_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	6333f266_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
INET-AS-IDPTInetGlobalIndoID	27c06d28_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
	86fa0c16_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
	6bea48e8_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
	13f88d67_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
	052a78c5_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
	fe1d4238_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
	5322b76c_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
	27c06d28_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
	4e021da2_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
	6bea48e8_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
	a98ab505_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
	1c640454_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
	052a78c5_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
	6333f266_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
	0f6f2d53_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
	5322b76c_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
	c2b6efb1_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
	62badb64_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
	0ee1d71e_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
	a98ab505_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
UNIFIEDLAYER-AS-1US	6bea48e8_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	13f88d67_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	052a78c5_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	fe1d4238_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	5322b76c_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	27c06d28_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	4e021da2_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	6bea48e8_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	a98ab505_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	1c640454_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	052a78c5_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	6333f266_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	0f6f2d53_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	5322b76c_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	c2b6efb1_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	62badb64_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	0ee1d71e_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	a98ab505_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	1c640454_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	6333f266_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_f8f758f9c9ae6eac81fa9732924e44386348e_82810a17_0958c999\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	12480
Entropy (8bit):	3.7664210837651564
Encrypted:	false
SSDEEP:	192:FRG3iy0oX5tcHBUZMX4jed+SG/u7ssS274ItWcC:DG3iUXwBUZMX4jee/u7ssX4ItWcC
MD5:	D1725958671FB6996996750B0AE9AE9F
SHA1:	6CA74AEA08CCA32C510BEE358116F03700792D73
SHA-256:	030A3377C2B02B9C9221FB12ECDDAA5055AD7B360D617A5F8C026590ED5A9BAA
SHA-512:	2C528D4FBF09708C18AF9CF931027C9D012F67EB387F2EE2BD8DAB81719CDABE29EDEDCA46E2AA1159829FD22E6A5072DDFD0CBB1E4FD54C0552509F2E1C081E
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.5.3.8.8.4.0.9.2.7.0.8.0.2.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.5.3.8.8.4.1.0.8.6.4.5.5.4.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.6.0.c.6.a.d.1.-.d.2.c.e.-.4.b.e.1.-.b.3.5.4.-.5.b.a.0.4.4.9.a.9.1.8.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.6.d.f.2.6.8.1.-.4.4.5.0.-.4.5.9.a.-.9.e.f.7.-.7.2.1.6.f.c.c.f.f.3.9.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.8.4.-.0.0.0.1.-.0.0.1.7.-.f.9.9.8.-.e.9.2.5.0.1.4.8.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBD45.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu May 13 14:06:50 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	57606
Entropy (8bit):	1.987366736077386
Encrypted:	false
SSDEEP:	192:uyVoozo2TUDgZiu8i5/jSjdltyAXTw20m8n9nkk:u8h9sj+ejdffw2b8n9kk
MD5:	06ED07EEBD8DC65CBF852E2021BF8BF8
SHA1:	3F2FA511DDEC164E69B77E73C1CFBE8B02EDF421
SHA-256:	ED0FE2F3009B09391CD0D90E7E6EE290699928F719030B653CF77C573D36D85B
SHA-512:	FAAD4EFADEE604FAB55B0F561443AE62396978B69A1704745A4951C8F59EB0AE4F329E1FEA401A530A9555AAA36DAE621E2548C75D2F87EDE2F4F4E4804BFCCA
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......z2.`...................U...........B....... ......GenuineIntelW...........T...........[2.`.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC19C.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8292
Entropy (8bit):	3.693397822387037
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNid/6aG6Ywq625qGgmfTXVS/CprR389bCmsfdG1Wm:RrlsNi16D6YF62FgmfTFSEoCFfdG9
MD5:	3CE3F5F4CCADF8886692E6C44030658C
SHA1:	98B49C804923F2F336ABE8632E9338CD583CC836
SHA-256:	C65A9E5B7B8AA80E74E2F57F4C54171180759878208F56169C56B27D4F9327E6
SHA-512:	C071B9098CBF848F84B8E7D987178D1528D226ABCB0E1AD8D3786F49F7420A2D8B53A4D27BFFA5F593DCA52389F64955D0E000A1B619067BFC2C8CA01C17967F
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.5.0.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC2F4.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4663
Entropy (8bit):	4.4744082093595345
Encrypted:	false
SSDEEP:	48:cvIwSD8zsBJgtWI9UqWSC8B78fm8M4JCdsg4NrF2o+q8/d4NFk4SrSPd:uITfT/LSNeJtNp9NuDWPd
MD5:	D1B29C8EE9CBE7A41049F58427AA1415
SHA1:	DB6903F11F54AD98EE38B636D608E0F7A41EC1D5
SHA-256:	42AA2E5316673D64B432AF929AB74EA97ACCF09BC2D5670EA485E0D1B6A8D230
SHA-512:	4C9EF7C51BCE9D4A8BC7353BD3533EE1D3B39441339F9D1AE96A2E10BBB76D4F2B2066B75501B9CD4ECB924842F66CA3D087B38323E3988EBE6A540FD6872BE4
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="987797" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.513886808236697
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	4e021da2_by_Libranalysis.dll
File size:	167424
MD5:	4e021da22c2701ea547dbd96479f767f
SHA1:	e791b7c6b5b3a98ed405bc5379f3aca438341ed6
SHA256:	e39faf4e4460a28d67296e6ddcff40423569aa45ee7fb6cb68db7014429d8bd6
SHA512:	38b3c61516ffa07952b05171c3f4763946fcec65e778ef2e52e796d80ab73fdcbcbfc73d0fb3d5628a6f9d4cab21014dbf07ec269eb1ede0e375c7143cbec965
SSDEEP:	3072:K9F/oNrQb4xVubbXP/NTccbsFvCeLmXH57V30e8Pj:K9F6rQXvFczvYpQP
File Content Preview:	MZ......................@...................................\...........!..L.!This program cannot be run in DOS mode....$.......Xm.o...<...<...<.U!<...<..B<r..<...<...<rQ!<...<;..<...<;..<3..<au.<...<szt<"..<Rich...<.......................................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10024cc0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x609C7F93 [Thu May 13 01:23:31 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	88962f6760ea005847fb88b87e8ce1fd

Entrypoint Preview

Instruction
mov eax, 00000000h
cmpss xmm1, xmm2, 03h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
cmpss xmm1, xmm2, 03h
cmp eax, 02h
mov eax, ebp
mov dword ptr [10029734h], eax
mov eax, ebx
mov dword ptr [10029730h], eax
mov eax, esi
mov dword ptr [10029728h], eax
jne 00007FEB14CD5D36h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h

Rich Headers

Programming Language:

[RES] VS2015 build 23026
[IMP] VS2013 UPD4 build 31101
[ C ] VS2010 build 30319
[RES] VS2015 UPD2 build 23918
[C++] VS2005 build 50727
[IMP] VS2010 SP1 build 40219
[RES] VS2012 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2770a	0x5b	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x277d8	0x59	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x3a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2d000	0x1220
IMAGE_DIRECTORY_ENTRY_DEBUG	0x10018	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x25000	0x4c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x23f74	0x23e00	False	0.756362968206	data	7.53078515147	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x25000	0x2a04	0x2c00	False	0.753728693182	data	7.42331753213	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.crt	0x28000	0x36b0	0x1800	False	0.79052734375	MMDF mailbox	7.46423038313	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x2c000	0x3a0	0x400	False	0.4248046875	data	3.06187161643	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2d000	0x26c	0x400	False	0.548828125	data	4.2946697642	IMAGE_SCN_TYPE_NOLOAD, IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x2c060	0x33c	data

Imports

DLL	Import
KERNEL32.dll	GetProfileSectionW, CloseHandle, OpenSemaphoreW, LoadLibraryW, OutputDebugStringA, CreateFileW, GetProfileSectionA
USER32.dll	TranslateMessage
CLUSAPI.dll	ClusterEnum
ADVAPI32.dll	RegOverridePredefKey
RASAPI32.dll	RasGetConnectionStatistics
ole32.dll	CreatePointerMoniker, CreateStreamOnHGlobal

Version Infos

Description	Data
LegalCopyright	Copyright 2018
InternalName	x2otfb
FileVersion	7.2.5422.00
Full Version	7.2.5_000-b00
CompanyName	Oracle Corporation
ProductName	Xhot(BM) Ltloehey YO 8
ProductVersion	7.2.5422.00
FileDescription	Java(TM) Platform SE binary
OriginalFilename	x2otfb.dll
Translation	0x0000 0x04b0

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 13, 2021 07:06:12.084755898 CEST	50200	53	192.168.2.3	8.8.8.8
May 13, 2021 07:06:12.149693012 CEST	53	50200	8.8.8.8	192.168.2.3
May 13, 2021 07:06:12.321614027 CEST	51281	53	192.168.2.3	8.8.8.8
May 13, 2021 07:06:12.381635904 CEST	53	51281	8.8.8.8	192.168.2.3
May 13, 2021 07:06:12.529730082 CEST	49199	53	192.168.2.3	8.8.8.8
May 13, 2021 07:06:12.578414917 CEST	53	49199	8.8.8.8	192.168.2.3
May 13, 2021 07:06:12.882363081 CEST	50620	53	192.168.2.3	8.8.8.8
May 13, 2021 07:06:12.933892965 CEST	53	50620	8.8.8.8	192.168.2.3
May 13, 2021 07:06:14.094266891 CEST	64938	53	192.168.2.3	8.8.8.8
May 13, 2021 07:06:14.145802021 CEST	53	64938	8.8.8.8	192.168.2.3
May 13, 2021 07:06:14.971556902 CEST	60152	53	192.168.2.3	8.8.8.8
May 13, 2021 07:06:15.023622990 CEST	53	60152	8.8.8.8	192.168.2.3
May 13, 2021 07:06:15.486473083 CEST	57544	53	192.168.2.3	8.8.8.8
May 13, 2021 07:06:15.548631907 CEST	53	57544	8.8.8.8	192.168.2.3
May 13, 2021 07:06:16.069029093 CEST	55984	53	192.168.2.3	8.8.8.8
May 13, 2021 07:06:16.128964901 CEST	53	55984	8.8.8.8	192.168.2.3
May 13, 2021 07:06:16.975749969 CEST	64185	53	192.168.2.3	8.8.8.8
May 13, 2021 07:06:17.035387993 CEST	53	64185	8.8.8.8	192.168.2.3
May 13, 2021 07:06:18.088840961 CEST	65110	53	192.168.2.3	8.8.8.8
May 13, 2021 07:06:18.137587070 CEST	53	65110	8.8.8.8	192.168.2.3
May 13, 2021 07:06:19.186115980 CEST	58361	53	192.168.2.3	8.8.8.8
May 13, 2021 07:06:19.234903097 CEST	53	58361	8.8.8.8	192.168.2.3
May 13, 2021 07:06:20.090894938 CEST	63492	53	192.168.2.3	8.8.8.8
May 13, 2021 07:06:20.142101049 CEST	53	63492	8.8.8.8	192.168.2.3
May 13, 2021 07:06:21.722460985 CEST	60831	53	192.168.2.3	8.8.8.8
May 13, 2021 07:06:21.772391081 CEST	53	60831	8.8.8.8	192.168.2.3
May 13, 2021 07:06:22.914666891 CEST	60100	53	192.168.2.3	8.8.8.8
May 13, 2021 07:06:22.963865995 CEST	53	60100	8.8.8.8	192.168.2.3
May 13, 2021 07:06:24.315103054 CEST	53195	53	192.168.2.3	8.8.8.8
May 13, 2021 07:06:24.366724968 CEST	53	53195	8.8.8.8	192.168.2.3
May 13, 2021 07:06:25.178656101 CEST	50141	53	192.168.2.3	8.8.8.8
May 13, 2021 07:06:25.235788107 CEST	53	50141	8.8.8.8	192.168.2.3
May 13, 2021 07:06:26.178719044 CEST	53023	53	192.168.2.3	8.8.8.8
May 13, 2021 07:06:26.227371931 CEST	53	53023	8.8.8.8	192.168.2.3
May 13, 2021 07:06:27.032063007 CEST	49563	53	192.168.2.3	8.8.8.8
May 13, 2021 07:06:27.081860065 CEST	53	49563	8.8.8.8	192.168.2.3
May 13, 2021 07:06:28.539405107 CEST	51352	53	192.168.2.3	8.8.8.8
May 13, 2021 07:06:28.589996099 CEST	53	51352	8.8.8.8	192.168.2.3
May 13, 2021 07:06:29.426707983 CEST	59349	53	192.168.2.3	8.8.8.8
May 13, 2021 07:06:29.475404024 CEST	53	59349	8.8.8.8	192.168.2.3
May 13, 2021 07:06:30.628009081 CEST	57084	53	192.168.2.3	8.8.8.8
May 13, 2021 07:06:30.676721096 CEST	53	57084	8.8.8.8	192.168.2.3
May 13, 2021 07:06:31.866084099 CEST	58823	53	192.168.2.3	8.8.8.8
May 13, 2021 07:06:31.914755106 CEST	53	58823	8.8.8.8	192.168.2.3
May 13, 2021 07:06:32.850760937 CEST	57568	53	192.168.2.3	8.8.8.8
May 13, 2021 07:06:32.899518013 CEST	53	57568	8.8.8.8	192.168.2.3
May 13, 2021 07:06:44.039997101 CEST	50540	53	192.168.2.3	8.8.8.8
May 13, 2021 07:06:44.098830938 CEST	53	50540	8.8.8.8	192.168.2.3
May 13, 2021 07:06:51.825371981 CEST	54366	53	192.168.2.3	8.8.8.8
May 13, 2021 07:06:51.874033928 CEST	53	54366	8.8.8.8	192.168.2.3
May 13, 2021 07:06:58.214111090 CEST	53034	53	192.168.2.3	8.8.8.8
May 13, 2021 07:06:58.271070004 CEST	53	53034	8.8.8.8	192.168.2.3
May 13, 2021 07:07:05.327465057 CEST	57762	53	192.168.2.3	8.8.8.8
May 13, 2021 07:07:05.385914087 CEST	53	57762	8.8.8.8	192.168.2.3
May 13, 2021 07:07:07.374015093 CEST	55435	53	192.168.2.3	8.8.8.8
May 13, 2021 07:07:07.432626009 CEST	53	55435	8.8.8.8	192.168.2.3
May 13, 2021 07:07:36.709866047 CEST	50713	53	192.168.2.3	8.8.8.8
May 13, 2021 07:07:36.767180920 CEST	53	50713	8.8.8.8	192.168.2.3
May 13, 2021 07:07:43.456538916 CEST	56132	53	192.168.2.3	8.8.8.8
May 13, 2021 07:07:43.515566111 CEST	53	56132	8.8.8.8	192.168.2.3
May 13, 2021 07:07:59.583046913 CEST	58987	53	192.168.2.3	8.8.8.8
May 13, 2021 07:07:59.654011011 CEST	53	58987	8.8.8.8	192.168.2.3
May 13, 2021 07:08:17.001667023 CEST	56579	53	192.168.2.3	8.8.8.8
May 13, 2021 07:08:17.074435949 CEST	53	56579	8.8.8.8	192.168.2.3
May 13, 2021 07:08:18.848963022 CEST	60633	53	192.168.2.3	8.8.8.8
May 13, 2021 07:08:18.921035051 CEST	53	60633	8.8.8.8	192.168.2.3
May 13, 2021 07:09:04.516415119 CEST	61292	53	192.168.2.3	8.8.8.8
May 13, 2021 07:09:04.616945028 CEST	53	61292	8.8.8.8	192.168.2.3
May 13, 2021 07:09:05.999895096 CEST	63619	53	192.168.2.3	8.8.8.8
May 13, 2021 07:09:06.126808882 CEST	53	63619	8.8.8.8	192.168.2.3
May 13, 2021 07:09:08.066818953 CEST	64938	53	192.168.2.3	8.8.8.8
May 13, 2021 07:09:08.128129959 CEST	53	64938	8.8.8.8	192.168.2.3
May 13, 2021 07:09:08.629318953 CEST	61946	53	192.168.2.3	8.8.8.8
May 13, 2021 07:09:08.686511040 CEST	53	61946	8.8.8.8	192.168.2.3
May 13, 2021 07:09:09.226380110 CEST	64910	53	192.168.2.3	8.8.8.8
May 13, 2021 07:09:09.284317970 CEST	53	64910	8.8.8.8	192.168.2.3
May 13, 2021 07:09:09.865658998 CEST	52123	53	192.168.2.3	8.8.8.8
May 13, 2021 07:09:09.914448977 CEST	53	52123	8.8.8.8	192.168.2.3
May 13, 2021 07:09:10.437730074 CEST	56130	53	192.168.2.3	8.8.8.8
May 13, 2021 07:09:10.486855984 CEST	53	56130	8.8.8.8	192.168.2.3
May 13, 2021 07:09:11.262085915 CEST	56338	53	192.168.2.3	8.8.8.8
May 13, 2021 07:09:11.319325924 CEST	53	56338	8.8.8.8	192.168.2.3
May 13, 2021 07:09:12.227264881 CEST	59420	53	192.168.2.3	8.8.8.8
May 13, 2021 07:09:12.280409098 CEST	53	59420	8.8.8.8	192.168.2.3
May 13, 2021 07:09:12.755098104 CEST	58784	53	192.168.2.3	8.8.8.8
May 13, 2021 07:09:12.812491894 CEST	53	58784	8.8.8.8	192.168.2.3

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 13, 2021 07:06:12.578414917 CEST	8.8.8.8	192.168.2.3	0x850e	No error (0)	api.globalsign.cloud		104.18.24.243	A (IP address)	IN (0x0001)
May 13, 2021 07:06:12.578414917 CEST	8.8.8.8	192.168.2.3	0x850e	No error (0)	api.globalsign.cloud		104.18.25.243	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 5608 Parent PID: 5748

General

Start time:	07:06:19
Start date:	13/05/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\4e021da2_by_Libranalysis.dll'
Imagebase:	0x9a0000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 5420 Parent PID: 5608

General

Start time:	07:06:19
Start date:	13/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\4e021da2_by_Libranalysis.dll',#1
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5508 Parent PID: 5420

General

Start time:	07:06:19
Start date:	13/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\4e021da2_by_Libranalysis.dll',#1
Imagebase:	0x2e0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000002.00000002.285424376.0000000010001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 2308 Parent PID: 5508

General

Start time:	07:06:48
Start date:	13/05/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 764
Imagebase:	0x1160000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 5608 Parent PID: 5748 loaddll32.exeCOMMON

Executed Functions

Non-executed Functions

Function 100220F0, Relevance: 11.7, Strings: 9, Instructions: 469COMMON

Download Yara Rule

Strings

a, xrefs: 1002256D
i, xrefs: 1002250E
t, xrefs: 1002255D
o, xrefs: 10022610
D, xrefs: 100229E4
l, xrefs: 10022600
u, xrefs: 10022565
l, xrefs: 10022608
c, xrefs: 1002262E

Memory Dump Source

Source File: 00000000.00000002.214331616.0000000010021000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.214307596.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.214311596.0000000010001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.214339464.0000000010025000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.214347573.0000000010028000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.214354578.000000001002C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: D$a$c$i$l$l$o$t$u
API String ID: 0-1871623029
Opcode ID: 39defe97fc93470a7b804fd6dc8be910f88b852905747cfc221465a6754b1396
Instruction ID: 0084815472b1379f451f328db7bdd48fedf0434f01950e1a6ab525a79fee850b
Opcode Fuzzy Hash: 39defe97fc93470a7b804fd6dc8be910f88b852905747cfc221465a6754b1396
Instruction Fuzzy Hash: 6142A774608780CFD374CF28C894BDABBE1ABD9354F54892EE48D8B391E731A845CB56

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 5508 Parent PID: 5420 rundll32.exeCOMMON

Executed Functions

Function 035C23D4, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 224
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E035C23D4(long __ebx, void* __edi, long __esi, intOrPtr* _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				void* _v68;
				char* _v72;
				int _v76;
				long _v80;
				long _v84;
				DWORD* _v88;
				intOrPtr _v92;
				int _v96;
				intOrPtr* _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				void* _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				char* _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				unsigned int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				intOrPtr _v176;
				int _v180;
				char* _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				char _v196;
				intOrPtr* _t142;
				int _t148;
				int _t156;
				int _t160;
				unsigned int _t180;
				int _t196;
				intOrPtr _t230;
				intOrPtr _t232;
				void* _t237;
				intOrPtr _t240;
				void* _t247;
				intOrPtr _t251;
				intOrPtr _t258;
				DWORD* _t271;
				void* _t275;
				intOrPtr* _t278;
				intOrPtr* _t279;

				_t142 = _a4;
				_v20 = 0;
				_t247 =  *_t142;
				 *0x35c4418 = 1;
				asm("movaps xmm0, [0x35c3010]");
				asm("movups [0x35c4428], xmm0");
				_v48 = _t142;
				_v52 =  *((intOrPtr*)(_t142 + 0x48));
				_v56 =  *((intOrPtr*)(_v48 + 0x6c));
				_v196 = _t247;
				_v192 =  *((intOrPtr*)(_v48 + 0x24));
				_v188 = 4;
				_v184 =  &_v20;
				_v60 =  *((intOrPtr*)(_t142 + 0x1c));
				_v64 = 4;
				_v68 = _t247;
				_v72 =  &_v20;
				_t148 = VirtualProtect(__edi, __esi, __ebx, _t271); // executed
				_v76 = _t148;
				_v196 = _v68;
				_v192 = 0;
				_v188 =  *((intOrPtr*)(_v48 + 0x24));
				_v80 = 0x400;
				_v84 = 2;
				_v88 =  &_v20;
				_v92 = 0;
				E035C1E7B();
				E035C1094(_v68,  *((intOrPtr*)(_v48 + 0x44)), _v56);
				E035C1E7B( *((intOrPtr*)(_v48 + 0x44)), 0, _v56);
				_t156 = VirtualProtect(_v68, 0x400, 2, _v88); // executed
				_t278 = _t275 - 0x94;
				_t237 = _v68;
				_t258 =  *((intOrPtr*)(_t237 + 0x3c));
				_v96 = _t156;
				_v100 = _v68 + 0x3c;
				_v104 = _t237;
				_v108 = _t258;
				if(_t258 != 0) {
					_v104 = _v68 + (_v108 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v120 = _v104;
				if(_v52 != 0) {
					_v144 = _v120 + 0x18 + ( *(_v120 + 0x14) & 0x0000ffff);
					_v148 = 0;
					while(1) {
						_t230 = _v144;
						_v156 = _v148;
						_t180 =  *(_t230 + 0x24);
						_v160 = _t180;
						_v164 = _t180 >> 0x1e;
						_v168 = _v160 >> 0x1f;
						_v172 = _v160 >> 0x0000001d & 0x00000001;
						_v196 = _v68 +  *((intOrPtr*)(_t230 + 0xc));
						_v192 =  *((intOrPtr*)(_t230 + 8));
						_v188 =  *((intOrPtr*)(0x35c4418 + ((_v164 & 0x00000001) << 4) + (_v168 << 3) + (_v172 << 2)));
						_v184 =  &_v20;
						_v176 = _t230;
						_t196 = VirtualProtect(??, ??, ??, ??); // executed
						_t278 = _t278 - 0x10;
						_t232 = _v156 + 1;
						_v180 = _t196;
						_v144 = _v176 + 0x28;
						_v148 = _t232;
						if(_t232 == _v52) {
							goto L11;
						}
					}
				}
				L11:
				 *_t278 = _v68;
				_v124 = _v68 +  *((intOrPtr*)(_v48 + 0x10));
				_t160 = DisableThreadLibraryCalls(??);
				_t279 = _t278 - 4;
				_t240 =  *_v100;
				_v152 = _t160;
				_v112 = _t240;
				_v116 = _v68;
				if(_t240 == 0) {
					L7:
					_t251 = _v48;
					_v44 =  *((intOrPtr*)(_t251 + 0x40));
					_v40 =  *((intOrPtr*)(_t251 + 0x4c));
					_v36 =  *((intOrPtr*)(_t251 + 0x20));
					_v32 =  *((intOrPtr*)(_t251 + 0x54));
					_v28 =  *((intOrPtr*)(_t251 + 0x58));
					_v24 = _v124;
					 *_t279 = _t251;
					_v196 = 0;
					_v192 = 0x74;
					_v128 =  *((intOrPtr*)(_v116 + 0x28));
					_v132 = 0;
					_v136 = 0x74;
					_v140 =  &_v44;
					E035C1E7B();
					if(_v128 != 0) {
						_t278 =  *((intOrPtr*)( &_v44 + 0x10));
						goto __eax;
					}
					return 1;
				} else {
					_v116 = _v68 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
					goto L7;
				}
			}

0x035c23e0
0x035c23ee
0x035c23f5
0x035c23f7
0x035c2401
0x035c2408
0x035c2412
0x035c2418
0x035c2421
0x035c242a
0x035c242d
0x035c2431
0x035c2439
0x035c243d
0x035c2440
0x035c2443
0x035c2446
0x035c2449
0x035c2463
0x035c2469
0x035c246c
0x035c2474
0x035c2478
0x035c247b
0x035c247e
0x035c2481
0x035c2484
0x035c24a0
0x035c24bd
0x035c24e2
0x035c24e4
0x035c24ed
0x035c24f0
0x035c24fa
0x035c24fd
0x035c2500
0x035c2503
0x035c2506
0x035c255a
0x035c255a
0x035c2566
0x035c2569
0x035c25ed
0x035c25f3
0x035c265e
0x035c2664
0x035c2679
0x035c267f
0x035c2682
0x035c268b
0x035c269a
0x035c26ac
0x035c26dd
0x035c26e0
0x035c26e4
0x035c26e8
0x035c26ef
0x035c26f5
0x035c26f7
0x035c2700
0x035c2711
0x035c2717
0x035c271d
0x035c2723
0x00000000
0x00000000
0x035c2729
0x035c265e
0x035c261a
0x035c2628
0x035c2630
0x035c2633
0x035c2635
0x035c263b
0x035c2647
0x035c264d
0x035c2650
0x035c2653
0x035c2571
0x035c2581
0x035c2587
0x035c258d
0x035c2593
0x035c2599
0x035c259f
0x035c25a5
0x035c25a8
0x035c25ab
0x035c25b3
0x035c25bb
0x035c25be
0x035c25c1
0x035c25c7
0x035c25cd
0x035c25d8
0x035c2532
0x035c2538
0x035c2538
0x035c2614
0x035c2659
0x035c251f
0x00000000
0x035c251f

APIs

VirtualProtect.KERNELBASE ref: 035C2449
VirtualProtect.KERNELBASE ref: 035C24E2
VirtualProtect.KERNELBASE ref: 035C26F5

Strings

t, xrefs: 035C25B3

Memory Dump Source

Source File: 00000002.00000002.285189501.00000000035C0000.00000040.00000001.sdmp, Offset: 035C0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: t
API String ID: 544645111-2238339752
Opcode ID: 06529121bb49f2c894562b35c2461a7ec0ae8a4358acb3d4a26295bd24dbdfe3
Instruction ID: b812aea85c09be43d9e2014e4483c8189038aaabbd688f40dce1987ef0763828
Opcode Fuzzy Hash: 06529121bb49f2c894562b35c2461a7ec0ae8a4358acb3d4a26295bd24dbdfe3
Instruction Fuzzy Hash: 86B1ADB4D04218CFDB14CF99C880A9DFBF1BF48304F1585AAD949AB352D735A985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 035C2101, Relevance: 1.4, APIs: 1, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 035C2172

Memory Dump Source

Source File: 00000002.00000002.285189501.00000000035C0000.00000040.00000001.sdmp, Offset: 035C0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 033d263155ffc3d0b6236b8629689c658cf4e2d9a96ebed7f8aabdbc96411034
Instruction ID: 85863b9374fbfb76f1484a9660a5f1e4e0535b84351b431597d36d66f67de6b8
Opcode Fuzzy Hash: 033d263155ffc3d0b6236b8629689c658cf4e2d9a96ebed7f8aabdbc96411034
Instruction Fuzzy Hash: 4841F3B5D0161A9FDB04DFA8D890AAEBBF1FF88314F14852DE848AB350D335A841CF84

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 10006D50, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10006D50() {

				 *0x1001d280 = GetUserNameW;
				 *0x1001D284 = MessageBoxW;
				 *0x1001D288 = GetLastError;
				 *0x1001D28C = CreateFileA;
				 *0x1001D290 = DebugBreak;
				 *0x1001D294 = FlushFileBuffers;
				 *0x1001D298 = FreeEnvironmentStringsA;
				 *0x1001D29C = GetConsoleOutputCP;
				 *0x1001D2A0 = GetEnvironmentStrings;
				 *0x1001D2A4 = GetLocaleInfoA;
				 *0x1001D2A8 = GetStartupInfoA;
				 *0x1001D2AC = GetStringTypeA;
				 *0x1001D2B0 = HeapValidate;
				 *0x1001D2B4 = IsBadReadPtr;
				 *0x1001D2B8 = LCMapStringA;
				 *0x1001D2BC = LoadLibraryA;
				 *0x1001D2C0 = OutputDebugStringA;
				return 0x1001d280;
			}

0x10006d61
0x10006d69
0x10006d6c
0x10006d7b
0x10006d7e
0x10006d8d
0x10006d90
0x10006d9f
0x10006da2
0x10006db1
0x10006db4
0x10006dc3
0x10006dc6
0x10006dd5
0x10006dd8
0x10006de7
0x10006dea
0x10006ded

Memory Dump Source

Source File: 00000002.00000002.285424376.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.285418833.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.285451263.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.285456702.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.285461210.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80f6e1a276fef8b33378afc9592b3d211071bdeb012eb600a46219d4b0432dd1
Instruction ID: 9a9f90be372116ce35b3bf57ca6adafecb814b37ff7dc50591bd4b03753dcc6b
Opcode Fuzzy Hash: 80f6e1a276fef8b33378afc9592b3d211071bdeb012eb600a46219d4b0432dd1
Instruction Fuzzy Hash: 99110FB8A05620CFD34ACF09D5D49117BF2BB8E360312C19AD8098B376D734D985CF54

Uniqueness

Uniqueness Score: -1.00%

Function 1000C218, Relevance: 5.1, Strings: 4, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E1000C218(void* __ecx, void* __edx) {
				char _v28;
				char _v33;
				char _v38;
				char _v43;
				void* _t24;
				char* _t25;
				char _t32;
				void* _t33;
				void* _t34;
				signed int _t38;
				char* _t40;

				_t40 = (_t38 & 0xfffffff0) - 0x2c;
				asm("movq xmm0, [edx]");
				_t32 = 0;
				 *_t40 = 0x7b;
				asm("movq [esp+0x1], xmm0");
				_v43 = 0x2d;
				do {
					 *((char*)(_t40 + _t32 + 0xa)) =  *((intOrPtr*)(_t32 + __edx + 8));
					_t32 = _t32 + 1;
				} while (_t32 < 4);
				_v38 = 0x2d;
				_t33 = 0;
				do {
					 *((char*)(_t40 + _t33 + 0xf)) =  *((intOrPtr*)(_t33 + __edx + 0xc));
					_t33 = _t33 + 1;
				} while (_t33 < 4);
				_v33 = 0x2d;
				_t34 = 0;
				do {
					 *((char*)(_t40 + _t34 + 0x14)) =  *((intOrPtr*)(_t34 + __edx + 0x10));
					_t34 = _t34 + 1;
				} while (_t34 < 4);
				_v28 = 0x2d;
				_t24 = 0;
				do {
					asm("movd xmm0, dword [eax+edx+0x14]");
					asm("movd [esp+eax+0x19], xmm0");
					_t24 = _t24 + 4;
				} while (_t24 < 0xc);
				_t25 = _t40;
				 *((char*)(_t25 + 0x25)) = 0x7d;
				 *((char*)(_t25 + 0x26)) = 0;
				E1000DFBC(__ecx, _t25, 0);
				return __ecx;
			}

0x1000c21f
0x1000c224
0x1000c228
0x1000c22a
0x1000c22e
0x1000c234
0x1000c239
0x1000c23d
0x1000c241
0x1000c242
0x1000c249
0x1000c24e
0x1000c250
0x1000c254
0x1000c258
0x1000c259
0x1000c260
0x1000c265
0x1000c267
0x1000c26b
0x1000c26f
0x1000c270
0x1000c275
0x1000c27a
0x1000c27c
0x1000c27c
0x1000c282
0x1000c288
0x1000c28b
0x1000c292
0x1000c295
0x1000c29b
0x1000c2a0
0x1000c2ae

Strings

-, xrefs: 1000C249
-, xrefs: 1000C260
-, xrefs: 1000C234
-, xrefs: 1000C275

Memory Dump Source

Source File: 00000002.00000002.285424376.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.285418833.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.285451263.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.285456702.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.285461210.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: -$-$-$-
API String ID: 0-1033403326
Opcode ID: 1d36367edc1a87d387ea343f4f2a29612f5303ddecac01934eed59726700fcc9
Instruction ID: 6420cdf91b2b9fc5655fa5f82b4c53aa5eb92ddd4154ae73ebf41adf494228f8
Opcode Fuzzy Hash: 1d36367edc1a87d387ea343f4f2a29612f5303ddecac01934eed59726700fcc9
Instruction Fuzzy Hash: C811252091C3C04CE749DB7C548462BFFD08F9A208F1886BEE4DA86B53E525D49683B7

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 4e021da2_by_Libranalysis.dll

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

UDP Packets

DNS Answers

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: loaddll32.exe PID: 5608 Parent PID: 5748

Function 035C23D4, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 224
memoryCOMMON

Function 10006D50, Relevance: .0, Instructions: 36
COMMON

Function 1000C218, Relevance: 5.1, Strings: 4, Instructions: 53
COMMON