Play interactive tour

Edit tour

Analysis Report 2a71d07d_by_Libranalysis

Overview

General Information

Sample Name:	2a71d07d_by_Libranalysis (renamed file extension from none to dll)
Analysis ID:	413059
MD5:	2a71d07d2558a0bb9ab701c68b2b7009
SHA1:	0515ca7e2258c364699bbaa6cd1ac7931cd092a1
SHA256:	0e3d0e409a4a46dec0ba0c9e15aff19f75b3b70d41997a9e56f89e97ee64e614
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Dridex unpacked file

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to query locales information (e.g. system language)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

loaddll32.exe (PID: 4168 cmdline: loaddll32.exe 'C:\Users\user\Desktop\2a71d07d_by_Libranalysis.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 4856 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2a71d07d_by_Libranalysis.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 3636 cmdline: rundll32.exe 'C:\Users\user\Desktop\2a71d07d_by_Libranalysis.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 4608 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 764 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22201, "C2 list": ["43.229.206.212:443", "82.209.17.209:8172", "162.241.209.225:4125"], "RC4 keys": ["16dkGStOzdHgjuCciXGdSX7UrHWfYSUG8wEUtKNgzHrWMfTGafJbC", "39t3NdDhurvpltFNCpvA5goSylkxjIBtIwWPTv1DPbNEcuIekQC7O"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.293111007.0000000010001000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.rundll32.exe.10000000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 2.2.rundll32.exe.10000000.3.unpack

Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["43.229.206.212:443", "82.209.17.209:8172", "162.241.209.225:4125"], "RC4 keys": ["16dkGStOzdHgjuCciXGdSX7UrHWfYSUG8wEUtKNgzHrWMfTGafJbC", "39t3NdDhurvpltFNCpvA5goSylkxjIBtIwWPTv1DPbNEcuIekQC7O"]}

Machine Learning detection for sample

Show sources

Source: 2a71d07d_by_Libranalysis.dll

Joe Sandbox ML: detected

Source: 2a71d07d_by_Libranalysis.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: 2a71d07d_by_Libranalysis.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: fpmvppp.pdb source: loaddll32.exe, 00000000.00000002.211852733.0000000010025000.00000002.00020000.sdmp, 2a71d07d_by_Libranalysis.dll

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 43.229.206.212:443
Source: Malware configuration extractor	IPs: 82.209.17.209:8172
Source: Malware configuration extractor	IPs: 162.241.209.225:4125

Source: Joe Sandbox View	IP Address: 82.209.17.209 82.209.17.209
Source: Joe Sandbox View	IP Address: 162.241.209.225 162.241.209.225

Source: Joe Sandbox View	ASN Name: PODA-ASCZ PODA-ASCZ
Source: Joe Sandbox View	ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View	ASN Name: INET-AS-IDPTInetGlobalIndoID INET-AS-IDPTInetGlobalIndoID

Source: loaddll32.exe, 00000000.00000002.211821127.0000000000C6B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 00000002.00000002.293111007.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100220F0	0_2_100220F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10011460	2_2_10011460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1000846C	2_2_1000846C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10001494	2_2_10001494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1000A52C	2_2_1000A52C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10011D58	2_2_10011D58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10019348	2_2_10019348
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10010754	2_2_10010754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_100090CC	2_2_100090CC

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 764

Source: 2a71d07d_by_Libranalysis.dll

Binary or memory string: OriginalFilenamex2otfb.dllN vs 2a71d07d_by_Libranalysis.dll

Source: 2a71d07d_by_Libranalysis.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: 2a71d07d_by_Libranalysis.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal64.troj.winDLL@6/4@0/3

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3636

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER8FCC.tmp

Jump to behavior

Source: 2a71d07d_by_Libranalysis.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2a71d07d_by_Libranalysis.dll',#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\2a71d07d_by_Libranalysis.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2a71d07d_by_Libranalysis.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2a71d07d_by_Libranalysis.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 764
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2a71d07d_by_Libranalysis.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2a71d07d_by_Libranalysis.dll',#1	Jump to behavior

Source: 2a71d07d_by_Libranalysis.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: 2a71d07d_by_Libranalysis.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: fpmvppp.pdb source: loaddll32.exe, 00000000.00000002.211852733.0000000010025000.00000002.00020000.sdmp, 2a71d07d_by_Libranalysis.dll

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10006207 push ebx; ret	0_2_10006208
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10004E0F push 822377FAh; iretd	0_2_10004E14
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10005813 push eax; ret	0_2_1000590D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10006830 push 82235DBAh; iretd	0_2_10006855
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000585A push eax; ret	0_2_1000590D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10005A7B push cs; iretd	0_2_10005B7E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10006A80 push ebx; iretd	0_2_10006A85
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000388E push 8223930Ah; iretd	0_2_10003893
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100048AF push 8223A1AEh; iretd	0_2_100048B4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100066D0 push 8223737Ah; iretd	0_2_100066D5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100054EF push 822385B2h; iretd	0_2_100054F4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000530F push 82230D7Eh; iretd	0_2_10005314
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002D4A push 0E950FD0h; iretd	0_2_10002D7C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000574F push 82238352h; iretd	0_2_10005754
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100037A2 push cs; retf	0_2_100037DC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100039C3 push edi; retf	0_2_100039C4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10005FD6 push 0E950020h; retf	0_2_10005FDE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002DF3 push cs; iretd	0_2_10002E7C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100037F5 push cs; retf	0_2_100037DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1000F6CC push esi; mov dword ptr [esp], 00000000h	2_2_1000F6CD

Source: initial sample

Static PE information: section name: .text entropy: 7.53078515147

Source: C:\Windows\SysWOW64\WerFault.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_10006D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

2_2_10006D50

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2a71d07d_by_Libranalysis.dll',#1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

2_2_10006D50

Source: C:\Windows\SysWOW64\rundll32.exe

2_2_10006D50

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection11	Virtualization/Sandbox Evasion1	Input Capture1	Query Registry1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection11	LSASS Memory	Security Software Discovery2	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	Account Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing2	LSA Secrets	System Owner/User Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery11	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
2a71d07d_by_Libranalysis.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
2.2.rundll32.exe.d80000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
82.209.17.209	unknown	Czech Republic	30764	PODA-ASCZ	true
162.241.209.225	unknown	United States	46606	UNIFIEDLAYER-AS-1US	true
43.229.206.212	unknown	Indonesia	24532	INET-AS-IDPTInetGlobalIndoID	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	413059
Start date:	13.05.2021
Start time:	07:14:42
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	2a71d07d_by_Libranalysis (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal64.troj.winDLL@6/4@0/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 57% (good quality ratio 49.4%) Quality average: 67.4% Quality standard deviation: 35.6%
HCA Information:	Successful, ratio: 100% Number of executed functions: 2 Number of non-executed functions: 3
Cookbook Comments:	Adjust boot time Enable AMSI

Simulations

Behavior and APIs

Time	Type	Description
07:16:12	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
82.209.17.209	fe1d4238_by_Libranalysis.dll	Get hash	malicious	Browse
	13f88d67_by_Libranalysis.dll	Get hash	malicious	Browse
	4bfaad72_by_Libranalysis.dll	Get hash	malicious	Browse
	a194019c_by_Libranalysis.dll	Get hash	malicious	Browse
	cdc733ac_by_Libranalysis.dll	Get hash	malicious	Browse
	4e021da2_by_Libranalysis.dll	Get hash	malicious	Browse
	27c06d28_by_Libranalysis.dll	Get hash	malicious	Browse
	86fa0c16_by_Libranalysis.dll	Get hash	malicious	Browse
	6bea48e8_by_Libranalysis.dll	Get hash	malicious	Browse
	13f88d67_by_Libranalysis.dll	Get hash	malicious	Browse
	052a78c5_by_Libranalysis.dll	Get hash	malicious	Browse
	fe1d4238_by_Libranalysis.dll	Get hash	malicious	Browse
	5322b76c_by_Libranalysis.dll	Get hash	malicious	Browse
	27c06d28_by_Libranalysis.dll	Get hash	malicious	Browse
	4e021da2_by_Libranalysis.dll	Get hash	malicious	Browse
	6bea48e8_by_Libranalysis.dll	Get hash	malicious	Browse
	a98ab505_by_Libranalysis.dll	Get hash	malicious	Browse
	1c640454_by_Libranalysis.dll	Get hash	malicious	Browse
	052a78c5_by_Libranalysis.dll	Get hash	malicious	Browse
	6333f266_by_Libranalysis.dll	Get hash	malicious	Browse
162.241.209.225	fe1d4238_by_Libranalysis.dll	Get hash	malicious	Browse
	13f88d67_by_Libranalysis.dll	Get hash	malicious	Browse
	4bfaad72_by_Libranalysis.dll	Get hash	malicious	Browse
	a194019c_by_Libranalysis.dll	Get hash	malicious	Browse
	cdc733ac_by_Libranalysis.dll	Get hash	malicious	Browse
	4e021da2_by_Libranalysis.dll	Get hash	malicious	Browse
	27c06d28_by_Libranalysis.dll	Get hash	malicious	Browse
	86fa0c16_by_Libranalysis.dll	Get hash	malicious	Browse
	6bea48e8_by_Libranalysis.dll	Get hash	malicious	Browse
	13f88d67_by_Libranalysis.dll	Get hash	malicious	Browse
	052a78c5_by_Libranalysis.dll	Get hash	malicious	Browse
	fe1d4238_by_Libranalysis.dll	Get hash	malicious	Browse
	5322b76c_by_Libranalysis.dll	Get hash	malicious	Browse
	27c06d28_by_Libranalysis.dll	Get hash	malicious	Browse
	4e021da2_by_Libranalysis.dll	Get hash	malicious	Browse
	6bea48e8_by_Libranalysis.dll	Get hash	malicious	Browse
	a98ab505_by_Libranalysis.dll	Get hash	malicious	Browse
	1c640454_by_Libranalysis.dll	Get hash	malicious	Browse
	052a78c5_by_Libranalysis.dll	Get hash	malicious	Browse
	6333f266_by_Libranalysis.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
PODA-ASCZ	fe1d4238_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	13f88d67_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	4bfaad72_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	a194019c_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	cdc733ac_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	4e021da2_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	27c06d28_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	86fa0c16_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	6bea48e8_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	13f88d67_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	052a78c5_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	fe1d4238_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	5322b76c_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	27c06d28_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	4e021da2_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	6bea48e8_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	a98ab505_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	1c640454_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	052a78c5_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	6333f266_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
INET-AS-IDPTInetGlobalIndoID	fe1d4238_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
	13f88d67_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
	4bfaad72_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
	a194019c_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
	cdc733ac_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
	4e021da2_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
	27c06d28_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
	86fa0c16_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
	6bea48e8_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
	13f88d67_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
	052a78c5_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
	fe1d4238_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
	5322b76c_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
	27c06d28_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
	4e021da2_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
	6bea48e8_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
	a98ab505_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
	1c640454_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
	052a78c5_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
	6333f266_by_Libranalysis.dll	Get hash	malicious	Browse	43.229.206.212
UNIFIEDLAYER-AS-1US	fe1d4238_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	13f88d67_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	4bfaad72_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	a194019c_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	cdc733ac_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	4e021da2_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	27c06d28_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	86fa0c16_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	6bea48e8_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	13f88d67_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	052a78c5_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	fe1d4238_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	5322b76c_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	27c06d28_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	4e021da2_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	6bea48e8_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	a98ab505_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	1c640454_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	052a78c5_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	6333f266_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_5e32d1e1b3525e7c67f78118fab6586a885e36df_82810a17_126713a2\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	12482
Entropy (8bit):	3.767518431933883
Encrypted:	false
SSDEEP:	192:4WU9ie0oXUwcHBUZMX4jed+1G/u7suS274ItWch:AioXUrBUZMX4je5/u7suX4ItWch
MD5:	1128034D840B45B6ECA7DE2B7EC8F785
SHA1:	D0B0B9868B885E97D464610B96F5F58C2659F2F1
SHA-256:	319E26273BABA0EF4FC999ED343995B391564D1A0310931FC92774A5E42E613A
SHA-512:	7785AE36B27E5A637FB3190B2E4500E486C7B1F50496AB37C0C75CC14C84B3C04F1668DB3698D20E01862814172E8DC34F7D6A134BD4855C17247194FA755D9E
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.5.3.8.8.9.6.9.2.2.9.5.8.3.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.5.3.8.8.9.7.1.3.7.0.2.0.1.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.3.7.6.a.6.c.f.-.d.8.f.5.-.4.a.6.b.-.a.c.7.a.-.2.b.5.2.4.5.0.5.e.4.e.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.5.0.c.c.3.8.8.-.3.3.6.6.-.4.8.7.e.-.a.1.8.1.-.7.2.3.b.c.6.8.f.4.a.5.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.e.3.4.-.0.0.0.1.-.0.0.1.7.-.0.5.a.8.-.3.a.7.1.0.2.4.8.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8FCC.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu May 13 14:16:10 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	46118
Entropy (8bit):	2.1468042056124736
Encrypted:	false
SSDEEP:	192:0RzYUkaAbrgGvOvcQCK4HkfCZeBDdHY+HhxuGNid193nHSR:NUkasrGUQGHW+gHY+vuGNInA
MD5:	38AA790B7AC1D1FE03058091CAB7B07B
SHA1:	E827408FCD07DBD11674AFB37AD1675CED0E650A
SHA-256:	85881E3AD823D9F8B2AAD24E16FED5403EF0C45053FAEA39286552E62656B418
SHA-512:	F3F1A4EF60BCAFAE154CA79427F0E2B7E00287CF1ACC077A57C12F62A3ADC55F35205C598A20E5C3F7622F4D58DE3FDDBF09C9959B795D50350D57C337A51223
Malicious:	false
Reputation:	low
Preview:	MDMP....... ........4.`...................U...........B..............GenuineIntelW...........T.......4....4.`.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9413.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8292
Entropy (8bit):	3.693617165616258
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNitw6Z6Yse64igmfTQVSbCpr189bfn5sfx1m:RrlsNiq6Z6Y964igmfTQShfnSfa
MD5:	CF51C1B0A367440743AC0A9B6A1A4F65
SHA1:	868B74E9D15997E03267A5FA46192B73EFBAD4A4
SHA-256:	C33CCB28F60507A186C5BBC0C6DFBD86A6D264F0CA58CAAEA7E41FB5B3D1BE70
SHA-512:	CA3D48C14F3205CF879377DC6E65740680B24243B925B03FD351EF6F9E479E095F9D117DEDBE08CD3994606971BE4F1D32333457B262C15EF13F156B70E2B6A3
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.6.3.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER953D.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4663
Entropy (8bit):	4.471533686853024
Encrypted:	false
SSDEEP:	48:cvIwSD8zsOJgtWI9hFWSC8BS8fm8M4JCdsiNrF1D+q8/PNF+4SrSYd:uITfE+0SN1JoNHD4NoDWYd
MD5:	18E8B898F05B5C3DD9AFCF487DA10200
SHA1:	4306199D33720C31A4EA77DCB6222A95F668EA85
SHA-256:	941202C23FAFC31BE9C838DF6A64F37EA50A584EECF22FE2C0110397A87852F5
SHA-512:	02CE8355E7EFB46CAE97DA64421CD43B06C12CC714161432F299A1DC80D0197CAE75E20ACEF9EC042B9FB4640F4E9AF9266C5972232C3FDE65568084C06C0EBB
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="987806" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.513869948958515
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	2a71d07d_by_Libranalysis.dll
File size:	167424
MD5:	2a71d07d2558a0bb9ab701c68b2b7009
SHA1:	0515ca7e2258c364699bbaa6cd1ac7931cd092a1
SHA256:	0e3d0e409a4a46dec0ba0c9e15aff19f75b3b70d41997a9e56f89e97ee64e614
SHA512:	efc3088868a6e785dd1f7a0e6d71e734635fef56c2922a82e478fbacc0eaf2690261cad1f89272847f83b7678a4458c68ee90bb811df359e69e97e6fa755e7ac
SSDEEP:	3072:x9F/oNrQb4xVubbXP/NTccbsFvCeLmXH57V30e8Pj:x9F6rQXvFczvYpQP
File Content Preview:	MZ......................@...................................\...........!..L.!This program cannot be run in DOS mode....$.......Xm.o...<...<...<.U!<...<..B<r..<...<...<rQ!<...<;..<...<;..<3..<au.<...<szt<"..<Rich...<.......................................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10024cc0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x609C8023 [Thu May 13 01:25:55 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	88962f6760ea005847fb88b87e8ce1fd

Entrypoint Preview

Instruction
mov eax, 00000000h
cmpss xmm1, xmm2, 03h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
cmpss xmm1, xmm2, 03h
cmp eax, 02h
mov eax, ebp
mov dword ptr [10029734h], eax
mov eax, ebx
mov dword ptr [10029730h], eax
mov eax, esi
mov dword ptr [10029728h], eax
jne 00007FEDE101A706h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h

Rich Headers

Programming Language:

[RES] VS2015 build 23026
[IMP] VS2013 UPD4 build 31101
[ C ] VS2010 build 30319
[RES] VS2015 UPD2 build 23918
[C++] VS2005 build 50727
[IMP] VS2010 SP1 build 40219
[RES] VS2012 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2770a	0x5b	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x277d8	0x59	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x3a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2d000	0x1220
IMAGE_DIRECTORY_ENTRY_DEBUG	0x10018	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x25000	0x4c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x23dfe	0x23e00	False	0.756362968206	data	7.53078515147	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x25000	0x2a04	0x2c00	False	0.753728693182	data	7.42331753213	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.crt	0x28000	0x389c	0x1800	False	0.79052734375	MMDF mailbox	7.46423038313	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x2c000	0x3a0	0x400	False	0.4248046875	data	3.06187161643	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2d000	0x26c	0x400	False	0.548828125	data	4.2946697642	IMAGE_SCN_TYPE_NOLOAD, IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x2c060	0x33c	data

Imports

DLL	Import
KERNEL32.dll	GetProfileSectionW, CloseHandle, OpenSemaphoreW, LoadLibraryW, OutputDebugStringA, CreateFileW, GetProfileSectionA
USER32.dll	TranslateMessage
CLUSAPI.dll	ClusterEnum
ADVAPI32.dll	RegOverridePredefKey
RASAPI32.dll	RasGetConnectionStatistics
ole32.dll	CreatePointerMoniker, CreateStreamOnHGlobal

Version Infos

Description	Data
LegalCopyright	Copyright 2018
InternalName	x2otfb
FileVersion	7.2.5422.00
Full Version	7.2.5_000-b00
CompanyName	Oracle Corporation
ProductName	Xhot(BM) Ltloehey YO 8
ProductVersion	7.2.5422.00
FileDescription	Java(TM) Platform SE binary
OriginalFilename	x2otfb.dll
Translation	0x0000 0x04b0

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 13, 2021 07:15:26.686638117 CEST	53	51281	8.8.8.8	192.168.2.3
May 13, 2021 07:15:26.688520908 CEST	49199	53	192.168.2.3	8.8.8.8
May 13, 2021 07:15:26.702251911 CEST	50620	53	192.168.2.3	8.8.8.8
May 13, 2021 07:15:26.737206936 CEST	53	49199	8.8.8.8	192.168.2.3
May 13, 2021 07:15:26.777293921 CEST	53	50620	8.8.8.8	192.168.2.3
May 13, 2021 07:15:26.909348965 CEST	64938	53	192.168.2.3	8.8.8.8
May 13, 2021 07:15:26.969623089 CEST	53	64938	8.8.8.8	192.168.2.3
May 13, 2021 07:15:27.443077087 CEST	60152	53	192.168.2.3	8.8.8.8
May 13, 2021 07:15:27.495605946 CEST	53	60152	8.8.8.8	192.168.2.3
May 13, 2021 07:15:29.982964993 CEST	57544	53	192.168.2.3	8.8.8.8
May 13, 2021 07:15:30.044810057 CEST	53	57544	8.8.8.8	192.168.2.3
May 13, 2021 07:15:30.849426031 CEST	55984	53	192.168.2.3	8.8.8.8
May 13, 2021 07:15:30.902123928 CEST	53	55984	8.8.8.8	192.168.2.3
May 13, 2021 07:15:31.857415915 CEST	64185	53	192.168.2.3	8.8.8.8
May 13, 2021 07:15:31.906342030 CEST	53	64185	8.8.8.8	192.168.2.3
May 13, 2021 07:15:32.874978065 CEST	65110	53	192.168.2.3	8.8.8.8
May 13, 2021 07:15:32.932156086 CEST	53	65110	8.8.8.8	192.168.2.3
May 13, 2021 07:15:39.983567953 CEST	58361	53	192.168.2.3	8.8.8.8
May 13, 2021 07:15:40.032356977 CEST	53	58361	8.8.8.8	192.168.2.3
May 13, 2021 07:15:40.786495924 CEST	63492	53	192.168.2.3	8.8.8.8
May 13, 2021 07:15:40.835283995 CEST	53	63492	8.8.8.8	192.168.2.3
May 13, 2021 07:15:41.896287918 CEST	60831	53	192.168.2.3	8.8.8.8
May 13, 2021 07:15:41.946419001 CEST	53	60831	8.8.8.8	192.168.2.3
May 13, 2021 07:15:42.841459990 CEST	60100	53	192.168.2.3	8.8.8.8
May 13, 2021 07:15:42.898762941 CEST	53	60100	8.8.8.8	192.168.2.3
May 13, 2021 07:15:43.830533028 CEST	53195	53	192.168.2.3	8.8.8.8
May 13, 2021 07:15:43.890641928 CEST	53	53195	8.8.8.8	192.168.2.3
May 13, 2021 07:15:45.443512917 CEST	50141	53	192.168.2.3	8.8.8.8
May 13, 2021 07:15:45.492244005 CEST	53	50141	8.8.8.8	192.168.2.3
May 13, 2021 07:15:46.567153931 CEST	53023	53	192.168.2.3	8.8.8.8
May 13, 2021 07:15:46.615864038 CEST	53	53023	8.8.8.8	192.168.2.3
May 13, 2021 07:15:47.362550974 CEST	49563	53	192.168.2.3	8.8.8.8
May 13, 2021 07:15:47.411397934 CEST	53	49563	8.8.8.8	192.168.2.3
May 13, 2021 07:15:48.616920948 CEST	51352	53	192.168.2.3	8.8.8.8
May 13, 2021 07:15:48.675738096 CEST	53	51352	8.8.8.8	192.168.2.3
May 13, 2021 07:15:54.693469048 CEST	59349	53	192.168.2.3	8.8.8.8
May 13, 2021 07:15:54.742096901 CEST	53	59349	8.8.8.8	192.168.2.3
May 13, 2021 07:15:55.504951000 CEST	57084	53	192.168.2.3	8.8.8.8
May 13, 2021 07:15:55.553744078 CEST	53	57084	8.8.8.8	192.168.2.3
May 13, 2021 07:15:56.299130917 CEST	58823	53	192.168.2.3	8.8.8.8
May 13, 2021 07:15:56.349631071 CEST	53	58823	8.8.8.8	192.168.2.3
May 13, 2021 07:15:58.119261026 CEST	57568	53	192.168.2.3	8.8.8.8
May 13, 2021 07:15:58.176493883 CEST	53	57568	8.8.8.8	192.168.2.3
May 13, 2021 07:16:00.198702097 CEST	50540	53	192.168.2.3	8.8.8.8
May 13, 2021 07:16:00.257688046 CEST	53	50540	8.8.8.8	192.168.2.3
May 13, 2021 07:16:10.271420002 CEST	54366	53	192.168.2.3	8.8.8.8
May 13, 2021 07:16:10.338891983 CEST	53	54366	8.8.8.8	192.168.2.3
May 13, 2021 07:16:11.612138033 CEST	53034	53	192.168.2.3	8.8.8.8
May 13, 2021 07:16:11.662036896 CEST	53	53034	8.8.8.8	192.168.2.3
May 13, 2021 07:16:19.080435038 CEST	57762	53	192.168.2.3	8.8.8.8
May 13, 2021 07:16:19.141362906 CEST	53	57762	8.8.8.8	192.168.2.3
May 13, 2021 07:16:22.187797070 CEST	55435	53	192.168.2.3	8.8.8.8
May 13, 2021 07:16:22.236650944 CEST	53	55435	8.8.8.8	192.168.2.3
May 13, 2021 07:16:49.881880045 CEST	50713	53	192.168.2.3	8.8.8.8
May 13, 2021 07:16:49.946985960 CEST	53	50713	8.8.8.8	192.168.2.3
May 13, 2021 07:16:55.901968956 CEST	56132	53	192.168.2.3	8.8.8.8
May 13, 2021 07:16:55.961009026 CEST	53	56132	8.8.8.8	192.168.2.3
May 13, 2021 07:17:16.144573927 CEST	58987	53	192.168.2.3	8.8.8.8
May 13, 2021 07:17:16.214315891 CEST	53	58987	8.8.8.8	192.168.2.3
May 13, 2021 07:17:24.808646917 CEST	56579	53	192.168.2.3	8.8.8.8
May 13, 2021 07:17:24.875758886 CEST	53	56579	8.8.8.8	192.168.2.3
May 13, 2021 07:17:27.004266024 CEST	60633	53	192.168.2.3	8.8.8.8
May 13, 2021 07:17:27.069664955 CEST	53	60633	8.8.8.8	192.168.2.3

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 4168 Parent PID: 5600

General

Start time:	07:15:35
Start date:	13/05/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\2a71d07d_by_Libranalysis.dll'
Imagebase:	0xa60000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 4856 Parent PID: 4168

General

Start time:	07:15:35
Start date:	13/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2a71d07d_by_Libranalysis.dll',#1
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 3636 Parent PID: 4856

General

Start time:	07:15:35
Start date:	13/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\2a71d07d_by_Libranalysis.dll',#1
Imagebase:	0xe90000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000002.00000002.293111007.0000000010001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 4608 Parent PID: 3636

General

Start time:	07:16:07
Start date:	13/05/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 764
Imagebase:	0xcc0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 4168 Parent PID: 5600 loaddll32.exeCOMMON

Executed Functions

Non-executed Functions

Function 100220F0, Relevance: 11.7, Strings: 9, Instructions: 469COMMON

Download Yara Rule

Strings

t, xrefs: 1002255D
l, xrefs: 10022608
o, xrefs: 10022610
i, xrefs: 1002250E
D, xrefs: 100229E4
u, xrefs: 10022565
c, xrefs: 1002262E
a, xrefs: 1002256D
l, xrefs: 10022600

Memory Dump Source

Source File: 00000000.00000002.211847810.0000000010021000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.211828815.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211832706.0000000010001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.211852733.0000000010025000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.211857708.0000000010028000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.211861727.000000001002C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: D$a$c$i$l$l$o$t$u
API String ID: 0-1871623029
Opcode ID: 39defe97fc93470a7b804fd6dc8be910f88b852905747cfc221465a6754b1396
Instruction ID: 0084815472b1379f451f328db7bdd48fedf0434f01950e1a6ab525a79fee850b
Opcode Fuzzy Hash: 39defe97fc93470a7b804fd6dc8be910f88b852905747cfc221465a6754b1396
Instruction Fuzzy Hash: 6142A774608780CFD374CF28C894BDABBE1ABD9354F54892EE48D8B391E731A845CB56

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 3636 Parent PID: 4856 rundll32.exeCOMMON

Executed Functions

Function 00D823D4, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 224
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E00D823D4(long __ebx, void* __edi, long __esi, intOrPtr* _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				void* _v68;
				char* _v72;
				int _v76;
				long _v80;
				long _v84;
				DWORD* _v88;
				intOrPtr _v92;
				int _v96;
				intOrPtr* _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				void* _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				char* _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				unsigned int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				intOrPtr _v176;
				int _v180;
				char* _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				char _v196;
				intOrPtr* _t142;
				int _t148;
				int _t156;
				int _t160;
				unsigned int _t180;
				int _t196;
				intOrPtr _t230;
				intOrPtr _t232;
				void* _t237;
				intOrPtr _t240;
				void* _t247;
				intOrPtr _t251;
				intOrPtr _t258;
				DWORD* _t271;
				void* _t275;
				intOrPtr* _t278;
				intOrPtr* _t279;

				_t142 = _a4;
				_v20 = 0;
				_t247 =  *_t142;
				 *0xd84418 = 1;
				asm("movaps xmm0, [0xd83010]");
				asm("movups [0xd84428], xmm0");
				_v48 = _t142;
				_v52 =  *((intOrPtr*)(_t142 + 0x48));
				_v56 =  *((intOrPtr*)(_v48 + 0x6c));
				_v196 = _t247;
				_v192 =  *((intOrPtr*)(_v48 + 0x24));
				_v188 = 4;
				_v184 =  &_v20;
				_v60 =  *((intOrPtr*)(_t142 + 0x1c));
				_v64 = 4;
				_v68 = _t247;
				_v72 =  &_v20;
				_t148 = VirtualProtect(__edi, __esi, __ebx, _t271); // executed
				_v76 = _t148;
				_v196 = _v68;
				_v192 = 0;
				_v188 =  *((intOrPtr*)(_v48 + 0x24));
				_v80 = 0x400;
				_v84 = 2;
				_v88 =  &_v20;
				_v92 = 0;
				E00D81E7B();
				E00D81094(_v68,  *((intOrPtr*)(_v48 + 0x44)), _v56);
				E00D81E7B( *((intOrPtr*)(_v48 + 0x44)), 0, _v56);
				_t156 = VirtualProtect(_v68, 0x400, 2, _v88); // executed
				_t278 = _t275 - 0x94;
				_t237 = _v68;
				_t258 =  *((intOrPtr*)(_t237 + 0x3c));
				_v96 = _t156;
				_v100 = _v68 + 0x3c;
				_v104 = _t237;
				_v108 = _t258;
				if(_t258 != 0) {
					_v104 = _v68 + (_v108 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v120 = _v104;
				if(_v52 != 0) {
					_v144 = _v120 + 0x18 + ( *(_v120 + 0x14) & 0x0000ffff);
					_v148 = 0;
					while(1) {
						_t230 = _v144;
						_v156 = _v148;
						_t180 =  *(_t230 + 0x24);
						_v160 = _t180;
						_v164 = _t180 >> 0x1e;
						_v168 = _v160 >> 0x1f;
						_v172 = _v160 >> 0x0000001d & 0x00000001;
						_v196 = _v68 +  *((intOrPtr*)(_t230 + 0xc));
						_v192 =  *((intOrPtr*)(_t230 + 8));
						_v188 =  *((intOrPtr*)(0xd84418 + ((_v164 & 0x00000001) << 4) + (_v168 << 3) + (_v172 << 2)));
						_v184 =  &_v20;
						_v176 = _t230;
						_t196 = VirtualProtect(??, ??, ??, ??); // executed
						_t278 = _t278 - 0x10;
						_t232 = _v156 + 1;
						_v180 = _t196;
						_v144 = _v176 + 0x28;
						_v148 = _t232;
						if(_t232 == _v52) {
							goto L11;
						}
					}
				}
				L11:
				 *_t278 = _v68;
				_v124 = _v68 +  *((intOrPtr*)(_v48 + 0x10));
				_t160 = DisableThreadLibraryCalls(??);
				_t279 = _t278 - 4;
				_t240 =  *_v100;
				_v152 = _t160;
				_v112 = _t240;
				_v116 = _v68;
				if(_t240 == 0) {
					L7:
					_t251 = _v48;
					_v44 =  *((intOrPtr*)(_t251 + 0x40));
					_v40 =  *((intOrPtr*)(_t251 + 0x4c));
					_v36 =  *((intOrPtr*)(_t251 + 0x20));
					_v32 =  *((intOrPtr*)(_t251 + 0x54));
					_v28 =  *((intOrPtr*)(_t251 + 0x58));
					_v24 = _v124;
					 *_t279 = _t251;
					_v196 = 0;
					_v192 = 0x74;
					_v128 =  *((intOrPtr*)(_v116 + 0x28));
					_v132 = 0;
					_v136 = 0x74;
					_v140 =  &_v44;
					E00D81E7B();
					if(_v128 != 0) {
						_t278 =  *((intOrPtr*)( &_v44 + 0x10));
						goto __eax;
					}
					return 1;
				} else {
					_v116 = _v68 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
					goto L7;
				}
			}

0x00d823e0
0x00d823ee
0x00d823f5
0x00d823f7
0x00d82401
0x00d82408
0x00d82412
0x00d82418
0x00d82421
0x00d8242a
0x00d8242d
0x00d82431
0x00d82439
0x00d8243d
0x00d82440
0x00d82443
0x00d82446
0x00d82449
0x00d82463
0x00d82469
0x00d8246c
0x00d82474
0x00d82478
0x00d8247b
0x00d8247e
0x00d82481
0x00d82484
0x00d824a0
0x00d824bd
0x00d824e2
0x00d824e4
0x00d824ed
0x00d824f0
0x00d824fa
0x00d824fd
0x00d82500
0x00d82503
0x00d82506
0x00d8255a
0x00d8255a
0x00d82566
0x00d82569
0x00d825ed
0x00d825f3
0x00d8265e
0x00d82664
0x00d82679
0x00d8267f
0x00d82682
0x00d8268b
0x00d8269a
0x00d826ac
0x00d826dd
0x00d826e0
0x00d826e4
0x00d826e8
0x00d826ef
0x00d826f5
0x00d826f7
0x00d82700
0x00d82711
0x00d82717
0x00d8271d
0x00d82723
0x00000000
0x00000000
0x00d82729
0x00d8265e
0x00d8261a
0x00d82628
0x00d82630
0x00d82633
0x00d82635
0x00d8263b
0x00d82647
0x00d8264d
0x00d82650
0x00d82653
0x00d82571
0x00d82581
0x00d82587
0x00d8258d
0x00d82593
0x00d82599
0x00d8259f
0x00d825a5
0x00d825a8
0x00d825ab
0x00d825b3
0x00d825bb
0x00d825be
0x00d825c1
0x00d825c7
0x00d825cd
0x00d825d8
0x00d82532
0x00d82538
0x00d82538
0x00d82614
0x00d82659
0x00d8251f
0x00000000
0x00d8251f

APIs

VirtualProtect.KERNELBASE ref: 00D82449
VirtualProtect.KERNELBASE ref: 00D824E2
VirtualProtect.KERNELBASE ref: 00D826F5

Strings

t, xrefs: 00D825B3

Memory Dump Source

Source File: 00000002.00000002.292515587.0000000000D80000.00000040.00000001.sdmp, Offset: 00D80000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: t
API String ID: 544645111-2238339752
Opcode ID: ddb2cb642431f5e858f7c1c956981e4aabe898299c0a241d24652d928e517527
Instruction ID: 118b41ffe10ec240402b6d8c072e4304712c502327fc2dbdbe82055ff218d700
Opcode Fuzzy Hash: ddb2cb642431f5e858f7c1c956981e4aabe898299c0a241d24652d928e517527
Instruction Fuzzy Hash: 1FB19CB4D04218CFDB14DF68C980AADBBF1FF48304F1585AAE949AB351D731A985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D82101, Relevance: 1.4, APIs: 1, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00D82172

Memory Dump Source

Source File: 00000002.00000002.292515587.0000000000D80000.00000040.00000001.sdmp, Offset: 00D80000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 033d263155ffc3d0b6236b8629689c658cf4e2d9a96ebed7f8aabdbc96411034
Instruction ID: ff35384085efff52a7171041ad174f16b26f2466e360c5412f987f28b4b49736
Opcode Fuzzy Hash: 033d263155ffc3d0b6236b8629689c658cf4e2d9a96ebed7f8aabdbc96411034
Instruction Fuzzy Hash: 5A41E2B5D012199FDB08DFA8D894AAEBBF1FF48314F14852DE948AB340D335A845CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 10006D50, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10006D50() {

				 *0x1001d280 = GetUserNameW;
				 *0x1001D284 = MessageBoxW;
				 *0x1001D288 = GetLastError;
				 *0x1001D28C = CreateFileA;
				 *0x1001D290 = DebugBreak;
				 *0x1001D294 = FlushFileBuffers;
				 *0x1001D298 = FreeEnvironmentStringsA;
				 *0x1001D29C = GetConsoleOutputCP;
				 *0x1001D2A0 = GetEnvironmentStrings;
				 *0x1001D2A4 = GetLocaleInfoA;
				 *0x1001D2A8 = GetStartupInfoA;
				 *0x1001D2AC = GetStringTypeA;
				 *0x1001D2B0 = HeapValidate;
				 *0x1001D2B4 = IsBadReadPtr;
				 *0x1001D2B8 = LCMapStringA;
				 *0x1001D2BC = LoadLibraryA;
				 *0x1001D2C0 = OutputDebugStringA;
				return 0x1001d280;
			}

0x10006d61
0x10006d69
0x10006d6c
0x10006d7b
0x10006d7e
0x10006d8d
0x10006d90
0x10006d9f
0x10006da2
0x10006db1
0x10006db4
0x10006dc3
0x10006dc6
0x10006dd5
0x10006dd8
0x10006de7
0x10006dea
0x10006ded

Memory Dump Source

Source File: 00000002.00000002.293111007.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.293106131.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.293136611.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.293149260.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.293157390.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80f6e1a276fef8b33378afc9592b3d211071bdeb012eb600a46219d4b0432dd1
Instruction ID: 9a9f90be372116ce35b3bf57ca6adafecb814b37ff7dc50591bd4b03753dcc6b
Opcode Fuzzy Hash: 80f6e1a276fef8b33378afc9592b3d211071bdeb012eb600a46219d4b0432dd1
Instruction Fuzzy Hash: 99110FB8A05620CFD34ACF09D5D49117BF2BB8E360312C19AD8098B376D734D985CF54

Uniqueness

Uniqueness Score: -1.00%

Function 1000C218, Relevance: 5.1, Strings: 4, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E1000C218(void* __ecx, void* __edx) {
				char _v28;
				char _v33;
				char _v38;
				char _v43;
				void* _t24;
				char* _t25;
				char _t32;
				void* _t33;
				void* _t34;
				signed int _t38;
				char* _t40;

				_t40 = (_t38 & 0xfffffff0) - 0x2c;
				asm("movq xmm0, [edx]");
				_t32 = 0;
				 *_t40 = 0x7b;
				asm("movq [esp+0x1], xmm0");
				_v43 = 0x2d;
				do {
					 *((char*)(_t40 + _t32 + 0xa)) =  *((intOrPtr*)(_t32 + __edx + 8));
					_t32 = _t32 + 1;
				} while (_t32 < 4);
				_v38 = 0x2d;
				_t33 = 0;
				do {
					 *((char*)(_t40 + _t33 + 0xf)) =  *((intOrPtr*)(_t33 + __edx + 0xc));
					_t33 = _t33 + 1;
				} while (_t33 < 4);
				_v33 = 0x2d;
				_t34 = 0;
				do {
					 *((char*)(_t40 + _t34 + 0x14)) =  *((intOrPtr*)(_t34 + __edx + 0x10));
					_t34 = _t34 + 1;
				} while (_t34 < 4);
				_v28 = 0x2d;
				_t24 = 0;
				do {
					asm("movd xmm0, dword [eax+edx+0x14]");
					asm("movd [esp+eax+0x19], xmm0");
					_t24 = _t24 + 4;
				} while (_t24 < 0xc);
				_t25 = _t40;
				 *((char*)(_t25 + 0x25)) = 0x7d;
				 *((char*)(_t25 + 0x26)) = 0;
				E1000DFBC(__ecx, _t25, 0);
				return __ecx;
			}

0x1000c21f
0x1000c224
0x1000c228
0x1000c22a
0x1000c22e
0x1000c234
0x1000c239
0x1000c23d
0x1000c241
0x1000c242
0x1000c249
0x1000c24e
0x1000c250
0x1000c254
0x1000c258
0x1000c259
0x1000c260
0x1000c265
0x1000c267
0x1000c26b
0x1000c26f
0x1000c270
0x1000c275
0x1000c27a
0x1000c27c
0x1000c27c
0x1000c282
0x1000c288
0x1000c28b
0x1000c292
0x1000c295
0x1000c29b
0x1000c2a0
0x1000c2ae

Strings

-, xrefs: 1000C249
-, xrefs: 1000C234
-, xrefs: 1000C275
-, xrefs: 1000C260

Memory Dump Source

Source File: 00000002.00000002.293111007.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.293106131.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.293136611.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.293149260.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.293157390.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: -$-$-$-
API String ID: 0-1033403326
Opcode ID: 1d36367edc1a87d387ea343f4f2a29612f5303ddecac01934eed59726700fcc9
Instruction ID: 6420cdf91b2b9fc5655fa5f82b4c53aa5eb92ddd4154ae73ebf41adf494228f8
Opcode Fuzzy Hash: 1d36367edc1a87d387ea343f4f2a29612f5303ddecac01934eed59726700fcc9
Instruction Fuzzy Hash: C811252091C3C04CE749DB7C548462BFFD08F9A208F1886BEE4DA86B53E525D49683B7

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 2a71d07d_by_Libranalysis

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: loaddll32.exe PID: 4168 Parent PID: 5600

Function 00D823D4, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 224
memoryCOMMON

Function 10006D50, Relevance: .0, Instructions: 36
COMMON

Function 1000C218, Relevance: 5.1, Strings: 4, Instructions: 53
COMMON