Play interactive tour

Edit tour

Analysis Report 2fba2168_by_Libranalysis

Overview

General Information

Sample Name:	2fba2168_by_Libranalysis (renamed file extension from none to dll)
Analysis ID:	413065
MD5:	2fba21684f9cee9e69c81f516fa6f564
SHA1:	c4d402963878c169a6149d7d8f43f85ac7c0c12d
SHA256:	f6521a28e0d4f21ec9d6a59f787d5e6251c2c2146b3141ede44820d3614a5779
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Dridex unpacked file

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to query locales information (e.g. system language)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

loaddll32.exe (PID: 6164 cmdline: loaddll32.exe 'C:\Users\user\Desktop\2fba2168_by_Libranalysis.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 6172 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2fba2168_by_Libranalysis.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6184 cmdline: rundll32.exe 'C:\Users\user\Desktop\2fba2168_by_Libranalysis.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 7096 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6184 -s 764 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22201, "C2 list": ["43.229.206.212:443", "82.209.17.209:8172", "162.241.209.225:4125"], "RC4 keys": ["16dkGStOzdHgjuCciXGdSX7UrHWfYSUG8wEUtKNgzHrWMfTGafJbC", "39t3NdDhurvpltFNCpvA5goSylkxjIBtIwWPTv1DPbNEcuIekQC7O"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.306535551.0000000010001000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.rundll32.exe.10000000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 2.2.rundll32.exe.10000000.3.unpack

Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["43.229.206.212:443", "82.209.17.209:8172", "162.241.209.225:4125"], "RC4 keys": ["16dkGStOzdHgjuCciXGdSX7UrHWfYSUG8wEUtKNgzHrWMfTGafJbC", "39t3NdDhurvpltFNCpvA5goSylkxjIBtIwWPTv1DPbNEcuIekQC7O"]}

Machine Learning detection for sample

Show sources

Source: 2fba2168_by_Libranalysis.dll

Joe Sandbox ML: detected

Source: 2fba2168_by_Libranalysis.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: 2fba2168_by_Libranalysis.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: fpmvppp.pdb source: loaddll32.exe, 00000000.00000002.225498866.0000000010025000.00000002.00020000.sdmp, 2fba2168_by_Libranalysis.dll

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 43.229.206.212:443
Source: Malware configuration extractor	IPs: 82.209.17.209:8172
Source: Malware configuration extractor	IPs: 162.241.209.225:4125

Source: Joe Sandbox View	IP Address: 82.209.17.209 82.209.17.209
Source: Joe Sandbox View	IP Address: 162.241.209.225 162.241.209.225

Source: Joe Sandbox View	ASN Name: PODA-ASCZ PODA-ASCZ
Source: Joe Sandbox View	ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 00000002.00000002.306535551.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100220F0	0_2_100220F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10011460	2_2_10011460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1000846C	2_2_1000846C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10001494	2_2_10001494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1000A52C	2_2_1000A52C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10011D58	2_2_10011D58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10019348	2_2_10019348
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10010754	2_2_10010754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_100090CC	2_2_100090CC

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6184 -s 764

Source: 2fba2168_by_Libranalysis.dll

Binary or memory string: OriginalFilenamex2otfb.dllN vs 2fba2168_by_Libranalysis.dll

Source: 2fba2168_by_Libranalysis.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: 2fba2168_by_Libranalysis.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal64.troj.winDLL@6/4@0/3

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6184

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER98A2.tmp

Jump to behavior

Source: 2fba2168_by_Libranalysis.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2fba2168_by_Libranalysis.dll',#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\2fba2168_by_Libranalysis.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2fba2168_by_Libranalysis.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2fba2168_by_Libranalysis.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6184 -s 764
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2fba2168_by_Libranalysis.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2fba2168_by_Libranalysis.dll',#1	Jump to behavior

Source: 2fba2168_by_Libranalysis.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: 2fba2168_by_Libranalysis.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: fpmvppp.pdb source: loaddll32.exe, 00000000.00000002.225498866.0000000010025000.00000002.00020000.sdmp, 2fba2168_by_Libranalysis.dll

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10006207 push ebx; ret	0_2_10006208
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10004E0F push 822377FAh; iretd	0_2_10004E14
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10005813 push eax; ret	0_2_1000590D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10006830 push 82235DBAh; iretd	0_2_10006855
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000585A push eax; ret	0_2_1000590D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10005A7B push cs; iretd	0_2_10005B7E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10006A80 push ebx; iretd	0_2_10006A85
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000388E push 8223930Ah; iretd	0_2_10003893
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100048AF push 8223A1AEh; iretd	0_2_100048B4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100066D0 push 8223737Ah; iretd	0_2_100066D5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100054EF push 822385B2h; iretd	0_2_100054F4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000530F push 82230D7Eh; iretd	0_2_10005314
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002D4A push 0E950FD0h; iretd	0_2_10002D7C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000574F push 82238352h; iretd	0_2_10005754
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100037A2 push cs; retf	0_2_100037DC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100039C3 push edi; retf	0_2_100039C4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10005FD6 push 0E950020h; retf	0_2_10005FDE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002DF3 push cs; iretd	0_2_10002E7C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100037F5 push cs; retf	0_2_100037DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1000F6CC push esi; mov dword ptr [esp], 00000000h	2_2_1000F6CD

Source: initial sample

Static PE information: section name: .text entropy: 7.53078515147

Source: C:\Windows\SysWOW64\WerFault.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_10006D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

2_2_10006D50

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2fba2168_by_Libranalysis.dll',#1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

2_2_10006D50

Source: C:\Windows\SysWOW64\rundll32.exe

2_2_10006D50

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection11	Virtualization/Sandbox Evasion1	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection11	LSASS Memory	Security Software Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	Account Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing2	LSA Secrets	System Owner/User Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery11	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
2fba2168_by_Libranalysis.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
2.2.rundll32.exe.2fc0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
82.209.17.209	unknown	Czech Republic	30764	PODA-ASCZ	true
162.241.209.225	unknown	United States	46606	UNIFIEDLAYER-AS-1US	true
43.229.206.212	unknown	Indonesia	24532	INET-AS-IDPTInetGlobalIndoID	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	413065
Start date:	13.05.2021
Start time:	07:25:07
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	2fba2168_by_Libranalysis (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal64.troj.winDLL@6/4@0/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 57% (good quality ratio 49.4%) Quality average: 67.4% Quality standard deviation: 35.6%
HCA Information:	Successful, ratio: 100% Number of executed functions: 2 Number of non-executed functions: 3
Cookbook Comments:	Adjust boot time Enable AMSI

Simulations

Behavior and APIs

Time	Type	Description
07:26:43	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
82.209.17.209	2a71d07d_by_Libranalysis.dll	Get hash	malicious	Browse
	7587f225_by_Libranalysis.dll	Get hash	malicious	Browse
	e3429d75_by_Libranalysis.dll	Get hash	malicious	Browse
	8b521700_by_Libranalysis.dll	Get hash	malicious	Browse
	94a4d66c_by_Libranalysis.dll	Get hash	malicious	Browse
	a194019c_by_Libranalysis.dll	Get hash	malicious	Browse
	4bfaad72_by_Libranalysis.dll	Get hash	malicious	Browse
	0f72be74_by_Libranalysis.dll	Get hash	malicious	Browse
	cdc733ac_by_Libranalysis.dll	Get hash	malicious	Browse
	2a71d07d_by_Libranalysis.dll	Get hash	malicious	Browse
	86fa0c16_by_Libranalysis.dll	Get hash	malicious	Browse
	fe1d4238_by_Libranalysis.dll	Get hash	malicious	Browse
	13f88d67_by_Libranalysis.dll	Get hash	malicious	Browse
	4bfaad72_by_Libranalysis.dll	Get hash	malicious	Browse
	a194019c_by_Libranalysis.dll	Get hash	malicious	Browse
	cdc733ac_by_Libranalysis.dll	Get hash	malicious	Browse
	4e021da2_by_Libranalysis.dll	Get hash	malicious	Browse
	27c06d28_by_Libranalysis.dll	Get hash	malicious	Browse
	86fa0c16_by_Libranalysis.dll	Get hash	malicious	Browse
	6bea48e8_by_Libranalysis.dll	Get hash	malicious	Browse
162.241.209.225	2a71d07d_by_Libranalysis.dll	Get hash	malicious	Browse
	7587f225_by_Libranalysis.dll	Get hash	malicious	Browse
	e3429d75_by_Libranalysis.dll	Get hash	malicious	Browse
	8b521700_by_Libranalysis.dll	Get hash	malicious	Browse
	94a4d66c_by_Libranalysis.dll	Get hash	malicious	Browse
	a194019c_by_Libranalysis.dll	Get hash	malicious	Browse
	4bfaad72_by_Libranalysis.dll	Get hash	malicious	Browse
	0f72be74_by_Libranalysis.dll	Get hash	malicious	Browse
	cdc733ac_by_Libranalysis.dll	Get hash	malicious	Browse
	2a71d07d_by_Libranalysis.dll	Get hash	malicious	Browse
	86fa0c16_by_Libranalysis.dll	Get hash	malicious	Browse
	fe1d4238_by_Libranalysis.dll	Get hash	malicious	Browse
	13f88d67_by_Libranalysis.dll	Get hash	malicious	Browse
	4bfaad72_by_Libranalysis.dll	Get hash	malicious	Browse
	a194019c_by_Libranalysis.dll	Get hash	malicious	Browse
	cdc733ac_by_Libranalysis.dll	Get hash	malicious	Browse
	4e021da2_by_Libranalysis.dll	Get hash	malicious	Browse
	27c06d28_by_Libranalysis.dll	Get hash	malicious	Browse
	86fa0c16_by_Libranalysis.dll	Get hash	malicious	Browse
	6bea48e8_by_Libranalysis.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
PODA-ASCZ	2a71d07d_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	7587f225_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	e3429d75_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	8b521700_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	94a4d66c_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	a194019c_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	4bfaad72_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	0f72be74_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	cdc733ac_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	2a71d07d_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	86fa0c16_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	fe1d4238_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	13f88d67_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	4bfaad72_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	a194019c_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	cdc733ac_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	4e021da2_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	27c06d28_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	86fa0c16_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
	6bea48e8_by_Libranalysis.dll	Get hash	malicious	Browse	82.209.17.209
UNIFIEDLAYER-AS-1US	2a71d07d_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	7587f225_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	e3429d75_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	8b521700_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	94a4d66c_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	a194019c_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	4bfaad72_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	0f72be74_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	cdc733ac_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	2a71d07d_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	86fa0c16_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	fe1d4238_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	13f88d67_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	4bfaad72_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	a194019c_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	cdc733ac_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	4e021da2_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	27c06d28_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	86fa0c16_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225
	6bea48e8_by_Libranalysis.dll	Get hash	malicious	Browse	162.241.209.225

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_3b68747a563f6dc075ce1d8715b428671c2ff110_82810a17_1b84ae1e\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	12482
Entropy (8bit):	3.769615985795733
Encrypted:	false
SSDEEP:	192:V7Mi50oXGcHBUZMX4jed+9e/u7sBS274ItWcT:pMi3XNBUZMX4jeZ/u7sBX4ItWcT
MD5:	9B422A34910A219640827DEF01019321
SHA1:	7A36C8E4D37615394B61A84B5440D846F7394A95
SHA-256:	344790D50C49A71113C4B6032CFB5F04BA557DB30DA78F1DAE5D827B76E40B26
SHA-512:	1C7B996A921C279979D1030A7FB050084FD566F93987B4D61BC6FAC4DF2F63F6ABA8B3E465064F084DA353DD933B8EB70187074517735D553CC6A2877BF56D79
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.5.3.8.9.5.9.8.1.2.5.0.9.6.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.5.3.8.9.6.0.1.5.1.9.5.1.3.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.b.5.0.9.5.2.6.-.a.e.d.5.-.4.2.1.a.-.b.1.1.8.-.e.c.1.3.9.7.6.7.b.4.0.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.5.d.6.9.c.b.4.-.1.8.3.0.-.4.7.4.7.-.8.4.6.4.-.3.1.8.8.6.7.3.3.8.3.a.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.2.8.-.0.0.0.1.-.0.0.1.7.-.6.e.6.9.-.f.8.e.8.0.3.4.8.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER98A2.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu May 13 14:26:40 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	46614
Entropy (8bit):	2.1470377300300734
Encrypted:	false
SSDEEP:	192:7ydRCtOb8CCU3kkJoTFgfCZeBDdH6+J1ra0Obv9ewwn+8W:udIKT37JoTFq+gH6+nG0ObUFa
MD5:	8763408D817EAD0814E9311F2101099B
SHA1:	A0289925D808A067A0EBA7FA4A3BB6CC75166748
SHA-256:	50BC0172E643A896F0CEC48AA9F223B3FF47682B3E50CC8652415D869C0F613E
SHA-512:	D038D38374E319A415287F0F0C2EA70DF71B3AC7A069CCA70D336FB4A4CFE0601C8AC7FDA2D94FC4C16E9480C61DBA481AE99EFAFA14C1BF4839ABF7579AC81A
Malicious:	false
Reputation:	low
Preview:	MDMP....... ....... 7.`...................U...........B..............GenuineIntelW...........T.......(....6.`.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA19C.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8292
Entropy (8bit):	3.694301511766365
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNieC6+6Yhs6cgmfTYVSCCprZ89bYaOOksfZIm:RrlsNiz6+6Ya6cgmfT4SMYaXfD
MD5:	1CC39FBC80377E4F7959D4ACDEE173B5
SHA1:	BBA81B3E8395EB5602713CC251BF4BE8AEC6A028
SHA-256:	469B8F6637CF9894359784C035F30ECBE195FC22EBC37E7BA6E7112544267E87
SHA-512:	C250D23BB3C4CD756E40F4F3D6B6CA96A34F066319945996ED0FE704D94EB80C40DD303FDA03B7F39BA462F257163D4588F92EFEB6409B0068CD6F00185112D4
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.8.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA556.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4663
Entropy (8bit):	4.4746475795150475
Encrypted:	false
SSDEEP:	48:cvIwSD8zssJgtWI9GAWSC8BUe8fm8M4JCds+NrFe+q8/HNFv4SrSLd:uITfqV5SNmbJsNM8N9DWLd
MD5:	6BE5FF421C5789944F82D24DA2BF773F
SHA1:	2F0435BD996A4B6B32737708F087245158ACABD4
SHA-256:	37DBF3F0402A95B01129C4DCC267594D022B3D7260C564CBE8E5AF44B22F9F83
SHA-512:	FA42F3B6C50ADEAC1E6DD02224B186D989422763E6B530989CDD66512F0BE5FAE7F9C4FC96F07242CCB69C56829F5C1CF5BE5BFE5B50D925C2EAD950D3FE5E0B
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="987817" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.513878329899262
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	2fba2168_by_Libranalysis.dll
File size:	167424
MD5:	2fba21684f9cee9e69c81f516fa6f564
SHA1:	c4d402963878c169a6149d7d8f43f85ac7c0c12d
SHA256:	f6521a28e0d4f21ec9d6a59f787d5e6251c2c2146b3141ede44820d3614a5779
SHA512:	dd24bf8760d69ad5f942d1fc84ecd083ac09778783ecacf656b5e210746a63bb4f77ce7a68a48910a9bb82e1f5feb42e4dcabdee823d518142a417e97a1f42ed
SSDEEP:	3072:29F/oNrQb4xVubbXP/NTccbsFvCeLmXH57V30e8Pj:29F6rQXvFczvYpQP
File Content Preview:	MZ......................@...................................\...........!..L.!This program cannot be run in DOS mode....$.......Xm.o...<...<...<.U!<...<..B<r..<...<...<rQ!<...<;..<...<;..<3..<au.<...<szt<"..<Rich...<.......................................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10024cc0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x609C8025 [Thu May 13 01:25:57 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	88962f6760ea005847fb88b87e8ce1fd

Entrypoint Preview

Instruction
mov eax, 00000000h
cmpss xmm1, xmm2, 03h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
cmpss xmm1, xmm2, 03h
cmp eax, 02h
mov eax, ebp
mov dword ptr [10029734h], eax
mov eax, ebx
mov dword ptr [10029730h], eax
mov eax, esi
mov dword ptr [10029728h], eax
jne 00007F0F5C9FA486h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h

Rich Headers

Programming Language:

[RES] VS2015 build 23026
[IMP] VS2013 UPD4 build 31101
[ C ] VS2010 build 30319
[RES] VS2015 UPD2 build 23918
[C++] VS2005 build 50727
[IMP] VS2010 SP1 build 40219
[RES] VS2012 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2770a	0x5b	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x277d8	0x59	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x3a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2d000	0x1220
IMAGE_DIRECTORY_ENTRY_DEBUG	0x10018	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x25000	0x4c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x23dfe	0x23e00	False	0.756362968206	data	7.53078515147	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x25000	0x2a04	0x2c00	False	0.753728693182	data	7.42331753213	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.crt	0x28000	0x331c	0x1800	False	0.79052734375	MMDF mailbox	7.46423038313	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x2c000	0x3a0	0x400	False	0.4248046875	data	3.06187161643	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2d000	0x26c	0x400	False	0.548828125	data	4.2946697642	IMAGE_SCN_TYPE_NOLOAD, IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x2c060	0x33c	data

Imports

DLL	Import
KERNEL32.dll	GetProfileSectionW, CloseHandle, OpenSemaphoreW, LoadLibraryW, OutputDebugStringA, CreateFileW, GetProfileSectionA
USER32.dll	TranslateMessage
CLUSAPI.dll	ClusterEnum
ADVAPI32.dll	RegOverridePredefKey
RASAPI32.dll	RasGetConnectionStatistics
ole32.dll	CreatePointerMoniker, CreateStreamOnHGlobal

Version Infos

Description	Data
LegalCopyright	Copyright 2018
InternalName	x2otfb
FileVersion	7.2.5422.00
Full Version	7.2.5_000-b00
CompanyName	Oracle Corporation
ProductName	Xhot(BM) Ltloehey YO 8
ProductVersion	7.2.5422.00
FileDescription	Java(TM) Platform SE binary
OriginalFilename	x2otfb.dll
Translation	0x0000 0x04b0

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 13, 2021 07:25:57.938117981 CEST	53	50620	8.8.8.8	192.168.2.3
May 13, 2021 07:25:58.090055943 CEST	64938	53	192.168.2.3	8.8.8.8
May 13, 2021 07:25:58.165978909 CEST	53	64938	8.8.8.8	192.168.2.3
May 13, 2021 07:25:58.673769951 CEST	60152	53	192.168.2.3	8.8.8.8
May 13, 2021 07:25:58.725931883 CEST	53	60152	8.8.8.8	192.168.2.3
May 13, 2021 07:25:59.507867098 CEST	57544	53	192.168.2.3	8.8.8.8
May 13, 2021 07:25:59.561276913 CEST	53	57544	8.8.8.8	192.168.2.3
May 13, 2021 07:26:00.668514013 CEST	55984	53	192.168.2.3	8.8.8.8
May 13, 2021 07:26:00.730794907 CEST	53	55984	8.8.8.8	192.168.2.3
May 13, 2021 07:26:00.863681078 CEST	64185	53	192.168.2.3	8.8.8.8
May 13, 2021 07:26:00.912404060 CEST	53	64185	8.8.8.8	192.168.2.3
May 13, 2021 07:26:01.683482885 CEST	65110	53	192.168.2.3	8.8.8.8
May 13, 2021 07:26:01.732305050 CEST	53	65110	8.8.8.8	192.168.2.3
May 13, 2021 07:26:02.882029057 CEST	58361	53	192.168.2.3	8.8.8.8
May 13, 2021 07:26:02.933504105 CEST	53	58361	8.8.8.8	192.168.2.3
May 13, 2021 07:26:03.838167906 CEST	63492	53	192.168.2.3	8.8.8.8
May 13, 2021 07:26:03.889414072 CEST	53	63492	8.8.8.8	192.168.2.3
May 13, 2021 07:26:04.731040001 CEST	60831	53	192.168.2.3	8.8.8.8
May 13, 2021 07:26:04.782543898 CEST	53	60831	8.8.8.8	192.168.2.3
May 13, 2021 07:26:05.532747984 CEST	60100	53	192.168.2.3	8.8.8.8
May 13, 2021 07:26:05.581553936 CEST	53	60100	8.8.8.8	192.168.2.3
May 13, 2021 07:26:07.667964935 CEST	53195	53	192.168.2.3	8.8.8.8
May 13, 2021 07:26:07.719585896 CEST	53	53195	8.8.8.8	192.168.2.3
May 13, 2021 07:26:08.513835907 CEST	50141	53	192.168.2.3	8.8.8.8
May 13, 2021 07:26:08.562529087 CEST	53	50141	8.8.8.8	192.168.2.3
May 13, 2021 07:26:09.388216019 CEST	53023	53	192.168.2.3	8.8.8.8
May 13, 2021 07:26:09.439402103 CEST	53	53023	8.8.8.8	192.168.2.3
May 13, 2021 07:26:10.672744989 CEST	49563	53	192.168.2.3	8.8.8.8
May 13, 2021 07:26:10.721647024 CEST	53	49563	8.8.8.8	192.168.2.3
May 13, 2021 07:26:11.529457092 CEST	51352	53	192.168.2.3	8.8.8.8
May 13, 2021 07:26:11.578620911 CEST	53	51352	8.8.8.8	192.168.2.3
May 13, 2021 07:26:13.231054068 CEST	59349	53	192.168.2.3	8.8.8.8
May 13, 2021 07:26:13.281929970 CEST	53	59349	8.8.8.8	192.168.2.3
May 13, 2021 07:26:14.088349104 CEST	57084	53	192.168.2.3	8.8.8.8
May 13, 2021 07:26:14.136991978 CEST	53	57084	8.8.8.8	192.168.2.3
May 13, 2021 07:26:15.292376995 CEST	58823	53	192.168.2.3	8.8.8.8
May 13, 2021 07:26:15.342806101 CEST	53	58823	8.8.8.8	192.168.2.3
May 13, 2021 07:26:17.155204058 CEST	57568	53	192.168.2.3	8.8.8.8
May 13, 2021 07:26:17.204781055 CEST	53	57568	8.8.8.8	192.168.2.3
May 13, 2021 07:26:25.807163000 CEST	50540	53	192.168.2.3	8.8.8.8
May 13, 2021 07:26:25.868737936 CEST	53	50540	8.8.8.8	192.168.2.3
May 13, 2021 07:26:42.161396980 CEST	54366	53	192.168.2.3	8.8.8.8
May 13, 2021 07:26:42.218687057 CEST	53	54366	8.8.8.8	192.168.2.3
May 13, 2021 07:26:44.985694885 CEST	53034	53	192.168.2.3	8.8.8.8
May 13, 2021 07:26:45.043519020 CEST	53	53034	8.8.8.8	192.168.2.3
May 13, 2021 07:26:53.891522884 CEST	57762	53	192.168.2.3	8.8.8.8
May 13, 2021 07:26:53.950203896 CEST	53	57762	8.8.8.8	192.168.2.3
May 13, 2021 07:27:03.092555046 CEST	55435	53	192.168.2.3	8.8.8.8
May 13, 2021 07:27:03.151369095 CEST	53	55435	8.8.8.8	192.168.2.3
May 13, 2021 07:27:30.477190018 CEST	50713	53	192.168.2.3	8.8.8.8
May 13, 2021 07:27:30.536890030 CEST	53	50713	8.8.8.8	192.168.2.3
May 13, 2021 07:27:35.632688999 CEST	56132	53	192.168.2.3	8.8.8.8
May 13, 2021 07:27:35.689703941 CEST	53	56132	8.8.8.8	192.168.2.3
May 13, 2021 07:27:54.975250006 CEST	58987	53	192.168.2.3	8.8.8.8
May 13, 2021 07:27:55.026815891 CEST	53	58987	8.8.8.8	192.168.2.3
May 13, 2021 07:27:55.660052061 CEST	56579	53	192.168.2.3	8.8.8.8
May 13, 2021 07:27:55.717127085 CEST	53	56579	8.8.8.8	192.168.2.3
May 13, 2021 07:27:56.314263105 CEST	60633	53	192.168.2.3	8.8.8.8
May 13, 2021 07:27:56.371546984 CEST	53	60633	8.8.8.8	192.168.2.3
May 13, 2021 07:27:56.577215910 CEST	61292	53	192.168.2.3	8.8.8.8
May 13, 2021 07:27:56.634275913 CEST	53	61292	8.8.8.8	192.168.2.3
May 13, 2021 07:27:57.012459040 CEST	63619	53	192.168.2.3	8.8.8.8
May 13, 2021 07:27:57.061223030 CEST	53	63619	8.8.8.8	192.168.2.3
May 13, 2021 07:27:57.612756014 CEST	64938	53	192.168.2.3	8.8.8.8
May 13, 2021 07:27:57.664381027 CEST	53	64938	8.8.8.8	192.168.2.3
May 13, 2021 07:27:58.254887104 CEST	61946	53	192.168.2.3	8.8.8.8
May 13, 2021 07:27:58.303589106 CEST	53	61946	8.8.8.8	192.168.2.3
May 13, 2021 07:27:58.821774960 CEST	64910	53	192.168.2.3	8.8.8.8
May 13, 2021 07:27:58.883989096 CEST	53	64910	8.8.8.8	192.168.2.3
May 13, 2021 07:28:00.129184008 CEST	52123	53	192.168.2.3	8.8.8.8
May 13, 2021 07:28:00.177917004 CEST	53	52123	8.8.8.8	192.168.2.3
May 13, 2021 07:28:01.266190052 CEST	56130	53	192.168.2.3	8.8.8.8
May 13, 2021 07:28:01.314861059 CEST	53	56130	8.8.8.8	192.168.2.3
May 13, 2021 07:28:01.835982084 CEST	56338	53	192.168.2.3	8.8.8.8
May 13, 2021 07:28:01.885653973 CEST	53	56338	8.8.8.8	192.168.2.3

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6164 Parent PID: 5656

General

Start time:	07:26:05
Start date:	13/05/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\2fba2168_by_Libranalysis.dll'
Imagebase:	0x13d0000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6172 Parent PID: 6164

General

Start time:	07:26:05
Start date:	13/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2fba2168_by_Libranalysis.dll',#1
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6184 Parent PID: 6172

General

Start time:	07:26:06
Start date:	13/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\2fba2168_by_Libranalysis.dll',#1
Imagebase:	0x180000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000002.00000002.306535551.0000000010001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 7096 Parent PID: 6184

General

Start time:	07:26:36
Start date:	13/05/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6184 -s 764
Imagebase:	0xf10000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 6164 Parent PID: 5656 loaddll32.exeCOMMON

Executed Functions

Non-executed Functions

Function 100220F0, Relevance: 11.7, Strings: 9, Instructions: 469COMMON

Download Yara Rule

Strings

o, xrefs: 10022610
l, xrefs: 10022608
l, xrefs: 10022600
i, xrefs: 1002250E
D, xrefs: 100229E4
c, xrefs: 1002262E
u, xrefs: 10022565
t, xrefs: 1002255D
a, xrefs: 1002256D

Memory Dump Source

Source File: 00000000.00000002.225492736.0000000010021000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.225470551.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225475408.0000000010001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.225498866.0000000010025000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225504343.0000000010028000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.225510977.000000001002C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: D$a$c$i$l$l$o$t$u
API String ID: 0-1871623029
Opcode ID: 39defe97fc93470a7b804fd6dc8be910f88b852905747cfc221465a6754b1396
Instruction ID: 0084815472b1379f451f328db7bdd48fedf0434f01950e1a6ab525a79fee850b
Opcode Fuzzy Hash: 39defe97fc93470a7b804fd6dc8be910f88b852905747cfc221465a6754b1396
Instruction Fuzzy Hash: 6142A774608780CFD374CF28C894BDABBE1ABD9354F54892EE48D8B391E731A845CB56

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 6184 Parent PID: 6172 rundll32.exeCOMMON

Executed Functions

Function 02FC23D4, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 224
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E02FC23D4(long __ebx, void* __edi, long __esi, intOrPtr* _a4) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				void* _v68;
				char* _v72;
				int _v76;
				long _v80;
				long _v84;
				DWORD* _v88;
				intOrPtr _v92;
				int _v96;
				intOrPtr* _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				void* _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				char* _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				unsigned int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				intOrPtr _v176;
				int _v180;
				char* _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				char _v196;
				intOrPtr* _t142;
				int _t148;
				int _t156;
				int _t160;
				unsigned int _t180;
				int _t196;
				intOrPtr _t230;
				intOrPtr _t232;
				void* _t237;
				intOrPtr _t240;
				void* _t247;
				intOrPtr _t251;
				intOrPtr _t258;
				DWORD* _t271;
				void* _t275;
				intOrPtr* _t278;
				intOrPtr* _t279;

				_t142 = _a4;
				_v20 = 0;
				_t247 =  *_t142;
				 *0x2fc4418 = 1;
				asm("movaps xmm0, [0x2fc3010]");
				asm("movups [0x2fc4428], xmm0");
				_v48 = _t142;
				_v52 =  *((intOrPtr*)(_t142 + 0x48));
				_v56 =  *((intOrPtr*)(_v48 + 0x6c));
				_v196 = _t247;
				_v192 =  *((intOrPtr*)(_v48 + 0x24));
				_v188 = 4;
				_v184 =  &_v20;
				_v60 =  *((intOrPtr*)(_t142 + 0x1c));
				_v64 = 4;
				_v68 = _t247;
				_v72 =  &_v20;
				_t148 = VirtualProtect(__edi, __esi, __ebx, _t271); // executed
				_v76 = _t148;
				_v196 = _v68;
				_v192 = 0;
				_v188 =  *((intOrPtr*)(_v48 + 0x24));
				_v80 = 0x400;
				_v84 = 2;
				_v88 =  &_v20;
				_v92 = 0;
				E02FC1E7B();
				E02FC1094(_v68,  *((intOrPtr*)(_v48 + 0x44)), _v56);
				E02FC1E7B( *((intOrPtr*)(_v48 + 0x44)), 0, _v56);
				_t156 = VirtualProtect(_v68, 0x400, 2, _v88); // executed
				_t278 = _t275 - 0x94;
				_t237 = _v68;
				_t258 =  *((intOrPtr*)(_t237 + 0x3c));
				_v96 = _t156;
				_v100 = _v68 + 0x3c;
				_v104 = _t237;
				_v108 = _t258;
				if(_t258 != 0) {
					_v104 = _v68 + (_v108 + 0x0000ffff & 0x0000ffff) + 1;
				}
				_v120 = _v104;
				if(_v52 != 0) {
					_v144 = _v120 + 0x18 + ( *(_v120 + 0x14) & 0x0000ffff);
					_v148 = 0;
					while(1) {
						_t230 = _v144;
						_v156 = _v148;
						_t180 =  *(_t230 + 0x24);
						_v160 = _t180;
						_v164 = _t180 >> 0x1e;
						_v168 = _v160 >> 0x1f;
						_v172 = _v160 >> 0x0000001d & 0x00000001;
						_v196 = _v68 +  *((intOrPtr*)(_t230 + 0xc));
						_v192 =  *((intOrPtr*)(_t230 + 8));
						_v188 =  *((intOrPtr*)(0x2fc4418 + ((_v164 & 0x00000001) << 4) + (_v168 << 3) + (_v172 << 2)));
						_v184 =  &_v20;
						_v176 = _t230;
						_t196 = VirtualProtect(??, ??, ??, ??); // executed
						_t278 = _t278 - 0x10;
						_t232 = _v156 + 1;
						_v180 = _t196;
						_v144 = _v176 + 0x28;
						_v148 = _t232;
						if(_t232 == _v52) {
							goto L11;
						}
					}
				}
				L11:
				 *_t278 = _v68;
				_v124 = _v68 +  *((intOrPtr*)(_v48 + 0x10));
				_t160 = DisableThreadLibraryCalls(??);
				_t279 = _t278 - 4;
				_t240 =  *_v100;
				_v152 = _t160;
				_v112 = _t240;
				_v116 = _v68;
				if(_t240 == 0) {
					L7:
					_t251 = _v48;
					_v44 =  *((intOrPtr*)(_t251 + 0x40));
					_v40 =  *((intOrPtr*)(_t251 + 0x4c));
					_v36 =  *((intOrPtr*)(_t251 + 0x20));
					_v32 =  *((intOrPtr*)(_t251 + 0x54));
					_v28 =  *((intOrPtr*)(_t251 + 0x58));
					_v24 = _v124;
					 *_t279 = _t251;
					_v196 = 0;
					_v192 = 0x74;
					_v128 =  *((intOrPtr*)(_v116 + 0x28));
					_v132 = 0;
					_v136 = 0x74;
					_v140 =  &_v44;
					E02FC1E7B();
					if(_v128 != 0) {
						_t278 =  *((intOrPtr*)( &_v44 + 0x10));
						goto __eax;
					}
					return 1;
				} else {
					_v116 = _v68 + (_v112 + 0x0000ffff & 0x0000ffff) + 1;
					goto L7;
				}
			}

0x02fc23e0
0x02fc23ee
0x02fc23f5
0x02fc23f7
0x02fc2401
0x02fc2408
0x02fc2412
0x02fc2418
0x02fc2421
0x02fc242a
0x02fc242d
0x02fc2431
0x02fc2439
0x02fc243d
0x02fc2440
0x02fc2443
0x02fc2446
0x02fc2449
0x02fc2463
0x02fc2469
0x02fc246c
0x02fc2474
0x02fc2478
0x02fc247b
0x02fc247e
0x02fc2481
0x02fc2484
0x02fc24a0
0x02fc24bd
0x02fc24e2
0x02fc24e4
0x02fc24ed
0x02fc24f0
0x02fc24fa
0x02fc24fd
0x02fc2500
0x02fc2503
0x02fc2506
0x02fc255a
0x02fc255a
0x02fc2566
0x02fc2569
0x02fc25ed
0x02fc25f3
0x02fc265e
0x02fc2664
0x02fc2679
0x02fc267f
0x02fc2682
0x02fc268b
0x02fc269a
0x02fc26ac
0x02fc26dd
0x02fc26e0
0x02fc26e4
0x02fc26e8
0x02fc26ef
0x02fc26f5
0x02fc26f7
0x02fc2700
0x02fc2711
0x02fc2717
0x02fc271d
0x02fc2723
0x00000000
0x00000000
0x02fc2729
0x02fc265e
0x02fc261a
0x02fc2628
0x02fc2630
0x02fc2633
0x02fc2635
0x02fc263b
0x02fc2647
0x02fc264d
0x02fc2650
0x02fc2653
0x02fc2571
0x02fc2581
0x02fc2587
0x02fc258d
0x02fc2593
0x02fc2599
0x02fc259f
0x02fc25a5
0x02fc25a8
0x02fc25ab
0x02fc25b3
0x02fc25bb
0x02fc25be
0x02fc25c1
0x02fc25c7
0x02fc25cd
0x02fc25d8
0x02fc2532
0x02fc2538
0x02fc2538
0x02fc2614
0x02fc2659
0x02fc251f
0x00000000
0x02fc251f

APIs

VirtualProtect.KERNELBASE ref: 02FC2449
VirtualProtect.KERNELBASE ref: 02FC24E2
VirtualProtect.KERNELBASE ref: 02FC26F5

Strings

t, xrefs: 02FC25B3

Memory Dump Source

Source File: 00000002.00000002.306386853.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: t
API String ID: 544645111-2238339752
Opcode ID: ffeb42fb848282f7e94418b772a7f6f163f715ab19ede71441c37ef6fa3a9c44
Instruction ID: d20fd9ea0faa324503b5e45753f63bc898dd4f1ecd0735cc7815287165a83c3c
Opcode Fuzzy Hash: ffeb42fb848282f7e94418b772a7f6f163f715ab19ede71441c37ef6fa3a9c44
Instruction Fuzzy Hash: 39B19AB5E042198FDB14CF68C990A9DBBF1FF48304F2585AAE948AB351D731A981CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02FC2101, Relevance: 1.4, APIs: 1, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 02FC2172

Memory Dump Source

Source File: 00000002.00000002.306386853.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 033d263155ffc3d0b6236b8629689c658cf4e2d9a96ebed7f8aabdbc96411034
Instruction ID: 234338a9d188449e4ea7ee17f27e33451b828d26ac32bdefddca6955736c9edc
Opcode Fuzzy Hash: 033d263155ffc3d0b6236b8629689c658cf4e2d9a96ebed7f8aabdbc96411034
Instruction Fuzzy Hash: EC41E4B5D0521A9FDB04DFA8D990AAEBBF1FF48354F14852DE948AB340D375A841CF84

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 10006D50, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10006D50() {

				 *0x1001d280 = GetUserNameW;
				 *0x1001D284 = MessageBoxW;
				 *0x1001D288 = GetLastError;
				 *0x1001D28C = CreateFileA;
				 *0x1001D290 = DebugBreak;
				 *0x1001D294 = FlushFileBuffers;
				 *0x1001D298 = FreeEnvironmentStringsA;
				 *0x1001D29C = GetConsoleOutputCP;
				 *0x1001D2A0 = GetEnvironmentStrings;
				 *0x1001D2A4 = GetLocaleInfoA;
				 *0x1001D2A8 = GetStartupInfoA;
				 *0x1001D2AC = GetStringTypeA;
				 *0x1001D2B0 = HeapValidate;
				 *0x1001D2B4 = IsBadReadPtr;
				 *0x1001D2B8 = LCMapStringA;
				 *0x1001D2BC = LoadLibraryA;
				 *0x1001D2C0 = OutputDebugStringA;
				return 0x1001d280;
			}

0x10006d61
0x10006d69
0x10006d6c
0x10006d7b
0x10006d7e
0x10006d8d
0x10006d90
0x10006d9f
0x10006da2
0x10006db1
0x10006db4
0x10006dc3
0x10006dc6
0x10006dd5
0x10006dd8
0x10006de7
0x10006dea
0x10006ded

Memory Dump Source

Source File: 00000002.00000002.306535551.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.306531837.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.306556538.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.306563191.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.306568600.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80f6e1a276fef8b33378afc9592b3d211071bdeb012eb600a46219d4b0432dd1
Instruction ID: 9a9f90be372116ce35b3bf57ca6adafecb814b37ff7dc50591bd4b03753dcc6b
Opcode Fuzzy Hash: 80f6e1a276fef8b33378afc9592b3d211071bdeb012eb600a46219d4b0432dd1
Instruction Fuzzy Hash: 99110FB8A05620CFD34ACF09D5D49117BF2BB8E360312C19AD8098B376D734D985CF54

Uniqueness

Uniqueness Score: -1.00%

Function 1000C218, Relevance: 5.1, Strings: 4, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E1000C218(void* __ecx, void* __edx) {
				char _v28;
				char _v33;
				char _v38;
				char _v43;
				void* _t24;
				char* _t25;
				char _t32;
				void* _t33;
				void* _t34;
				signed int _t38;
				char* _t40;

				_t40 = (_t38 & 0xfffffff0) - 0x2c;
				asm("movq xmm0, [edx]");
				_t32 = 0;
				 *_t40 = 0x7b;
				asm("movq [esp+0x1], xmm0");
				_v43 = 0x2d;
				do {
					 *((char*)(_t40 + _t32 + 0xa)) =  *((intOrPtr*)(_t32 + __edx + 8));
					_t32 = _t32 + 1;
				} while (_t32 < 4);
				_v38 = 0x2d;
				_t33 = 0;
				do {
					 *((char*)(_t40 + _t33 + 0xf)) =  *((intOrPtr*)(_t33 + __edx + 0xc));
					_t33 = _t33 + 1;
				} while (_t33 < 4);
				_v33 = 0x2d;
				_t34 = 0;
				do {
					 *((char*)(_t40 + _t34 + 0x14)) =  *((intOrPtr*)(_t34 + __edx + 0x10));
					_t34 = _t34 + 1;
				} while (_t34 < 4);
				_v28 = 0x2d;
				_t24 = 0;
				do {
					asm("movd xmm0, dword [eax+edx+0x14]");
					asm("movd [esp+eax+0x19], xmm0");
					_t24 = _t24 + 4;
				} while (_t24 < 0xc);
				_t25 = _t40;
				 *((char*)(_t25 + 0x25)) = 0x7d;
				 *((char*)(_t25 + 0x26)) = 0;
				E1000DFBC(__ecx, _t25, 0);
				return __ecx;
			}

0x1000c21f
0x1000c224
0x1000c228
0x1000c22a
0x1000c22e
0x1000c234
0x1000c239
0x1000c23d
0x1000c241
0x1000c242
0x1000c249
0x1000c24e
0x1000c250
0x1000c254
0x1000c258
0x1000c259
0x1000c260
0x1000c265
0x1000c267
0x1000c26b
0x1000c26f
0x1000c270
0x1000c275
0x1000c27a
0x1000c27c
0x1000c27c
0x1000c282
0x1000c288
0x1000c28b
0x1000c292
0x1000c295
0x1000c29b
0x1000c2a0
0x1000c2ae

Strings

-, xrefs: 1000C234
-, xrefs: 1000C249
-, xrefs: 1000C275
-, xrefs: 1000C260

Memory Dump Source

Source File: 00000002.00000002.306535551.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.306531837.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.306556538.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.306563191.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.306568600.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: -$-$-$-
API String ID: 0-1033403326
Opcode ID: 1d36367edc1a87d387ea343f4f2a29612f5303ddecac01934eed59726700fcc9
Instruction ID: 6420cdf91b2b9fc5655fa5f82b4c53aa5eb92ddd4154ae73ebf41adf494228f8
Opcode Fuzzy Hash: 1d36367edc1a87d387ea343f4f2a29612f5303ddecac01934eed59726700fcc9
Instruction Fuzzy Hash: C811252091C3C04CE749DB7C548462BFFD08F9A208F1886BEE4DA86B53E525D49683B7

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 2fba2168_by_Libranalysis

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: loaddll32.exe PID: 6164 Parent PID: 5656

General

Function 02FC23D4, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 224
memoryCOMMON

Function 10006D50, Relevance: .0, Instructions: 36
COMMON

Function 1000C218, Relevance: 5.1, Strings: 4, Instructions: 53
COMMON