Windows Analysis Report aFqZ2vCizZ

Overview

General Information

Sample Name: aFqZ2vCizZ (renamed file extension from none to dll)
Analysis ID: 458963
MD5: 68c5b6d1c78a20a82a6c2693a6997fea
SHA1: b93df3c60247e3ce0654a509bd9e419cb7b8cd56
SHA256: d571a65edbdecd8530716dad1e96b6ef8239066fdc52eb8a9ad075659f36831b

Detection

IcedID
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected IcedID
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Performs DNS queries to domains with low reputation
Rundll32 performs DNS lookup (likely malicious behavior)
Tries to detect virtualization through RDTSC time measurements
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
PE / OLE file has an invalid certificate
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: aFqZ2vCizZ.dll Avira: detected
Multi AV Scanner detection for domain / URL
Source: 49vodysf.club Virustotal: Detection: 6%
Source: nazamoskaotp.xyz Virustotal: Detection: 5%
Multi AV Scanner detection for submitted file
Source: aFqZ2vCizZ.dll Virustotal: Detection: 7%
Source: aFqZ2vCizZ.dll ReversingLabs: Detection: 51%
Yara detected IcedID
Source: Yara match File source: 1.3.loaddll32.exe.14a1261.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.6e140000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.3d1261.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.3d1261.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.6e140000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.421261.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.loaddll32.exe.14a1261.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.421261.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000003.356800062.0000000000420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.470777736.000000006E143000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.472279306.000000006E143000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.363239046.00000000014A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.356776329.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5748, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5396, type: MEMORYSTR

Compliance:

Uses 32bit PE files
Source: aFqZ2vCizZ.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: aFqZ2vCizZ.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\found\21\50\70\Them\43\35\40\Dad\60\cook.pdb source: loaddll32.exe, 00000001.00000002.471079471.000000006E16D000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.472688978.000000006E16D000.00000002.00020000.sdmp, aFqZ2vCizZ.dll
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1651B4 FindFirstFileExA, 1_2_6E1651B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E1651B4 FindFirstFileExA, 5_2_6E1651B4

Networking:

Performs DNS queries to domains with low reputation
Source: C:\Windows\SysWOW64\rundll32.exe DNS query: nazamoskaotp.xyz
Source: C:\Windows\SysWOW64\rundll32.exe DNS query: nazamoskaotp.xyz
Source: C:\Windows\System32\loaddll32.exe DNS query: nazamoskaotp.xyz
Source: C:\Windows\SysWOW64\rundll32.exe DNS query: nazamoskaotp.xyz
Source: C:\Windows\System32\loaddll32.exe DNS query: nazamoskaotp.xyz
Source: C:\Windows\SysWOW64\rundll32.exe DNS query: nazamoskaotp.xyz
Source: C:\Windows\System32\loaddll32.exe DNS query: nazamoskaotp.xyz
Source: C:\Windows\SysWOW64\rundll32.exe DNS query: nazamoskaotp.xyz
Source: C:\Windows\System32\loaddll32.exe DNS query: nazamoskaotp.xyz
Source: C:\Windows\SysWOW64\rundll32.exe DNS query: nazamoskaotp.xyz
Source: C:\Windows\System32\loaddll32.exe DNS query: nazamoskaotp.xyz
Source: DNS query: nazamoskaotp.xyz
Source: DNS query: nazamoskaotp.xyz
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown DNS traffic detected: query: nazamoskaotp.xyz reply code: Server failure (2)
Source: unknown DNS traffic detected: query: 49vodysf.club reply code: Server failure (2)
Source: unknown DNS traffic detected: queries for: nazamoskaotp.xyz
Source: aFqZ2vCizZ.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: aFqZ2vCizZ.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: aFqZ2vCizZ.dll String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: aFqZ2vCizZ.dll String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: aFqZ2vCizZ.dll String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: aFqZ2vCizZ.dll String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: aFqZ2vCizZ.dll String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: aFqZ2vCizZ.dll String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: aFqZ2vCizZ.dll String found in binary or memory: http://ocsp.digicert.com0A
Source: aFqZ2vCizZ.dll String found in binary or memory: http://ocsp.digicert.com0C
Source: aFqZ2vCizZ.dll String found in binary or memory: http://ocsp.sectigo.com0
Source: aFqZ2vCizZ.dll String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: loaddll32.exe, 00000001.00000002.469315984.0000000001671000.00000004.00000020.sdmp String found in binary or memory: https://49vodysf.club/
Source: loaddll32.exe, 00000001.00000003.442595897.0000000001667000.00000004.00000001.sdmp String found in binary or memory: https://49vodysf.club/Z
Source: loaddll32.exe, 00000001.00000003.374734261.0000000001667000.00000004.00000001.sdmp String found in binary or memory: https://49vodysf.club/e
Source: loaddll32.exe, 00000001.00000003.420123389.000000000167C000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000002.469357450.000000000167C000.00000004.00000020.sdmp, loaddll32.exe, 00000001.00000003.442595897.0000000001667000.00000004.00000001.sdmp String found in binary or memory: https://49vodysf.club/image/?id=0138AFCD2917C220F300FF0000000000000000
Source: loaddll32.exe, 00000001.00000003.374700540.0000000001673000.00000004.00000001.sdmp String found in binary or memory: https://49vodysf.club/image/?id=0138AFCD2917C220F300FF0000000000000000$
Source: loaddll32.exe, 00000001.00000002.469315984.0000000001671000.00000004.00000020.sdmp String found in binary or memory: https://49vodysf.club/image/?id=0138AFCD2917C220F300FF000000000000000000$
Source: loaddll32.exe, 00000001.00000003.420123389.000000000167C000.00000004.00000001.sdmp String found in binary or memory: https://49vodysf.club/image/?id=0138AFCD2917C220F300FF0000000000000000g
Source: loaddll32.exe, 00000001.00000003.442660303.000000000167C000.00000004.00000001.sdmp String found in binary or memory: https://49vodysf.club/image/?id=0138AFCD2917C220F300FF0000000000000000ze6Q
Source: loaddll32.exe, 00000001.00000003.363811459.000000000165A000.00000004.00000001.sdmp String found in binary or memory: https://nazamoskaotp.xyz/
Source: loaddll32.exe, 00000001.00000003.420123389.000000000167C000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000003.363828561.0000000001667000.00000004.00000001.sdmp String found in binary or memory: https://nazamoskaotp.xyz/image/?id=0138AFCD2917C220F300FF0000000000000000
Source: loaddll32.exe, 00000001.00000003.430907985.0000000001674000.00000004.00000001.sdmp String found in binary or memory: https://nazamoskaotp.xyz/image/?id=0138AFCD2917C220F300FF0000000000000000$
Source: loaddll32.exe, 00000001.00000003.430917491.000000000167C000.00000004.00000001.sdmp String found in binary or memory: https://nazamoskaotp.xyz/image/?id=0138AFCD2917C220F300FF0000000000000000e
Source: aFqZ2vCizZ.dll String found in binary or memory: https://sectigo.com/CPS0
Source: aFqZ2vCizZ.dll String found in binary or memory: https://www.digicert.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000001.00000002.469054338.000000000162B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected IcedID

System Summary:

Rundll32 performs DNS lookup (likely malicious behavior)
Source: C:\Windows\SysWOW64\rundll32.exe DNS query: name: nazamoskaotp.xyz
Source: C:\Windows\SysWOW64\rundll32.exe DNS query: name: nazamoskaotp.xyz
Source: C:\Windows\SysWOW64\rundll32.exe DNS query: name: 49vodysf.club
Source: C:\Windows\SysWOW64\rundll32.exe DNS query: name: nazamoskaotp.xyz
Source: C:\Windows\SysWOW64\rundll32.exe DNS query: name: 49vodysf.club
Source: C:\Windows\SysWOW64\rundll32.exe DNS query: name: nazamoskaotp.xyz
Source: C:\Windows\SysWOW64\rundll32.exe DNS query: name: 49vodysf.club
Source: C:\Windows\SysWOW64\rundll32.exe DNS query: name: nazamoskaotp.xyz
Source: C:\Windows\SysWOW64\rundll32.exe DNS query: name: 49vodysf.club
Source: C:\Windows\SysWOW64\rundll32.exe DNS query: name: nazamoskaotp.xyz
Source: C:\Windows\SysWOW64\rundll32.exe DNS query: name: 49vodysf.club
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E155A80 1_2_6E155A80
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E154FD0 1_2_6E154FD0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E146C30 1_2_6E146C30
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E162D1F 1_2_6E162D1F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E147810 1_2_6E147810
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E155A80 5_2_6E155A80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E154FD0 5_2_6E154FD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E147810 5_2_6E147810
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E146C30 5_2_6E146C30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E162D1F 5_2_6E162D1F
PE / OLE file has an invalid certificate
Source: aFqZ2vCizZ.dll Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: aFqZ2vCizZ.dll Binary or memory string: OriginalFilenamecook.dll8 vs aFqZ2vCizZ.dll
Uses 32bit PE files
Source: aFqZ2vCizZ.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine Classification label: mal96.troj.evad.winDLL@7/0@24/0
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\gaziizac32\
Source: aFqZ2vCizZ.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\aFqZ2vCizZ.dll,Rulefigure
Source: aFqZ2vCizZ.dll Virustotal: Detection: 7%
Source: aFqZ2vCizZ.dll ReversingLabs: Detection: 51%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\aFqZ2vCizZ.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\aFqZ2vCizZ.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\aFqZ2vCizZ.dll,Rulefigure
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\aFqZ2vCizZ.dll',#1
Source: aFqZ2vCizZ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: aFqZ2vCizZ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: aFqZ2vCizZ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: aFqZ2vCizZ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: aFqZ2vCizZ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: aFqZ2vCizZ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: aFqZ2vCizZ.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: aFqZ2vCizZ.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\found\21\50\70\Them\43\35\40\Dad\60\cook.pdb source: loaddll32.exe, 00000001.00000002.471079471.000000006E16D000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.472688978.000000006E16D000.00000002.00020000.sdmp, aFqZ2vCizZ.dll
Source: aFqZ2vCizZ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: aFqZ2vCizZ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: aFqZ2vCizZ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: aFqZ2vCizZ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: aFqZ2vCizZ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E14EF9C push dword ptr [ebx-1AD723F2h]; retf 1_2_6E14EFC7
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E158B76 push ecx; ret 1_2_6E158B89
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1589C1 push ecx; ret 1_2_6E1589D4
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1851BC push dword ptr [ebx-1AD723F2h]; retf 1_2_6E1851E7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E158B76 push ecx; ret 5_2_6E158B89
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E1589C1 push ecx; ret 5_2_6E1589D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E1851BC push dword ptr [ebx-1AD723F2h]; retf 5_2_6E1851E7
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1415E6 wsprintfA, 1_2_6E1415E6
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006E141627 second address: 000000006E141647 instructions: 0x00000000 rdtsc 0x00000002 mov esi, eax 0x00000004 mov dword ptr [esp+1Ch], edx 0x00000008 xor eax, eax 0x0000000a lea edi, dword ptr [esp+28h] 0x0000000e inc eax 0x0000000f xor ecx, ecx 0x00000011 cpuid 0x00000013 mov dword ptr [edi], eax 0x00000015 mov eax, edi 0x00000017 mov dword ptr [eax+04h], ebx 0x0000001a mov dword ptr [eax+08h], ecx 0x0000001d mov dword ptr [eax+0Ch], edx 0x00000020 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006E141647 second address: 000000006E141627 instructions: 0x00000000 rdtsc 0x00000002 sub eax, esi 0x00000004 sbb edx, dword ptr [esp+1Ch] 0x00000008 test edx, edx 0x0000000a jnbe 00007F9544BB979Ah 0x0000000c jc 00007F9544BB9759h 0x0000000e cmp eax, 000000FAh 0x00000013 jnc 00007F9544BB9758h 0x00000015 inc byte ptr [esp+1Ah] 0x00000019 jmp 00007F9544BB978Fh 0x0000001b sub ebp, 01h 0x0000001e jne 00007F9544BB96D5h 0x00000020 rdtsc
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 000000006E141627 second address: 000000006E141647 instructions: 0x00000000 rdtsc 0x00000002 mov esi, eax 0x00000004 mov dword ptr [esp+1Ch], edx 0x00000008 xor eax, eax 0x0000000a lea edi, dword ptr [esp+28h] 0x0000000e inc eax 0x0000000f xor ecx, ecx 0x00000011 cpuid 0x00000013 mov dword ptr [edi], eax 0x00000015 mov eax, edi 0x00000017 mov dword ptr [eax+04h], ebx 0x0000001a mov dword ptr [eax+08h], ecx 0x0000001d mov dword ptr [eax+0Ch], edx 0x00000020 rdtsc
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 000000006E141647 second address: 000000006E141627 instructions: 0x00000000 rdtsc 0x00000002 sub eax, esi 0x00000004 sbb edx, dword ptr [esp+1Ch] 0x00000008 test edx, edx 0x0000000a jnbe 00007F9544BB979Ah 0x0000000c jc 00007F9544BB9759h 0x0000000e cmp eax, 000000FAh 0x00000013 jnc 00007F9544BB9758h 0x00000015 inc byte ptr [esp+1Ah] 0x00000019 jmp 00007F9544BB978Fh 0x0000001b sub ebp, 01h 0x0000001e jne 00007F9544BB96D5h 0x00000020 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E14171A rdtsc 1_2_6E14171A
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 4.4 %
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1651B4 FindFirstFileExA, 1_2_6E1651B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E1651B4 FindFirstFileExA, 5_2_6E1651B4
Source: loaddll32.exe, 00000001.00000002.469054338.000000000162B000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E14171A rdtsc 1_2_6E14171A
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E15CCFF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6E15CCFF
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E15E9A8 mov eax, dword ptr fs:[00000030h] 1_2_6E15E9A8
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1842F8 mov eax, dword ptr fs:[00000030h] 1_2_6E1842F8
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E183E36 push dword ptr fs:[00000030h] 1_2_6E183E36
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E18422E mov eax, dword ptr fs:[00000030h] 1_2_6E18422E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E15E9A8 mov eax, dword ptr fs:[00000030h] 5_2_6E15E9A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E1842F8 mov eax, dword ptr fs:[00000030h] 5_2_6E1842F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E183E36 push dword ptr fs:[00000030h] 5_2_6E183E36
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E18422E mov eax, dword ptr fs:[00000030h] 5_2_6E18422E
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E141130 CreateFileA,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,GetProcessHeap,HeapFree,CloseHandle, 1_2_6E141130
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E158EAF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_6E158EAF
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E15CCFF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6E15CCFF
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E158D8D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6E158D8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E158EAF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_6E158EAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E15CCFF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_6E15CCFF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E158D8D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_6E158D8D

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: nazamoskaotp.xyz
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: 49vodysf.club
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\aFqZ2vCizZ.dll',#1
Source: loaddll32.exe, 00000001.00000002.469457279.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.469608358.0000000002C50000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000001.00000002.469457279.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.469608358.0000000002C50000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000002.469457279.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.469608358.0000000002C50000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000002.469457279.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.469608358.0000000002C50000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1415E6 cpuid 1_2_6E1415E6
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_6E167F19
Source: C:\Windows\System32\loaddll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 1_2_6E1677B5
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 1_2_6E161C56
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 1_2_6E167DF0
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 1_2_6E167A2D
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 1_2_6E167A78
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 1_2_6E167B13
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 1_2_6E168020
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 1_2_6E1618B1
Source: C:\Windows\System32\loaddll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 1_2_6E1680ED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 5_2_6E167A2D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 5_2_6E167A78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 5_2_6E167B13
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 5_2_6E167F19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 5_2_6E1677B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 5_2_6E168020
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 5_2_6E161C56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 5_2_6E1618B1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 5_2_6E1680ED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 5_2_6E167DF0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1590AA GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_6E1590AA
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1414D2 GetUserNameA, 1_2_6E1414D2

Stealing of Sensitive Information:

Yara detected IcedID

Remote Access Functionality:

Yara detected IcedID
No contacted IP infos