Windows Analysis Report SecuriteInfo.com.Variant.Razy.980776.8232.dll

Overview

General Information

Sample Name: SecuriteInfo.com.Variant.Razy.980776.8232.dll
Analysis ID: 510689
MD5: 6df0687582c592e9860683a68858e082
SHA1: 53780def0699c055381746ce4ecebef8f17fd12d
SHA256: 90877ec621cc53fc31e693362e3b335a429aecc77abdbfd8b7d5d7493478f36d
Tags: dll

Detection

Dridex
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Found detection on Joe Sandbox Cloud Basic with higher score
Detected Dridex e-Banking trojan
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Queries the installation date of Windows
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

AV Detection:

Found malware configuration
Source: 3.2.rundll32.exe.6e9f0000.0.unpack Malware Configuration Extractor: Dridex {"Version": 10444, "C2 list": ["192.46.210.220:443", "143.244.140.214:808", "45.77.0.96:6891", "185.56.219.47:8116"], "RC4 keys": ["9fRysqcdPgZffBlroqJaZHyCvLvD6BUV", "syF7NqCylLS878kcIy9w5XeI8w6uMrqVwowz4h3uWHHlWsr5ELTiXic3wgqbllkcZyNGwPGihI"]}
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Variant.Razy.980776.8232.dll ReversingLabs: Detection: 18%

Compliance:

Uses 32bit PE files
Source: SecuriteInfo.com.Variant.Razy.980776.8232.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown HTTPS traffic detected: 192.46.210.220:443 -> 192.168.2.3:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.46.210.220:443 -> 192.168.2.3:49744 version: TLS 1.2
Source: SecuriteInfo.com.Variant.Razy.980776.8232.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Gun\208-town\521\exa\botto\party.pdb source: loaddll32.exe, 00000000.00000002.690574263.000000006EAB7000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.691096574.000000006EAB7000.00000002.00020000.sdmp, SecuriteInfo.com.Variant.Razy.980776.8232.dll
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA1CEF8 FindFirstFileExW, 0_2_6EA1CEF8

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.77.0.96 235
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.56.219.47 180
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 192.46.210.220 187
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 143.244.140.214 40
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 192.46.210.220:443
Source: Malware configuration extractor IPs: 143.244.140.214:808
Source: Malware configuration extractor IPs: 45.77.0.96:6891
Source: Malware configuration extractor IPs: 185.56.219.47:8116
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: KELIWEBIT
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Host: 192.46.210.220 Content-Length: 4814 Connection: Close Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Host: 192.46.210.220 Content-Length: 4802 Connection: Close Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Host: 192.46.210.220 Content-Length: 4814 Connection: Close Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Host: 192.46.210.220 Content-Length: 4802 Connection: Close Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Host: 192.46.210.220 Content-Length: 4814 Connection: Close Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Host: 192.46.210.220 Content-Length: 4802 Connection: Close Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Host: 192.46.210.220 Content-Length: 4814 Connection: Close Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Host: 192.46.210.220 Content-Length: 4802 Connection: Close Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Host: 192.46.210.220 Content-Length: 4814 Connection: Close Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Host: 192.46.210.220 Content-Length: 4802 Connection: Close Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Host: 192.46.210.220 Content-Length: 4814 Connection: Close Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Host: 192.46.210.220 Content-Length: 4802 Connection: Close Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Host: 192.46.210.220 Content-Length: 4814 Connection: Close Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Host: 192.46.210.220 Content-Length: 4802 Connection: Close Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Host: 192.46.210.220 Content-Length: 4802 Connection: Close Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Host: 192.46.210.220 Content-Length: 4802 Connection: Close Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Host: 192.46.210.220 Content-Length: 4802 Connection: Close Cache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 45.77.0.96
Source: Joe Sandbox View IP Address: 185.56.219.47
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49745 -> 143.244.140.214:808
Source: global traffic TCP traffic: 192.168.2.3:49748 -> 45.77.0.96:6891
Source: global traffic TCP traffic: 192.168.2.3:49750 -> 185.56.219.47:8116
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49800
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: nginx/1.15.12 Date: Thu, 28 Oct 2021 03:11:10 GMT Content-Type: text/plain; charset=utf-8 Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: nginx/1.15.12 Date: Thu, 28 Oct 2021 03:11:12 GMT Content-Type: text/plain; charset=utf-8 Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: nginx/1.15.12 Date: Thu, 28 Oct 2021 03:11:21 GMT Content-Type: text/plain; charset=utf-8 Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: nginx/1.15.12 Date: Thu, 28 Oct 2021 03:11:22 GMT Content-Type: text/plain; charset=utf-8 Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: nginx/1.15.12 Date: Thu, 28 Oct 2021 03:11:28 GMT Content-Type: text/plain; charset=utf-8 Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: nginx/1.15.12 Date: Thu, 28 Oct 2021 03:11:29 GMT Content-Type: text/plain; charset=utf-8 Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: nginx/1.15.12 Date: Thu, 28 Oct 2021 03:11:36 GMT Content-Type: text/plain; charset=utf-8 Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: nginx/1.15.12 Date: Thu, 28 Oct 2021 03:11:37 GMT Content-Type: text/plain; charset=utf-8 Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: nginx/1.15.12 Date: Thu, 28 Oct 2021 03:11:44 GMT Content-Type: text/plain; charset=utf-8 Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: nginx/1.15.12 Date: Thu, 28 Oct 2021 03:11:45 GMT Content-Type: text/plain; charset=utf-8 Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: nginx/1.15.12 Date: Thu, 28 Oct 2021 03:11:51 GMT Content-Type: text/plain; charset=utf-8 Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: nginx/1.15.12 Date: Thu, 28 Oct 2021 03:11:52 GMT Content-Type: text/plain; charset=utf-8 Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: nginx/1.15.12 Date: Thu, 28 Oct 2021 03:11:59 GMT Content-Type: text/plain; charset=utf-8 Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: nginx/1.15.12 Date: Thu, 28 Oct 2021 03:12:00 GMT Content-Type: text/plain; charset=utf-8 Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: nginx/1.15.12 Date: Thu, 28 Oct 2021 03:12:09 GMT Content-Type: text/plain; charset=utf-8 Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: nginx/1.15.12 Date: Thu, 28 Oct 2021 03:12:16 GMT Content-Type: text/plain; charset=utf-8 Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: nginx/1.15.12 Date: Thu, 28 Oct 2021 03:12:24 GMT Content-Type: text/plain; charset=utf-8 Connection: close
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 143.244.140.214
Source: unknown TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown TCP traffic detected without corresponding DNS query: 45.77.0.96
Source: unknown TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: unknown TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: unknown TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: unknown TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: unknown TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: unknown TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: unknown TCP traffic detected without corresponding DNS query: 185.56.219.47
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.690375377.0000000002F60000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.3.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: loaddll32.exe, 00000000.00000003.563593432.000000000095A000.00000004.00000001.sdmp String found in binary or memory: https://14.77.0.96:6891/
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp String found in binary or memory: https://143.244.140.214/
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp String found in binary or memory: https://143.244.140.214:808/
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp String found in binary or memory: https://143.244.140.214:808/Q#
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp String found in binary or memory: https://143.244.140.214:808/hy
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp String found in binary or memory: https://143.244.140.214:808/l
Source: loaddll32.exe, 00000000.00000003.502791575.000000000095F000.00000004.00000001.sdmp String found in binary or memory: https://143.244.140.214:808/l?
Source: loaddll32.exe, 00000000.00000003.588479103.000000000095F000.00000004.00000001.sdmp String found in binary or memory: https://143.244.140.214:808/la
Source: loaddll32.exe, 00000000.00000003.550818724.000000000095A000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.502791575.000000000095F000.00000004.00000001.sdmp String found in binary or memory: https://143.244.140.214:808/oft
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp String found in binary or memory: https://143.244.140.214:808/q
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp String found in binary or memory: https://185.56.219.47/
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.680691305.0000000002F6D000.00000004.00000001.sdmp String found in binary or memory: https://185.56.219.47:8116/
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp String found in binary or memory: https://185.56.219.47:8116/0
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp String found in binary or memory: https://185.56.219.47:8116/N
Source: rundll32.exe, 00000003.00000003.680691305.0000000002F6D000.00000004.00000001.sdmp String found in binary or memory: https://185.56.219.47:8116/dv
Source: loaddll32.exe, 00000000.00000003.577280807.000000000095A000.00000004.00000001.sdmp String found in binary or memory: https://185.56.219.47:8116/fW
Source: loaddll32.exe, 00000000.00000003.462263005.000000000095A000.00000004.00000001.sdmp String found in binary or memory: https://185.56.219.47:8116/ion
Source: loaddll32.exe, 00000000.00000003.577280807.000000000095A000.00000004.00000001.sdmp String found in binary or memory: https://185.56.219.47:8116/soft
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000002.689702912.0000000000958000.00000004.00000020.sdmp, rundll32.exe, 00000003.00000002.690791416.000000000516B000.00000004.00000001.sdmp String found in binary or memory: https://192.46.210.220/
Source: loaddll32.exe, 00000000.00000003.544483266.000000000095A000.00000004.00000001.sdmp String found in binary or memory: https://192.46.210.220/#
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp String found in binary or memory: https://192.46.210.220/4
Source: loaddll32.exe, 00000000.00000003.588542821.0000000000997000.00000004.00000001.sdmp String found in binary or memory: https://192.46.210.220/7.0.96:6891/
Source: loaddll32.exe, 00000000.00000003.462263005.000000000095A000.00000004.00000001.sdmp String found in binary or memory: https://192.46.210.220/:
Source: loaddll32.exe, 00000000.00000003.588479103.000000000095F000.00000004.00000001.sdmp String found in binary or memory: https://192.46.210.220/A
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp String found in binary or memory: https://192.46.210.220/H
Source: loaddll32.exe, 00000000.00000003.588479103.000000000095F000.00000004.00000001.sdmp String found in binary or memory: https://192.46.210.220/N
Source: loaddll32.exe, 00000000.00000003.550818724.000000000095A000.00000004.00000001.sdmp String found in binary or memory: https://192.46.210.220/S
Source: loaddll32.exe, 00000000.00000003.588479103.000000000095F000.00000004.00000001.sdmp String found in binary or memory: https://192.46.210.220/X
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp String found in binary or memory: https://192.46.210.220/a
Source: loaddll32.exe, 00000000.00000003.528593129.000000000095A000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.577280807.000000000095A000.00000004.00000001.sdmp String found in binary or memory: https://192.46.210.220/aenh.dll
Source: loaddll32.exe, 00000000.00000002.689702912.0000000000958000.00000004.00000020.sdmp String found in binary or memory: https://192.46.210.220/e
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp String found in binary or memory: https://192.46.210.220/k
Source: loaddll32.exe, 00000000.00000003.550818724.000000000095A000.00000004.00000001.sdmp String found in binary or memory: https://192.46.210.220/w
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.452876324.0000000002F60000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/
Source: loaddll32.exe, 00000000.00000003.588542821.0000000000997000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/.0.96:6891/m
Source: loaddll32.exe, 00000000.00000003.550818724.000000000095A000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/14
Source: loaddll32.exe, 00000000.00000003.550818724.000000000095A000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/6
Source: loaddll32.exe, 00000000.00000003.588479103.000000000095F000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/F
Source: loaddll32.exe, 00000000.00000003.462293153.0000000000998000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/I
Source: loaddll32.exe, 00000000.00000003.588542821.0000000000997000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/Microsoft
Source: loaddll32.exe, 00000000.00000003.588479103.000000000095F000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/N
Source: loaddll32.exe, 00000000.00000003.502791575.000000000095F000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/der
Source: loaddll32.exe, 00000000.00000003.502791575.000000000095F000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/der.
Source: loaddll32.exe, 00000000.00000003.502791575.000000000095F000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/der6
Source: loaddll32.exe, 00000000.00000003.550818724.000000000095A000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/derF
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.577280807.000000000095A000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.690791416.000000000516B000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/graphy
Source: loaddll32.exe, 00000000.00000003.528593129.000000000095A000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/m
Source: loaddll32.exe, 00000000.00000003.454214187.0000000000960000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/n
Source: loaddll32.exe, 00000000.00000003.550818724.000000000095A000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/r
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/s
Source: rundll32.exe, 00000003.00000003.452876324.0000000002F60000.00000004.00000001.sdmp String found in binary or memory: https://45.77.0.96:6891/tv
Source: loaddll32.exe, 00000000.00000003.588542821.0000000000997000.00000004.00000001.sdmp String found in binary or memory: https://45192.46.210.220/
Source: unknown HTTP traffic detected: POST / HTTP/1.1 Host: 192.46.210.220 Content-Length: 4814 Connection: Close Cache-Control: no-cache
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA239F9 InternetReadFile, 0_2_6EA239F9
Source: unknown HTTPS traffic detected: 192.46.210.220:443 -> 192.168.2.3:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.46.210.220:443 -> 192.168.2.3:49744 version: TLS 1.2

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match File source: 3.3.rundll32.exe.475db55.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.475db55.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.492db55.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.342db55.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.413db55.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.9fdb55.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.413db55.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.492db55.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.9fdb55.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e9f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.342db55.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6e9f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000003.429863191.0000000003410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.404224619.0000000004740000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.690890687.000000006E9F1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.690396403.000000006E9F1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.420461174.0000000004120000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.396279024.0000000004910000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.431718268.00000000009E0000.00000040.00000001.sdmp, type: MEMORY
Detected Dridex e-Banking trojan
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9F51A7 OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo, 0_2_6E9F51A7

System Summary:

Found detection on Joe Sandbox Cloud Basic with higher score
Source: SecuriteInfo.com.Variant.Razy.980776.8232.dll Joe Sandbox Cloud Basic: Detection: malicious Score: 88 Threat Name: Dridex
Uses 32bit PE files
Source: SecuriteInfo.com.Variant.Razy.980776.8232.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA067C8 0_2_6EA067C8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA08AB0 0_2_6EA08AB0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA126B0 0_2_6EA126B0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA11EB0 0_2_6EA11EB0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA0AE80 0_2_6EA0AE80
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA0F6E0 0_2_6EA0F6E0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9F6AD0 0_2_6E9F6AD0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA08EF0 0_2_6EA08EF0
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA022A0 NtDelayExecution, 0_2_6EA022A0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA1BE30 NtClose, 0_2_6EA1BE30
Source: SecuriteInfo.com.Variant.Razy.980776.8232.dll ReversingLabs: Detection: 18%
Source: SecuriteInfo.com.Variant.Razy.980776.8232.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.8232.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.8232.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.8232.dll,Bluewing
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.8232.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.8232.dll,Earth
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.8232.dll,Masterjust
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: classification engine Classification label: mal92.bank.troj.evad.winDLL@11/1@0/4
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: SecuriteInfo.com.Variant.Razy.980776.8232.dll Static file information: File size 1375232 > 1048576
Source: SecuriteInfo.com.Variant.Razy.980776.8232.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: SecuriteInfo.com.Variant.Razy.980776.8232.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\Gun\208-town\521\exa\botto\party.pdb source: loaddll32.exe, 00000000.00000002.690574263.000000006EAB7000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.691096574.000000006EAB7000.00000002.00020000.sdmp, SecuriteInfo.com.Variant.Razy.980776.8232.dll
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Contains functionality to query network adapter information
Source: C:\Windows\System32\loaddll32.exe Code function: OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo, 0_2_6E9F51A7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA03930 GetTokenInformation,GetTokenInformation,GetSystemInfo,GetTokenInformation, 0_2_6EA03930
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA1CEF8 FindFirstFileExW, 0_2_6EA1CEF8
Source: loaddll32.exe, 00000000.00000002.689683727.000000000094C000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA363A0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6EA363A0
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA68B60 __invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,__strftime_l,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__cftoe,__aligned_msize,__invoke_watson_if_error,GetFileType,WriteConsoleW,GetLastError,__cftoe,WriteFile,WriteFile,OutputDebugStringW,__invoke_watson_if_error,__CrtDbgReportWV, 3_2_6EA68B60
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA647C0 mov ecx, dword ptr fs:[00000030h] 3_2_6EA647C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EB3BA72 mov eax, dword ptr fs:[00000030h] 3_2_6EB3BA72
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EB3B64D push dword ptr fs:[00000030h] 3_2_6EB3B64D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EB3B942 mov eax, dword ptr fs:[00000030h] 3_2_6EB3B942
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA06C50 KiUserExceptionDispatcher,LdrLoadDll, 0_2_6EA06C50
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA07A60 RtlAddVectoredExceptionHandler, 0_2_6EA07A60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA363A0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6EA363A0

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.77.0.96 235
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.56.219.47 180
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 192.46.210.220 187
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 143.244.140.214 40
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.8232.dll',#1
Source: loaddll32.exe, 00000000.00000002.690065461.00000000014A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.690497841.0000000003330000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.690065461.00000000014A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.690497841.0000000003330000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.690065461.00000000014A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.690497841.0000000003330000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.690065461.00000000014A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.690497841.0000000003330000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6EA81E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6EA81F40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetACP,GetLocaleInfoW, 3_2_6EA82750
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6EA6B0B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6EA6BC30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6EA81DB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_6EA82960
Queries the installation date of Windows
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA02980 GetUserNameW, 0_2_6EA02980