Source: Frkmlkdkdubkznbkmcf.dll |
VirusTotal: Detection: 16% |
Source: Frkmlkdkdubkznbkmcf.dll |
ReversingLabs: Detection: 23% |
Source: Frkmlkdkdubkznbkmcf.dll |
Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: Frkmlkdkdubkznbkmcf.dll, type: SAMPLE |
Matched rule: MAL_OBFUSC_Unknown_Jan22_1 date = 2022-01-16, hash1 = 9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d, author = Florian Roth, description = Detects samples similar to reversed stage3 found in Ukrainian wiper incident named WhisperGate, reference = https://twitter.com/juanandres_gs/status/1482827018404257792 |
Source: Frkmlkdkdubkznbkmcf.dll |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Windows\System32\loaddll32.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: classification engine |
Classification label: mal60.evad.winDLL@5/0@0/0 |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Frkmlkdkdubkznbkmcf.dll",#1 |
Source: unknown |
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\Frkmlkdkdubkznbkmcf.dll" |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Frkmlkdkdubkznbkmcf.dll",#1 |
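The process tree above (loaddll32.exe starting with the sample as its argument, then cmd.exe, then rundll32.exe with ",#1") is the sandbox's own DLL harness loading the file and calling its first export, not behaviour the sample initiated, so the tree itself is not an indicator to alert on. What does transfer to endpoint telemetry is the shape of the rundll32 line: a DLL in a user-writable directory, an export called by ordinal, and a script or shell host as parent. The following is an added example, not part of the report or of any vendor's detection content; the events are constructed in a Sysmon-like shape (only the first mirrors the report's command line) and the scoring heuristics are the editor's own.

```python
import re

# Constructed process-creation events (Sysmon event 1 shape, three fields only).
# The first mirrors the harness line from the report; the rest are made up.
EVENTS = [
    {"Image": "C:\\Windows\\SysWOW64\\rundll32.exe",
     "CommandLine": 'rundll32.exe "C:\\Users\\user\\Desktop\\Frkmlkdkdubkznbkmcf.dll",#1',
     "ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe"},
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": 'rundll32.exe "C:\\ProgramData\\update\\x.dll",DllRegisterServer',
     "ParentImage": "C:\\Windows\\System32\\wscript.exe"},
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe readme.txt",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]

# rundll32 syntax: rundll32.exe <dllpath>,<entry>  where entry is a name or #ordinal.
RUNDLL_RE = re.compile(
    r'^\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+'
    r'(?:"(?P<qpath>[^"]+)"|(?P<path>[^,\s]+))\s*,\s*(?P<entry>\S+)',
    re.IGNORECASE,
)
# Editor's heuristics (assumptions, not a vendor rule): paths a standard user can write
# to, and parents that indicate a script/shell stage rather than an installer or shell.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
SCRIPT_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def parse_rundll32(cmdline: str):
    """Return (dll_path, entry) from a rundll32 command line, or None without a DLL,entry pair."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return None
    return (m.group("qpath") or m.group("path"), m.group("entry"))


def score_rundll32(event: dict) -> list:
    """Hunting heuristics for one event; each hit is a reason string (empty list = clean)."""
    if not event["Image"].lower().endswith("\\rundll32.exe"):
        return []
    parsed = parse_rundll32(event["CommandLine"])
    if parsed is None:
        return ["rundll32 with no DLL,entry argument"]
    path, entry = parsed
    reasons = []
    if entry.startswith("#"):
        reasons.append("export called by ordinal %s" % entry)
    if any(d in path.lower() for d in USER_WRITABLE):
        reasons.append("DLL loaded from user-writable path %s" % path)
    parent = event["ParentImage"].lower().rsplit("\\", 1)[-1]
    if parent in SCRIPT_PARENTS:
        reasons.append("spawned by script/shell host %s" % parent)
    return reasons


def hunt(events) -> list:
    """Indices of events with at least one hit, most reasons first."""
    hits = [(i, score_rundll32(e)) for i, e in enumerate(events)]
    hits = [(i, r) for i, r in hits if r]
    hits.sort(key=lambda x: -len(x[1]))
    return [i for i, _ in hits]


if __name__ == "__main__":
    for i in hunt(EVENTS):
        print(i, EVENTS[i]["CommandLine"])
        for r in score_rundll32(EVENTS[i]):
            print("   -", r)
```

Run against the constructed events, the report's line scores on all three heuristics, the shell32.dll control-panel invocation scores on none, and the ProgramData DLL registered from wscript.exe scores on two. Treat the ordinal check as a weak signal on its own: legitimate installers do call exports by ordinal, which is why it is combined with path and parent rather than alerted on alone.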
Source: Frkmlkdkdubkznbkmcf.dll, u0008u2007.cs |
Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock' |
Source: Frkmlkdkdubkznbkmcf.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: Frkmlkdkdubkznbkmcf.dll, u000eu2004u2000.cs |
.Net Code: \x03 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: initial sample |
Static PE information: section name: .text entropy: 6.9383493763 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\loaddll32.exe |
Thread delayed: delay time: 120000 |
Source: Frkmlkdkdubkznbkmcf.dll, u0006u2003u2000.cs |
Reference to suspicious API methods: ('\\x02', 'VirtualAlloc@kernel32'), ('\\x02', 'LoadLibraryA@kernel32'), ('\\x02', 'VirtualProtect@kernel32'), ('\\x02', 'GetProcAddress@kernel32'), ('\\x02', 'OpenProcess@kernel32.dll') |