Windows Analysis Report Frkmlkdkdubkznbkmcf.dll

Overview

General Information

Sample Name: Frkmlkdkdubkznbkmcf.dll
Analysis ID: 553989
MD5: e61518ae9454a563b8f842286bbdb87b
SHA1: 82d29b52e35e7938e7ee610c04ea9daaf5e08e90
SHA256: 9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d
Tags: dllWhisperGate

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Yara signature match
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: Frkmlkdkdubkznbkmcf.dll Virustotal: Detection: 16%
Source: Frkmlkdkdubkznbkmcf.dll ReversingLabs: Detection: 23%
Source: Frkmlkdkdubkznbkmcf.dll Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

System Summary:

Yara signature match
Source: Frkmlkdkdubkznbkmcf.dll, type: SAMPLE Matched rule: MAL_OBFUSC_Unknown_Jan22_1 date = 2022-01-16, hash1 = 9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d, author = Florian Roth, description = Detects samples similar to reversed stage3 found in Ukrainian wiper incident named WhisperGate, reference = https://twitter.com/juanandres_gs/status/1482827018404257792
Source: Frkmlkdkdubkznbkmcf.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine Classification label: mal60.evad.winDLL@5/0@0/0
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\Frkmlkdkdubkznbkmcf.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Frkmlkdkdubkznbkmcf.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Frkmlkdkdubkznbkmcf.dll",#1
Source: Frkmlkdkdubkznbkmcf.dll, u0008u2007.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: Frkmlkdkdubkznbkmcf.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Data Obfuscation:

.NET source code contains potential unpacker
Source: Frkmlkdkdubkznbkmcf.dll, u000eu2004u2000.cs .Net Code: \x03 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: initial sample Static PE information: section name: .text entropy: 6.9383493763
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000

Anti Debugging:

Program does not show much activity (idle)

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: Frkmlkdkdubkznbkmcf.dll, u0006u2003u2000.cs Reference to suspicious API methods: ('\\x02', 'VirtualAlloc@kernel32'), ('\\x02', 'LoadLibraryA@kernel32'), ('\\x02', 'VirtualProtect@kernel32'), ('\\x02', 'GetProcAddress@kernel32'), ('\\x02', 'OpenProcess@kernel32.dll')
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Frkmlkdkdubkznbkmcf.dll",#1
No contacted IP infos