Windows
Analysis Report
knigger.bin
Overview
General Information
Detection
Score: | 88 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- loaddll32.exe (PID: 6348 cmdline:
loaddll32. exe "C:\Us ers\user\D esktop\kni gger.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938) - cmd.exe (PID: 6340 cmdline:
cmd.exe /C rundll32. exe "C:\Us ers\user\D esktop\kni gger.dll", #1 MD5: F3BDBE3BB6F734E357235F4D5898582D) - rundll32.exe (PID: 6324 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\knig ger.dll",# 1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D) - WerFault.exe (PID: 4680 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 6 324 -s 700 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
- cleanup
{"Version": 22201, "C2 list": ["144.91.122.100:443", "188.214.241.242:4664", "93.104.209.107:8116", "5.189.190.214:593"], "RC4 keys": ["S9OYlNFUvY5N1RDSpi8BgH6SgS8gPIcU", "rRgzULsP0KBJ7CcLRdZ7mhoBdNxJNQSrQLI3uRuRJVi7lqosB75laFDkwhMJ8LECg1b8sYjJZr"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
MALWARE_Win_DLLLoader | Detects unknown DLL Loader | ditekSHen |
| |
MALWARE_Win_DLLLoader | Detects unknown DLL Loader | ditekSHen |
| |
JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security | ||
JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security | ||
MALWARE_Win_DLLLoader | Detects unknown DLL Loader | ditekSHen |
| |
Click to see the 1 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
MALWARE_Win_DLLLoader | Detects unknown DLL Loader | ditekSHen |
| |
MALWARE_Win_DLLLoader | Detects unknown DLL Loader | ditekSHen |
| |
MALWARE_Win_DLLLoader | Detects unknown DLL Loader | ditekSHen |
| |
MALWARE_Win_DLLLoader | Detects unknown DLL Loader | ditekSHen |
| |
MALWARE_Win_DLLLoader | Detects unknown DLL Loader | ditekSHen |
| |
Click to see the 10 entries |
System Summary |
---|
Source: | Author: Florian Roth: |
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: |
Networking |
---|
Source: | IPs: | ||
Source: | IPs: | ||
Source: | IPs: | ||
Source: | IPs: |
Source: | ASN Name: | ||
Source: | ASN Name: |
Source: | IP Address: | ||
Source: | IP Address: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
E-Banking Fraud |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
System Summary |
---|
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Static PE information: |
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Binary or memory string: |
Source: | Process created: |
Source: | Code function: | 2_2_6F280730 | |
Source: | Code function: | 2_2_6F289370 | |
Source: | Code function: | 2_2_6F278428 | |
Source: | Code function: | 2_2_6F28143C | |
Source: | Code function: | 2_2_6F271494 | |
Source: | Code function: | 2_2_6F27A4E8 |
Source: | ReversingLabs: |
Source: | Key opened: | Jump to behavior |
Source: | Process created: |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | Classification label: |
Source: | File read: | Jump to behavior | ||
Source: | File read: | Jump to behavior |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: | 2_2_6F27F6A9 |
Source: | Static PE information: |
Source: | Registry key monitored for changes: | Jump to behavior |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Process queried: | Jump to behavior | ||
Source: | Process queried: | Jump to behavior | ||
Source: | Process queried: | Jump to behavior |
Source: | Code function: | 2_2_6F276D0C |
Source: | Process created: | Jump to behavior |
Source: | Code function: | 2_2_6F276D0C |
Source: | Code function: | 2_2_6F276D0C |
Source: | Binary or memory string: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | Path Interception | 11 Process Injection | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 Query Registry | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Rundll32 | LSASS Memory | 31 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Obfuscated Files or Information | NTDS | 1 Account Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 1 System Owner/User Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | 11 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 Remote System Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
70% | ReversingLabs | Win32.Trojan.Drixed | ||
100% | Avira | TR/Crypt.Agent.pvvzj |
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
100% | Avira | HEUR/AGEN.1144420 | Download File | ||
100% | Avira | HEUR/AGEN.1144420 | Download File | ||
100% | Avira | HEUR/AGEN.1144420 | Download File | ||
100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
100% | Avira | TR/Crypt.XPACK.Gen | Download File |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false |
| low |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
188.214.241.242 | unknown | Spain | 62412 | BORECOM-INNOVABorecom-InnovaES | true | |
93.104.209.107 | unknown | Germany | 8767 | MNET-ASGermanyDE | true | |
144.91.122.100 | unknown | Germany | 51167 | CONTABODE | true | |
5.189.190.214 | unknown | Germany | 51167 | CONTABODE | true |
Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 564921 |
Start date: | 02.02.2022 |
Start time: | 15:41:40 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 8m 25s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | knigger.bin (renamed file extension from bin to dll) |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 28 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal88.troj.winDLL@6/6@0/4 |
EGA Information: |
|
HDC Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, HxTsr.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
- Excluded IPs from analysis (whitelisted): 23.54.113.53, 13.89.179.12
- Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, onedsblobprdcus17.centralus.cloudapp.azure.com, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- VT rate limit hit for: knigger.dll
Time | Type | Description |
---|---|---|
15:42:50 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
188.214.241.242 | Get hash | malicious | Browse | ||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
93.104.209.107 | Get hash | malicious | Browse | ||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
MNET-ASGermanyDE | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
BORECOM-INNOVABorecom-InnovaES | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_88c9a135c9b22294e84c86e44fa262283b2da9a_82810a17_122904ea\Report.wer
Download File
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.932361057778476 |
Encrypted: | false |
SSDEEP: | 192:6Vii0oXjHBUZMX4jed+P/u7spS274ItWc:cikXjBUZMX4jeq/u7spX4ItWc |
MD5: | 712EE66153C612FE2A7AA6FC985729BB |
SHA1: | B2F7C3ECB750E05424B4C957D68274D3FBBBDF71 |
SHA-256: | CDC3F05FCC52A9B300B6900A17CB140EF99075A89FB41C31B2C096B8937432F1 |
SHA-512: | 4780AB5BFCC7BB9379B1EF580AD1475A2437C7E8C3DB485E0698ACD07AB848B8584E9D77567DAD780E2EDF95CBB55995218DFDB5A93D1D13A568FC936683A52F |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 45956 |
Entropy (8bit): | 2.33754465661868 |
Encrypted: | false |
SSDEEP: | 192:5hQ/8qOnMzQDO5SkbV3bDu7EhWj8c+oAqBMt1na:Q2MF5LbVmj8cZAqaVa |
MD5: | F4EE02EFEE8AD69BBF3A906A0C9CDF5F |
SHA1: | BAD07B24B1C20FD5DBF3C176BD279A5807C2A330 |
SHA-256: | 426F7F30254E664E414A1C1D610F2DA89CD567D7E0DC0A4BA1DE9B90EA210054 |
SHA-512: | 1B030FA9F1B3A40939A588BE1BCA22A0D7AAC94FF63C20D8E8B0325A06927BBC42BB0D7EF38022F34A1C16F3C6DF3A98BC904BE2609FC471C55CB5CCCD915805 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8240 |
Entropy (8bit): | 3.689898444594183 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNiqdS63b6R6YKw6WgmfTTSRCpra89b0visfR8m:RrlsNiqI6o6Yd6WgmfTTSK0vhf/ |
MD5: | F2DAD464F90154FCE75F0F86AAF8C0DF |
SHA1: | D701FBBFB585419CA5C386089A3DE155B5D14786 |
SHA-256: | 371924D06A753B50039AD1197442DDC28CBAC2A1E0BBFBFA0229ECA5562643B0 |
SHA-512: | 89DC1C399C0D746BEC703CA6AA0F2C4A6DA71334C089A82D2BCB836C0E92EC24C14231AD7DEE036A2E3363699F5B8EF4D29D024479F69D8645FF901B74F47456 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4624 |
Entropy (8bit): | 4.453834621245006 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zsEJgtWI9g+WSC8B88fm8M4JCdsL2jGF78+q8/iKYR544SrS8d:uITfCP/SN/JJM34DW8d |
MD5: | 18872478B5333711926B37EA28B1C7AA |
SHA1: | FC30FB7334320FF44049BBDF4A27A69E9D495E1E |
SHA-256: | 2D351F4C8F1D06A4B6B2F6EB7004280DB9A8D842D1CED83DD091C807EE312E50 |
SHA-512: | 6BDA3227DAF90178636EC5603137BDE72BE6F665ADBE6EFCB24C1CADBCDE1770BB2D3A4AC96AD75B0A38E5F8EBEE0F2D7E610394ACC8589ACEE3C42D7913D200 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1572864 |
Entropy (8bit): | 4.216496919713934 |
Encrypted: | false |
SSDEEP: | 12288:fDZIPRnLP6jV5jM72DlrIcK4UHjqYk/+t/lcST3kwdJOOcUP2dmbxT:rZIPRnLP6jzjM7cKDTHz |
MD5: | F4CBF56A201641BE2B70F2F8AA40CCB0 |
SHA1: | 01A55AA87EFDAC623087B552642C8B4163863EC1 |
SHA-256: | 3B215E7FE68D246FD94F347E369FE24E9D71437CA782071395DB4F64D97F13D0 |
SHA-512: | 3C863A393A5EDC7333F2C238CD7FA06D9AACF0443ABED6695EFCDBAEB45109313E7DA2BFFC871555FD71A1E1F9A032B04F3793740ABD3886AACE2C084A7A30AE |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 20480 |
Entropy (8bit): | 3.5197824415151917 |
Encrypted: | false |
SSDEEP: | 384:Niy5NnIrnc8mTVgGFK0XnmnQFRiovOglT:cMxAc8EVgGE0XmnQF9vP |
MD5: | 752FCD99E5EB7A9761D903827848FC50 |
SHA1: | AD9F5CF9EC6FB3670EAE8420B08D75059400BDBE |
SHA-256: | 53990467AC8208918CAEE7D1E2FA50D587F7B98BE48A621FFD148BD78B741BFD |
SHA-512: | AF2359246FA2CF03FC7C0561BC37D74718E720972BA4D01A3FFB4D74DE524CF2D01B9CC3462F322884A556810FAEDDC373FF5E55B8D8D18A0FB9C9A517B54967 |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 7.311800540085467 |
TrID: |
|
File name: | knigger.dll |
File size: | 520192 |
MD5: | f2fdb0f416abda7c5fb8436578f1b6c8 |
SHA1: | cb35382ae44bc43c1372a21b04fc214885a4d8f2 |
SHA256: | 5e5242e1251bfb745e068b413dab59a74afe94850e1b8d02acb607c50ce63fd0 |
SHA512: | e0a5bb0fbcb0732f4dc1450de7d7a75a47408233e2ee669d574788ea0e87ca39ba4ae4aa7a93d4bbaa73a7042eb0ab147348243397a3418af09ce14e347dcfda |
SSDEEP: | 6144:55a3RjZ1XrZvR7Z9JrZdR5ZbR1Z9RVZ1RvZpR17fRrZpRrTZRfZ3Rr3fRJZfRlZ3:obTFRJXfZrFTfVBokoa7fGs8k7l |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........R...<...<...<..k....<...=.S.<.=.....<.......<.......<.t.?...<.t.=.4.<.L.9...<.t...0.<..k....<..0..x.<.......<..1....<..k....< |
Icon Hash: | 74f0e4ecccdce0e4 |
Entrypoint: | 0x10005000 |
Entrypoint Section: | .rdata |
Digitally signed: | false |
Imagebase: | 0x10000000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x61C045E9 [Mon Dec 20 08:59:21 2021 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | 2b1b4edc6ebe7eca63696f6220126258 |
Instruction |
---|
mov edx, 00000003h |
cmpps xmm1, xmm0, 02h |
add edx, 04h |
add edx, 04h |
add edx, 04h |
add edx, 04h |
add edx, 04h |
add edx, 04h |
add edx, 04h |
add edx, 04h |
add edx, 04h |
add edx, 04h |
add edx, 04h |
add edx, 04h |
add edx, 04h |
add edx, 04h |
add edx, 04h |
add edx, 04h |
add edx, 04h |
add edx, 04h |
add edx, 04h |
add edx, 04h |
add edx, 04h |
add edx, 04h |
add edx, 04h |
call 00007F29B4DBD9A2h |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
push ebp |
mov ebp, esp |
push ebx |
push edi |
push esi |
and esp, FFFFFFF8h |
sub esp, 00000088h |
mov eax, dword ptr [ebp+08h] |
mov byte ptr [esp+77h], 00000018h |
mov ecx, dword ptr [esp+78h] |
mov edx, dword ptr [esp+7Ch] |
mov esi, ecx |
or esi, 37041D98h |
mov dword ptr [esp+78h], esi |
mov bl, byte ptr [esp+77h] |
mov bh, bl |
xor bh, FFFFFFCDh |
mov byte ptr [esp+4Fh], bh |
mov dword ptr [esp+34h], eax |
mov dword ptr [esp+30h], ecx |
mov dword ptr [esp+2Ch], edx |
mov byte ptr [esp+2Bh], bl |
call 00007F29B4DC1398h |
xor ecx, ecx |
mov di, word ptr [esp+6Ch] |
mov word ptr [esp+6Ch], di |
mov edx, eax |
mov esi, dword ptr [eax+3Ch] |
mov bl, byte ptr [esp+2Bh] |
xor bl, 00000069h |
mov dword ptr [esp+00h], eax |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x76d43 | 0x60 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x76e1c | 0xa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7f000 | 0x2f0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x80000 | 0x8d8 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6030 | 0x38 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x54 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.rdata | 0x1000 | 0x69ae | 0x7000 | False | 0.381487165179 | data | 4.43403192783 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x8000 | 0x6f052 | 0x70000 | False | 0.29494367327 | data | 7.44583798287 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x78000 | 0x6428 | 0x5000 | False | 0.345947265625 | data | 5.9113186779 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x7f000 | 0x2f0 | 0x1000 | False | 0.09033203125 | data | 0.793575928673 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x80000 | 0x8d8 | 0x1000 | False | 0.275390625 | data | 4.1888764152 | IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_VERSION | 0x7f060 | 0x290 | MS Windows COFF PA-RISC object file | English | United States |
DLL | Import |
---|---|
OPENGL32.dll | glTexImage2D |
KERNEL32.dll | GetFileSize, GetModuleFileNameW, OutputDebugStringA, CloseHandle, IsDebuggerPresent, GetModuleHandleW |
ADVAPI32.dll | QueryServiceStatusEx, RegCloseKey, AccessCheck |
WINSPOOL.DRV | EnumFormsW |
USER32.dll | GetWindowTextA |
ole32.dll | PropVariantClear |
WS2_32.dll | WSACleanup |
Description | Data |
---|---|
OriginalFilename | Nrt.dll |
FileDescription | Oracle Call Interface |
FileVersion | 9.6.7.6.0 |
Legal Copyright | Copyright Oracle Corporation 1979, 2001. All rights reserved. |
CompanyName | Oracle Corporation |
Translation | 0x0409 0x04b0 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
Target ID: | 0 |
Start time: | 15:42:42 |
Start date: | 02/02/2022 |
Path: | C:\Windows\System32\loaddll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x140000 |
File size: | 116736 bytes |
MD5 hash: | 7DEB5DB86C0AC789123DEC286286B938 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 1 |
Start time: | 15:42:42 |
Start date: | 02/02/2022 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x2a0000 |
File size: | 232960 bytes |
MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 2 |
Start time: | 15:42:42 |
Start date: | 02/02/2022 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1250000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | high |
Target ID: | 6 |
Start time: | 15:42:45 |
Start date: | 02/02/2022 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x11a0000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Execution Graph
Execution Coverage: | 3.3% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 20% |
Total number of Nodes: | 978 |
Total number of Limit Nodes: | 25 |
Graph
Function 011A107E Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 228memoryCOMMON
Control-flow Graph
C-Code - Quality: 42% |
|
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 6F283628 Relevance: 1.5, APIs: 1, Instructions: 43memoryCOMMON
Control-flow Graph
C-Code - Quality: 29% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011A193D Relevance: 1.4, APIs: 1, Instructions: 100memoryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
C-Code - Quality: 31% |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
C-Code - Quality: 84% |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
C-Code - Quality: 93% |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 6F280730 Relevance: .6, Instructions: 650COMMONCrypto
C-Code - Quality: 78% |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 6F28143C Relevance: .6, Instructions: 572COMMONCrypto
C-Code - Quality: 90% |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 6F276D0C Relevance: .0, Instructions: 36COMMON
C-Code - Quality: 100% |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |