
Windows Analysis Report
knigger.bin

Overview

General Information

Sample Name: knigger.bin (renamed file extension from bin to dll)
Analysis ID: 564921
MD5: f2fdb0f416abda7c5fb8436578f1b6c8
SHA1: cb35382ae44bc43c1372a21b04fc214885a4d8f2
SHA256: 5e5242e1251bfb745e068b413dab59a74afe94850e1b8d02acb607c50ce63fd0

Detection

Dridex
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
AV process strings found (often used to terminate AV products)
Yara signature match
Sample file is different than original file name gathered from version info
One or more processes crash
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Entry point lies outside standard sections

Classification

  • System is w10x64
  • loaddll32.exe (PID: 6348 cmdline: loaddll32.exe "C:\Users\user\Desktop\knigger.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 6340 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\knigger.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6324 cmdline: rundll32.exe "C:\Users\user\Desktop\knigger.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • WerFault.exe (PID: 4680 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6324 -s 700 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
{"Version": 22201, "C2 list": ["144.91.122.100:443", "188.214.241.242:4664", "93.104.209.107:8116", "5.189.190.214:593"], "RC4 keys": ["S9OYlNFUvY5N1RDSpi8BgH6SgS8gPIcU", "rRgzULsP0KBJ7CcLRdZ7mhoBdNxJNQSrQLI3uRuRJVi7lqosB75laFDkwhMJ8LECg1b8sYjJZr"]}
Source; Rule; Description; Author; Strings
Source: 00000002.00000002.370345630.00000000011A0000.00000040.00000800.00020000.00000000.sdmp; Rule: MALWARE_Win_DLLLoader; Description: Detects unknown DLL Loader; Author: ditekSHen; Strings:
  • 0x3063:$s1: LondLibruryA
  • 0x304e:$s2: LdrLoadDll
  • 0x3059:$s3: snxhk.dll
  • 0x30f6:$s4: DisableThreadLibraryCalls
Source: 00000002.00000000.358193713.00000000011A0000.00000040.00000800.00020000.00000000.sdmp; Rule: MALWARE_Win_DLLLoader; Description: Detects unknown DLL Loader; Author: ditekSHen; Strings:
  • 0x3063:$s1: LondLibruryA
  • 0x304e:$s2: LdrLoadDll
  • 0x3059:$s3: snxhk.dll
  • 0x30f6:$s4: DisableThreadLibraryCalls
Source: 00000002.00000002.370546422.000000006F271000.00000020.00000001.01000000.00000003.sdmp; Rule: JoeSecurity_Dridex_1; Description: Yara detected Dridex unpacked file; Author: Joe Security
Source: 00000002.00000000.358345713.000000006F271000.00000020.00000001.01000000.00000003.sdmp; Rule: JoeSecurity_Dridex_1; Description: Yara detected Dridex unpacked file; Author: Joe Security
Source: 00000002.00000000.357246849.00000000011A0000.00000040.00000800.00020000.00000000.sdmp; Rule: MALWARE_Win_DLLLoader; Description: Detects unknown DLL Loader; Author: ditekSHen; Strings:
  • 0x3063:$s1: LondLibruryA
  • 0x304e:$s2: LdrLoadDll
  • 0x3059:$s3: snxhk.dll
  • 0x30f6:$s4: DisableThreadLibraryCalls
Source; Rule; Description; Author; Strings
Source: 2.0.rundll32.exe.32fc63b.4.raw.unpack; Rule: MALWARE_Win_DLLLoader; Description: Detects unknown DLL Loader; Author: ditekSHen; Strings:
  • 0x1a93:$s1: LondLibruryA
  • 0x1a7e:$s2: LdrLoadDll
  • 0x1a89:$s3: snxhk.dll
  • 0x1b26:$s4: DisableThreadLibraryCalls
Source: 2.2.rundll32.exe.11a0000.0.raw.unpack; Rule: MALWARE_Win_DLLLoader; Description: Detects unknown DLL Loader; Author: ditekSHen; Strings:
  • 0x3063:$s1: LondLibruryA
  • 0x304e:$s2: LdrLoadDll
  • 0x3059:$s3: snxhk.dll
  • 0x30f6:$s4: DisableThreadLibraryCalls
Source: 2.2.rundll32.exe.11a0000.0.unpack; Rule: MALWARE_Win_DLLLoader; Description: Detects unknown DLL Loader; Author: ditekSHen; Strings:
  • 0x1a93:$s1: LondLibruryA
  • 0x1a7e:$s2: LdrLoadDll
  • 0x1a89:$s3: snxhk.dll
  • 0x1b26:$s4: DisableThreadLibraryCalls
Source: 2.0.rundll32.exe.32fc63b.1.unpack; Rule: MALWARE_Win_DLLLoader; Description: Detects unknown DLL Loader; Author: ditekSHen; Strings:
  • 0xcf3:$s1: LondLibruryA
  • 0xcde:$s2: LdrLoadDll
  • 0xce9:$s3: snxhk.dll
  • 0xd86:$s4: DisableThreadLibraryCalls
Source: 2.0.rundll32.exe.11a0000.3.raw.unpack; Rule: MALWARE_Win_DLLLoader; Description: Detects unknown DLL Loader; Author: ditekSHen; Strings:
  • 0x3063:$s1: LondLibruryA
  • 0x304e:$s2: LdrLoadDll
  • 0x3059:$s3: snxhk.dll
  • 0x30f6:$s4: DisableThreadLibraryCalls

System Summary

Source: Process started; Author: Florian Roth; Data: Command: rundll32.exe "C:\Users\user\Desktop\knigger.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\knigger.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\knigger.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6340, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\knigger.dll",#1, ProcessId: 6324

AV Detection

Source: knigger.dll; Avira: detected
Source: 2.2.rundll32.exe.6f270000.2.unpack; Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["144.91.122.100:443", "188.214.241.242:4664", "93.104.209.107:8116", "5.189.190.214:593"], "RC4 keys": ["S9OYlNFUvY5N1RDSpi8BgH6SgS8gPIcU", "rRgzULsP0KBJ7CcLRdZ7mhoBdNxJNQSrQLI3uRuRJVi7lqosB75laFDkwhMJ8LECg1b8sYjJZr"]}
Source: knigger.dll; ReversingLabs: Detection: 69%
Source: knigger.dll; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: knigger.dll; Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RFFGTEQ.pdb; source: loaddll32.exe, 00000000.00000002.353161046.000000006F508000.00000002.00000001.01000000.00000003.sdmp, knigger.dll

Networking

Source: Malware configuration extractor; IPs: 144.91.122.100:443
Source: Malware configuration extractor; IPs: 188.214.241.242:4664
Source: Malware configuration extractor; IPs: 93.104.209.107:8116
Source: Malware configuration extractor; IPs: 5.189.190.214:593
Source: Joe Sandbox View; ASN Name: BORECOM-INNOVABorecom-InnovaES
Source: Joe Sandbox View; ASN Name: MNET-ASGermanyDE
Source: Joe Sandbox View; IP Address: 188.214.241.242
Source: Joe Sandbox View; IP Address: 93.104.209.107
Source: Amcache.hve.6.dr; String found in binary or memory: http://upx.sf.net
Source: rundll32.exe, 00000002.00000000.358373179.000000006F28F000.00000002.00000001.01000000.00000003.sdmp; String found in binary or memory: http://www.kazanfirst.ruDVarFileInfo$

E-Banking Fraud