Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
QUclYxO7PA.dll

Overview

General Information

Sample Name:QUclYxO7PA.dll
Analysis ID:591183
MD5:d1230ae077174b20767cc5375b13d25f
SHA1:52245cee97892bf43f0f63265c206008482b61d5
SHA256:490bcee7c0b9607d834fd8b3e5d01613d062fcf48be043e6f5f60c5077b55e3c
Infos:

Detection

CryptOne Matanbuchus
Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Yara detected Matanbuchus
Multi AV Scanner detection for submitted file
Yara detected CryptOne packer
Antivirus / Scanner detection for submitted sample
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Uses 32bit PE files
Yara signature match
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Uses the system / local time for branch decision (may execute only at specific dates)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
May check if the current machine is a sandbox (GetTickCount - Sleep)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 4816 cmdline: loaddll32.exe "C:\Users\user\Desktop\QUclYxO7PA.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 6356 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\QUclYxO7PA.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5892 cmdline: rundll32.exe "C:\Users\user\Desktop\QUclYxO7PA.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • WerFault.exe (PID: 2088 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5892 -s 720 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Matanbuchus

{"C2 list": ["https://belialw869367.at/f5126584-3f68-4e0c-868a-dcb2455f8146/Y2xpbnRvbjQ1.xml", "https://belialr878539.at/b0868b6b-7f2c-4ac6-ba54-ba9b13744d17/clinton45.xml", "https://beliale232634.at/b0868b6b-7f2c-4ac6-ba54-ba9b13744d17/clinton45.xml", "https://belialp632298.at/b0868b6b-7f2c-4ac6-ba54-ba9b13744d17/clinton45.xml", "https://belialq449663.at/f5126584-3f68-4e0c-868a-dcb2455f8146/Y2xpbnRvbjQ1.xml"]}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000004.00000000.364773490.0000000001070000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_CryptYara detected CryptOne packerJoe Security
    00000004.00000000.364059244.0000000001070000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_CryptYara detected CryptOne packerJoe Security
      00000001.00000002.435533780.0000000002780000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_MatanbuchusYara detected MatanbuchusJoe Security
        00000004.00000000.364094356.00000000010B0000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_MatanbuchusYara detected MatanbuchusJoe Security
          00000001.00000002.435793901.00000000027A0000.00000040.00001000.00020000.00000000.sdmpSUSP_XORed_URL_in_EXEDetects an XORed URL in an executableFlorian Roth
          • 0x1b494:$s2: #??;8qdd
          • 0x1b524:$s2: \x1D\x01\x01\x05\x06OZZ
          • 0x1b654:$s2: wkkol%00
          • 0x1b6d4:$s2: 1--)*cvv
          • 0x1b7a4:$s2: vjjnm$11
          Click to see the 11 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          4.2.rundll32.exe.10d0000.3.raw.unpackSUSP_XORed_URL_in_EXEDetects an XORed URL in an executableFlorian Roth
          • 0x1b494:$s2: #??;8qdd
          • 0x1b524:$s2: \x1D\x01\x01\x05\x06OZZ
          • 0x1b654:$s2: wkkol%00
          • 0x1b6d4:$s2: 1--)*cvv
          • 0x1b7a4:$s2: vjjnm$11
          4.2.rundll32.exe.10d0000.3.raw.unpackJoeSecurity_MatanbuchusYara detected MatanbuchusJoe Security
            1.2.loaddll32.exe.27a0000.2.raw.unpackSUSP_XORed_URL_in_EXEDetects an XORed URL in an executableFlorian Roth
            • 0x1b494:$s2: #??;8qdd
            • 0x1b524:$s2: \x1D\x01\x01\x05\x06OZZ
            • 0x1b654:$s2: wkkol%00
            • 0x1b6d4:$s2: 1--)*cvv
            • 0x1b7a4:$s2: vjjnm$11
            1.2.loaddll32.exe.27a0000.2.raw.unpackJoeSecurity_MatanbuchusYara detected MatanbuchusJoe Security
              4.2.rundll32.exe.1070184.1.raw.unpackJoeSecurity_MatanbuchusYara detected MatanbuchusJoe Security
                Click to see the 15 entries

                Sigma Signatures

                System Summary

                barindex
                Sigma detected: Suspicious Call by Ordinal
                Source: Process startedAuthor: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\QUclYxO7PA.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\QUclYxO7PA.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\QUclYxO7PA.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6356, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\QUclYxO7PA.dll",#1, ProcessId: 5892

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Found malware configuration
                Source: 4.0.rundll32.exe.10d0000.7.raw.unpackMalware Configuration Extractor: Matanbuchus {"C2 list": ["https://belialw869367.at/f5126584-3f68-4e0c-868a-dcb2455f8146/Y2xpbnRvbjQ1.xml", "https://belialr878539.at/b0868b6b-7f2c-4ac6-ba54-ba9b13744d17/clinton45.xml", "https://beliale232634.at/b0868b6b-7f2c-4ac6-ba54-ba9b13744d17/clinton45.xml", "https://belialp632298.at/b0868b6b-7f2c-4ac6-ba54-ba9b13744d17/clinton45.xml", "https://belialq449663.at/f5126584-3f68-4e0c-868a-dcb2455f8146/Y2xpbnRvbjQ1.xml"]}
                Multi AV Scanner detection for submitted file
                Source: QUclYxO7PA.dllVirustotal: Detection: 64%Perma Link
                Source: QUclYxO7PA.dllMetadefender: Detection: 41%Perma Link
                Source: QUclYxO7PA.dllReversingLabs: Detection: 82%
                Antivirus / Scanner detection for submitted sample
                Source: QUclYxO7PA.dllAvira: detected
                Source: QUclYxO7PA.dllStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
                Source: QUclYxO7PA.dllStatic PE information: certificate valid
                Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_027AD51A FindFirstFileExW,1_2_027AD51A
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00885408 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcp