flash

yytr.dll

Status: finished
Submission Time: 09.02.2021 11:52:17
Malicious
E-Banking Trojan
Trojan
Spyware
Evader
Ursnif

Comments

Tags

Details

  • Analysis ID:
    350433
  • API (Web) ID:
    602832
  • Analysis Started:
    09.02.2021 11:52:18
  • Analysis Finished:
    09.02.2021 12:06:58
  • MD5:
    ba2befa9c70c2b6d779c48a59cece3e5
  • SHA1:
    4c855f80076e357d35c7d60cd52d2c49abefc5ff
  • SHA256:
    9c51cbe4681facc34623aeca27a18dbaa6db1337990a0e003b7c9babeb06c1eb
  • Technologies:
Full Report Management Report IOC Report Engine Info Verdict Score Reports

malicious
New

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

malicious
100/100

malicious
29/66

malicious
11/28

IPs

IP Country Detection
45.67.231.135
Moldova Republic of
104.16.249.249
United States
80.208.230.180
Lithuania

Domains

Name IP Detection
eorctconthoelrrpentshfex.com
45.67.231.135
1.0.0.127.in-addr.arpa
0.0.0.0
assets.onestore.ms
0.0.0.0
Click to see the 5 hidden entries
8.8.8.8.in-addr.arpa
0.0.0.0
pronpepsipirpyamvioerd.com
80.208.230.180
mozilla.cloudflare-dns.com
104.16.249.249
resolver1.opendns.com
208.67.222.222
ajax.aspnetcdn.com
0.0.0.0

URLs

Name Detection
http://nuget.org/NuGet.exe
http://pronpepsipirpyamvioerd.com/manifest/NYuAqVunzg8xaQkjvT46w/1VWG9VjwQgEgBMZm/Edmv_2B8LPKApUf/y1_2FkkZHFAdOsdYZs/d_2Fil_2B/2sLNxYxtzdQxXGXvTOBx/XjwkkSX2ErFOwgwZnhQ/X4rzMPZ_2BQqzPEaol9dkp/NXUXbdRpfvyEv/malx3f_2/F5Dcl9KMBZOba09lPIsxEXU/75awVY4snO/mAGP3ya11/S.snx
http://constitution.org/usdeclar.txt
Click to see the 15 hidden entries
http://pesterbdd.com/images/Pester.png
http://pronpepsipirpyamvioerd.com/manifest/0Ru5_2BN/vJgRf6V8sbRC064gj9umjfq/qGksViZKyK/CLTbbr_2Frwl7IIUm/2WgRCjkUmuV8/iqgLjW1thwy/gJZQmwxnV_2BDM/Wr8pQO7reeN1b6Kt1HCeS/XjNtvAuY9ME_2BeN/LgpsYgJYXFXyrGm/d7KSfhzGcV8NWQ7ppv/9EulZOHC5/KtUCLTDeST800go2ZMVb/VjoLNr.snx
http://crl.microsoft
http://www.apache.org/licenses/LICENSE-2.0.html
http://pronpepsipirpyamvioerd.com/manifest/B6BYv9zhM9/Ha3CHkPLo3mXozKfC/o_2FE8j69Cu2/vMtBWo7v_2B/K717OxVgHzGizO/XIuLXZu8qkAN2wMJkptv8/1QwAgfct_2FjngCz/DuCEjb4kUB5NNhB/qR0_2FpSaJDi7blpKM/fBK5rghxV/R_2BqBsae2XxsQIQFD_2/FNGXxVdkHEUOrk_2FKw/pFfmknmoACymtAa0UoGCEX/7h.snx
https://contoso.com/
https://nuget.org/nuget.exe
http://constitution.org/usdeclar.txtC:
https://contoso.com/License
https://contoso.com/Icon
http://https://file://USER.ID%lu.exe/upd
http://pronpepsipirpyamvioerd.com/favicon.ico
http://crl.micr
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
https://github.com/Pester/Pester

Dropped files

Name File Type Hashes Detection
C:\Users\user\AppData\Local\Temp\maejgtwh\maejgtwh.0.cs
UTF-8 Unicode (with BOM) text
#
C:\Users\user\AppData\Local\Temp\qxfma03s\qxfma03s.cmdline
UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
#
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_db99bffafeba5bc19edb8917aba4cdaba066d_82810a17_13ca7fe1\Report.wer
Little-endian UTF-16 Unicode text, with CRLF line terminators
#
Click to see the 65 hidden entries
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6B01.tmp.dmp
Mini DuMP crash report, 14 streams, Tue Feb 9 10:53:08 2021, 0x1205a4 type
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WER70DE.tmp.WERInternalMetadata.xml
XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7276.tmp.xml
XML 1.0 document, ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0A3DC979-6AC5-11EB-90EB-ECF4BBEA1588}.dat
Microsoft Word Document
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{25073A9B-6AC5-11EB-90EB-ECF4BBEA1588}.dat
Microsoft Word Document
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{27115B58-6AC5-11EB-90EB-ECF4BBEA1588}.dat
Microsoft Word Document
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0A3DC97B-6AC5-11EB-90EB-ECF4BBEA1588}.dat
Microsoft Word Document
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{25073A9D-6AC5-11EB-90EB-ECF4BBEA1588}.dat
Microsoft Word Document
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{27115B5A-6AC5-11EB-90EB-ECF4BBEA1588}.dat
Microsoft Word Document
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{27115B5C-6AC5-11EB-90EB-ECF4BBEA1588}.dat
Microsoft Word Document
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\gee00pr\imagestore.dat
data
#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\7h[1].htm
ASCII text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\S[1].htm
ASCII text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\jquery-1.9.1.min[1].js
ASCII text, with very long lines
#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\mwfmdl2-v3.54[1].woff
Web Open Font Format, TrueType, length 26288, version 0.0
#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\17-f90ef1[1].js
ASCII text, with very long lines
#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\mwf-west-european-default.min[1].css
UTF-8 Unicode text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\override[1].css
ASCII text, with very long lines, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\RE1Mu3b[1].png
PNG image data, 216 x 46, 8-bit/color RGBA, non-interlaced
#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\VjoLNr[1].htm
ASCII text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\favicon[1].ico
MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\wcp-consent[1].js
UTF-8 Unicode text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\54-41a2a0[1].css
UTF-8 Unicode text, with very long lines
#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\MWFMDL2[1].ttf
TrueType Font data, 15 tables, 1st "OS/2", 37 names, Microsoft, language 0x403, type 2 string, Normaloby
#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\MWFMDL2[1].woff
Web Open Font Format, TrueType, length 11480, version 0.0
#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\deprecated.cookie
ASCII text, with no line terminators
#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
data
#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
data
#
C:\Users\user\AppData\Local\Temp\6422.bin
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\8CE6.bin
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\B885.bin
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\BB09.bin
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\JavaDeployReg.log
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\RESCC08.tmp
data
#
C:\Users\user\AppData\Local\Temp\RESDFCF.tmp
data
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_15kq1a0i.mt1.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1cwaabyi.1x4.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\maejgtwh\CSC5E7D34BFE3B047248BD36616B57FD91.TMP
MSVC .res
#
C:\Users\user\AppData\Local\Temp\maejgtwh\maejgtwh.cmdline
UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Temp\maejgtwh\maejgtwh.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Local\Temp\maejgtwh\maejgtwh.out
ASCII text, with CRLF, CR line terminators
#
C:\Users\user\AppData\Local\Temp\qxfma03s\CSC9A61D8937933426B894F97C05C536C75.TMP
MSVC .res
#
C:\Users\user\AppData\Local\Temp\qxfma03s\qxfma03s.0.cs
UTF-8 Unicode (with BOM) text
#
C:\Users\user\AppData\Local\Temp\qxfma03s\qxfma03s.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Local\Temp\qxfma03s\qxfma03s.out
ASCII text, with CRLF, CR line terminators
#
C:\Users\user\AppData\Local\Temp\~DF278173DF210C3232.TMP
data
#
C:\Users\user\AppData\Local\Temp\~DF2BE453F2FFB3DF0D.TMP
data
#
C:\Users\user\AppData\Local\Temp\~DF2D3E39DD72D69D45.TMP
data
#
C:\Users\user\AppData\Local\Temp\~DF5BDE8D116B855265.TMP
data
#
C:\Users\user\AppData\Local\Temp\~DF9C0FE75732B658AC.TMP
data
#
C:\Users\user\AppData\Local\Temp\~DFA80715CFB9C59485.TMP
data
#
C:\Users\user\AppData\Local\Temp\~DFE15395D1BA8278C0.TMP
data
#
C:\Users\user\AppData\Roaming\Microsoft\{89416E59-54DD-A3A8-A6CD-C8873A517CAB}
HTML document, UTF-8 Unicode text, with CRLF line terminators
#
C:\Users\user\AppData\Roaming\Microsoft\{8B1244C5-6E46-F55A-D0EF-82F90493D63D}\cookie.cr\Cookies.cr
SQLite 3.x database, last written using SQLite version 3032001
#
C:\Users\user\AppData\Roaming\Microsoft\{8B1244C5-6E46-F55A-D0EF-82F90493D63D}\cookie.ie\deprecated.cookie.ie
ASCII text, with no line terminators
#
C:\Users\user\Documents\20210209\PowerShell_transcript.618321.ulkUtsN9.20210209115429.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
#