flash

u8xtCk7fq8.dll

Status: finished
Submission Time: 12.02.2021 09:58:16
Malicious
E-Banking Trojan
Trojan
Evader
Gozi Ursnif

Comments

Tags

  • dll

Details

  • Analysis ID:
    352339
  • API (Web) ID:
    606616
  • Analysis Started:
    12.02.2021 09:58:17
  • Analysis Finished:
    12.02.2021 10:10:13
  • MD5:
    913c77883aa2e28ec98e5cf86d6fc2cb
  • SHA1:
    5a5c60b32770cb4654269a812d07e13767ad7ed6
  • SHA256:
    ae55975bd40147ab3b9a02f1e2e0279f714bce9845d26ace252cd590a42d733d
  • Technologies:
Full Report Management Report IOC Report Engine Info Verdict Score Reports

malicious
New

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

malicious
100/100

malicious
23/69

malicious

IPs

IP Country Detection
35.228.31.40
United States

Domains

Name IP Detection
c56.lepini.at
35.228.31.40
resolver1.opendns.com
208.67.222.222
api3.lepini.at
35.228.31.40
Click to see the 3 hidden entries
go.in100k.at
35.228.31.40
golang.feel500.at
35.228.31.40
api10.laptok.at
35.228.31.40

URLs

Name Detection
http://golang.feel500.at/api1/cQHZbpVEoMes2jDUrR_2F/bktLNyGZ_2BiAtXa/xg4NyCOv1cwnNr2/CgkDzrwWZPupVFo
http://golang.feel500.at/api1/6DXTv_2FudTfVxedDD3UMQ/xS_2FoOKoiAeF/j0VSQAcL/gS9HWeAk0_2F3Z4xgoE9VU8/6izVNWCf_2/BuY7MmzZCc40Rhjlu/B4FbRUu_2FOa/7V0Ff9EtB1A/GAZdoYUkX2pBQy/DpMAjJMM0d1LaayU4tu_2/Fsf5ndznFCuQrj3e/8VhAjUXdrSXwe0n/HOOcG0t_2FpMgIGwve/oERmGT4tA/XmAqCpIkdN_2FImpVylW/FHybdHaObNxlM3otB6A/Y5ae5imM74agsv2hL9KKKN/UaXEdvmu64Qap/TG_2FQ9U/mG6Y2EiFIZCIHUi9iJIG41z/L0LjQmKgxf/OtAgg8QY5/yM8_2B0
http://golang.feel500.at/api1/6DXTv_2FudTfVxedDD3UMQ/xS_2FoOKoiAeF/j0VSQAcL/gS9HWeAk0_2F3Z4xgoE9VU8/
Click to see the 22 hidden entries
http://c56.lepini.at/jvassets/xI/t64.dat
http://golang.feel500.at/favicon.ico
http://golang.feel500.at/api1/cQHZbpVEoMes2jDUrR_2F/bktLNyGZ_2BiAtXa/xg4NyCOv1cwnNr2/CgkDzrwWZPupVFoQNH/s8j31toeM/WHQs0DfRjGaPCW6Sk_2F/P21C2qJ3xd8l4QW1_2F/_2BCijsFomil85BW5tjyOE/vC4SLWVsudj9d/6p03Rh40/Oja1RIlTt_2F7DIg_2BdfV_/2F8i4PYPiF/iz_2FhrCPH_2B_2BQ/XXMADzrcnZWI/Hfv_2Bg59ad/cN7apglT0lQ7sQ/gNChqsZOPXttxVF41ze7_/2BkKWJ0wITm6Vd4A/wCJ1rQ02kuFRKOd/FLdCUCore_2F0Msy7C/S_2BUR4fF/nA78eeAv6Ywkiob/VeCW9pRE
http://nuget.org/NuGet.exe
http://pesterbdd.com/images/Pester.png
http://www.apache.org/licenses/LICENSE-2.0.html
http://api3.lepini.at/api1/bEXxGnisNWK6xtmL7/hzYrMk4fVaqx/ViX9ZT9idqj/PQ9QlS_2Bewcsf/axkcAfr_2BzxGO9WnlqBd/umvUtqC2JD_2FbD6/jRIZuLHLzIoCsIu/th8f7Grv16LoelmZNm/uRoB0I5fl/RyNL47ZLZhHArmxOZnfP/f8ypX_2FMmc9Wn_2Fb7/mm90yk6M3N263p5s7_2FO7/65Wq2SHNyz0Tb/buzgvD7t/7CozDKzLEzGVXehbrpYH8bp/nDYW5twoJN/W5eyx_2BFnpNnvPUb/ZwRm3Bx_2BLc/U7tdViUVaKh/lB3EcM6_2BV2AV/kX7gmeVC/Z2x2FOp
http://go.in100k.at/favicon.ico
http://constitution.org/usdeclar.txtC:
https://contoso.com/License
https://contoso.com/Icon
http://api3.lepini.at/api1/LMJLtOqdu8fp_2BNLOB5YBP/qly_2BfzDH/EAemu37KWi1Sk2xGU/KUNgOk1dCHS6/AgjNesC_2FL/0VRR3489g9d213/hnGFcgoP3NnJY57aNNU7X/g37VutmCLLvxlC3K/uWdTjPXn7_2BhUq/Ng_2FAVek6bgpkb4dt/OleaxmqWa/3cqZOMqKlEvnCHKOagPS/Ml3FT3Cf6J9pNtnQsAy/H2GMz5cmt0xhyUBUDbZV2P/wT6YuW4qyfVDR/pXcknYbm/8zZh_2FbRECix2oRrtcd2ZU/_2B7miWVVc/ZZTomZrPf3ghqQ7Sj/_2FENCrsSLt7/pXfjB
http://https://file://USER.ID%lu.exe/upd
http://api10.laptok.at/favicon.ico
https://github.com/Pester/Pester
http://go.in100k.at/api1/6shKz_2BQVnN/OCP1pP4Tyvc/HZOndob_2FtP7a/idZHTuxKtsPI9_2BbDL_2/BF4JwIYV_2B7TAX4/McJ52rW1_2FgARN/40faJ26v_2FkZz1ElZ/d_2BmWnTR/ElzVYUi1oSGpXwpyCzo4/qnIAV1aIx5Bi1e_2B9P/F_2F3VBYsuFw9rFe9x8MBm/BOzSVExVFj_2F/uL_2BJ_2/BhPryJhLkRIvqsfR1DhX_2B/yer6vsREF4/n6YQE_2F_2FK5FDnd/llvOW2cpbliJ/dWtAimwUgXd/EZllvyGgYHINZb/iZ7az3_2FONnJ152lupGR/GoLcwVw9tDIcG6Ji/6Z9JjQwVkidC5aO/Ark1JBZjGu7c/4Glkh
http://constitution.org/usdeclar.txt
http://api10.laptok.at/api1/qYtT2W6uUWYJe_2BzG0bJ6/f78jap2G9vTVk/IGsP0y4o/fylIZ_2BQ_2FE0eKcgRyOZV/bwC_2FjfVv/DbtDrQABR9ML9yi1I/a0_2FluH0sU4/80C1scx2jQi/Sm75TjK2Hru6lN/LiAEhJ6pLxTSd4lLSPDNE/hnQ63sbU9X_2Fzoj/gMi3emWWJ488JmV/OalYx6aLrHAsj_2FD5/gwLYQsfyc/LLUkPczTLA0_2B21Yg9i/Zuc0lw0nukK632v8MOb/hMd02siaNyV1doJYj48PSY/dhZQ85SXuAqzk/d_2FIgou/B6fGbyYsoLl0lNh77c_2Blt/2Rm26
https://contoso.com/
https://nuget.org/nuget.exe
http://api3.lepini.at/api1/5I7pLP9QNe/N5buyckYCrgoPqvPA/NjC86WmFUumJ/d5ZJk2tc_2B/naCfPReUYVV3Vx/ldXi9UGRyYBJQ_2Fncfms/yLLq_2F_2FAO72XM/I_2BWOGHGpoip8O/L_2FeZA1PRI5XY_2BB/j3rs0r3Qi/LjAFf6GJs2hLttaGlvqk/QXt9zzN9fNRamdHdcye/Eig_2Fsi5CrdV1iAkxdGXk/dY8xK6yf2XhnW/0wyvHV0p/pz8P8_2FIx_2BIgHiQgkzmF/pVcGr3XY_2/F0IzfpDiL0qRGlWkz/h5CX5vmyOkVW/KUlweXnwefm/x2MMNvATag8_2F/nIODL_2BJ417QebINK55v/VFjAtH9us6H/2M
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Dropped files

Name File Type Hashes Detection
C:\Users\user\AppData\Local\Temp\51oepeny\51oepeny.0.cs
UTF-8 Unicode (with BOM) text
#
C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.cmdline
UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1B3B83AA-6D5C-11EB-90E5-ECF4BB2D2496}.dat
Microsoft Word Document
#
Click to see the 57 hidden entries
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{36092B4E-6D5C-11EB-90E5-ECF4BB2D2496}.dat
Microsoft Word Document
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1B3B83AC-6D5C-11EB-90E5-ECF4BB2D2496}.dat
Microsoft Word Document
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{36092B50-6D5C-11EB-90E5-ECF4BB2D2496}.dat
Microsoft Word Document
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{36092B52-6D5C-11EB-90E5-ECF4BB2D2496}.dat
Microsoft Word Document
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{36092B54-6D5C-11EB-90E5-ECF4BB2D2496}.dat
Microsoft Word Document
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{36092B56-6D5C-11EB-90E5-ECF4BB2D2496}.dat
Microsoft Word Document
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{36092B58-6D5C-11EB-90E5-ECF4BB2D2496}.dat
Microsoft Word Document
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\jQf9TsE9[1].htm
ASCII text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\4Glkh[1].htm
ASCII text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\VeCW9pRE[1].htm
ASCII text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\GbYUyI[1].htm
ASCII text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\2Rm26[1].htm
ASCII text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\yM8_2B0[1].htm
ASCII text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
data
#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
data
#
C:\Users\user\AppData\Local\Temp\4puomjgc\4puomjgc.0.cs
UTF-8 Unicode (with BOM) text
#
C:\Users\user\AppData\Local\Temp\4puomjgc\4puomjgc.cmdline
UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Temp\4puomjgc\4puomjgc.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Local\Temp\4puomjgc\4puomjgc.out
ASCII text, with CRLF, CR line terminators
#
C:\Users\user\AppData\Local\Temp\4puomjgc\CSCC6FE28103CDC4CEEBA53F6CD503CAE96.TMP
MSVC .res
#
C:\Users\user\AppData\Local\Temp\51oepeny\51oepeny.cmdline
UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Temp\51oepeny\51oepeny.out
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\JavaDeployReg.log
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\RES3102.tmp
data
#
C:\Users\user\AppData\Local\Temp\RES3577.tmp
data
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0vypiyij.x2o.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_240ytxdc.pjs.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dvhjmosr.kkn.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s1ou22r1.pxt.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\cuuygyc1\CSCC66BFCF5E1994D52B7125888E8D0949B.TMP
MSVC .res
#
C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.0.cs
UTF-8 Unicode (with BOM) text
#
C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.out
ASCII text, with CRLF, CR line terminators
#
C:\Users\user\AppData\Local\Temp\lojdfmf3\CSC1A2D97838D3A497FBCCAE884ABC3AAE9.TMP
MSVC .res
#
C:\Users\user\AppData\Local\Temp\lojdfmf3\lojdfmf3.0.cs
UTF-8 Unicode (with BOM) text
#
C:\Users\user\AppData\Local\Temp\lojdfmf3\lojdfmf3.cmdline
UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Temp\lojdfmf3\lojdfmf3.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Local\Temp\lojdfmf3\lojdfmf3.out
ASCII text, with CRLF, CR line terminators
#
C:\Users\user\AppData\Local\Temp\~DF3C5248E8E1772FD2.TMP
data
#
C:\Users\user\AppData\Local\Temp\~DF495D779FEA4AFC6F.TMP
data
#
C:\Users\user\AppData\Local\Temp\~DF6146159DCCFE94CE.TMP
data
#
C:\Users\user\AppData\Local\Temp\~DF94A0433F3C84B120.TMP
data
#
C:\Users\user\AppData\Local\Temp\~DF9862F95666CE8E46.TMP
data
#
C:\Users\user\AppData\Local\Temp\~DFD55014E88807743E.TMP
data
#
C:\Users\user\AppData\Local\Temp\~DFD9D7AEF5A86C726A.TMP
data
#
C:\Users\user\AppData\Local\Temp\~DFE8DB2A113C1213D8.TMP
data
#
C:\Users\user\Documents\20210212\PowerShell_transcript.783875.Nasw0dJs.20210212100056.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
#
C:\Users\user\Documents\20210212\PowerShell_transcript.783875.jBDxpBMk.20210212100054.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
#