Windows Analysis Report
nvbbzu.xml

Overview

General Information

Sample Name: nvbbzu.xml (renamed file extension from xml to dll)
Analysis ID: 674157
MD5: 60aafd76fbfa15db34a0b2f93df5eea9
SHA1: a968c42da887544c4f46aa9924914022be44a40a
SHA256: 46aa7de354f23ab96c0c4bf31a8ef06e6c2cf257dadce53d0a7f6e7d49a1fb6a

Detection

Dridex Dropper
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Dridex dropper found
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Machine Learning detection for sample
Uses 32bit PE files
Contains functionality to call native functions
Sample file is different than original file name gathered from version info
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Creates a process in suspended mode (likely to inject code)
Checks if the current process is being debugged
PE file contains sections with non-standard names
Detected potential crypto function

Classification

AV Detection

Source: nvbbzu.dll Virustotal: Detection: 48%
Source: nvbbzu.dll Metadefender: Detection: 28%
Source: nvbbzu.dll Joe Sandbox ML: detected
Source: nvbbzu.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: Binary string: xP+=_.pdbd? source: nvbbzu.dll
Source: Binary string: xP+=_.pdb source: nvbbzu.dll

E-Banking Fraud

Source: Initial file Signature Results: Dridex dropper behavior
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00931000 NtCreateThreadEx, 1_2_00931000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04A41000 NtCreateThreadEx, 4_2_04A41000
Source: nvbbzu.dll Binary or memory string: OriginalFilenameciide4.dll( vs nvbbzu.dll
Source: nvbbzu.dll Static PE information: Section: .CRT0 ZLIB complexity 0.9951186852952454
Source: nvbbzu.dll Static PE information: Section: .crt1 ZLIB complexity 0.9950722536426381
Source: nvbbzu.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine Classification label: mal64.bank.evad.winDLL@5/0@0/0
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nvbbzu.dll",#1
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\nvbbzu.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nvbbzu.dll",#1
Source: nvbbzu.dll Static file information: File size 1511424 > 1048576
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_008641F4 push esi; mov dword ptr [esp], ecx 1_2_008641F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_049741F4 push esi; mov dword ptr [esp], ecx 4_2_049741F6
Source: nvbbzu.dll Static PE information: section name: .CRT0
Source: nvbbzu.dll Static PE information: section name: .crt1
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\loaddll32.exe Section loaded: \KnownDlls32\testapp.exe
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: \KnownDlls32\testapp.exe
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
No contacted IP infos