Source: ijexogdf64.dll | Virustotal: Detection: 7% |
Source: klareqvino.com | Avira URL Cloud: Label: malware |
Source: peranistaer.top | Virustotal: Detection: 15% |
Source: klareqvino.com | Virustotal: Detection: 12% |
Source: gruvihabralo.nl | Virustotal: Detection: 14% |
Source: Yara match | File source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.rundll32.exe.18e2e5897f8.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000003.00000002.244835062.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.244948572.0000018E2E579000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: 00000003.00000002.244948572.0000018E2E579000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: IcedID {"url_path": "/news/", "C2 url": ["peranistaer.top", "gruvihabralo.nl", "klareqvino.com", "ultomductingbig.pro"], "Campaign ID": 1573268852} |
Source: ijexogdf64.dll | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT |
Source: Malware configuration extractor | URLs: peranistaer.top |
Source: Malware configuration extractor | URLs: gruvihabralo.nl |
Source: Malware configuration extractor | URLs: klareqvino.com |
Source: Malware configuration extractor | URLs: ultomductingbig.pro |
Source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_91562d18 Author: unknown |
Source: 3.2.rundll32.exe.18e2e5897f8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_91562d18 Author: unknown |
Source: 00000003.00000002.244835062.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_91562d18 Author: unknown |
Source: 00000003.00000002.244948572.0000018E2E579000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_91562d18 Author: unknown |
Source: ijexogdf64.dll | Static PE information: No import functions for PE file found |
Source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, arch_context = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09 |
Source: 3.2.rundll32.exe.18e2e5897f8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, arch_context = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09 |
Source: 00000003.00000002.244835062.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, arch_context = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09 |
Source: 00000003.00000002.244948572.0000018E2E579000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, arch_context = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09 |
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_00007FFFF0316111 NtCreateSection,NtMapViewOfSection, | 3_2_00007FFFF0316111 |
Source: ijexogdf64.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\ijexogdf64.dll" |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",#1 |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",#1 |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ijexogdf64.dll,JdXfbK |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ijexogdf64.dll,MDlQdmktXg |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ijexogdf64.dll,VejwwBbES |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",JdXfbK |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",MDlQdmktXg |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",VejwwBbES |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",XeZsfh |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",YqufWwLNu |
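The process-creation rows above are exactly the telemetry a detection rule runs over: rundll32 invoked by loaddll64 and by cmd /C, loading a DLL from the user's Desktop by named export or by ordinal #1. The following added example (not part of the sandbox report) parses rows in this report's "Source: … | Field: value" layout, pulls the C2 list and campaign ID out of the config-extractor row, and flags every rundll32 command line, including one wrapped in cmd /C, whose DLL lives in a user-writable path. The report rows are copied from above; the last row (explorer.exe launching rundll32 on shell32.dll) is a constructed benign control that must not be flagged.

```python
"""Triage of the flattened sandbox rows above: extract the IcedID configuration
from the config-extractor row and flag rundll32 launches of a DLL from a
user-writable path. Added example, not tooling from the report."""
import json
import re
from typing import Dict, List, Optional, Tuple

# Rows copied from the report above, plus one constructed benign control row
# (the last one) that loads a system DLL and must not be flagged.
REPORT_ROWS = [
    r'Source: 00000003.00000002.244948572.0000018E2E579000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: IcedID {"url_path": "/news/", "C2 url": ["peranistaer.top", "gruvihabralo.nl", "klareqvino.com", "ultomductingbig.pro"], "Campaign ID": 1573268852}',
    r'Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\ijexogdf64.dll"',
    r'Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",#1',
    r'Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ijexogdf64.dll,JdXfbK',
    r'Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",#1',
    r'Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",XeZsfh',
    r'Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL',  # constructed control
]

# rundll32.exe <dll>,<export | #ordinal>; the DLL path may be quoted (spaces allowed) or bare.
RUNDLL32_RE = re.compile(
    r'rundll32\.exe\s+(?:"(?P<quoted>[^"]+)"|(?P<bare>[^\s,"]+))\s*,\s*(?P<export>#\d+|\w+)',
    re.IGNORECASE,
)
# Directories an unprivileged user can write to; a DLL loaded from here by rundll32 deserves a look.
USER_WRITABLE_RE = re.compile(r'\\Users\\|\\ProgramData\\|\\Temp\\|\\AppData\\', re.IGNORECASE)


def parse_row(row: str) -> Tuple[str, str, str]:
    """Split 'Source: X | Field: value' into (source, field, value)."""
    source_part, _, rest = row.partition(' | ')
    source = source_part.partition(': ')[2].strip()
    field, _, value = rest.partition(': ')
    return source, field.strip(), value.strip()


def extract_config(rows: List[str]) -> Optional[Dict]:
    """Return the JSON object the config extractor attached to the IcedID row, if any."""
    for row in rows:
        _, field, value = parse_row(row)
        if field == 'Malware Configuration Extractor' and value.startswith('IcedID '):
            return json.loads(value[len('IcedID '):])
    return None


def flag_rundll32(rows: List[str]) -> List[Dict[str, str]]:
    """Flag each rundll32 command line (also one nested in cmd /C) loading a DLL from a user-writable path."""
    hits = []
    for row in rows:
        parent, field, value = parse_row(row)
        if field != 'Process created':
            continue
        m = RUNDLL32_RE.search(value)
        if not m:
            continue
        dll = m['quoted'] or m['bare']
        if USER_WRITABLE_RE.search(dll):
            export = m['export']
            hits.append({'parent': parent, 'dll': dll, 'export': export,
                         'entry': 'ordinal' if export.startswith('#') else 'named export'})
    return hits


if __name__ == '__main__':
    cfg = extract_config(REPORT_ROWS)
    print('C2:', cfg['C2 url'], 'path:', cfg['url_path'], 'campaign:', cfg['Campaign ID'])
    for h in flag_rundll32(REPORT_ROWS):
        print(f"{h['parent']} -> rundll32 {h['dll']} via {h['entry']} {h['export']}")
```

The export names (JdXfbK, MDlQdmktXg, VejwwBbES, XeZsfh, YqufWwLNu) are what loaddll64 enumerated from the DLL's export table, so any of them is a plausible real-world entry point; the rule keys on the DLL location rather than on those names.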
Source: classification engine | Classification label: mal84.troj.winDLL@21/0@0/0 |
Source: ijexogdf64.dll | Static PE information: Image base 0x180000000 > 0x60000000 |
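To make the static PE rows concrete, the following added example (not the report's own tooling) builds a minimal PE32+ DLL header that mirrors the fields reported for ijexogdf64.dll, parses it with nothing but the standard library, and emits the same findings: an image base above 0x60000000, the HIGH_ENTROPY_VA, DYNAMIC_BASE and NX_COMPAT characteristics, an empty import directory (the reason the code has to resolve its APIs through LoadLibraryA/GetProcAddress at run time) and a read/execute .text section. The header bytes are constructed for the example and are not taken from the sample.

```python
"""Reproduce the report's static PE rows with a minimal header parser.
Added example: the PE image is constructed to mirror the reported fields,
it is not the sample itself."""
import struct
from typing import Dict, List

DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
SECTION_FLAGS = {0x00000020: "IMAGE_SCN_CNT_CODE", 0x20000000: "IMAGE_SCN_MEM_EXECUTE",
                 0x40000000: "IMAGE_SCN_MEM_READ", 0x80000000: "IMAGE_SCN_MEM_WRITE"}


def build_headers(image_base: int, dll_characteristics: int,
                  import_rva: int = 0, import_size: int = 0) -> bytes:
    """Constructed PE32+ DLL headers with one .text section and no body (hypothetical, not the sample)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                     # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)  # x64, 1 section, DLL
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 14, 0, 0x1000, 0, 0, 0x1000, 0x1000, image_base, 0x1000, 0x200,
                      6, 0, 0, 0, 6, 0, 0, 0x3000, 0x400, 0, 2, dll_characteristics,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 1 * 8, import_rva, import_size)          # directory 1 = imports
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    return dos + coff + opt + bytes(dirs) + text


def parse_pe(data: bytes) -> Dict:
    """Read machine, image base, DllCharacteristics, import directory and section flags."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                                   # PE32+: 8-byte ImageBase, dirs at +112
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        dirs_off = opt + 112
    elif magic == 0x10B:                                 # PE32: 4-byte ImageBase at +28, dirs at +96
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        dirs_off = opt + 96
    else:
        raise ValueError("unknown optional header magic")
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]
    import_rva, import_size = struct.unpack_from("<II", data, dirs_off + 8)
    sections = []
    first_section = opt + opt_size
    for i in range(nsections):
        name, _, _, _, _, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, first_section + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), [n for f, n in SECTION_FLAGS.items() if chars & f]))
    return {"machine": machine, "image_base": image_base,
            "dll_characteristics": [n for f, n in DLL_CHARACTERISTICS.items() if dllchar & f],
            "import_directory": (import_rva, import_size), "sections": sections}


def static_findings(data: bytes) -> List[str]:
    """Emit rows in the shape the report prints under 'Static PE information'."""
    pe = parse_pe(data)
    out = []
    if pe["image_base"] > 0x60000000:
        out.append(f"Image base 0x{pe['image_base']:X} > 0x60000000")
    out.append(", ".join(pe["dll_characteristics"]))
    if pe["import_directory"] == (0, 0):
        # No import table: APIs are located at run time (LoadLibraryA/GetProcAddress).
        out.append("No import functions for PE file found")
    for name, flags in pe["sections"]:
        out.append(f"Section: {name} " + ", ".join(flags))
    return out


if __name__ == "__main__":
    for line in static_findings(build_headers(0x180000000, 0x0160)):
        print(line)
```

An empty import directory on a DLL that nonetheless calls LoadLibraryA, GetProcAddress, NtCreateSection and lstrcpyA (see the code-function rows) is the tell: the import table was deliberately left out so that static tools list no API names.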
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_00007FFFF03112F6 push r10; ret | 3_2_00007FFFF0311301 |
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_00007FFFF0313B20 push r13; ret | 3_2_00007FFFF0313BA2 |
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_00000001800014A0 LoadLibraryA,GetProcAddress,GetLastError, | 3_2_00000001800014A0 |
Source: C:\Windows\System32\rundll32.exe (9 processes) | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\loaddll64.exe TID: 5316 | Thread sleep time: -120000s >= -30000s |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\loaddll64.exe | Thread delayed: delay time: 120000 |
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_0000000180001044 GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,lstrcpyA,lstrcpyA, | 3_2_0000000180001044 |
Source: C:\Windows\System32\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |