Windows Analysis Report
ijexogdf64.dll

Overview

General Information

Sample Name: ijexogdf64.dll
Analysis ID: 682774
MD5: d243c07128ee42bccef33bda67ec61d9
SHA1: 5089dd76080329877c488325bc8ef8f736d1d1e4
SHA256: d45c78fa400b32c11443061dcd1c286d971881ddf35a47143e4d426a3ec6bffd
Tags: Bokbot, DLL, exe, IcedID

Detection

IcedID
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Yara detected IcedID
C2 URLs / IPs found in malware configuration
PE file does not import any functions
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: ijexogdf64.dll Virustotal: Detection: 11%
Source: klareqvino.com Avira URL Cloud: Label: malware
Source: peranistaer.top Virustotal: Detection: 15%
Source: klareqvino.com Virustotal: Detection: 12%
Source: gruvihabralo.nl Virustotal: Detection: 14%
Source: Yara match File source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.1f73e088708.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.286218758.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.286266026.000001F73E077000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: 00000003.00000002.286266026.000001F73E077000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: IcedID {"url_path": "/news/", "C2 url": ["peranistaer.top", "gruvihabralo.nl", "klareqvino.com", "ultomductingbig.pro"], "Campaign ID": 1573268852}
Source: ijexogdf64.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Networking

Source: Malware configuration extractor URLs: peranistaer.top
Source: Malware configuration extractor URLs: gruvihabralo.nl
Source: Malware configuration extractor URLs: klareqvino.com
Source: Malware configuration extractor URLs: ultomductingbig.pro

E-Banking Fraud

Source: Yara match File source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.1f73e088708.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.286218758.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.286266026.000001F73E077000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_IcedID_91562d18 Author: unknown
Source: 3.2.rundll32.exe.1f73e088708.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_IcedID_91562d18 Author: unknown
Source: 00000003.00000002.286218758.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_IcedID_91562d18 Author: unknown
Source: 00000003.00000002.286266026.000001F73E077000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_IcedID_91562d18 Author: unknown
Source: ijexogdf64.dll Static PE information: No import functions for PE file found
Source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09
Source: 3.2.rundll32.exe.1f73e088708.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09
Source: 00000003.00000002.286218758.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09
Source: 00000003.00000002.286266026.000001F73E077000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FFC66E06111 NtCreateSection,NtMapViewOfSection, 3_2_00007FFC66E06111
Source: ijexogdf64.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ijexogdf64.dll,JdXfbK
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\ijexogdf64.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",#1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ijexogdf64.dll,MDlQdmktXg
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ijexogdf64.dll,VejwwBbES
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",JdXfbK
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",MDlQdmktXg
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",VejwwBbES
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",XeZsfh
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",YqufWwLNu
Source: classification engine Classification label: mal84.troj.winDLL@21/0@0/0
Source: ijexogdf64.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FFC66E03B20 push r13; ret 3_2_00007FFC66E03BA2
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FFC66E012F6 push r10; ret 3_2_00007FFC66E01301
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800014A0 LoadLibraryA,GetProcAddress,GetLastError, 3_2_00000001800014A0
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll64.exe TID: 1748 Thread sleep time: -120000s >= -30000s
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll64.exe Thread delayed: delay time: 120000
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180001044 GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,lstrcpyA,lstrcpyA, 3_2_0000000180001044
Source: C:\Windows\System32\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.1f73e088708.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.286218758.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.286266026.000001F73E077000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.1f73e088708.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.286218758.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.286266026.000001F73E077000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
No contacted IP infos