Source: ijexogdf64.dll | Virustotal: Detection: 11% |
Source: klareqvino.com | Avira URL Cloud: Label: malware |
Source: peranistaer.top | Virustotal: Detection: 15% |
Source: klareqvino.com | Virustotal: Detection: 12% |
Source: gruvihabralo.nl | Virustotal: Detection: 14% |
Source: Yara match | File source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.rundll32.exe.1f73e088708.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000003.00000002.286218758.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.286266026.000001F73E077000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: 00000003.00000002.286266026.000001F73E077000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: IcedID {"url_path": "/news/", "C2 url": ["peranistaer.top", "gruvihabralo.nl", "klareqvino.com", "ultomductingbig.pro"], "Campaign ID": 1573268852} |
Source: ijexogdf64.dll | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT |
Source: Malware configuration extractor | URLs: peranistaer.top |
Source: Malware configuration extractor | URLs: gruvihabralo.nl |
Source: Malware configuration extractor | URLs: klareqvino.com |
Source: Malware configuration extractor | URLs: ultomductingbig.pro |
Source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_91562d18 Author: unknown |
Source: 3.2.rundll32.exe.1f73e088708.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_91562d18 Author: unknown |
Source: 00000003.00000002.286218758.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_91562d18 Author: unknown |
Source: 00000003.00000002.286266026.000001F73E077000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_91562d18 Author: unknown |
Source: ijexogdf64.dll | Static PE information: No import functions for PE file found |
Source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09 |
Source: 3.2.rundll32.exe.1f73e088708.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09 |
Source: 00000003.00000002.286218758.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09 |
Source: 00000003.00000002.286266026.000001F73E077000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09 |
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_00007FFC66E06111 NtCreateSection,NtMapViewOfSection, |
Source: ijexogdf64.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ijexogdf64.dll,JdXfbK |
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\ijexogdf64.dll" |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",#1 |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",#1 |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ijexogdf64.dll,MDlQdmktXg |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ijexogdf64.dll,VejwwBbES |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",JdXfbK |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",MDlQdmktXg |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",VejwwBbES |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",XeZsfh |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",YqufWwLNu |
Source: classification engine | Classification label: mal84.troj.winDLL@21/0@0/0 |
Source: ijexogdf64.dll | Static PE information: Image base 0x180000000 > 0x60000000 |
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_00007FFC66E03B20 push r13; ret |
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_00007FFC66E012F6 push r10; ret |
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_00000001800014A0 LoadLibraryA,GetProcAddress,GetLastError, |
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\loaddll64.exe TID: 1748 | Thread sleep time: -120000s >= -30000s |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\loaddll64.exe | Thread delayed: delay time: 120000 |
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_0000000180001044 GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,lstrcpyA,lstrcpyA, |
Source: C:\Windows\System32\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |