
Windows Analysis Report
478fukupP9.dll

Overview

General Information

Sample Name: 478fukupP9.dll
Analysis ID: 728621
MD5: 800619c7ef9baa08d8b9166afc95ce75
SHA1: e97b1c9da42e67666a46ac930187695d3987d1a5
SHA256: b8490732ccb34fdd76910ee15aa3eced95ef445f2ab287d45181f98f44742df1
Tags: dll, ErbiumStealer

Detection

Erbium Stealer
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Erbium Stealer
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
C2 URLs / IPs found in malware configuration
Creates a DirectInput object (often for capturing keystrokes)
Yara signature match
One or more processes crash
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Contains functionality to detect virtual machines (STR)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Creates a process in suspended mode (likely to inject code)
Contains functionality to detect virtual machines (SIDT)
Contains functionality to detect virtual machines (SGDT)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 2788 cmdline: loaddll32.exe "C:\Users\user\Desktop\478fukupP9.dll" MD5: 1F562FBF37040EC6C43C8D5EF619EA39)
    • conhost.exe (PID: 5016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 2920 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\478fukupP9.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 4908 cmdline: rundll32.exe "C:\Users\user\Desktop\478fukupP9.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • WerFault.exe (PID: 5920 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 640 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
Extracted malware configuration (Erbium Stealer): {"C2 list": ["http://77.73.133.53/cloud/index.php"]}
Yara matches on the sample (Source | Rule | Description | Author, matched strings listed beneath each entry):
478fukupP9.dll | JoeSecurity_ErbiumStealer | Yara detected Erbium Stealer | Joe Security
478fukupP9.dll | INDICATOR_SUSPICIOUS_EXE_Discord_Regex | Detects executables referencing Discord tokens regular expressions | ditekSHen
    • 0x27734b:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}

Yara matches in memory dumps (Source | Rule | Description | Author):
00000003.00000002.254490404.0000000010255000.00000002.00000001.01000000.00000003.sdmp | INDICATOR_SUSPICIOUS_EXE_Discord_Regex | Detects executables referencing Discord tokens regular expressions | ditekSHen
    • 0x2354b:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}
00000000.00000002.241663791.0000000010255000.00000002.00000001.01000000.00000003.sdmp | INDICATOR_SUSPICIOUS_EXE_Discord_Regex | Detects executables referencing Discord tokens regular expressions | ditekSHen
    • 0x2354b:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}
00000003.00000000.242990269.0000000010255000.00000002.00000001.01000000.00000003.sdmp | INDICATOR_SUSPICIOUS_EXE_Discord_Regex | Detects executables referencing Discord tokens regular expressions | ditekSHen
    • 0x2354b:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}
00000003.00000000.244878640.0000000010255000.00000002.00000001.01000000.00000003.sdmp | INDICATOR_SUSPICIOUS_EXE_Discord_Regex | Detects executables referencing Discord tokens regular expressions | ditekSHen
    • 0x2354b:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}
00000003.00000002.254160360.0000000010001000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_ErbiumStealer | Yara detected Erbium Stealer | Joe Security
Yara matches on unpacked PEs (Source | Rule | Description | Author):
3.0.rundll32.exe.10000000.1.unpack | JoeSecurity_ErbiumStealer | Yara detected Erbium Stealer | Joe Security
3.0.rundll32.exe.10000000.1.unpack | INDICATOR_SUSPICIOUS_EXE_Discord_Regex | Detects executables referencing Discord tokens regular expressions | ditekSHen
    • 0x27734b:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}
0.2.loaddll32.exe.10000000.0.unpack | JoeSecurity_ErbiumStealer | Yara detected Erbium Stealer | Joe Security
0.2.loaddll32.exe.10000000.0.unpack | INDICATOR_SUSPICIOUS_EXE_Discord_Regex | Detects executables referencing Discord tokens regular expressions | ditekSHen
    • 0x27734b:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}
3.2.rundll32.exe.10000000.0.unpack | JoeSecurity_ErbiumStealer | Yara detected Erbium Stealer | Joe Security
            No Sigma rule has matched
            No Snort rule has matched


            AV Detection

            Source: http://77.73.133.53/cloud/index.php | Avira URL Cloud: Label: malware
            Source: http://77.73.133.53/cloud/index.php | Virustotal: Detection: 10%
            Source: 0.2.loaddll32.exe.10000000.0.unpack | Malware Configuration Extractor: Erbium Stealer {"C2 list": ["http://77.73.133.53/cloud/index.php"]}
            Source: loaddll32.exe, 00000000.00000002.241663791.0000000010255000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----

            Networking

            Source: Malware configuration extractor | URLs: http://77.73.133.53/cloud/index.php
            Source: loaddll32.exe, 00000000.00000002.241663791.0000000010255000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.244878640.0000000010255000.00000002.00000001.01000000.00000003.sdmp, 478fukupP9.dll | String found in binary or memory: http://www.winimage.com/zLibDll
            Source: loaddll32.exe, 00000000.00000002.241663791.0000000010255000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.244878640.0000000010255000.00000002.00000001.01000000.00000003.sdmp, 478fukupP9.dll | String found in binary or memory: http://www.winimage.com/zLibDll1.2.11.1-motley.z%02d...././///.//../6666666666666666jjjjjjjjjjjjjjjj
            Source: loaddll32.exe, 00000000.00000002.241663791.0000000010255000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.244878640.0000000010255000.00000002.00000001.01000000.00000003.sdmp, 478fukupP9.dll | String found in binary or memory: https://curl.se/docs/alt-svc.html
            Source: loaddll32.exe, 00000000.00000002.241663791.0000000010255000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.244878640.0000000010255000.00000002.00000001.01000000.00000003.sdmp, 478fukupP9.dll | String found in binary or memory: https://curl.se/docs/hsts.html
            Source: loaddll32.exe, 00000000.00000002.241663791.0000000010255000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.244878640.0000000010255000.00000002.00000001.01000000.00000003.sdmp, 478fukupP9.dll | String found in binary or memory: https://curl.se/docs/http-cookies.html
            Source: loaddll32.exe, 00000000.00000002.241205230.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

            System Summary

            Source: 478fukupP9.dll, type: SAMPLE | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
            Source: 3.0.rundll32.exe.10000000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
            Source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
            Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
            Source: 3.0.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
            Source: 00000003.00000002.254490404.0000000010255000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
            Source: 00000000.00000002.241663791.0000000010255000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
            Source: 00000003.00000000.242990269.0000000010255000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
            Source: 00000003.00000000.244878640.0000000010255000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
            Source: Process Memory Space: loaddll32.exe PID: 2788, type: MEMORYSTR | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
            Source: Process Memory Space: rundll32.exe PID: 4908, type: MEMORYSTR | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
            Source: 478fukupP9.dll, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
            Source: 3.0.rundll32.exe.10000000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
            Source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
            Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
            Source: 3.0.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
            Source: 00000003.00000002.254490404.0000000010255000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
            Source: 00000000.00000002.241663791.0000000010255000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
            Source: 00000003.00000000.242990269.0000000010255000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
            Source: 00000003.00000000.244878640.0000000010255000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
            Source: Process Memory Space: loaddll32.exe PID: 2788, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
            Source: Process Memory Space: rundll32.exe PID: 4908, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 640
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_101A9B30
            Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\478fukupP9.dll",#1
            Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\478fukupP9.dll"
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\478fukupP9.dll",#1
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5016:120:WilError_01
            Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4908
            Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER5C69.tmp
            Source: classification engine | Classification label: mal76.troj.winDLL@7/4@0/0
            Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: loaddll32.exe, 00000000.00000002.241663791.0000000010255000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.244878640.0000000010255000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
            Source: loaddll32.exe, 00000000.00000002.241663791.0000000010255000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.244878640.0000000010255000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: 478fukupP9.dll | Static file information: File size 2877955 > 1048576
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_010FAD48 push eax; iretd 3_2_010FAD49
            Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_010FA1C0 str word ptr [eax+010E3C30h] 3_2_010FA1C0
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_010F08C4 sidt fword ptr [ecx+edx*4] 3_2_010F08C4
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_010F08C4 sgdt fword ptr [ecx] 3_2_010F08C4
            Source: C:\Windows\System32\loaddll32.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort

            Stealing of Sensitive Information

            Source: Yara match | File source: 478fukupP9.dll, type: SAMPLE
            Source: Yara match | File source: 3.0.rundll32.exe.10000000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 3.0.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000003.00000002.254160360.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000000.242673427.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000000.243200020.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.241220841.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

            Remote Access Functionality

            Source: Yara match | File source: 478fukupP9.dll, type: SAMPLE
            Source: Yara match | File source: 3.0.rundll32.exe.10000000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 3.0.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000003.00000002.254160360.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000000.242673427.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000000.243200020.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.241220841.0000000010001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

            MITRE ATT&CK Matrix (techniques listed per tactic; a number in parentheses is the count shown in the report for that technique)

            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
            Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows)
            Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
            Privilege Escalation: Process Injection (11); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
            Defense Evasion: Virtualization/Sandbox Evasion (4); Rundll32 (1); Process Injection (11); Obfuscated Files or Information (1)
            Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS
            Discovery: Security Software Discovery (1); Virtualization/Sandbox Evasion (4); System Information Discovery (1); Remote System Discovery (1)
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
            Collection: Input Capture (1); Archive Collected Data (11); Data from Network Shared Drive; Input Capture
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
            Command and Control: Encrypted Channel (1); Application Layer Protocol (1); Steganography; Protocol Impersonation
            Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
            Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
            Impact: Modify System Partition; Device Lockout; Delete Device Data
            Behavior Graph (graph image not included; recoverable information only)
            Behavior Graph ID: 728621. Sample: 478fukupP9.dll. Start date: 23/10/2022. Architecture: WINDOWS. Score: 76.
            Top-level signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 2 other signatures.
            Process chain: loaddll32.exe started cmd.exe and conhost.exe; cmd.exe started rundll32.exe; rundll32.exe started WerFault.exe.
