Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
5iiXyNVCQ3

Overview

General Information

Sample Name:5iiXyNVCQ3 (renamed file extension from none to dll)
Analysis ID:736960
MD5:73c06c75bd9aa0a194b0dc73ab38cac5
SHA1:7604d4be31e6c017e3bd9a1e5590a81a7aafb40f
SHA256:fde687287ef8cd7e6a6ce655355eaca2fba25fd6c22cc1e4040281f73205ba90
Infos:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Writes to foreign memory regions
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Contains functionality to inject code into remote processes
Machine Learning detection for dropped file
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
Drops PE files
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Potential key logger detected (key state polling based)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 3144 cmdline: loaddll32.exe "C:\Users\user\Desktop\5iiXyNVCQ3.dll" MD5: 1F562FBF37040EC6C43C8D5EF619EA39)
    • conhost.exe (PID: 676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 400 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5iiXyNVCQ3.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5996 cmdline: rundll32.exe "C:\Users\user\Desktop\5iiXyNVCQ3.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • svchost.exe (PID: 5972 cmdline: C:\WINDOWS\system32\svchost.exe -K NetworkService MD5: FA6C268A5B5BDA067A901764D203D433)
    • rundll32.exe (PID: 964 cmdline: rundll32.exe C:\Users\user\Desktop\5iiXyNVCQ3.dll,unll MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • svchost.exe (PID: 5020 cmdline: C:\WINDOWS\system32\svchost.exe -K NetworkService MD5: FA6C268A5B5BDA067A901764D203D433)
      • WerFault.exe (PID: 1372 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 844 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • svchost.exe (PID: 3832 cmdline: C:\WINDOWS\system32\svchost.exe -K NetworkService MD5: FA6C268A5B5BDA067A901764D203D433)
    • WerFault.exe (PID: 5288 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 616 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Unpacked PEs

SourceRuleDescriptionAuthorStrings
3.0.rundll32.exe.475e2dd.4.unpackMALWARE_Win_BlackMoonDetects executables using BlackMoon RunTimeditekSHen
  • 0x5bd3b:$s1: blackmoon
  • 0x5bd7b:$s2: BlackMoon RunTime Error:
4.2.rundll32.exe.1000e2dd.1.unpackMALWARE_Win_BlackMoonDetects executables using BlackMoon RunTimeditekSHen
  • 0x5bd3b:$s1: blackmoon
  • 0x5bd7b:$s2: BlackMoon RunTime Error:
0.3.loaddll32.exe.280e2dd.0.unpackMALWARE_Win_BlackMoonDetects executables using BlackMoon RunTimeditekSHen
  • 0x5bd3b:$s1: blackmoon
  • 0x5bd7b:$s2: BlackMoon RunTime Error:
0.0.loaddll32.exe.1000e2dd.2.unpackMALWARE_Win_BlackMoonDetects executables using BlackMoon RunTimeditekSHen
  • 0x5bd3b:$s1: blackmoon
  • 0x5bd7b:$s2: BlackMoon RunTime Error:
0.2.loaddll32.exe.280e2dd.1.unpackMALWARE_Win_BlackMoonDetects executables using BlackMoon RunTimeditekSHen
  • 0x5bd3b:$s1: blackmoon
  • 0x5bd7b:$s2: BlackMoon RunTime Error:
Click to see the 12 entries

Sigma Signatures

No Sigma rule has matched

Snort Signatures

Timestamp:192.168.2.48.8.8.856572532023883 11/03/22-12:35:13.698250
SID:2023883
Source Port:56572
Destination Port:53
Protocol:UDP
Classtype:Potentially Bad Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: 5iiXyNVCQ3.dllVirustotal: Detection: 92%Perma Link
Source: 5iiXyNVCQ3.dllReversingLabs: Detection: 95%
Source: 5iiXyNVCQ3.dllMetadefender: Detection: 80%Perma Link
Antivirus / Scanner detection for submitted sample
Source: 5iiXyNVCQ3.dllAvira: detected
Multi AV Scanner detection for domain / URL
Source: 52eva.topVirustotal: Detection: 6%Perma Link
Antivirus detection for dropped file
Source: C:\Program Files\WinRAP\RarExt32.dllAvira: detection malicious, Label: HEUR/AGEN.1238485
Multi AV Scanner detection for dropped file
Source: C:\Program Files\WinRAP\RarExt32.dllReversingLabs: Detection: 95%
Source: C:\Program Files\WinRAP\RarExt32.dllVirustotal: Detection: 92%Perma Link
Source: C:\Program Files\WinRAP\RarExt32.dllMetadefender: Detection: 80%Perma Link
Machine Learning detection for sample
Source: 5iiXyNVCQ3.dllJoe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Program Files\WinRAP\RarExt32.dllJoe Sandbox ML: detected
Source: 0.0.loaddll32.exe.bd4498.0.unpackAvira: Label: TR/Crypt.NSPM.Gen
Source: 0.0.loaddll32.exe.280e2dd.4.unpackAvira: Label: TR/Crypt.NSPM.Gen
Source: 3.0.rundll32.exe.1000e2dd.2.unpackAvira: Label: TR/Crypt.NSPM.Gen
Source: 3.0.rundll32.exe.475e2dd.1.unpackAvira: Label: TR/Crypt.NSPM.Gen
Source: 7.3.svchost.exe.e56000.1.unpackAvira: Label: TR/Patched.Ren.Gen
Source: 0.3.loaddll32.exe.280e2dd.0.unpackAvira: Label: TR/Crypt.NSPM.Gen
Source: 0.0.loaddll32.exe.1000e2dd.2.unpackAvira: Label: TR/Crypt.NSPM.Gen
Source: 0.2.loaddll32.exe.280e2dd.1.unpackAvira: Label: TR/Crypt.NSPM.Gen
Source: 3.0.rundll32.exe.475e2dd.4.unpackAvira: Label: TR/Crypt.NSPM.Gen
Source: 4.2.rundll32.exe.1000e2dd.1.unpackAvira: Label: TR/Crypt.NSPM.Gen
Source: 3.2.rundll32.exe.f1fe88.0.unpackAvira: Label: TR/Crypt.NSPM.Gen
Source: 3.2.rundll32.exe.475e2dd.1.unpackAvira: Label: TR/Crypt.NSPM.Gen
Source: 3.3.rundll32.exe.475e2dd.0.unpackAvira: Label: TR/Crypt.NSPM.Gen
Source: 4.3.rundll32.exe.68ffa0.2.unpackAvira: Label: TR/Patched.Ren.Gen
Source: 7.3.svchost.exe.eab008.0.unpackAvira: Label: TR/Crypt.NSPM.Gen
Source: 4.3.rundll32.exe.aee2dd.0.unpackAvira: Label: TR/Crypt.NSPM.Gen
Source: 3.0.rundll32.exe.1000e2dd.5.unpackAvira: Label: TR/Crypt.NSPM.Gen
Source: 3.0.rundll32.exe.f1fe88.3.unpackAvira: Label: TR/Crypt.NSPM.Gen
Source: 0.0.loaddll32.exe.1000e2dd.5.unpackAvira: Label: TR/Crypt.NSPM.Gen
Source: 3.0.rundll32.exe.f1fe88.0.unpackAvira: Label: TR/Crypt.NSPM.Gen
Source: 0.0.loaddll32.exe.bd4498.3.unpackAvira: Label: TR/Crypt.NSPM.Gen
Source: 0.2.loaddll32.exe.1000e2dd.2.unpackAvira: Label: TR/Crypt.NSPM.Gen
Source: 4.2.rundll32.exe.aee2dd.0.unpackAvira: Label: TR/Crypt.NSPM.Gen
Source: 3.2.rundll32.exe.1000e2dd.2.unpackAvira: Label: TR/Crypt.NSPM.Gen
Source: 0.0.loaddll32.exe.280e2dd.1.unpackAvira: Label: TR/Crypt.NSPM.Gen
Source: 4.3.rundll32.exe.68ffa0.1.unpackAvira: Label: TR/Patched.Ren.Gen
Source: 0.2.loaddll32.exe.bd4498.0.unpackAvira: Label: TR/Crypt.NSPM.Gen
Source: 5iiXyNVCQ3.dll