3a94.dll

Status: finished
Submission Time: 05.07.2021 16:50:18
Classification: Malicious, Trojan, Evader, Ursnif

Tags

  • dll
  • gozi

Details

  • Analysis ID:
    444316
  • API (Web) ID:
    811905
  • Analysis Started:
    05.07.2021 16:50:20
  • Analysis Finished:
    05.07.2021 17:00:12
  • MD5:
    3a943173c6de419b7078e88c20997838
  • SHA1:
    56567824c6b5c62112a74daa7a1a66e2ec0505d3
  • SHA256:
    af98c908f45b6b7893b8cc3121517488c94a93d015af71cd86f8269a971a8836

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

Verdict: malicious, score 100/100

Verdict: malicious, 20/29

IPs

  • 165.232.183.49
    Country: United States

Domains

  • gtr.antoinfer.com
    IP: 165.232.183.49
  • todo.faroin.at
    IP: 165.232.183.49
  • resolver1.opendns.com
    IP: 208.67.222.222

URLs


Dropped files

  • C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{166D0566-DDEC-11EB-90E5-ECF4BB570DC9}.dat
    File type: Microsoft Word Document
  • C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{166D0568-DDEC-11EB-90E5-ECF4BB570DC9}.dat
    File type: Microsoft Word Document
  • C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{166D056A-DDEC-11EB-90E5-ECF4BB570DC9}.dat
    File type: Microsoft Word Document
  • C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1D3BDB90-DDEC-11EB-90E5-ECF4BB570DC9}.dat
    File type: Microsoft Word Document
  • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\0DMy[1].htm
    File type: ASCII text, with very long lines, with no line terminators
  • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\CJ[1].htm
    File type: ASCII text, with very long lines, with no line terminators
  • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\_2BFfob[1].htm
    File type: ASCII text, with very long lines, with no line terminators
  • C:\Users\user\AppData\Local\Temp\JavaDeployReg.log
    File type: ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ip5c0f02.3tk.ps1
    File type: very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vcbiu1ig.42d.psm1
    File type: very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\~DF0F558DCEA216EEDD.TMP
    File type: data
  • C:\Users\user\AppData\Local\Temp\~DF3FF9B029E5192D75.TMP
    File type: data
  • C:\Users\user\AppData\Local\Temp\~DF6EAF3ABE87705E33.TMP
    File type: data
  • C:\Users\user\AppData\Local\Temp\~DFA1E658E0CB2C92C6.TMP
    File type: data
  • C:\Users\user\Documents\20210705\PowerShell_transcript.116938.pbWhvSVs.20210705165307.txt
    File type: UTF-8 Unicode (with BOM) text, with CRLF line terminators