c36.dll

Status: finished
Submission Time: 09.07.2021 15:22:18
Malicious
Trojan
Ursnif

Tags

  • dll
  • gozi

Details

  • Analysis ID:
    446420
  • API (Web) ID:
    814009
  • Analysis Started:
    09.07.2021 15:22:18
  • Analysis Finished:
    09.07.2021 15:43:57
  • MD5:
    c36ab737db2b6d11fb1f443f8117a7fa
  • SHA1:
    e6fab2798dd6088aa3527a01ae1b3f2415cf40cf
  • SHA256:
    181fe6714ebaff8c1855e8e1dbac545ffd160df0ec96ddf920c5155916b7111b

  • System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Verdict: malicious, score 72/100
  • System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Run Condition: Run with higher sleep bypass
    Verdict: malicious, score 84/100
  • Verdict: malicious, 5/67

IPs

IP Country Detection

Domains

Name IP Detection

URLs

Name Detection

Dropped files

Name File Type Hashes Detection