flash

lj3H69Z3Io.dll

Status: finished
Submission Time: 12.07.2021 11:32:03
Malicious
Trojan
Evader
Ursnif

Comments

Tags

  • dll
  • Gozi
  • ISFB
  • Ursnif

Details

  • Analysis ID:
    447090
  • API (Web) ID:
    814680
  • Analysis Started:
    12.07.2021 11:34:57
  • Analysis Finished:
    12.07.2021 12:00:32
  • MD5:
    0bb29556ece1c51c751cb4e7c8752ddc
  • SHA1:
    324cc356a56c68e51f09348e91405001e68e4a08
  • SHA256:
    af1b052362469a67fcd871558b24efa2be44a4b29f88112e5c2d2295a1dc4252
  • Technologies:
Full Report Management Report IOC Report Engine Info Verdict Score Reports

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

malicious
48/100

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run Condition: Run with higher sleep bypass

malicious
96/100

malicious
28/67

malicious
9/29

IPs

IP Country Detection
167.172.38.18
United States

Domains

Name IP Detection
gtr.antoinfer.com
167.172.38.18

URLs

Name Detection
http://gtr.antoinfer.com/favicon.ico
http://gtr.antoinfer.com/M70Tzsw1MNAdF/xfm5A_2F/icgFe0hTlDYi8x1LZCDgadb/p8hAogRvpL/JEjshnYytb_2
http://gtr.antoinfer.com/M70Tzsw1MNAdF/xfm5A_2F/icgFe0hTlDYi8x1LZCDgadb/p8hAogRvpL/JEjshnYytb_2FaVCd/bp1e8aV2PI_2/FY5oP4oo0f6/GeARX2_2FlA_2F/2BhurwBe_2BrsQ1B1bUK7/wilinEmmYIdaZ6lz/71Mw33QzoCtr9s9/ULFilVIFcIxUDJIsEo/crrSiFkaK/6sQSCYti3ETwug18IBlk/b94MQVqQ698rgMibrOo/RMBVkg8AFrK4uT2Dq6pO06/OdceZPFn8QQWz/SARUSfJd/dirYBJB3Uuu4IivFAYs9FmV/Pmcsy6YvBv/Lcgiqf1bUTKnYCeNL/dikDMv66Bty/6H
Click to see the 12 hidden entries
http://gtr.antoinfer.com/M70Tzsw1MNAdF/xfm5A_2F/icgFe0hTlDYi8x1LZCDgadb/p8hAogRvpL/JEjshnYytb_2FaVCd
http://gtr.antoinfer.com/Pl9Eori10/TWROVDxUXG0e5P8cvyge/ZU2BrrTT9UbiVqqjDG4/pcVLHkjQ_2FTIEKMeI9p0c/u
http://gtr.antoinfer.com/4khtvsQ0u/_2Bibxls4V27IXxwFbLo/MVAeZiN_2BcOXrnrV8V/qJdJNxZ6Bgv5NEeycuU5RT/x
http://nuget.org/NuGet.exe
http://pesterbdd.com/images/Pester.png
http://www.apache.org/licenses/LICENSE-2.0.html
https://contoso.com/
https://nuget.org/nuget.exe
https://contoso.com/License
https://contoso.com/Icon
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
https://github.com/Pester/Pester

Dropped files

Name File Type Hashes Detection
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_8e10347d3010a05cec57e2a7338104047e76f62_82810a17_01564e18\Report.wer
Little-endian UTF-16 Unicode text, with CRLF line terminators
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2A24.tmp.dmp
Mini DuMP crash report, 14 streams, Mon Jul 12 18:49:35 2021, 0x1205a4 type
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3457.tmp.WERInternalMetadata.xml
XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
#
Click to see the 16 hidden entries
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3840.tmp.xml
XML 1.0 document, ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{08A52030-E342-11EB-90E4-ECF4BB862DED}.dat
Microsoft Word Document
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{08A52032-E342-11EB-90E4-ECF4BB862DED}.dat
Microsoft Word Document
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{08A52034-E342-11EB-90E4-ECF4BB862DED}.dat
Microsoft Word Document
#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{08A52036-E342-11EB-90E4-ECF4BB862DED}.dat
Microsoft Word Document
#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\6H[1].htm
ASCII text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\a[1].htm
ASCII text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\SgPLk[1].htm
ASCII text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Temp\JavaDeployReg.log
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4pzye43c.itc.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a5sxjpc1.1lo.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\~DF5A692A62F2D75F35.TMP
data
#
C:\Users\user\AppData\Local\Temp\~DF7A8FA428499FD9A8.TMP
data
#
C:\Users\user\AppData\Local\Temp\~DFA4D21E6A958BB9F9.TMP
data
#
C:\Users\user\AppData\Local\Temp\~DFBCEA36BA3DC5EC74.TMP
data
#
C:\Users\user\Documents\20210712\PowerShell_transcript.992547.S0FaV4MQ.20210712115054.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
#