data.dll

Status: finished

Submission Time: 2021-10-07 01:30:08 +02:00

Malicious

E-Banking Trojan

Trojan

Spyware

Evader

Ursnif

Comments

Details

Analysis ID:
498359
API (Web) ID:
865931
Analysis Started:

2021-10-07 01:30:08 +02:00
Analysis Finished:

2021-10-07 01:45:37 +02:00
MD5:
b0165e4e73dad2ac1cb519ea1eab8bd6
SHA1:
4ebb5db088d233d4c85b19b299613a240ce25c95
SHA256:
7ff6558fd39f6d8db53aa0baa3f3a9b1edb02ea2631102b6d85eafaf4bbd702b
Technologies:

Engines
IOCs

Joe Sandbox

Engine	Download Report	Detection	Info
	Full Report Management Report IOC Report	malicious Score: 100	System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

Open Full Report

malicious

Score: 9/89

malicious

IPs

IP	Country	Detection
194.147.86.221	Russian Federation

Domains

Name	IP	Detection
init.icecreambob.com	194.147.86.221
art.microsoftsofymicrosoftsoft.at	194.147.86.221
222.222.67.208.in-addr.arpa	0.0.0.0
Click to see the 2 hidden entries
myip.opendns.com	102.129.143.57
resolver1.opendns.com	208.67.222.222

URLs

Name	Detection
http://init.icecreambob.com/2dRjaoZ5ba/_2B9OCZL2JKsW54Zw/b8_2FudlSzim/FebecF2Mr0l/RLhLAUL9EkrBQ6/jcfZJyjU6XRJEy_2F_2Fw/U4DTV9Ne0aXzpB9J/0iupMlpKOkgE91k/O1eWSmo3SiP86KIi_2/Fb913ObwC/qpNQAlO4bBFCqmydHOLy/nNarqOCZZOFGkIl4hzv/0jh_2Fn5oIgCb_2BiKYiQR/_2BU0c0XcTad1/VVgGQIES/_2B4c60XhwvhKtewqx0YhNF/9_2B9c5LC4/AStWPuhmAHWEYDBRQ/AKTTfZkbsU8X/VSsiQHsgzPR/ZrnjJVXfpIalCe/F_2BaXGFB0UzrQMjtIKjY/vg3Zv3Ys/i
http://init.icecreambob.com/
http://init.icecreambob.com/l
Click to see the 36 hidden entries
http://init.icecreambob.com/FcQup_2BTAzx5PF2I3Tn/YlRrkU5iinU1xuRm5TK/CmVp_2BlzVsGcnrzGccrm7/ksEs9Imm
http://init.icecreambob.com/zx75I3NNGmfLGn8pRj68/5q8NiboB_2FSEFLMm1p/GkM07ifmkRoyAPVxlJaDy3/cXr6SDsbgoHPm/PaJLAxVV/txoYRHBbj9M336C_2FP0F_2/FUuIUTfxn8/_2Fi1Q9Nh_2BYEyGG/g7XOKDVcckgo/6ifLOiy2t7I/1SoBj6Jybx3_2F/lN5De25izDb_2BsQi5Wix/BNFu2ADC3y17pVCQ/oz9_2B52JzEyRR4/O_2FqG0LC5012e1TXc/xR9rFY1G5/iapdd6603NTaeINQSp_2/BwLMzJ7w5SugcYmEG0J/qMt4_2FOPEov9_2Bo1MdfB/1y5TCsV89mnx3/ekW9ulBTE4wo3daXfFHw/KT
http://init.icecreambob.com/zx75I3NNGmfLGn8pRj68/5q8NiboB_2FSEFLMm1p/GkM07ifmkRoyAPVxlJaDy3/cXr6SDsb
http://init.icecreambob.com/og7BnMlwe_2BBL3VbbSex/Z2wNM4qLt9ZGOnrN/9je8jFPaDsbcMzh/J_2BWsBwN0E9DyNOrX/d2qP1bGCk/qJX6O5QV7cikPdeCysOT/SVA8NuODHqgxyywc97o/sy0RL7jVfhXgOS_2F71qSG/2FS97AOq0AZ7i/X9_2BsM8/SJH1OhdjW9LhTsNZM3lXLoj/SkVBjHPOLQ/6GYRgOB9uQP3Kv3KV/fG6AntXu_2Fz/nGnOrkp86kX/RqEbx2FTMLsnk_/2FwjN_2B5_2BN0BKA_2FD/vDq8sU2vs2Ajys3z/1dncEwDhZBm_2B_/2BT0IVCl_2Fi1ROltK/Ns3vDVNy1/kniVonoTwHdN/F4BE_2B
http://art.microsoftsofymicrosoftsoft.at/F8KV2hZoxO/U2sbox634rP29bJ_2/FXULDRGEtFfT/UZYVIFvPXHK/8dhg8UXIv347p9/lAjhFuG3pLkJW9jPts5ig/H4HccXVK4_2Fj3x4/JNX_2FOInLR8Nhr/AvMOGKETT4xKlbvgKV/ywk72W2sF/XRIveNKW0cDr2x9FlGme/9PA3AGNAa4JFJCkP8Ol/kE52dtLr2Gc2GIIsbVvLY7/_2FgegwtK4luv/WlDWKBm_/2BVUH_2FoyHiVnOSkUYW3XN/ZNo_2FlFkO/0PpkXJxUPRqbyltz6/D1_2B17g8RMv/LKZDclZ4G3c/Yy5W17MUWWbx9b/ZWlGh_2BykFLR0SdMWzQw/4cxn7
http://init.icecreambob.com/lbK
http://init.icecreambob.com/WD1GVGFxgZw/vdm2GeJ_2BleeD/xBKgH3gETrFFIsar7DerZ/qXw_2BmqCKfPdDFV/h8dkp6DT7p7lsEb/gtBepZBTsY8u6IZ_2B/slZYk8jOI/KWElWApc2AbPjj3JcqRW/pbQLCPSQWt3ZN3tjPe8/mXL41rn8MBcUk2OkcsuXJx/EoX5HyK9gu6tJ/HdiOJ_2F/vkfbE_2BFoaAHj2fO1r8paT/WkrWga9cjs/R1EobQ_2FVIB2FUG2/gDd0_2B_2Bn1/TZlCNHxakZo/w6E7c784GfHMDV/_2Fz5c89FcKDHFuQdUlIO/O21na4IIxgsQc_2B/zRGRLvdYbxEEQyb/llhWY2ulIai/ojLy
http://init.icecreambob.com/FcQup_2BTAzx5PF2I3Tn/YlRrkU5iinU1xuRm5TK/CmVp_2BlzVsGcnrzGccrm7/ksEs9ImmPr12_/2Bzh4tdV/KDpXfYGpjXykhg2xrNZQnLl/eQWxO9UJs6/yiNSkrLwUALCzuZwZ/kdGCEU3rIU9m/RGyuFMKeogE/z1UGBluOo2rYqx/Sf1vojdcef_2FoAlYSwrS/eWFw3oSweCgrgQTo/R3sh0ZaR7_2BXrU/KBuwJkO2cZWh9s5jos/PpUP1bcud/5c_2B9g4iz3DCS_2B4Cz/pQllr8YcQ_2FVn4H2Us/rP5gQf2cVzgDcEADA7kdUN/KefPCJRSUE50z/YwbIZJdHqw/X0ic
http://www.g5e.com/G5_End_User_License_Supplemental_Terms
http://www.g5e.com/G5_End_User_License_Supplemental_TermsW~
http://constitution.org/usdeclar.txt
https://contoso.com/
https://nuget.org/nuget.exe
https://www.roblox.com/info/privacy
http://ns.adobe.ux
http://www.g5e.com/termsofservice
https://en.help.roblox.com/hc/en-us
http://ns.micro/1
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://ns.adobp/
http://nuget.org/NuGet.exe
http://twitter.com/spotify:
https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure
http://ns.adobe.co/xa
http://pesterbdd.com/images/Pester.png
http://www.apache.org/licenses/LICENSE-2.0.html
https://corp.roblox.com/contact/
https://www.roblox.com/develop
https://github.com/Pester/Pester
http://constitution.org/usdeclar.txtC:
https://contoso.com/License
https://contoso.com/Icon
http://https://file://USER.ID%lu.exe/upd
http://ns.adobe.cmg
https://www.tiktok.com/legal/report/feedback
https://corp.roblox.com/parents/

Dropped files

Name	File Type	Hashes
C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.0.cs	UTF-8 Unicode (with BOM) text	#
C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.out	ASCII text, with CRLF, CR line terminators	#
Click to see the 31 hidden entries
C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.out	ASCII text, with CRLF, CR line terminators	#
C:\Users\user\AppData\Local\Temp\ddwuzigh\CSCFB1F6E3C794C45BDA93B7DDF91AC3ADC.TMP	MSVC .res	#
C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.0.cs	UTF-8 Unicode (with BOM) text	#
C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.0.cs	UTF-8 Unicode (with BOM) text	#
C:\Users\user\AppData\Local\Temp\keehvxm3\CSC58F6D56599B14CCABEBFA477BAE65D74.TMP	MSVC .res	#
C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.out	ASCII text, with CRLF, CR line terminators	#
C:\Users\user\Documents\20211007\PowerShell_transcript.910646.NcA_PxyH.20211007013229.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\Documents\20211007\PowerShell_transcript.910646.uobBzu5J.20211007013230.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
\Device\ConDrv	ASCII text, with CRLF, CR line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	#
C:\Users\user\AppData\Local\Temp\aixojixg\CSC8AF62C77111B490CBA18A772C2BF28D9.TMP	MSVC .res	#
C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.out	ASCII text, with CRLF, CR line terminators	#
C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.0.cs	UTF-8 Unicode (with BOM) text	#
C:\Users\user\AppData\Local\Temp\a52acufz\CSCA20CD7516B4D483281CF5F38543E99A.TMP	MSVC .res	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tg4p345c.j2l.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_psahr3sw.wpu.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hr4en22c.pth.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1khnqhjk.loo.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\RESF652.tmp	data	#
C:\Users\user\AppData\Local\Temp\RESF604.tmp	data	#
C:\Users\user\AppData\Local\Temp\RES47B.tmp	data	#
C:\Users\user\AppData\Local\Temp\RES20A.tmp	data	#
C:\Users\user\AppData\Local\Temp\380E.bi1	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	#

data.dll

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

data.dll Options

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

Search started

data.dll