uT9rwkGATJ.dll

Status: finished
Submission Time: 08.10.2021 06:41:11
Malicious
E-Banking Trojan
Trojan
Evader
Ursnif

Comments

Tags

  • dll
  • Gozi
  • ISFB
  • Ursnif

Details

  • Analysis ID: 499264
  • API (Web) ID: 866839
  • Analysis Started: 08.10.2021 06:42:36
  • Analysis Finished: 08.10.2021 07:00:12
  • MD5: 9a453cc31ebfca29d8df565258fbf8ce
  • SHA1: 5eb3be88abb84f63e04c92bc3e35a82a01689971
  • SHA256: eaed947e04ed7659fbba2287e6965b2c0960035aa539b57a9f9e15504a01ca0a
  • Technologies:
System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

Verdict: malicious
Score: 100/100

IPs

| IP | Country |
|---|---|
| 52.97.178.98 | United States |
| 40.97.160.2 | United States |
| 40.101.9.178 | United States |
| 40.97.156.114 | United States |
| 193.29.104.83 | Romania |
| 52.97.151.18 | United States |
| 52.98.208.114 | United States |

Domains

| Name | IP |
|---|---|
| outlook.com | 40.97.156.114 |
| HHN-efz.ms-acdc.office.com | 52.97.151.18 |
| FRA-efz.ms-acdc.office.com | 52.98.208.114 |
| xereunrtol.website | 193.29.104.83 |
| www.outlook.com | 0.0.0.0 |
| zereunrtol.website | 0.0.0.0 |
| outlook.office365.com | 0.0.0.0 |

URLs


Dropped files

| Name | File Type |
|---|---|
| C:\Users\user\AppData\Local\Temp\uio4qdnj.cmdline | UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators |
| C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | data |
| C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | data |
| C:\Users\user\AppData\Local\Temp\CSC494F2C58C9734FA38D9A23FE2A87D91.TMP | MSVC .res |
| C:\Users\user\AppData\Local\Temp\CSCB0814D4E7B5456EB73AE824564C98E9.TMP | MSVC .res |
| C:\Users\user\AppData\Local\Temp\CSCB67CC2333FCC4BD79D679F53D429B77D.TMP | MSVC .res |
| C:\Users\user\AppData\Local\Temp\CSCFBA5379BA96A41E2BDA53EBC60FE73A9.TMP | MSVC .res |
| C:\Users\user\AppData\Local\Temp\RES9EC1.tmp | data |
| C:\Users\user\AppData\Local\Temp\RESB12F.tmp | data |
| C:\Users\user\AppData\Local\Temp\RESB287.tmp | data |
| C:\Users\user\AppData\Local\Temp\RESC95B.tmp | data |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1h2althh.jtq.psm1 | very short file (no magic) |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_31fsqk4c.qy5.psm1 | very short file (no magic) |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5szhzhvw.zcn.ps1 | very short file (no magic) |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uz4s1q2p.5j2.ps1 | very short file (no magic) |
| C:\Users\user\AppData\Local\Temp\ebytp2em.0.cs | UTF-8 Unicode (with BOM) text |
| C:\Users\user\AppData\Local\Temp\ebytp2em.cmdline | UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators |
| C:\Users\user\AppData\Local\Temp\ebytp2em.dll | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows |
| C:\Users\user\AppData\Local\Temp\ebytp2em.out | ASCII text, with CRLF, CR line terminators |
| C:\Users\user\AppData\Local\Temp\hiiw3gsl.0.cs | UTF-8 Unicode (with BOM) text |
| C:\Users\user\AppData\Local\Temp\hiiw3gsl.cmdline | UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators |
| C:\Users\user\AppData\Local\Temp\hiiw3gsl.dll | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows |
| C:\Users\user\AppData\Local\Temp\hiiw3gsl.out | ASCII text, with CRLF, CR line terminators |
| C:\Users\user\AppData\Local\Temp\hjljqxud.0.cs | UTF-8 Unicode (with BOM) text |
| C:\Users\user\AppData\Local\Temp\hjljqxud.cmdline | UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators |
| C:\Users\user\AppData\Local\Temp\hjljqxud.dll | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows |
| C:\Users\user\AppData\Local\Temp\hjljqxud.out | ASCII text, with CRLF, CR line terminators |
| C:\Users\user\AppData\Local\Temp\uio4qdnj.0.cs | UTF-8 Unicode (with BOM) text |
| C:\Users\user\AppData\Local\Temp\uio4qdnj.dll | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows |
| C:\Users\user\AppData\Local\Temp\uio4qdnj.out | ASCII text, with CRLF, CR line terminators |
| C:\Users\user\Documents\20211008\PowerShell_transcript.830021.xU5QnXMG.20211008064622.txt | UTF-8 Unicode (with BOM) text, with CRLF line terminators |
| C:\Users\user\Documents\20211008\PowerShell_transcript.830021.xd8ptVim.20211008064618.txt | UTF-8 Unicode (with BOM) text, with CRLF line terminators |