flash

m87xfb63XU.dll

Status: finished
Submission Time: 12.10.2021 00:16:22
Malicious
Trojan
Evader
Ursnif

Comments

Tags

  • BRT
  • dll
  • geo
  • Gozi
  • ISFB
  • ITA
  • Ursnif

Details

  • Analysis ID:
    500399
  • API (Web) ID:
    867972
  • Analysis Started:
    12.10.2021 00:19:50
  • Analysis Finished:
    12.10.2021 00:46:15
  • MD5:
    5aa733e108f0fa41df88cea0a309affe
  • SHA1:
    ce79918ca7845f2163360ea40a251912998ea226
  • SHA256:
    1be687a0453f23ea53b94a4447c926a9b4b6e01c2788e641b76eb4a5215bd960
  • Technologies:
Full Report Management Report IOC Report Engine Info Verdict Score Reports

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

malicious
88/100

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run Condition: Run with higher sleep bypass

malicious
96/100

malicious
12/66

malicious
10/45

IPs

IP Country Detection
52.97.135.82
United States
40.101.60.226
United States
52.97.223.66
United States
Click to see the 3 hidden entries
52.97.151.2
United States
40.97.153.146
United States
13.82.28.61
United States

Domains

Name IP Detection
areuranel.website
0.0.0.0
breuranel.website
0.0.0.0
msn.com
13.82.28.61
Click to see the 6 hidden entries
outlook.com
40.97.153.146
HHN-efz.ms-acdc.office.com
52.97.223.66
FRA-efz.ms-acdc.office.com
52.97.151.2
www.msn.com
0.0.0.0
www.outlook.com
0.0.0.0
outlook.office365.com
0.0.0.0

URLs

Name Detection
https://outlook.com/signup/liopolo/Lf_2Fg8f5c_2BK6/Zu9U0t2ZcTswwewFAO/OEv2PKFbN/z8b4kNhG7zvHccOv8idc/Knnm9TAFaDWeAkZRt7S/s_2FJY_2FJZ_2FiFjgDZcG/X_2FPaS4UIfT5/mU_2B6qd/RThDpvlqtg_2B_2FquXT6Oc/rU7JT5JO40/2bdRvqEsO2i_2Fk7a/RPdp6h9XEAxz/UCoD0GwK5aa/_2BLPCSSipSRAr/lNUH_2BVSP8NW1a0oO1V8/mPc3sf.jre
https://www.msn.com/?refurl=%2fmail%2fliopolo%2fI2vyCwQZ_2BZdOw7_2FC5%2fQHqYyNs8nTjA1r7w%2fN6UkSzFGk
https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
Click to see the 14 hidden entries
https://mem.gfx.ms/meversion/?partner=msn&market=en-us"
https://outlook.com/signup/liopolo/tu_2FZBOhZEm_2BjC/Eeo1dbfGyNRA/5gxX_2BPT_2/FeU0eiO3g8_2Bd/o4ft4FEXI0SSJqvx69bYX/i59sx_2FafiNLas1/YucQw3tAlQFb4zA/iKo5z_2FddgGxYO4HP/KUIXOky8_/2FKdBAX0DuXXgI2ZfYY9/kP9v63o8avKNpLR1Vuu/u_2F4VkGFpqAysszotqEDO/434zYCc87r2Kg/mFe.jre
https://www.outlook.com/signup/liopolo/tu_2FZBOhZEm_2BjC/Eeo1dbfGyNRA/5gxX_2BPT_2/FeU0eiO3g8_2Bd/o4ft4FEXI0SSJqvx69bYX/i59sx_2FafiNLas1/YucQw3tAlQFb4zA/iKo5z_2FddgGxYO4HP/KUIXOky8_/2FKdBAX0DuXXgI2ZfYY9/kP9v63o8avKNpLR1Vuu/u_2F4VkGFpqAysszotqEDO/434zYCc87r2Kg/mFe.jre
https://outlook.office365.com/signup/liopolo/tu_2FZBOhZEm_2BjC/Eeo1dbfGyNRA/5gxX_2BPT_2/FeU0eiO3g8_2Bd/o4ft4FEXI0SSJqvx69bYX/i59sx_2FafiNLas1/YucQw3tAlQFb4zA/iKo5z_2FddgGxYO4HP/KUIXOky8_/2FKdBAX0DuXXgI2ZfYY9/kP9v63o8avKNpLR1Vuu/u_2F4VkGFpqAysszotqEDO/434zYCc87r2Kg/mFe.jre
http://ogp.me/ns#
https://watson.telemetry.m
https://blogs.msn.com/
https://outlook.office365.com/signup/liopolo/Lf_2Fg8f5c_2BK6/Zu9U0t2ZcTswwewFAO/OEv2PKFbN/z8b4kNhG7zvHccOv8idc/Knnm9TAFaDWeAkZRt7S/s_2FJY_2FJZ_2FiFjgDZcG/X_2FPaS4UIfT5/mU_2B6qd/RThDpvlqtg_2B_2FquXT6Oc/rU7JT5JO40/2bdRvqEsO2i_2Fk7a/RPdp6h9XEAxz/UCoD0GwK5aa/_2BLPCSSipSRAr/lNUH_2BVSP8NW1a0oO1V8/mPc3sf.jre
https://deff.nelreports.net/api/report?cat=msn
https://www.msn.com/en-us//api/modules/fetch"
https://msn.com/mail/liopolo/I2vyCwQZ_2BZdOw7_2FC5/QHqYyNs8nTjA1r7w/N6UkSzFGkH0f_2F/1IQh_2Bz24bnmMcZ4_/2BpWpgK6a/MfYXdR3sp4DYLa3d1zd1/q_2BesRlkaXfNl4zUpH/oAvtXyz6Z7BEsY_2FVEEFG/s2tbS3iXa95no/TNlgDymJ/mAsry_2BV2k9xkYk3dzUg9O/zullnql4G3/M32YonxJQXyLafjIm/_2FKjkdabgYHJ/uSKzerPj.jre
http://ogp.me/ns/fb#
https://www.msn.com/?refurl=%2fmail%2fliopolo%2f881KeBhik38%2fn4I3jisQrsLf3N%2f5T7WW0TVyqLiEqrYpioXw
https://www.outlook.com/signup/liopolo/Lf_2Fg8f5c_2BK6/Zu9U0t2ZcTswwewFAO/OEv2PKFbN/z8b4kNhG7zvHccOv8idc/Knnm9TAFaDWeAkZRt7S/s_2FJY_2FJZ_2FiFjgDZcG/X_2FPaS4UIfT5/mU_2B6qd/RThDpvlqtg_2B_2FquXT6Oc/rU7JT5JO40/2bdRvqEsO2i_2Fk7a/RPdp6h9XEAxz/UCoD0GwK5aa/_2BLPCSSipSRAr/lNUH_2BVSP8NW1a0oO1V8/mPc3sf.jre

Dropped files

Name File Type Hashes Detection
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_58e47b16956767aaab6459884ff9566934c5f_82810a17_11c12585\Report.wer
Little-endian UTF-16 Unicode text, with CRLF line terminators
#
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_58e47b16956767aaab6459884ff9566934c5f_82810a17_12494a43\Report.wer
Little-endian UTF-16 Unicode text, with CRLF line terminators
#
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_58e47b16956767aaab6459884ff9566934c5f_82810a17_1bc56378\Report.wer
Little-endian UTF-16 Unicode text, with CRLF line terminators
#
Click to see the 9 hidden entries
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1133.tmp.WERInternalMetadata.xml
XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WER13C4.tmp.xml
XML 1.0 document, ASCII text, with CRLF line terminators
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1FB8.tmp.dmp
Mini DuMP crash report, 15 streams, Tue Oct 12 07:38:00 2021, 0x1205a4 type
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2FB7.tmp.WERInternalMetadata.xml
XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WER39AB.tmp.xml
XML 1.0 document, ASCII text, with CRLF line terminators
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WER42B2.tmp.dmp
Mini DuMP crash report, 15 streams, Tue Oct 12 07:38:10 2021, 0x1205a4 type
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5253.tmp.WERInternalMetadata.xml
XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WER55DE.tmp.xml
XML 1.0 document, ASCII text, with CRLF line terminators
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WER933.tmp.dmp
Mini DuMP crash report, 15 streams, Tue Oct 12 07:37:54 2021, 0x1205a4 type
#