m87xfb63XU.dll

Status: finished
Submission Time: 2021-10-12 00:16:22 +02:00
Malicious
Trojan
Evader
Ursnif

Tags

  • BRT
  • dll
  • geo
  • Gozi
  • ISFB
  • ITA
  • Ursnif

Details

  • Analysis ID: 500399
  • API (Web) ID: 867972
  • Analysis Started: 2021-10-12 00:19:50 +02:00
  • Analysis Finished: 2021-10-12 00:46:15 +02:00
  • MD5: 5aa733e108f0fa41df88cea0a309affe
  • SHA1: ce79918ca7845f2163360ea40a251912998ea226
  • SHA256: 1be687a0453f23ea53b94a4447c926a9b4b6e01c2788e641b76eb4a5215bd960

Joe Sandbox

  • Detection: malicious; Score: 88; System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
  • Detection: malicious; Score: 96; System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01; Run Condition: Run with higher sleep bypass

Third Party Analysis Engines

  • Detection: malicious; Score: 12/66
  • Detection: malicious; Score: 10/45

IPs

| IP | Country |
|---|---|
| 52.97.135.82 | United States |
| 40.101.60.226 | United States |
| 52.97.223.66 | United States |
| 52.97.151.2 | United States |
| 40.97.153.146 | United States |
| 13.82.28.61 | United States |

Domains

| Name | IP |
|---|---|
| areuranel.website | 0.0.0.0 |
| breuranel.website | 0.0.0.0 |
| msn.com | 13.82.28.61 |
| outlook.com | 40.97.153.146 |
| HHN-efz.ms-acdc.office.com | 52.97.223.66 |
| FRA-efz.ms-acdc.office.com | 52.97.151.2 |
| www.msn.com | 0.0.0.0 |
| www.outlook.com | 0.0.0.0 |
| outlook.office365.com | 0.0.0.0 |

URLs


Dropped files

| Name | File Type |
|---|---|
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_58e47b16956767aaab6459884ff9566934c5f_82810a17_11c12585\Report.wer | Little-endian UTF-16 Unicode text, with CRLF line terminators |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_58e47b16956767aaab6459884ff9566934c5f_82810a17_12494a43\Report.wer | Little-endian UTF-16 Unicode text, with CRLF line terminators |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_58e47b16956767aaab6459884ff9566934c5f_82810a17_1bc56378\Report.wer | Little-endian UTF-16 Unicode text, with CRLF line terminators |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER1133.tmp.WERInternalMetadata.xml | XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER13C4.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER1FB8.tmp.dmp | Mini DuMP crash report, 15 streams, Tue Oct 12 07:38:00 2021, 0x1205a4 type |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER2FB7.tmp.WERInternalMetadata.xml | XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER39AB.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER42B2.tmp.dmp | Mini DuMP crash report, 15 streams, Tue Oct 12 07:38:10 2021, 0x1205a4 type |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER5253.tmp.WERInternalMetadata.xml | XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER55DE.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER933.tmp.dmp | Mini DuMP crash report, 15 streams, Tue Oct 12 07:37:54 2021, 0x1205a4 type |