Source: 5.2.rundll32.exe.6d7ed404.1.raw.unpack | Malware Configuration Extractor: Strela Stealer {"C2 url": "91.215.85.209/server.php"} |
Source: 91.215.85.209/server.php | Avira URL Cloud: Label: malware |
Source: 91.215.85.209/server.php | Virustotal: Detection: 17% |
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_0000018A52C71770 FindFirstFileA, | 3_2_0000018A52C71770 |
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000023E74401770 FindFirstFileA, | 4_2_0000023E74401770 |
Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_0000017FE20A1770 FindFirstFileA, | 5_2_0000017FE20A1770 |
Source: Malware configuration extractor | URLs: 91.215.85.209/server.php |
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_6D7C13B0 | 3_2_6D7C13B0 |
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_0000018A52C712C0 | 3_2_0000018A52C712C0 |
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_0000018A52C71770 | 3_2_0000018A52C71770 |
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_0000018A52C7667C | 3_2_0000018A52C7667C |
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_0000018A52C7E8A8 | 3_2_0000018A52C7E8A8 |
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000023E744012C0 | 4_2_0000023E744012C0 |
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000023E74401770 | 4_2_0000023E74401770 |
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000023E7440E8A8 | 4_2_0000023E7440E8A8 |
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000023E7440667C | 4_2_0000023E7440667C |
Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_0000017FE20A12C0 | 5_2_0000017FE20A12C0 |
Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_0000017FE20A1770 | 5_2_0000017FE20A1770 |
Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_0000017FE20AE8A8 | 5_2_0000017FE20AE8A8 |
Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_0000017FE20A667C | 5_2_0000017FE20A667C |
Source: out.dll.dll | Static PE information: Number of sections : 17 > 10 |
Source: out.dll.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\out.dll.dll,f |
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\out.dll.dll" |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\out.dll.dll",#1 |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\out.dll.dll",#1 |
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\out.dll.dll",f |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5748:120:WilError_01 |
Source: classification engine | Classification label: mal76.troj.winDLL@10/0@0/0 |
Source: C:\Windows\System32\rundll32.exe | Automated click: OK |
Source: C:\Windows\System32\rundll32.exe | Automated click: OK |
Source: C:\Windows\System32\rundll32.exe | Automated click: OK |
Source: Window Recorder | Window detected: More than 3 window changes detected |
Source: out.dll.dll | Static PE information: Image base 0x6d7c0000 > 0x60000000 |
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\ |
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_0000018A52C7AF62 push esp; ret | 3_2_0000018A52C7AF65 |
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_0000018A52C8652E push ecx; retf 003Fh | 3_2_0000018A52C8658E |
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000023E7440AF62 push esp; ret | 4_2_0000023E7440AF65 |
Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_0000017FE20B652E push ecx; retf 003Fh | 5_2_0000017FE20B658E |
Source: out.dll.dll | Static PE information: section name: .xdata |
Source: out.dll.dll | Static PE information: section name: /4 |
Source: out.dll.dll | Static PE information: section name: /19 |
Source: out.dll.dll | Static PE information: section name: /31 |
Source: out.dll.dll | Static PE information: section name: /45 |
Source: out.dll.dll | Static PE information: section name: /57 |
Source: out.dll.dll | Static PE information: section name: /70 |
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\loaddll64.exe TID: 5676 | Thread sleep time: -120000s >= -30000s |
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\loaddll64.exe | Thread delayed: delay time: 120000 |
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_6D7EADE0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, | 3_2_6D7EADE0 |
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_0000018A52C71C88 SetUnhandledExceptionFilter,_invalid_parameter_noinfo, | 3_2_0000018A52C71C88 |
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000023E74401C88 SetUnhandledExceptionFilter,_invalid_parameter_noinfo, | 4_2_0000023E74401C88 |
Source: C:\Windows\System32\rundll32.exe | Code function: 5_2_0000017FE20A1C88 SetUnhandledExceptionFilter,_invalid_parameter_noinfo, | 5_2_0000017FE20A1C88 |
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_6D7EAD00 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, | 3_2_6D7EAD00 |
Source: Yara match | File source: 4.2.rundll32.exe.6d7ed404.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.rundll32.exe.6d7ed404.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.rundll32.exe.6d7ed404.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.rundll32.exe.6d7ed404.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 4.2.rundll32.exe.6d7ed404.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.rundll32.exe.6d7ed404.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.rundll32.exe.6d7c0000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.rundll32.exe.6d7c0000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 4.2.rundll32.exe.6d7c0000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000003.00000002.395344757.000000006D7ED000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000002.401725916.0000017FE20A1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000002.401547343.000000006D7ED000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000002.389783943.0000023E74401000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.395509512.0000018A52C71000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000002.389694685.000000006D7ED000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4924, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 2344, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6964, type: MEMORYSTR |