Windows Analysis Report
out.dll.dll

Overview

General Information

Sample Name: out.dll.dll (renamed file extension from exe to dll, renamed because original name is a hash value)
Original Sample Name: out.dll.exe
Analysis ID: 894471
MD5: 5a3ee07759e23c507915fb3d473154de
SHA1: ef47ff06ad6a0db77183be19284dbe2c53b16a50
SHA256: 14009b05324320da1f4942c35d0cfd24b5dbc49773ce4618e6e070d74a7ffb6a
Tags: exe

Detection

Strela Stealer
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Strela Stealer
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
C2 URLs / IPs found in malware configuration
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
PE file contains more sections than normal
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll64.exe (PID: 5764 cmdline: loaddll64.exe "C:\Users\user\Desktop\out.dll.dll" MD5: 67C05BFD8F41B3421FE285E2FE9641C7)
    • conhost.exe (PID: 5748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 5696 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\out.dll.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 2344 cmdline: rundll32.exe "C:\Users\user\Desktop\out.dll.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 4924 cmdline: rundll32.exe C:\Users\user\Desktop\out.dll.dll,f MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6964 cmdline: rundll32.exe "C:\Users\user\Desktop\out.dll.dll",f MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup
Malware configuration: {"C2 url": "91.215.85.209/server.php"}

Yara matches in memory dumps (Source; Rule; Description; Author):
00000003.00000002.395344757.000000006D7ED000.00000004.00000001.01000000.00000003.sdmp; JoeSecurity_StrelaStealer; Yara detected Strela Stealer; Joe Security
00000005.00000002.401725916.0000017FE20A1000.00000040.00001000.00020000.00000000.sdmp; JoeSecurity_StrelaStealer; Yara detected Strela Stealer; Joe Security
00000005.00000002.401547343.000000006D7ED000.00000004.00000001.01000000.00000003.sdmp; JoeSecurity_StrelaStealer; Yara detected Strela Stealer; Joe Security
00000004.00000002.389783943.0000023E74401000.00000040.00001000.00020000.00000000.sdmp; JoeSecurity_StrelaStealer; Yara detected Strela Stealer; Joe Security
00000003.00000002.395509512.0000018A52C71000.00000040.00001000.00020000.00000000.sdmp; JoeSecurity_StrelaStealer; Yara detected Strela Stealer; Joe Security
(4 further entries not expanded in the report)

Yara matches in unpacked PE files (Source; Rule; Description; Author):
4.2.rundll32.exe.6d7ed404.1.unpack; JoeSecurity_StrelaStealer; Yara detected Strela Stealer; Joe Security
5.2.rundll32.exe.6d7ed404.1.unpack; JoeSecurity_StrelaStealer; Yara detected Strela Stealer; Joe Security
3.2.rundll32.exe.6d7ed404.1.raw.unpack; JoeSecurity_StrelaStealer; Yara detected Strela Stealer; Joe Security
5.2.rundll32.exe.6d7ed404.1.raw.unpack; JoeSecurity_StrelaStealer; Yara detected Strela Stealer; Joe Security
4.2.rundll32.exe.6d7ed404.1.raw.unpack; JoeSecurity_StrelaStealer; Yara detected Strela Stealer; Joe Security
(4 further entries not expanded in the report)

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: 5.2.rundll32.exe.6d7ed404.1.raw.unpack; Malware Configuration Extractor: Strela Stealer {"C2 url": "91.215.85.209/server.php"}
Source: 91.215.85.209/server.php; Avira URL Cloud: Label: malware
Source: 91.215.85.209/server.php; Virustotal: Detection: 17%
Source: C:\Windows\System32\rundll32.exe; Code function: 3_2_0000018A52C71770 FindFirstFileA
Source: C:\Windows\System32\rundll32.exe; Code function: 4_2_0000023E74401770 FindFirstFileA
Source: C:\Windows\System32\rundll32.exe; Code function: 5_2_0000017FE20A1770 FindFirstFileA

Networking

Source: Malware configuration extractor; URLs: 91.215.85.209/server.php
Source: C:\Windows\System32\rundll32.exe; Code function: 3_2_6D7C13B0
Source: C:\Windows\System32\rundll32.exe; Code function: 3_2_0000018A52C712C0
Source: C:\Windows\System32\rundll32.exe; Code function: 3_2_0000018A52C71770
Source: C:\Windows\System32\rundll32.exe; Code function: 3_2_0000018A52C7667C
Source: C:\Windows\System32\rundll32.exe; Code function: 3_2_0000018A52C7E8A8
Source: C:\Windows\System32\rundll32.exe; Code function: 4_2_0000023E744012C0
Source: C:\Windows\System32\rundll32.exe; Code function: 4_2_0000023E74401770
Source: C:\Windows\System32\rundll32.exe; Code function: 4_2_0000023E7440E8A8
Source: C:\Windows\System32\rundll32.exe; Code function: 4_2_0000023E7440667C
Source: C:\Windows\System32\rundll32.exe; Code function: 5_2_0000017FE20A12C0
Source: C:\Windows\System32\rundll32.exe; Code function: 5_2_0000017FE20A1770
Source: C:\Windows\System32\rundll32.exe; Code function: 5_2_0000017FE20AE8A8
Source: C:\Windows\System32\rundll32.exe; Code function: 5_2_0000017FE20A667C
Source: out.dll.dll; Static PE information: Number of sections: 17 > 10
Source: out.dll.dll; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\out.dll.dll,f
Source: unknown; Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\out.dll.dll"
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\out.dll.dll",#1
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\out.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\out.dll.dll",f
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5748:120:WilError_01
Source: classification engine; Classification label: mal76.troj.winDLL@10/0@0/0
Source: C:\Windows\System32\rundll32.exe; Automated click: OK
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: out.dll.dll; Static PE information: Image base 0x6d7c0000 > 0x60000000
Source: C:\Windows\System32\rundll32.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: C:\Windows\System32\rundll32.exe; Code function: 3_2_0000018A52C7AF62 push esp; ret 3_2_0000018A52C7AF65
Source: C:\Windows\System32\rundll32.exe; Code function: 3_2_0000018A52C8652E push ecx; retf 003Fh 3_2_0000018A52C8658E
Source: C:\Windows\System32\rundll32.exe; Code function: 4_2_0000023E7440AF62 push esp; ret 4_2_0000023E7440AF65
Source: C:\Windows\System32\rundll32.exe; Code function: 5_2_0000017FE20B652E push ecx; retf 003Fh 5_2_0000017FE20B658E
Source: out.dll.dll; Static PE information: section name: .xdata
Source: out.dll.dll; Static PE information: section name: /4
Source: out.dll.dll; Static PE information: section name: /19
Source: out.dll.dll; Static PE information: section name: /31
Source: out.dll.dll; Static PE information: section name: /45
Source: out.dll.dll; Static PE information: section name: /57
Source: out.dll.dll; Static PE information: section name: /70
Source: C:\Windows\System32\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll64.exe TID: 5676; Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll64.exe; Thread delayed: delay time: 120000
Source: C:\Windows\System32\rundll32.exe; Code function: 3_2_6D7EADE0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort
Source: C:\Windows\System32\rundll32.exe; Code function: 3_2_0000018A52C71C88 SetUnhandledExceptionFilter,_invalid_parameter_noinfo
Source: C:\Windows\System32\rundll32.exe; Code function: 4_2_0000023E74401C88 SetUnhandledExceptionFilter,_invalid_parameter_noinfo
Source: C:\Windows\System32\rundll32.exe; Code function: 5_2_0000017FE20A1C88 SetUnhandledExceptionFilter,_invalid_parameter_noinfo
Source: C:\Windows\System32\rundll32.exe; Code function: 3_2_6D7EAD00 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter

                      Stealing of Sensitive Information

Source: Yara match; File source: 4.2.rundll32.exe.6d7ed404.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.rundll32.exe.6d7ed404.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.rundll32.exe.6d7ed404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.rundll32.exe.6d7ed404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.rundll32.exe.6d7ed404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.rundll32.exe.6d7ed404.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.rundll32.exe.6d7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.rundll32.exe.6d7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.rundll32.exe.6d7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000003.00000002.395344757.000000006D7ED000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.401725916.0000017FE20A1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.401547343.000000006D7ED000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.389783943.0000023E74401000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.395509512.0000018A52C71000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.389694685.000000006D7ED000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: rundll32.exe PID: 4924, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: rundll32.exe PID: 2344, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: rundll32.exe PID: 6964, type: MEMORYSTR

                      Remote Access Functionality

Source: Yara match; File sources: the same nine unpacked PE files, six memory dumps and three process memory spaces listed under Stealing of Sensitive Information above.
MITRE ATT&CK matrix (interactive widget; unmatched grid cells omitted). Techniques carrying a signature count: Process Injection (Privilege Escalation, Defense Evasion), Rundll32, Virtualization/Sandbox Evasion (Defense Evasion, Discovery), Obfuscated Files or Information, System Time Discovery, File and Directory Discovery, System Information Discovery, Archive Collected Data, Encrypted Channel, Application Layer Protocol.
Behavior graph (ID 894471, sample out.dll.exe, start date 26/06/2023, architecture WINDOWS, score 76): the start node carries the signatures Multi AV Scanner detection for domain / URL, Found malware configuration, Antivirus detection for URL or domain and 2 other signatures; it starts loaddll64.exe, which in turn starts cmd.exe and rundll32.exe.