6.dll

Status: finished

Submission Time: 2021-12-14 10:32:11 +01:00

Malicious

Trojan

Evader

Ursnif

Comments

Details

Analysis ID:
539457
API (Web) ID:
906979
Analysis Started:

2021-12-14 10:32:11 +01:00
Analysis Finished:

2021-12-14 10:47:16 +01:00
MD5:
ac57d694b86d8532b38d3d62f6de3afc
SHA1:
c858ec742ba91bf8c139b7bb654ca2d67747c5ef
SHA256:
fa668d1a58b3b92d9c1b9a740facfaebb35dd723deaf5a3833592208a8a47e5e
Technologies:

Engines
IOCs

Joe Sandbox

Engine	Download Report	Detection	Info
		malicious
	Full Report Management Report IOC Report	malicious Score: 100	System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

IPs

IP	Country	Detection
79.110.52.144	Romania
3.12.124.139	United States
18.219.227.107	United States

Domains

Name	IP	Detection
berukoneru.website	79.110.52.144
windows.update3.com	0.0.0.0
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com	18.219.227.107

URLs

Name	Detection
https://berukoneru.website/tire/BkVC2TYPKwX7I/d18vbD7j/LfTctW1YFOCxVg72R7OOyCe/FNM87YiO3R/kqhypryuHYA4xvaox/Zos6wfhvU6Vx/dZ_2FhTkVUm/dQ1eWiBdVQx_2F/3MQ4AfN6CRhAz7ojdkAuB/vyHN6D_2BnDaccRD/rxLm6HRGflkJaqH/HtsgyaJ8NMuefJHJTr/vf407nMOm/3YNEpWUoxMPlA61ciEA5/ZB4w8oLbC0y/cC.eta
https://berukoneru.website/tire/5Dw6h1nh0yZR8l/CEdpvqzTXmbvA8zN38_2F/HfVXZtPlGclvWlY_/2F2pmmVAx7s9onw/Df8mv9bGmzrCq_2BDh/Avhzr_2BW/zhUOFRSj_2Brp9dFi25e/XIimtsTVgbS8Ddk4Jlg/q7ifDAWTLXmxh8fPSAYnUc/3K8xDlQvgKVYD/9E1TEXJC/aPKjFJSRgVkfUwKBYWKDgLh/VONwiC9wK5/3CPG7RAhZST/_2FDfWf.eta
https://berukoneru.website/tire/9IgUYNG9/P9N8jGg62VAhbwmUeolHFCg/K1HN9iUPdi/an2HdiNP_2FRIROSF/l9uR7XFSquKc/cTL90RaThvy/4LigE_2BC67Pa2/OL_2Fq6LzSFfAjBrcF1my/5AUpi_2BYfx15AAS/Ho8688ZDo7zPK6r/e_2F4ZPz87sJSle6kT/I1gJ4hikp/cCibgdVeBM9n2ccXEO18/D4MJBqmD.eta
Click to see the 31 hidden entries
https://berukoneru.website/tire/cFJsSWAGWE/z2qui_2Bz1BNPPVC8/40cjfJwuY_2F/qeMRrcIZBVG/Ne0YpnkwEJfIh3/f5okxbrq_2FXxzqJmpSlY/lBFuBWEAi70a61Vy/5QzGUBrPY97n5jQ/Uty84umyFnIA829ewc/61TtijfTY/zF0ZOoxI3N5pWHzggULR/QMXY_2F7FMDggc4thO7/G_2BQV4WNp08p5XmI0/TT.eta
https://berukoneru.website/tire/xfoS5YiSnq/LOnpfmnBMaAwxRNJT/gKlVrjFyFJq8/T2InmpA9wuO/M0panYR_2BpfjL/QVPhPbWeSwRVFSzMJ6Vcg/Y9VyT4fbhoZ82vwq/2GIivBsbax9rQUh/n7Uc5KQo0J8ysVLUlr/XSTAmgKJY/zcSJprSz5_2F2B_2Bsbt/2juDsOXqzjP5XLZ_2FP/WpBTOnAHWcoi3w7ov9P0p8/2Wzq8vdJF/5Vrog3ES/Q.eta
https://berukoneru.website/tire/iL5Q0EgKDzXlIJvSVY9Fa72/roFEnyYEEO/BTl6hhjqhLPztNm87/ClBTSTJ24YQi/659nN8frXqL/KI_2BmGQcF3l8a/UPJEdWRElF2Ck7h3GrI7f/Jn4UaIHKOCKly3pR/5WtUgfhtCob3WA8/8RFl0SkPd8NK0tapfV/Bv03ARxcw/T6wxTs3S_2BFMRgrZw2Q/_2BV_2F7vXjmj/i.eta
https://berukoneru.website/tire/4rLoqSurzyu0/faIn56YEFho/0rtfGJwOQq2F5c/BJoAXiIiU_2F9ZRU2hBse/gAViRvyFsSwGVefa/kRvG3X29VJojGH9/HHkJOTdVe7Nqn26zmq/y4GSGdPZu/kOhHaVJwE10tGTyVEPor/Cm7rt8Rg13eBm6Sc7Sm/5BVZ_2BPytM06u32e6Y8Q1/6dRgyXIz2yrBpW/dgW2i.eta
https://berukoneru.website/tire/iH0556GjtiGQk4lyd6/e4eJ66Hyx/L2n2id7yGxzkaZSAZenq/25xy0D1xFkintWrbCA
https://berukoneru.website/BS
https://berukoneru.website/j
https://berukoneru.website:443/tire/gAFUHu83b7fr5ftbr5O9tX/NNJYheBEZ_2Bt/wXhf6hyZ/iBEWHVb19RFKuDukD6
https://nodejs.org0
http://constitution.org/usdeclar.txt
https://berukoneru.website/tire/xfoS5YiSnq/LOnpfmnBMaAwxRNJT/gKlVrjFyFJq8/T2InmpA9wuO/M0panYR_2BpfjL
https://windows.update3.com/tire/clW2f_2FhATNrnqvBey5XJ/HMTv6hdufnhb6/_2BVSemT/sKeyn9puL2fpAeyTFFwZv
https://berukoneru.website/tire/iL5Q0EgKDzXlIJvSVY9Fa72/roFEnyYEEO/BTl6hhjqhLPztNm87/ClBTSTJ24YQi/65
https://berukoneru.website/jP
https://berukoneru.website/LAp
https://berukoneru.website/O
https://aka.ms/MicrosoftEdgeDownload"
https://berukoneru.website/
https://windows.update3.com/tire/h5hri2qU3j_2/FtKGoeU1cGb/_2B9_2FVlXXJXe/pIon3PPVjwV3l856n6O1d/JfgtT
https://berukoneru.website/tire/BkVC2TYPKwX7I/d18vbD7j/LfTctW1YFOCxVg72R7OOyCe/FNM87YiO3R/kqhypryuHY
https://github.com/Pester/Pester
https://assets.onestore.ms/cdnfiles/onestorerolling-1605-16000/shell/common/respond-proxy.html
https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js
https://berukoneru.website:443/tire/iL5Q0EgKDzXlIJvSVY9Fa72/roFEnyYEEO/BTl6hhjqhLPztNm87/ClBTSTJ24YQ
http://https://file://USER.ID%lu.exe/upd
https://windows.update3.com/
http://constitution.org/usdeclar.txtC:
http://www.apache.org/licenses/LICENSE-2.0.html
https://berukoneru.website/tyi
http://pesterbdd.com/images/Pester.png
https://berukoneru.website/tire/5Dw6h1nh0yZR8l/CEdpvqzTXmbvA8zN38_2F/HfVXZtPlGclvWlY_/2F2pmmVAx7s9on

Dropped files

Name	File Type	Hashes
C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.out	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators	#
C:\Users\user\AppData\Local\Temp\nlbomp32\CSCD36E4F5AB95F41AC9563905B5139F56.TMP	MSVC .res	#
Click to see the 49 hidden entries
C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.0.cs	UTF-8 Unicode (with BOM) text	#
C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.out	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators	#
C:\Users\user\AppData\Local\Temp\ro0kv1nw\ro0kv1nw.0.cs	UTF-8 Unicode (with BOM) text	#
C:\Users\user\AppData\Local\Temp\ro0kv1nw\ro0kv1nw.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Temp\ro0kv1nw\ro0kv1nw.out	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators	#
C:\Users\user\AppData\Local\Temp\uu5u2nmv\CSC63445C49B154491498BDD3FB79A78AC.TMP	MSVC .res	#
C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.0.cs	UTF-8 Unicode (with BOM) text	#
C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.out	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators	#
C:\Users\user\AppData\Local\Temp\wfv0d1vy\wfv0d1vy.0.cs	UTF-8 Unicode (with BOM) text	#
C:\Users\user\AppData\Local\Temp\wfv0d1vy\wfv0d1vy.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Temp\wfv0d1vy\wfv0d1vy.out	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators	#
C:\Users\user\AppData\Local\Temp\wklr4juq\CSC206B99537D694137B0FEEBD968CAD59B.TMP	MSVC .res	#
C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.0.cs	UTF-8 Unicode (with BOM) text	#
C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.out	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators	#
C:\Users\user\Documents\20211214\PowerShell_transcript.841675.6dNuCqGT.20211214103418.txt	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	#
C:\Users\user\Documents\20211214\PowerShell_transcript.841675.DMr5Wv1u.20211214103418.txt	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	#
C:\Users\user\Documents\20211214\PowerShell_transcript.841675.ZSxBE1Sk.20211214103425.txt	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	#
C:\Users\user\Documents\20211214\PowerShell_transcript.841675.g3ZPtttJ.20211214103418.txt	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ybuxanvq.4gq.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	#
C:\Users\user\AppData\Local\Temp\RES11BF.tmp	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols	#
C:\Users\user\AppData\Local\Temp\RES148E.tmp	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols	#
C:\Users\user\AppData\Local\Temp\RES1B16.tmp	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols	#
C:\Users\user\AppData\Local\Temp\RES451.tmp	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ccsd0th.iwn.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1zreigz2.4ov.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_34kodmfv.oiy.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cgdeyylx.qwp.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gjo40dyp.crc.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_karhuzep.53l.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pnjjoctr.bdk.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	#
C:\Users\user\AppData\Local\Temp\dhqbspln\dhqbspln.0.cs	UTF-8 Unicode (with BOM) text	#
C:\Users\user\AppData\Local\Temp\dhqbspln\dhqbspln.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Temp\dhqbspln\dhqbspln.out	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators	#
C:\Users\user\AppData\Local\Temp\dtnsoflb\CSC7C356A6CF33949CF872753BDA33569A0.TMP	MSVC .res	#
C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.0.cs	UTF-8 Unicode (with BOM) text	#
C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.out	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators	#
C:\Users\user\AppData\Local\Temp\nigogz4l\CSCB0FB5A4205944E4B1A4F1A7502114E8.TMP	MSVC .res	#
C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.0.cs	UTF-8 Unicode (with BOM) text	#
C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	#

6.dll

Comments

Tags

Available tags:

Details

Joe Sandbox

IPs

Domains

URLs

Dropped files

6.dll Options

Comments

Tags

Available tags:

Details

Joe Sandbox

IPs

Domains

URLs

Dropped files

Search started

6.dll