
61ee6edf7de65.dll

Status: finished
Submission Time: 2022-01-24 11:09:21 +01:00
Malicious
E-Banking Trojan
Trojan
Evader
Ursnif

Comments

Tags

  • BRT
  • dll
  • gozi
  • isfb
  • ursnif

Details

  • Analysis ID:
    558657
  • API (Web) ID:
    926183
  • Analysis Started:
    2022-01-24 11:09:22 +01:00
  • Analysis Finished:
    2022-01-24 11:27:08 +01:00
  • MD5:
    b6f0fc5638a110abac1a54805f77e786
  • SHA1:
    f7eff5f67b1b794759ec0ba9b0d6a3bd5cd59bfe
  • SHA256:
    06e26611fe5cf2fb04cfa894f9cb24edc0ab8306cf42c979b2c776372d07d1cf
  • Technologies:

Joe Sandbox

Engine Download Report Detection Info
malicious
Score: 100
System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

malicious
Score: 11/45
malicious

IPs

IP Country Detection
211.40.39.251 Korea Republic of
138.36.3.134 Brazil
91.203.174.38 Uzbekistan
121.136.102.4 Korea Republic of
61.98.7.132 Korea Republic of

Domains

Name IP Detection
giporedtrip.at 91.203.174.38

URLs

Name Detection
http://giporedtrip.at/drew/pT9VBE7JySNzTsraRHWIuA/M8mhqioMqf4SN/48wxFaOc/GQc3fQ5Dw6JPElmXEMT1WYW/8KiVfYSjGS/73gU4LPODDcjxF0SH/UKj5w7ReqWld/_2FD39lD5Kz/5xzi1kkBDyiun4/eX2QdVXKmn9zNv1_2Bebw/_2Bj1l2BOIC93Jzg/pa5W5iqolN8FKuR/6pqhw8soI60TcBnXsv/fUj7WBOr5/31qQZwplbi_2FEVv_2BA/_2Bg3LZPX_2FawVlqSQ/Z.jlk
http://giporedtrip.at/drew/pNlxEnrdilKzWa9/68tqOS2uwrjSihitdE/jBbiWvTgb/3aw4cx4D47l6BXBjnON4/Fauxi0kACQab9CLvY1X/WoAQszl7aqCJx2eNbs5Szg/9_2BtMMZBWkCT/OWv_2Bj9/_2BPp2fGqVtSst7f7xYoQwH/mpPcfod9Hb/UB9Yz2aJsMDXWuTh9/ho2KCuunvmML/NRp1qNCJ2xT/_2BesCQrdlqKMQ/QvixSHRNiTVSEcLtfIY4h/0WwwQPgKD1/0.jlk
http://giporedtrip.at/drew/OgX0J5PbJW4/wt7t22qhvnCn1v/lLndh_2BLbj_2BgCTZodo/VhmNj74z1QOstcs1/NN90KirQSsQ7O2C/HXs9eov9kNfgxo2ZRo/blD2X9oTA/M3ehnbfCXj_2BeiQgXKb/ucd0O60r4p_2FWGe4LI/GsQ05hEXJYX7DSeaALXgs4/LJcXahVRDT7HM/rEWRRjo9/OWoa99fWOrLG2ix_2FmfkKa/0wqwnttzjd/MMGwD_2BqOxL_2FmQ/i0rZ3L37/7n5Zr.jlk
http://giporedtrip.at/drew/gpOOKQHU5/YopsneUUMix_2FGZrYk_/2FaCL9055O3rYKveg_2/BMYcLHEW_2B6_2BH1_2BIq/GCl9SqJ3zsF0h/uRiHRooG/iudFhrDMGJm_2FRN_2B6NM1/3JT_2Fq7zu/oEYGlG6hebhX439sT/jKSRQO714RRJ/qnfBGC5Rexs/FY6AfhSs_2BBga/CepUQnIMaDyzjxjJywQMp/Sbr0hGta57ccL2mG/IT9OtCUdHxKRc1l/X3mCPG6cz5ucxws3EJ/_2FMMYlE/Q.jlk
http://www.autoitscript.com/autoit3/J
http://giporedtrip.at/v
http://giporedtrip.at/drew/pT9VBE7JySNzTsraRHWIuA/M8mhqioMqf4SN/48wxFaOc/GQc3fQ5Dw6JPElmXEMT1WYW/8Ki
http://constitution.org/usdeclar.txt
http://pesterbdd.com/images/Pester.png
http://www.apache.org/licenses/LICENSE-2.0.html
http://constitution.org/usdeclar.txtC:
http://giporedtrip.at/drew/OgX0J5PbJW4/wt7t22qhvnCn1v/lLndh_2BLbj_2BgCTZodo/VhmNj74z1QOstcs1/NN90Kir
http://https://file://USER.ID%lu.exe/upd
http://giporedtrip.at/
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
https://github.com/Pester/Pester

Dropped files

Name File Type Hashes Detection
C:\Users\user\AppData\Local\Temp\vn3zgr4g\vn3zgr4g.0.cs
UTF-8 Unicode (with BOM) text
#
C:\Users\user\AppData\Local\Temp\hddjt5kh\hddjt5kh.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Local\Temp\hddjt5kh\hddjt5kh.out
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
#
C:\Users\user\AppData\Local\Temp\qmanv25g\CSC83689403A124ABD8F80AE4A2C14BFB.TMP
MSVC .res
#
C:\Users\user\AppData\Local\Temp\qmanv25g\qmanv25g.0.cs
UTF-8 Unicode (with BOM) text
#
C:\Users\user\AppData\Local\Temp\qmanv25g\qmanv25g.cmdline
UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Temp\qmanv25g\qmanv25g.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Local\Temp\qmanv25g\qmanv25g.out
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
#
C:\Users\user\AppData\Local\Temp\vn3zgr4g\CSCD86376609B0744ABB56928FEBE923C3.TMP
MSVC .res
#
C:\Users\user\AppData\Local\Temp\hddjt5kh\hddjt5kh.cmdline
UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Temp\vn3zgr4g\vn3zgr4g.cmdline
UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Temp\vn3zgr4g\vn3zgr4g.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Local\Temp\vn3zgr4g\vn3zgr4g.out
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
#
C:\Users\user\CharSystem.lnk
MS Windows shortcut, Item id list present, Has Relative path, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hidenormalshowminimized
#
C:\Users\user\Documents\20220124\PowerShell_transcript.216554.+JTGvHZ_.20220124111050.txt
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
#
C:\Users\user\Documents\20220124\PowerShell_transcript.216554.38uu7uYg.20220124111043.txt
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
#
C:\Users\user\MarkChart.ps1
ASCII text, with no line terminators
#
C:\Users\user\AppData\Local\Temp\RESCEBB.tmp
Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols
#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
data
#
C:\Users\user\AppData\Local\Temp\32ysuxeg\32ysuxeg.0.cs
UTF-8 Unicode (with BOM) text
#
C:\Users\user\AppData\Local\Temp\32ysuxeg\32ysuxeg.cmdline
UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Temp\32ysuxeg\32ysuxeg.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Local\Temp\32ysuxeg\32ysuxeg.out
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
#
C:\Users\user\AppData\Local\Temp\32ysuxeg\CSCDD69F677ABA1437DBA6EE4792C92D38A.TMP
MSVC .res
#
C:\Users\user\AppData\Local\Temp\RESA9AF.tmp
Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols
#
C:\Users\user\AppData\Local\Temp\RESC843.tmp
Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols
#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
data
#
C:\Users\user\AppData\Local\Temp\RESE6D7.tmp
Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_10qdyy3b.xtd.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5g4e2etf.ffb.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ftriwtvb.gaa.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q3w3dd3l.imi.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\hddjt5kh\CSCAC4C40391E0044BAAD217F7E1F4E48A.TMP
MSVC .res
#
C:\Users\user\AppData\Local\Temp\hddjt5kh\hddjt5kh.0.cs
UTF-8 Unicode (with BOM) text
#