
HxEWwh74qT.dll

Status: finished
Submission Time: 2022-04-22 15:25:22 +02:00
Malicious
E-Banking Trojan
Trojan
Evader
Ursnif

Tags

  • 32
  • dll
  • exe

Details

  • Analysis ID:
    613862
  • API (Web) ID:
    981379
  • Analysis Started:
    2022-04-22 15:25:25 +02:00
  • Analysis Finished:
    2022-04-22 15:41:09 +02:00
  • MD5:
    5d2b5cbd8a574c9e35309e21ecf93a0e
  • SHA1:
    c15e583e28556f5d187197937b4d2a715ebf8ca7
  • SHA256:
    52d14c9cd56aa41ba98a24a4a3dc3674f7e281c3d79f6aca141382fb56585bcd
  • Technologies:
Verdicts (Engine / Info / Verdict / Score; engine names were not preserved)

  • malicious
  • malicious, score 100/100 (analysis system: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211)
  • malicious, 25/68
  • malicious, 13/42

IPs

IP             Country         Detection
146.70.35.138  United Kingdom

Domains

Name                          IP              Detection
l-0007.l-dc-msedge.net        13.107.43.16
a-0019.standard.a-msedge.net  204.79.197.222

Both names are Microsoft msedge.net hosts resolving into Microsoft address space; treat them as background OS traffic rather than sample IOCs unless the full report ties the lookups to the sample's own process.

URLs

Name Detection
http://146.70.35.138/phpadmin/1p0semBcWFOiJ/VuHxHtu5/AN830nRWQ1d2xctaoA3KLHR/918Z9VEhPV/P8ohXldFwnNmepL6Q/uKTfc4fmSrkK/BfYNKcK_2Bx/w_2FA1ltM5KCgm/3UT06OWaufeDOP8Oq_2FL/oIF6meLVrySmPHH0/RIFJ_2FHuhWguIS/4hvBrDpXZ_2FB9M_2F/VjlCK_2FC/TflkNLJtzRIEzaze5_2F/wDsLbDghNL5li48V5rm/4qe0lRbO5_2FdP6RKk3aIg/j40b09twfw_2F/PdHkwNcC/i0_2BVuZ/L.src
http://146.70.35.138/phpadmin/sJOLDU_2FhOUoo/k46SW66GV6I1pQKjWA9TE/PWpby4hvIkOnAKsS/x0Aee5T7Xyol_2F/mHBJFq72pa7ZryIdq5/j7jpLfh_2/B9C_2B8rr1N7pwYs7Hbz/HAjnG5DvkxUUwsnvZ2H/7mKa3lBAhH1k0Vg5CBUe72/SPp1Kc_2FZv6K/7UGQxmIh/q1dxSy205p9HqV1EWhDaIi0/wpq760vWJe/2wvTRaTBNSXKAlgWL/PHcpI3wJ6a_2/BROCpFJpoTX/N2ZuQyATVgKAeO/_2Fd3SdF.src
http://https://file://USER.ID%lu.exe/upd
http://ns.adobY
http://constitution.org/usdeclar.txt
http://pesterbdd.com/images/Pester.png
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://www.apache.org/licenses/LICENSE-2.0.html
https://github.com/Pester/Pester
http://constitution.org/usdeclar.txtC:
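The two `146.70.35.138/phpadmin/...` entries are the ones that matter: an IP-literal host, a path of roughly twenty pseudo-random segments, and `_2F`/`_2B` tokens, which are the hex codes of `/` and `+`, the two base64 characters that are not URL-safe. The remaining URLs are string hits, not observed connections (note the truncated `http://ns.adobY` and the `usdeclar.txtC:` run-on); the Pester and Apache links in particular are text from PowerShell module files on the analysis system. The Python below is an added example, not part of the sandbox report, that turns the traits of the two C2 URLs into a proxy-log triage heuristic. The thresholds (eight path segments, three encoded tokens, four indicators in total) and the `10.0.0.5` URL in the benign set are assumptions constructed for the demonstration; the function names are mine, and the result is a triage aid, not a signature.

```python
import re
from urllib.parse import urlsplit

# C2 URLs exactly as reported on this page.
C2_URLS = [
    "http://146.70.35.138/phpadmin/1p0semBcWFOiJ/VuHxHtu5/AN830nRWQ1d2xctaoA3KLHR/918Z9VEhPV/P8ohXldFwnNmepL6Q/uKTfc4fmSrkK/BfYNKcK_2Bx/w_2FA1ltM5KCgm/3UT06OWaufeDOP8Oq_2FL/oIF6meLVrySmPHH0/RIFJ_2FHuhWguIS/4hvBrDpXZ_2FB9M_2F/VjlCK_2FC/TflkNLJtzRIEzaze5_2F/wDsLbDghNL5li48V5rm/4qe0lRbO5_2FdP6RKk3aIg/j40b09twfw_2F/PdHkwNcC/i0_2BVuZ/L.src",
    "http://146.70.35.138/phpadmin/sJOLDU_2FhOUoo/k46SW66GV6I1pQKjWA9TE/PWpby4hvIkOnAKsS/x0Aee5T7Xyol_2F/mHBJFq72pa7ZryIdq5/j7jpLfh_2/B9C_2B8rr1N7pwYs7Hbz/HAjnG5DvkxUUwsnvZ2H/7mKa3lBAhH1k0Vg5CBUe72/SPp1Kc_2FZv6K/7UGQxmIh/q1dxSy205p9HqV1EWhDaIi0/wpq760vWJe/2wvTRaTBNSXKAlgWL/PHcpI3wJ6a_2/BROCpFJpoTX/N2ZuQyATVgKAeO/_2Fd3SdF.src",
]

# String hits from this page (not connections) plus one constructed deep-path URL on a
# private IP, to show that depth and an IP-literal host alone do not trip the rule.
BENIGN_URLS = [
    "http://pesterbdd.com/images/Pester.png",
    "https://github.com/Pester/Pester",
    "http://www.apache.org/licenses/LICENSE-2.0.html",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "http://10.0.0.5/api/v1/users/1234/profile/photo/thumb/small/x.png",  # constructed
]

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
ENC_TOKEN = re.compile(r"_2[FB]")         # '/' is 0x2F, '+' is 0x2B
B64ISH = re.compile(r"^[A-Za-z0-9_]+$")   # base64 alphabet once '/' and '+' are rewritten


def uri_indicators(url: str) -> dict:
    """Check one URL for the traits shared by the two C2 URLs above."""
    parts = urlsplit(url)
    segs = [s for s in parts.path.split("/") if s]
    last = segs[-1] if segs else ""
    stem, dot, ext = last.rpartition(".")
    if not dot:                                # final segment carries no extension
        stem, ext = last, ""
    body = segs[:-1] + [stem] if segs else []  # every segment minus the extension
    return {
        "ip_literal_host": bool(IPV4.match(parts.hostname or "")),
        "deep_path": len(segs) >= 8,           # threshold is an assumption
        "encoded_slash_plus": sum(len(ENC_TOKEN.findall(s)) for s in segs) >= 3,
        "b64_alphabet_only": bool(body) and all(B64ISH.match(s) for s in body),
        "short_extension": 1 <= len(ext) <= 4,
    }


def is_ursnif_like(url: str) -> bool:
    """The _2F/_2B rewriting is the load-bearing trait; the others only add confidence."""
    ind = uri_indicators(url)
    return ind["encoded_slash_plus"] and sum(ind.values()) >= 4


def triage(urls) -> list:
    """Return the subset of urls that trip the heuristic, for hand review."""
    return [u for u in urls if is_ursnif_like(u)]


if __name__ == "__main__":
    for u in C2_URLS + BENIGN_URLS:
        print("FLAG" if is_ursnif_like(u) else "ok  ", u[:60])
```

Feed `triage()` the URL column of a proxy or DNS-over-HTTP log; anything it returns still needs a human to confirm, since the path body is opaque (encrypted) and cannot be decoded without the sample's key.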

Dropped files

Name (file type on the following line)

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_2828325eddc3a9f8faabde465b0f08bdb67a44e_7cac0383_17ca004a\Report.wer
    Little-endian UTF-16 Unicode text, with CRLF line terminators
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_82d8da601ff98714cf9338fbdd7f7aa4314182a_7cac0383_186e5281\Report.wer
    Little-endian UTF-16 Unicode text, with CRLF line terminators
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_f73ca53a05f727fe3c280efd3588c9d22d24062_7cac0383_0d5dc489\Report.wer
    Little-endian UTF-16 Unicode text, with CRLF line terminators
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB8D1.tmp.dmp
    Mini DuMP crash report, 15 streams, Fri Apr 22 22:26:45 2022, 0x1205a4 type
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE12.tmp.WERInternalMetadata.xml
    XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBFA9.tmp.xml
    XML 1.0 document, ASCII text, with CRLF line terminators
C:\ProgramData\Microsoft\Windows\WER\Temp\WERCD53.tmp.dmp
    Mini DuMP crash report, 15 streams, Fri Apr 22 22:26:50 2022, 0x1205a4 type
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD0A0.tmp.WERInternalMetadata.xml
    XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD237.tmp.xml
    XML 1.0 document, ASCII text, with CRLF line terminators
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF2CD.tmp.dmp
    Mini DuMP crash report, 15 streams, Fri Apr 22 22:26:59 2022, 0x1205a4 type
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF629.tmp.WERInternalMetadata.xml
    XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF7B1.tmp.xml
    XML 1.0 document, ASCII text, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    data
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    data
C:\Users\user\AppData\Local\Temp\RESD841.tmp
    Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols
C:\Users\user\AppData\Local\Temp\RESED31.tmp
    Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_itmkjels.31u.psm1
    very short file (no magic)
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xeni10bs.j5c.ps1
    very short file (no magic)
C:\Users\user\AppData\Local\Temp\lboh4mlq\CSC3DF21D054A9F4C66BF1FA9CD771B1F79.TMP
    MSVC .res
C:\Users\user\AppData\Local\Temp\lboh4mlq\lboh4mlq.0.cs
    UTF-8 Unicode (with BOM) text
C:\Users\user\AppData\Local\Temp\lboh4mlq\lboh4mlq.cmdline
    UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
C:\Users\user\AppData\Local\Temp\lboh4mlq\lboh4mlq.dll
    PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Local\Temp\lboh4mlq\lboh4mlq.out
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
C:\Users\user\AppData\Local\Temp\pkbugtxo\CSC26C720E9EBC041F086604EECC7DD3CDD.TMP
    MSVC .res
C:\Users\user\AppData\Local\Temp\pkbugtxo\pkbugtxo.0.cs
    UTF-8 Unicode (with BOM) text
C:\Users\user\AppData\Local\Temp\pkbugtxo\pkbugtxo.cmdline
    UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
C:\Users\user\AppData\Local\Temp\pkbugtxo\pkbugtxo.dll
    PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Local\Temp\pkbugtxo\pkbugtxo.out
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
C:\Users\user\Documents\20220422\PowerShell_transcript.910646.1Eiln6hD.20220422152728.txt
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
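Three artefact families sit in this list, and the page shows them without saying what they are. The `AppCrash_loaddll32.exe_*\Report.wer` entries, the `WER*.tmp.dmp` minidumps and their XML metadata are Windows Error Reporting output for loaddll32.exe, the loader harness the sandbox runs a DLL sample under; three crash reports mean three of those runs died, so the recorded behaviour may be incomplete and the minidumps are worth pulling. The `%TEMP%\lboh4mlq\` and `%TEMP%\pkbugtxo\` sets (`<name>.0.cs`, `.cmdline`, `.dll`, `.out`, `CSC<guid>.TMP`) together with the `RES*.tmp` resource objects are what PowerShell's Add-Type (or any other CodeDOM compile) leaves when it hands inline C# to csc.exe, so two rounds of in-memory C# compilation took place and the `.0.cs` files hold that source. `__PSScriptPolicyTest_*.ps1/.psm1` are PowerShell's own probe for AppLocker/WDAC script enforcement, and the transcript under `Documents\20220422\` exists because transcription is enabled on the analysis system. The Python below is an added triage helper, not part of the sandbox report, that classifies the 29 paths with those rules; the class labels, the function names and the eight-character directory-name assumption in `ADDTYPE_DIR` are mine.

```python
import re
from collections import Counter

# All 29 dropped-file paths from this report.
DROPPED = [
    r"C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_2828325eddc3a9f8faabde465b0f08bdb67a44e_7cac0383_17ca004a\Report.wer",
    r"C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_82d8da601ff98714cf9338fbdd7f7aa4314182a_7cac0383_186e5281\Report.wer",
    r"C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_f73ca53a05f727fe3c280efd3588c9d22d24062_7cac0383_0d5dc489\Report.wer",
    r"C:\ProgramData\Microsoft\Windows\WER\Temp\WERB8D1.tmp.dmp",
    r"C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE12.tmp.WERInternalMetadata.xml",
    r"C:\ProgramData\Microsoft\Windows\WER\Temp\WERBFA9.tmp.xml",
    r"C:\ProgramData\Microsoft\Windows\WER\Temp\WERCD53.tmp.dmp",
    r"C:\ProgramData\Microsoft\Windows\WER\Temp\WERD0A0.tmp.WERInternalMetadata.xml",
    r"C:\ProgramData\Microsoft\Windows\WER\Temp\WERD237.tmp.xml",
    r"C:\ProgramData\Microsoft\Windows\WER\Temp\WERF2CD.tmp.dmp",
    r"C:\ProgramData\Microsoft\Windows\WER\Temp\WERF629.tmp.WERInternalMetadata.xml",
    r"C:\ProgramData\Microsoft\Windows\WER\Temp\WERF7B1.tmp.xml",
    r"C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache",
    r"C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive",
    r"C:\Users\user\AppData\Local\Temp\RESD841.tmp",
    r"C:\Users\user\AppData\Local\Temp\RESED31.tmp",
    r"C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_itmkjels.31u.psm1",
    r"C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xeni10bs.j5c.ps1",
    r"C:\Users\user\AppData\Local\Temp\lboh4mlq\CSC3DF21D054A9F4C66BF1FA9CD771B1F79.TMP",
    r"C:\Users\user\AppData\Local\Temp\lboh4mlq\lboh4mlq.0.cs",
    r"C:\Users\user\AppData\Local\Temp\lboh4mlq\lboh4mlq.cmdline",
    r"C:\Users\user\AppData\Local\Temp\lboh4mlq\lboh4mlq.dll",
    r"C:\Users\user\AppData\Local\Temp\lboh4mlq\lboh4mlq.out",
    r"C:\Users\user\AppData\Local\Temp\pkbugtxo\CSC26C720E9EBC041F086604EECC7DD3CDD.TMP",
    r"C:\Users\user\AppData\Local\Temp\pkbugtxo\pkbugtxo.0.cs",
    r"C:\Users\user\AppData\Local\Temp\pkbugtxo\pkbugtxo.cmdline",
    r"C:\Users\user\AppData\Local\Temp\pkbugtxo\pkbugtxo.dll",
    r"C:\Users\user\AppData\Local\Temp\pkbugtxo\pkbugtxo.out",
    r"C:\Users\user\Documents\20220422\PowerShell_transcript.910646.1Eiln6hD.20220422152728.txt",
]

# %TEMP%\<name>\<name>.{0.cs,cmdline,dll,out} and CSC<guid>.TMP are what Add-Type leaves
# when it hands inline C# to csc.exe; the eight-character <name> length is an assumption
# taken from the two directories on this page.
ADDTYPE_DIR = re.compile(
    r"\\Temp\\(?P<d>[a-z0-9]{8})\\(?:(?P=d)\.(?:0\.cs|cmdline|dll|out)|CSC[0-9A-F]{32}\.TMP)$", re.I)
# WER names the ReportQueue directory after the faulting process.
APPCRASH = re.compile(
    r"\\WER\\ReportQueue\\AppCrash_(?P<proc>[^\\]+?)_[0-9a-f]+_[0-9a-f]{8}_[0-9a-f]{8}\\Report\.wer$", re.I)

RULES = [
    ("wer_report", APPCRASH),
    ("wer_minidump", re.compile(r"\\WER\\Temp\\WER[0-9A-F]{4}\.tmp\.dmp$", re.I)),
    ("wer_metadata", re.compile(r"\\WER\\Temp\\WER[0-9A-F]{4}\.tmp(?:\.WERInternalMetadata)?\.xml$", re.I)),
    ("addtype_compile", ADDTYPE_DIR),
    ("addtype_compile", re.compile(r"\\Temp\\RES[0-9A-F]{4}\.tmp$", re.I)),  # csc resource object
    ("ps_script_policy_test", re.compile(r"\\__PSScriptPolicyTest_[^\\]+\.psm?1$", re.I)),
    ("ps_transcript", re.compile(r"\\PowerShell_transcript\.[^\\]+\.txt$", re.I)),
    ("ps_host_cache", re.compile(r"\\PowerShell\\(?:ModuleAnalysisCache|StartupProfileData-NonInteractive)$", re.I)),
]


def classify(path: str) -> str:
    """First matching rule wins; anything unrecognised is left for manual review."""
    for label, rx in RULES:
        if rx.search(path):
            return label
    return "other"


def summarize(paths) -> dict:
    """Counts per artefact class; the page's 29 entries collapse to seven classes."""
    return dict(Counter(classify(p) for p in paths))


def compile_sessions(paths) -> set:
    """Distinct Add-Type/csc.exe output directories (one per compilation)."""
    return {m.group("d") for p in paths if (m := ADDTYPE_DIR.search(p))}


def crashed_processes(paths) -> set:
    """Process names taken from WER AppCrash report directories."""
    return {m.group("proc") for p in paths if (m := APPCRASH.search(p))}


if __name__ == "__main__":
    print(summarize(DROPPED))
    print("csc runs:", sorted(compile_sessions(DROPPED)))
    print("crashed:", sorted(crashed_processes(DROPPED)))
```

Anything that lands in `other` is the interesting residue on a real host; on this report nothing does, which is itself the finding: every dropped file is either the sandbox harness crashing or PowerShell tooling, so the sample's own payload has to be recovered from the `.0.cs` sources, the compiled `.dll` files and the minidumps rather than from a dropped binary.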