
pDut.dll

Status: finished
Submission Time: 2022-04-22 15:25:27 +02:00
Malicious
E-Banking Trojan
Trojan
Evader
Ursnif

Tags

  • dll

Details

  • Analysis ID:
    613867
  • API (Web) ID:
    981381
  • Analysis Started:
    2022-04-22 15:30:49 +02:00
  • Analysis Finished:
    2022-04-22 15:45:48 +02:00
  • MD5:
    b8eea1c2963c2f26ff4ffe8de869c3cc
  • SHA1:
    2a8a13db7afd001f093a2c6f82bc6ed93b1884c5
  • SHA256:
    86ef41e44779b109e70b7d34c011b341c2d90654b149a718a380205287256bef
  • Technologies:
Verdicts

Analysis system: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

  • Verdict: malicious
  • Verdict: malicious, score 100/100
  • Verdict: malicious, score 13/42

IPs

IP              Country          Detection
146.70.35.138   United Kingdom

Domains

Name                      IP             Detection
l-0007.l-dc-msedge.net    13.107.43.16

URLs

  • http://146.70.35.138/phpadmin/F4o1AS9iYlusfa6DJZ_2F/8yu55uwFXLXAS5yL/FeETACp_2FdxcoS/uTYQKlQ9V7TRwNvRii/1bQjf7AZx/EBM2_2FDsl9Y09LRn7_2/BmoA45BufAPzAG_2FOv/yJudlrwiWsA49Qqa8cipw1/EvZwB_2FxuuuB/0Ww7eCaZ/fRJIzVq67cgdRbQXLkDAkWb/J56B_2B4ZT/JfDKOmEjDrpAwpeXE/de7MNcXQ_2Fo/Mirbppbye8W/Y86rEsqpSh3YUIS/Zs.src
  • http://146.70.35.138/phpadmin/5_2Bwaw4P45/G5G_2Bri9js5dP/6i8eec3u2iZZsEg0F_2Bo/d_2BqMRIyr_2BRmo/n2oaEdJDoQ9a_2F/0_2B2EozCoLo00v_2F/xJzX8hfq8/iPqBoTtTmorC_2FgEoT1/Ui5Rir1Tiv3AxHiQWIy/rh6lq3Of5aYhQ8EPvrVJrj/44vLqx1mKcs_2/F_2B09gU/rE50yHayYu_2BOp2Qp10W2E/Rg4hoLXxS1/WyO2tNKQQk0yGQE1R/wvuExnNhCUce/ANjSv_2BDlKR/3.src
  • http://146.70.35.138/phpadmin/o1JPufjt/GxusAKeiWszhS95uJQ6Pkff/K82wV_2FB1/FFi9572w_2BwVlT_2/FFNe3OEDuDjI/JBfn1S9Gj1X/rG8MVUUf7UF9JY/H60Bt_2Bfl23t01NRxG0_/2BxJGTmTJtfTKtyV/qnhybbrG7pKyT5Z/VTdtuctxuutya4BZ4r/9i0FyQBST/lISErNEaGd_2BDuV8mWq/a67VJ79FkTLaxUbSo01/l6OAQv5jgHvtlbXRDaApdW/CfvbZ_2Ba/2A9Ca.src
  • http://146.70.35.138/phpadmin/o1JPufjt/GxusAKeiWszhS95uJQ6Pkff/K82wV_2FB1/FFi9572w_2BwVlT_2/FFNe3OED
  • http://https://file://USER.ID%lu.exe/upd
  • http://146.70.35.138/phpadmin/5_2Bwaw4P45/G5G_2Bri9js5dP/6i8eec3u2iZZsEg0F_2Bo/d_2BqMRIyr_2BRmo/n2oa
  • http://constitution.org/usdeclar.txt
  • http://146.70.35.138/phpadmin/F4o1AS9iYlusfa6DJZ_2F/8yu55uwFXLXAS5yL/FeETACp_2FdxcoS/uTYQKlQ9V7TRwNv
  • http://constitution.org/usdeclar.txtC:
  • http://146.70.35.138/&
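The three complete URLs above share one shape: the host 146.70.35.138 from the IP table, a /phpadmin/ prefix, a long path cut into slash-separated chunks, the tokens _2F and _2B, and a .src suffix. The script below is an added example written for this page; it is not part of the Joe Sandbox report and not Ursnif's own code. It reads _2F and _2B as the URL-encoded forms (%2F, %2B) of the base64 characters '/' and '+', which is my interpretation, not something the report states. The interesting edge case is visible in the second and third URLs: a token can be split across a chunk boundary ("_2/F", "_/2B"), so the chunks have to be joined before the tokens are replaced. What the reassembled base64 decodes to, and how it is encrypted, is not on the page and is not claimed here; the proxy-log lines are constructed to wrap the report's own URLs. When run, the script reports that all three full paths reassemble to 235 base64 characters, i.e. a 176-byte payload of identical size for each beacon.

```python
"""Normalise the /phpadmin/.../x.src C2 paths observed in the report.

Added example (not the report's or the malware's code). Assumptions:
  * _2F and _2B stand for the base64 characters '/' and '+' (my reading
    of the percent-encoded forms %2F and %2B);
  * the sample proxy-log lines below are constructed for the example.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

C2_HOST = "146.70.35.138"  # IP listed in the report's IP table
PATH_RE = re.compile(r"^/phpadmin/(?:[A-Za-z0-9_]+/)*[A-Za-z0-9_]+\.src$")
B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]*$")

# The three full URLs from the report, wrapped in constructed log lines.
URL1 = "http://146.70.35.138/phpadmin/F4o1AS9iYlusfa6DJZ_2F/8yu55uwFXLXAS5yL/FeETACp_2FdxcoS/uTYQKlQ9V7TRwNvRii/1bQjf7AZx/EBM2_2FDsl9Y09LRn7_2/BmoA45BufAPzAG_2FOv/yJudlrwiWsA49Qqa8cipw1/EvZwB_2FxuuuB/0Ww7eCaZ/fRJIzVq67cgdRbQXLkDAkWb/J56B_2B4ZT/JfDKOmEjDrpAwpeXE/de7MNcXQ_2Fo/Mirbppbye8W/Y86rEsqpSh3YUIS/Zs.src"
URL2 = "http://146.70.35.138/phpadmin/5_2Bwaw4P45/G5G_2Bri9js5dP/6i8eec3u2iZZsEg0F_2Bo/d_2BqMRIyr_2BRmo/n2oaEdJDoQ9a_2F/0_2B2EozCoLo00v_2F/xJzX8hfq8/iPqBoTtTmorC_2FgEoT1/Ui5Rir1Tiv3AxHiQWIy/rh6lq3Of5aYhQ8EPvrVJrj/44vLqx1mKcs_2/F_2B09gU/rE50yHayYu_2BOp2Qp10W2E/Rg4hoLXxS1/WyO2tNKQQk0yGQE1R/wvuExnNhCUce/ANjSv_2BDlKR/3.src"
URL3 = "http://146.70.35.138/phpadmin/o1JPufjt/GxusAKeiWszhS95uJQ6Pkff/K82wV_2FB1/FFi9572w_2BwVlT_2/FFNe3OEDuDjI/JBfn1S9Gj1X/rG8MVUUf7UF9JY/H60Bt_2Bfl23t01NRxG0_/2BxJGTmTJtfTKtyV/qnhybbrG7pKyT5Z/VTdtuctxuutya4BZ4r/9i0FyQBST/lISErNEaGd_2BDuV8mWq/a67VJ79FkTLaxUbSo01/l6OAQv5jgHvtlbXRDaApdW/CfvbZ_2Ba/2A9Ca.src"
SAMPLE_LOG = "\n".join([  # constructed: "<time> <client> <method> <url> <status>"
    f"2022-04-22T13:33:10Z 10.0.0.15 GET {URL1} 200",
    "2022-04-22T13:33:12Z 10.0.0.15 GET http://constitution.org/usdeclar.txt 200",
    f"2022-04-22T13:33:20Z 10.0.0.15 GET {URL2} 200",
    "2022-04-22T13:33:25Z 10.0.0.15 GET http://146.70.35.138/& 404",
    f"2022-04-22T13:33:31Z 10.0.0.15 GET {URL3} 200",
])


@dataclass
class Beacon:
    host: str
    normalized: str            # base64 text reassembled from the path
    payload: Optional[bytes]   # decoded bytes, or None if not valid base64


def normalize_path(path: str) -> str:
    """Reassemble the base64 string carried by a /phpadmin/.../x.src path.

    Join the chunks first and only then undo the _2F/_2B substitutions;
    replacing per chunk would miss tokens split across a '/' boundary.
    """
    body = path[len("/phpadmin/"):-len(".src")]
    joined = body.replace("/", "")
    return joined.replace("_2F", "/").replace("_2B", "+")


def decode_payload(b64: str) -> Optional[bytes]:
    """Decode unpadded base64, returning None if it cannot be base64."""
    if not B64_ALPHABET.match(b64) or len(b64) % 4 == 1:
        return None
    padded = b64 + "=" * (-len(b64) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except binascii.Error:
        return None


def classify(url: str) -> Optional[Beacon]:
    """Return a Beacon if the URL has the observed C2 shape, else None."""
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname != C2_HOST:
        return None
    if not PATH_RE.match(parts.path):
        return None
    norm = normalize_path(parts.path)
    return Beacon(parts.hostname, norm, decode_payload(norm))


def scan(lines) -> list:
    """Return (timestamp, url) for every log line whose URL classifies as a beacon."""
    hits = []
    for line in lines:
        fields = line.split()
        for token in fields:
            if token.startswith("http://") and classify(token) is not None:
                hits.append((fields[0], token))
    return hits


if __name__ == "__main__":
    for ts, url in scan(SAMPLE_LOG.splitlines()):
        b = classify(url)
        size = len(b.payload) if b.payload is not None else "n/a"
        print(f"{ts} beacon to {b.host}: {len(b.normalized)} b64 chars, {size} bytes")
```

The regex alone is a usable proxy-log signature for this sample; the normalisation step is what lets the three beacons be compared, and it is the part that is easy to get wrong by replacing tokens chunk by chunk.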

Dropped files

  • C:\Users\user\AppData\Local\Temp\RES52D7.tmp
    Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2zn2pbeb.bx3.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xkbxlwnt.njb.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\cweuuamv.0.cs
    UTF-8 Unicode (with BOM) text
  • C:\Users\user\AppData\Local\Temp\cweuuamv.cmdline
    UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
  • C:\Users\user\AppData\Local\Temp\cweuuamv.dll
    PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\cweuuamv.out
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
  • C:\Users\user\Documents\20220422\PowerShell_transcript.210979.yN_Qw8z3.20220422153314.txt
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_5ae826728d25cb185b65052fe76417bde20f1c2_7cac0383_1a83caea\Report.wer
    Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_64868dc4c92d6a6e56598a58e1863903bd4390_7cac0383_19679841\Report.wer
    Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_d4707724df8dacf8df1a948061d31053afc578b_7cac0383_150f7325\Report.wer
    Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER6AB9.tmp.dmp
    Mini DuMP crash report, 15 streams, Fri Apr 22 22:32:14 2022, 0x1205a4 type
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER6ED1.tmp.WERInternalMetadata.xml
    XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER7162.tmp.xml
    XML 1.0 document, ASCII text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER7E12.tmp.dmp
    Mini DuMP crash report, 15 streams, Fri Apr 22 22:32:19 2022, 0x1205a4 type
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER8518.tmp.WERInternalMetadata.xml
    XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER893F.tmp.xml
    XML 1.0 document, ASCII text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERB176.tmp.dmp
    Mini DuMP crash report, 15 streams, Fri Apr 22 22:32:32 2022, 0x1205a4 type
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERB8E9.tmp.WERInternalMetadata.xml
    XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERC02E.tmp.xml
    XML 1.0 document, ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    data
  • C:\Users\user\AppData\Local\Temp\41kkxng4.0.cs
    UTF-8 Unicode (with BOM) text
  • C:\Users\user\AppData\Local\Temp\41kkxng4.cmdline
    UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
  • C:\Users\user\AppData\Local\Temp\41kkxng4.dll
    PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\41kkxng4.out
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
  • C:\Users\user\AppData\Local\Temp\CSC9452DD6E90C74A5284F45229D37BC.TMP
    MSVC .res
  • C:\Users\user\AppData\Local\Temp\CSCE5529B6452BD443991E7FB86A88433C.TMP
    MSVC .res
  • C:\Users\user\AppData\Local\Temp\RES3B19.tmp
    Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x47e, 9 symbols