
FJHd.dll

Status: finished
Submission Time: 2022-04-22 15:34:21 +02:00
Malicious
E-Banking Trojan
Trojan
Evader
Ursnif

Comments

Tags

  • dll

Details

  • Analysis ID:
    613875
  • API (Web) ID:
    981390
  • Analysis Started:
    2022-04-22 15:41:26 +02:00
  • Analysis Finished:
    2022-04-22 15:56:50 +02:00
  • MD5:
    99ff80925202286d75030a1cae587249
  • SHA1:
    eb5611f49fbf6fcc73dbdb23b27b1237cb6df5ef
  • SHA256:
    e100b492468b71cd42e556b9c5c59e3cf5d7b2f1426e2388102c71f8ba997012
  • Technologies:
Verdict: malicious

  • System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211; verdict: malicious; score: 100/100
  • Verdict: malicious; score: 13/42

IPs (Detection column empty)

  • 146.70.35.138, country: United Kingdom

URLs (Detection column empty for all entries)

  • http://146.70.35.138/phpadmin/O1eI0eqZEIto/XchIaknqoAJ/kMEv4t5J581tfW/u865j5Xeasjgc_2B5CTan/rI1fN2b5ZLhIfUx_/2FZTga80fF0srge/FwfVN0qpYMrE8zzMzM/6huJYaWbc/tc0bcpdDUNB80z9_2BDY/UHVjI8ARNN28DSerYnY/7GArxZ9MTv2QUbSbHwyuZ_/2BBJRXiru38II/V07sa_2F/0AVDKTLcNY27_2BfwcBbs4Y/Pd3H6RqM4P/LHuGv4MKCOJ/M_2FvjQ.src
  • http://146.70.35.138/phpadmin/blDW3CAuqlIu/_2FXOc_2FsX/J_2BL04QxlUkrx/aGHA_2Bk_2BVxx_2BoRVk/XTgW5fkqRjGarOUi/lVIrNxqHDRMdhpG/1JctFQCMLptSkBa07P/q8nvXCNL_/2BVJnf2ZRfkLS_2FpEpQ/4VZG78TbTVpPmmbGZFu/6680oa3W_2F4QkWQGxBtUJ/_2BY0V0xxeolI/vsBno2LD/rKCAaJaGh3gHb5MXFjk7eqq/yVEk5DK_2F/2CXel0sUW8WYDyvpq/O_2FuV71X2/L.src
  • http://https://file://USER.ID%lu.exe/upd
  • http://constitution.org/usdeclar.txt
  • http://pesterbdd.com/images/Pester.png
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  • http://www.apache.org/licenses/LICENSE-2.0.html
  • https://github.com/Pester/Pester
  • http://constitution.org/usdeclar.txtC:

Dropped files (Hashes and Detection columns empty for all entries; each entry is listed as path, then file type)

  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER2BBF.tmp.dmp: Mini DuMP crash report, 15 streams, Fri Apr 22 13:42:56 2022, 0x1205a4 type
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A66.tmp.WERInternalMetadata.xml: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER3BBF.tmp.xml: XML 1.0 document, ASCII text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER8A.tmp.xml: XML 1.0 document, ASCII text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERB08.tmp.dmp: Mini DuMP crash report, 15 streams, Fri Apr 22 13:42:45 2022, 0x1205a4 type
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERFCA0.tmp.dmp: Mini DuMP crash report, 15 streams, Fri Apr 22 13:42:41 2022, 0x1205a4 type
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERFF8F.tmp.WERInternalMetadata.xml: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache: data
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive: data
  • C:\Users\user\AppData\Local\Temp\RES7801.tmp: Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
  • C:\Users\user\AppData\Local\Temp\RESA3C4.tmp: Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rg2d3et4.50c.ps1: very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wptqwobr.eg0.psm1: very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\orc3dje1\CSC484D58AD96A04716AF76ED185C4114F3.TMP: MSVC .res
  • C:\Users\user\AppData\Local\Temp\orc3dje1\orc3dje1.0.cs: UTF-8 Unicode (with BOM) text
  • C:\Users\user\AppData\Local\Temp\orc3dje1\orc3dje1.cmdline: UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
  • C:\Users\user\AppData\Local\Temp\orc3dje1\orc3dje1.dll: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\orc3dje1\orc3dje1.out: UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
  • C:\Users\user\AppData\Local\Temp\rhslligv\CSCABF9A05FBB0E449F8B3B2656C9A8A1FD.TMP: MSVC .res
  • C:\Users\user\AppData\Local\Temp\rhslligv\rhslligv.0.cs: UTF-8 Unicode (with BOM) text
  • C:\Users\user\AppData\Local\Temp\rhslligv\rhslligv.cmdline: UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
  • C:\Users\user\AppData\Local\Temp\rhslligv\rhslligv.dll: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\rhslligv\rhslligv.out: UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
  • C:\Users\user\Documents\20220422\PowerShell_transcript.494126.soVDmKXl.20220422154342.txt: UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_1388a62844b93ea4f95c2472e8188891af451ff8_7cac0383_0d00435e\Report.wer: Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_5a7bdef4ffd6df7a7664cf7158b49db77a1e6c9_7cac0383_009c1ccb\Report.wer: Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_e16f2b5b51a96c57264e6e7da39c96be2b94546_7cac0383_01280182\Report.wer: Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER120E.tmp.WERInternalMetadata.xml: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER155B.tmp.xml: XML 1.0 document, ASCII text, with CRLF line terminators