NdmYtW.dll

Status: finished

Submission Time: 2022-04-22 15:34:26 +02:00

Malicious

Trojan

Evader

Ursnif

Comments

Details

Analysis ID:
613876
API (Web) ID:
981391
Analysis Started:

2022-04-22 15:42:24 +02:00
Analysis Finished:

2022-04-22 15:55:21 +02:00
MD5:
f0f0659d9838d978a8b7e7391b81c801
SHA1:
6adf95dab8d012a85ee4ed93f970d610ea2138bc
SHA256:
f32f9fed2539cf3a6f585bc961035ccf3a03095c1f27e688f2da2811eca045f1
Technologies:

Engines
IOCs

Joe Sandbox

Engine	Download Report	Detection	Info
		malicious
	Full Report Management Report IOC Report	malicious Score: 100	System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

malicious

Score: 13/42

IPs

IP	Country	Detection
146.70.35.138	United Kingdom

URLs

Name	Detection
http://146.70.35.138/phpadmin/yqCVBtpTjqi/BUOCnFz_2FQ9Q6/Ryq6_2FVcLDZFmEPKym4J/ZSIV2cDStqNq5Itu/aCSVqy9IZ_2FYMn/gy1HuII7fhtEGD3fSs/mhq0bGlYc/e1NHdmmrmU_2B1hHMDIl/GWAynNsuJSGG6XyVyGK/bQ3sc2CYQDTudJ7F7zgFxZ/TtArsuT1Etq1o/X_2BFjD5/2xRs0olUFTCo8fJjt4hQs1z/QkSmysjcNd/9Y6qrwi9B0UodRXgK/tMT7vbJ8/z.src
http://146.70.35.138/phpadmin/DO_2B54suq9uGv3bL/WcaJ8LTtzS6r/_2B2L8YYoDl/k1C6IodNv9jgnf/9g8FHqdhALJVMODlyIRig/IxM63PUvFPdfvfq2/9SzMpqq4V5UIjTW/ZByGGozk9ceileQl78/VqmnMkaMH/dmauAZ_2BL52juufO3M8/XKCTlNzlGU8e3i9RF_2/FCeeyEtI_2B_2B3oimwxkJ/7tESJGJVusqss/o_2FcLN6/1ty6v0xs0WmjPN_2FH9HK5Z/x2MDCyEEKo/qQ_2B.src
http://146.70.35.138/phpadmin/Um963rWMEUv_2FQUj/C4B8aEFv190w/A5TajDjMaUf/jFq7m82I_2FfW0/xfk4dUQFJptIVQ8QijyxZ/Rnxe9nLPzUagnEWj/ByIDCYY3X9WXEkZ/pBaNc359J4xdZVYnqG/XYbCQfv4k/m6CVJrjNW8fp7w2_2Fhn/P08qjUP5vr_2BNMkjwY/ilwawg4j_2F2eiFOO_2FjH/WtLNE2RDmtpjx/aoDn0KZw/UGwP15wSR7Pb3ZLm7s_2Bm_/2F5nowwmmj/8Tm.src
Click to see the 3 hidden entries
http://https://file://USER.ID%lu.exe/upd
http://constitution.org/usdeclar.txt
http://constitution.org/usdeclar.txtC:

Dropped files

Name	File Type	Hashes
C:\Users\user\AppData\Local\Temp\0sg2urkr\0sg2urkr.0.cs	UTF-8 Unicode (with BOM) text	#
C:\Users\user\AppData\Local\Temp\s5wot0wy\s5wot0wy.out	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators	#
C:\Users\user\AppData\Local\Temp\s5wot0wy\s5wot0wy.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	#
Click to see the 24 hidden entries
C:\Users\user\AppData\Local\Temp\s5wot0wy\s5wot0wy.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Temp\s5wot0wy\s5wot0wy.0.cs	UTF-8 Unicode (with BOM) text	#
C:\Users\user\AppData\Local\Temp\s5wot0wy\CSC4A66175C42A34DCCBF374AEBACAD802E.TMP	MSVC .res	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tr2pkc1k.yzu.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gmmtdzt1.vyi.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\RES249.tmp	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols	#
C:\Users\user\AppData\Local\Temp\RES23CB.tmp	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols	#
C:\Users\user\AppData\Local\Temp\0sg2urkr\CSC9E8D9CF5EFB2455BAC85F18857F6B836.TMP	MSVC .res	#
C:\Users\user\AppData\Local\Temp\0sg2urkr\0sg2urkr.out	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators	#
C:\Users\user\AppData\Local\Temp\0sg2urkr\0sg2urkr.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Temp\0sg2urkr\0sg2urkr.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	#
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_20e622abffa5775ef41a222dc31251babfb4527_7cac0383_1b67ca62\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	#
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFF5E.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	#
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFDD7.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	#
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREFEB.tmp.dmp	Mini DuMP crash report, 15 streams, Fri Apr 22 22:43:55 2022, 0x1205a4 type	#
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD9F4.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	#
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD8CA.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	#
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD53F.tmp.dmp	Mini DuMP crash report, 15 streams, Fri Apr 22 22:43:46 2022, 0x1205a4 type	#
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC93B.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	#
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC6E8.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	#
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC1C7.tmp.dmp	Mini DuMP crash report, 15 streams, Fri Apr 22 22:43:42 2022, 0x1205a4 type	#
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_77fedd926fb8456368a0809e68225ec9bb4c64f4_7cac0383_11b404ac\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	#
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_5fa21f6577568642ef2a26a9573ce156e4bc8_7cac0383_1b8fe099\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	#

NdmYtW.dll

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

URLs

Dropped files

NdmYtW.dll Options

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

URLs

Dropped files

Search started

NdmYtW.dll