d6YCUW421p.dll

Status: finished

Submission Time: 2022-04-22 16:11:19 +02:00

Malicious

Spreader

E-Banking Trojan

Trojan

Spyware

Evader

Ursnif

Comments

Details

Analysis ID:
613908
API (Web) ID:
981422
Analysis Started:

2022-04-22 16:13:40 +02:00
Analysis Finished:

2022-04-22 16:31:51 +02:00
MD5:
c544f66e442fbb1864b5abc8c919ef14
SHA1:
7648765f0e8c7247187592be8ffc15e862833b6b
SHA256:
5747f4ec2678631d2b8b001a4e1aeec2a74788cdc1381fcbb36b8f5f699246a6
Technologies:

Engines
IOCs

Joe Sandbox

Engine	Download Report	Detection	Info
		malicious
	Full Report Management Report IOC Report	malicious Score: 100	System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

Open Full Report

malicious

Score: 25/68

malicious

Score: 14/42

IPs

IP	Country	Detection
193.56.146.148	unknown
146.70.35.138	United Kingdom
67.43.234.14	Canada
Click to see the 1 hidden entries
67.43.234.37	Canada

Domains

Name	IP	Detection
1.0.0.127.in-addr.arpa	0.0.0.0
222.222.67.208.in-addr.arpa	0.0.0.0
8.8.8.8.in-addr.arpa	0.0.0.0
Click to see the 2 hidden entries
myip.opendns.com	102.129.143.53
resolver1.opendns.com	208.67.222.222

URLs

Name	Detection
http://193.56.146.148/cook64.rar
http://146.70.35.138/phpadmin/zilwS36OC_2/FnjmOckuG_2BCm/VAdwDdj_2Fnac_2F0y6xc/deXhx0rBocPzi7tR/z8VoemZhKDJOEZ_/2FB71dJS5j3dZE2NGK/cGLO3t6yJ/yUrrIk8eZ08FZSU_2FS0/2G1FFOzId8doUQdjVtt/kPQnX57urwlFySqx1IZrAD/AgrnwQGGtXT4R/Tizv3fN7/xX9kvTCwfaZ1KZbAGWbajAo/gFAssOtH9Z/e8lp2TS1JzI4llaNY/olcdYO51/byt.src
http://193.56.146.148/stilak32.rar
Click to see the 32 hidden entries
http://146.70.35.138/phpadmin/TYhCb5d3/Qd3Po_2BKjelP_2F7WSwUso/7m8jnTpLRx/uExGwdKAdHoPBjWMC/elgD5kzT2sqT/T1iJBxA5UdT/uL5VED_2B8E0P8/_2FtpnrB_2FZlg9AlWg_2/BdtlwpvI_2BcVtwg/McOCY72thR3WVt5/wVoK31AOn6hDpHdQON/XBB32U4r8/fKY68F7l0jZNTMcXJ71L/odruZsWwSuNEIUWqi7s/08LTc4yWUohU0pkFp1T8P2/l2fvxomE6/r6zvT.src
http://67.43.234.14/images/exH_2BV5hI6UV32xq/9iKc6ZjImWoQ/GIugApItTP6/eU0FsndbiatJlG/8sZ81QZwXTfmteOvaRx3j/YoZ9Z9WZVb88loFE/XwzEGCF_2FYd014/RsM17SCy13qQU2pAif/TMyGZBQvh/N26WrESLVWVbmtD7LEn9/Rx20gFSw1JZAg58DLOG/BJUKRsQbaNOa0owKYxus_2/BoGrwh_2BDKqm/DuvxAvK6/zywXiP_2Bz0bAUH1Ay0X5pY/Ej1B6Nr9jL/cJXSt0eQu6DGGZWaR/qgLa8p54JO9D/mFJ_2BIO/ix2MS.bmp
http://193.56.146.148/cook32.rar
http://146.70.35.138/phpadmin/O5VHv_2BomBJ/FDSQ3C_2FEh/d3AB91pB2zVZZc/V8xBUftmx0M_2Bqnngedi/DpLLDhwUKQDOSSQS/nVaNzwxkqgcnJXK/SQy2RrteBXCJGPusj_/2Fou9gPbn/TEfuPZW_2FR5wp1JKvFc/BRr_2Bgc4Sh6fwKpLbg/92QNhdYG6IBsInIDDSBHis/CLBmXrf7shSlX/Qy4n9fNl/nE2maUEbSwiaPEHMkNYQxQk/D1KSQzl_2F/HXQWBGmfgthfPqv/9SK.src
http://67.43.234.14/images/fWI73R1_2Fi/dMEh0cq63rRCJy/hEJHCisV7TLXf6s5qDp3z/BCtN_2Bg1My_2Bxo/AhaNT6s6q6_2B58/OQZoTj4FY38JIpdz1z/MCQ_2Fvl2/KaObwwaShYciWGHB8igT/ebmAGB0PycjKyjC2pvQ/6aj0R0O7yrH6fMGLiN7rcC/6qFHr8cars3Gw/I8BuhPaS/BZ6BhWd8QiKaDrJK4XQp4Ag/g0wwOGo1XO/QfQATDgE2jY4Wf7L8/foVbicjFFFm0/9oroSq36Cxf/G6HPMi1wZ9ycu5/gwcS_2Bt/rdAx9WRg/N.bmp
http://193.56.146.148/stilak64.rar
http://curlmyip.net
http://67.43.234.14/images/vdoa2puIgygDcKHOof7W5Nx/Sm5x_2FLro/zObUXzRQyLPWX4K31/W76pZEGagBpT/o6IGunTWfCn/lXzKVuv3SgxDcg/QnnnzAZBFXh1ukr9Caozw/wPM7sTqNdf9sx_2F/Rne6TvIOz1EJrXu/g31KyfFRkwWQ7yEqN4/zXMBf0AoC/FcsOEsPhqIXCKsCLKvy2/p_2BCCsPTnYHLO5apYZ/ZOWl4UxrQhGJIiW3n82a5o/LRy86Sxl6Pzdu/NQ1r9_2F/M2tmRTakUsCXcEs_2FmAAzP/G6Sk1Uhj8yi4/tFtBd.bmp
http://ipinfo.io/ip
http://help.disneyplus.com.
https://www.disneyplus.com/legal/your-california-privacy-rights
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://nuget.org/NuGet.exe
https://disneyplus.com/legal.
https://nuget.org/nuget.exe
https://contoso.com/
http://ns.adobe.uxEN
http://crl.microsoft.coQ
http://constitution.org/usdeclar.txt
http://pesterbdd.com/images/Pester.png
https://www.disneyplus.com/legal/privacy-policy
http://ns.micro/1%L
http://ns.adobe.cmge
https://github.com/Pester/Pester
http://curlmyip.netQ8tR9QJN7lLzOLlefile://c:
https://www.tiktok.com/legal/report/feedback
http://https://file://USER.ID%lu.exe/upd
https://contoso.com/Icon
https://contoso.com/License
http://constitution.org/usdeclar.txtC:
http://ns.adobp/
http://www.apache.org/licenses/LICENSE-2.0.html

Dropped files

Name	File Type	Hashes
C:\Users\user\AppData\Local\Temp\g2letrfe\g2letrfe.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Temp\B95F.bin\Root.pfx	data	#
C:\Users\user\AppData\Local\Temp\DFA5.bin	ASCII text, with CRLF line terminators	#
Click to see the 38 hidden entries
C:\Users\user\AppData\Local\Temp\DFA5.bin1	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\FFD3.bin	Zip archive data, at least v2.0 to extract	#
C:\Users\user\AppData\Local\Temp\RES5B2D.tmp	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols	#
C:\Users\user\AppData\Local\Temp\RES71E1.tmp	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q3t4dtxl.aez.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zqgxvc3t.uvk.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\g2letrfe\CSC71DE0290BB9F401583CAD01729BF75D7.TMP	MSVC .res	#
C:\Users\user\AppData\Local\Temp\g2letrfe\g2letrfe.0.cs	UTF-8 Unicode (with BOM) text	#
C:\Users\user\AppData\Local\Temp\B95F.bin\AuthRoot.pfx	data	#
C:\Users\user\AppData\Local\Temp\g2letrfe\g2letrfe.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Temp\g2letrfe\g2letrfe.out	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators	#
C:\Users\user\AppData\Local\Temp\vqkyohgm\CSCBF795D6899604BF9A48E638AB671C4FD.TMP	MSVC .res	#
C:\Users\user\AppData\Local\Temp\vqkyohgm\vqkyohgm.0.cs	UTF-8 Unicode (with BOM) text	#
C:\Users\user\AppData\Local\Temp\vqkyohgm\vqkyohgm.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Temp\vqkyohgm\vqkyohgm.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Temp\vqkyohgm\vqkyohgm.out	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators	#
C:\Users\user\Documents\20220422\PowerShell_transcript.367706.vGPyFZhc.20220422161533.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
\Device\ConDrv	ASCII text, with CRLF, CR line terminators	#
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDA3E.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	#
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_7875e6245bdd47cab51d5025544adb25af7c1d5b_7cac0383_19f2e3d2\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	#
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_a0b9814f9a8146de5cfec8d14bee9aa28ce9d7_7cac0383_11cea998\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	#
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9F47.tmp.dmp	Mini DuMP crash report, 15 streams, Fri Apr 22 23:14:54 2022, 0x1205a4 type	#
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA3BD.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	#
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA554.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	#
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB1C6.tmp.dmp	Mini DuMP crash report, 15 streams, Fri Apr 22 23:14:59 2022, 0x1205a4 type	#
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB580.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	#
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB6D8.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	#
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD5B9.tmp.dmp	Mini DuMP crash report, 15 streams, Fri Apr 22 23:15:08 2022, 0x1205a4 type	#
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_3fb78dbd3096a159cff8d7df2087ea8f72df4a_7cac0383_1a1ec4c1\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	#
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDB97.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	#
C:\Users\user\AppData\Local\Temp\11D3.bin	ASCII text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Temp\2DBE.bin	Zip archive data, at least v2.0 to extract	#
C:\Users\user\AppData\Local\Temp\40F3.bin	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\4A44.bin	Zip archive data, at least v2.0 to extract	#
C:\Users\user\AppData\Local\Temp\6B3A.bi1	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\7BC3.bin	Zip archive data, at least v2.0 to extract	#

d6YCUW421p.dll

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

d6YCUW421p.dll Options

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

Search started

d6YCUW421p.dll