
nhLAwAo49f.dll

Status: finished
Submission Time: 2022-04-22 18:06:32 +02:00
Malicious
E-Banking Trojan
Trojan
Evader
Ursnif

Tags

  • 32
  • dll
  • exe
  • Gozi

Details

  • Analysis ID:
    614013
  • API (Web) ID:
    981526
  • Analysis Started:
    2022-04-22 18:10:41 +02:00
  • Analysis Finished:
    2022-04-22 18:25:52 +02:00
  • MD5:
    117d2886bf0e722b91c0613f337e97da
  • SHA1:
    ca858266bb3a6c30bd798bd52ec9ad5f5992c999
  • SHA256:
    5460cbecf56cf0527a162da6e9232c055912ae695990c1894a32b08055f45d37

Verdict: malicious

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

Score: 100/100 (malicious)

Reports: 12/42 (malicious)

IPs

  • 146.70.35.138 (United Kingdom)

URLs


Dropped files

Name and file type (the report lists no hashes or detections for these entries):

  • C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_843fd29667a3a8f656751f949c19ad5cff2ee117_7cac0383_1af40bd9\Report.wer
    Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_ac76d3d55f42d8698d1e4b22618822dff34b96_7cac0383_13c853ce\Report.wer
    Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_e912ab21695e486193197883960c42688442ed7_7cac0383_1b24250e\Report.wer
    Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER16F4.tmp.dmp
    Mini DuMP crash report, 15 streams, Sat Apr 23 01:12:09 2022, 0x1205a4 type
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER1BD7.tmp.WERInternalMetadata.xml
    XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D30.tmp.xml
    XML 1.0 document, ASCII text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER45E4.tmp.dmp
    Mini DuMP crash report, 15 streams, Sat Apr 23 01:12:21 2022, 0x1205a4 type
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER4A5.tmp.dmp
    Mini DuMP crash report, 15 streams, Sat Apr 23 01:12:05 2022, 0x1205a4 type
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER4AD7.tmp.WERInternalMetadata.xml
    XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER4C5E.tmp.xml
    XML 1.0 document, ASCII text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER91A.tmp.WERInternalMetadata.xml
    XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERA83.tmp.xml
    XML 1.0 document, ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    data
  • C:\Users\user\AppData\Local\Temp\RES319C.tmp
    Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols
  • C:\Users\user\AppData\Local\Temp\RESFC15.tmp
    Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dejrq2ox.1xj.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_thox1gbj.l0h.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\ci1gjuu1\CSCFDAADE721EC5455F89368A25D31BABAB.TMP
    MSVC .res
  • C:\Users\user\AppData\Local\Temp\ci1gjuu1\ci1gjuu1.0.cs
    UTF-8 Unicode (with BOM) text
  • C:\Users\user\AppData\Local\Temp\ci1gjuu1\ci1gjuu1.cmdline
    UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
  • C:\Users\user\AppData\Local\Temp\ci1gjuu1\ci1gjuu1.dll
    PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\ci1gjuu1\ci1gjuu1.out
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
  • C:\Users\user\AppData\Local\Temp\f2vxj03f\CSCE6C104441B84417C9AABF578684269B5.TMP
    MSVC .res
  • C:\Users\user\AppData\Local\Temp\f2vxj03f\f2vxj03f.0.cs
    UTF-8 Unicode (with BOM) text
  • C:\Users\user\AppData\Local\Temp\f2vxj03f\f2vxj03f.cmdline
    UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
  • C:\Users\user\AppData\Local\Temp\f2vxj03f\f2vxj03f.dll
    PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\f2vxj03f\f2vxj03f.out
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
  • C:\Users\user\Documents\20220422\PowerShell_transcript.701188.6Ui9L_aX.20220422181317.txt
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators