Joe Sandbox Cloud Basic

Want to search on specific fields?


Try our:

Advanced Search

Want to search in depth on all Cloud Basic reports?

Try: Joe Sandbox View

Register Login
sloganpng
top title background image
flash

nhLAwAo49f.dll

Status: finished
Submission Time: 2022-04-22 18:06:32 +02:00
Malicious
E-Banking Trojan
Trojan
Evader
Ursnif

Comments

Tags

  • 32
  • dll
  • exe
  • Gozi

Details

  • Analysis ID:
    614013
  • API (Web) ID:
    981526
  • Analysis Started:
    2022-04-22 18:10:41 +02:00
  • Analysis Finished:
    2022-04-22 18:25:52 +02:00
  • MD5:
    117d2886bf0e722b91c0613f337e97da
  • SHA1:
    ca858266bb3a6c30bd798bd52ec9ad5f5992c999
  • SHA256:
    5460cbecf56cf0527a162da6e9232c055912ae695990c1894a32b08055f45d37
  • Technologies:

Joe Sandbox

Engine Download Report Detection Info
malicious
Full Report Management Report IOC Report
malicious
Score: 100
System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

malicious
Score: 12/42

IPs

IP Country Detection
146.70.35.138
 United Kingdom

URLs

Name Detection
http://146.70.35.138/phpadmin/4Tpxr1s1HGEszF_2B7LiF1/y3LyZZaJ3ZWvx/pZkSUF4R/1_2FbDyxYkCG6c7p_2FYkDR/nhEyt7WMzt/7hwk4OiHgD0JGJMFI/ImCZ8s_2FMqL/y0VwpZrsMmE/KWuRORcQBf9YTM/MqCUW1cFI9M0n3uMCAQqN/wZR88CWKfKsLYnKb/dLQvrxDU0Abjiwn/RIWbrb3190W9juPqlW/uvOHtDDn9/1QJUPhkqdx5oDn1fpwZB/wefwGHcoUJ1uL/B.src
http://146.70.35.138/phpadmin/4Ba1DnW6LKX/OzxV9dVdD8F0_2/FNnf6PuzcHmccJ6K45ku8/jhCd_2Fis3j6LdWS/9MB0W4d74KUWgvy/T9aFyptbRYDL9zzFFE/ey_2BT1JO/lSrTwjIXOahrvF9aSR6L/b9k1smqrQnVIlnliRgv/2ypsvB4cw7AtggmD2zEUH4/HQdlQahm_2BQO/aEvL9exV/IPSvc1E0OTLBBBSbKz_2F3u/WIddgbjcxL/NDBKkpcQJosXhuH1H/Ng78CGJ_2B/i.src
http://146.70.35.138/phpadmin/4Tpxr1s1HGEszF_2B7LiF1/y3LyZZaJ3ZWvx/pZkSUF4R/1_2FbDyxYkCG6c7p_2FYkDR/
Click to see the 7 hidden entries
http://https://file://USER.ID%lu.exe/upd
http://146.70.35.138/phpadmin/rImI92vjvUNrdqYhehfuQ/EzgCy9SUEjz2FceM/AZUBVoSihd3oytF/iNtO1XKcgiKIaSZ
http://constitution.org/usdeclar.txt
http://146.70.35.138/phpadmin/4B
http://constitution.org/usdeclar.txtC:
http://146.70.35.138/phpadmin/4Ba1DnW6LKX/OzxV9dVdD8F0_2/FNnf6PuzcHmccJ6K45ku8/jhCd_2Fis3j6LdWS/9MB0
http://177./h

Dropped files

Name File Type Hashes Detection
C:\Users\user\AppData\Local\Temp\RES319C.tmp
 Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols
 #
C:\Users\user\Documents\20220422\PowerShell_transcript.701188.6Ui9L_aX.20220422181317.txt
 UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
 #
C:\Users\user\AppData\Local\Temp\f2vxj03f\f2vxj03f.out
 UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
 #
Click to see the 26 hidden entries
C:\Users\user\AppData\Local\Temp\f2vxj03f\f2vxj03f.dll
 PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
 #
C:\Users\user\AppData\Local\Temp\f2vxj03f\f2vxj03f.cmdline
 UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
 #
C:\Users\user\AppData\Local\Temp\f2vxj03f\f2vxj03f.0.cs
 UTF-8 Unicode (with BOM) text
 #
C:\Users\user\AppData\Local\Temp\f2vxj03f\CSCE6C104441B84417C9AABF578684269B5.TMP
 MSVC .res
 #
C:\Users\user\AppData\Local\Temp\ci1gjuu1\ci1gjuu1.out
 UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
 #
C:\Users\user\AppData\Local\Temp\ci1gjuu1\ci1gjuu1.dll
 PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
 #
C:\Users\user\AppData\Local\Temp\ci1gjuu1\ci1gjuu1.cmdline
 UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
 #
C:\Users\user\AppData\Local\Temp\ci1gjuu1\ci1gjuu1.0.cs
 UTF-8 Unicode (with BOM) text
 #
C:\Users\user\AppData\Local\Temp\ci1gjuu1\CSCFDAADE721EC5455F89368A25D31BABAB.TMP
 MSVC .res
 #
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_thox1gbj.l0h.psm1
 very short file (no magic)
 #
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dejrq2ox.1xj.ps1
 very short file (no magic)
 #
C:\Users\user\AppData\Local\Temp\RESFC15.tmp
 Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols
 #
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_843fd29667a3a8f656751f949c19ad5cff2ee117_7cac0383_1af40bd9\Report.wer
 Little-endian UTF-16 Unicode text, with CRLF line terminators
 #
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
 data
 #
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
 data
 #
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA83.tmp.xml
 XML 1.0 document, ASCII text, with CRLF line terminators
 #
C:\ProgramData\Microsoft\Windows\WER\Temp\WER91A.tmp.WERInternalMetadata.xml
 XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
 #
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4C5E.tmp.xml
 XML 1.0 document, ASCII text, with CRLF line terminators
 #
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4AD7.tmp.WERInternalMetadata.xml
 XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
 #
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4A5.tmp.dmp
 Mini DuMP crash report, 15 streams, Sat Apr 23 01:12:05 2022, 0x1205a4 type
 #
C:\ProgramData\Microsoft\Windows\WER\Temp\WER45E4.tmp.dmp
 Mini DuMP crash report, 15 streams, Sat Apr 23 01:12:21 2022, 0x1205a4 type
 #
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D30.tmp.xml
 XML 1.0 document, ASCII text, with CRLF line terminators
 #
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1BD7.tmp.WERInternalMetadata.xml
 XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
 #
C:\ProgramData\Microsoft\Windows\WER\Temp\WER16F4.tmp.dmp
 Mini DuMP crash report, 15 streams, Sat Apr 23 01:12:09 2022, 0x1205a4 type
 #
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_e912ab21695e486193197883960c42688442ed7_7cac0383_1b24250e\Report.wer
 Little-endian UTF-16 Unicode text, with CRLF line terminators
 #
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_ac76d3d55f42d8698d1e4b22618822dff34b96_7cac0383_13c853ce\Report.wer
 Little-endian UTF-16 Unicode text, with CRLF line terminators
 #