
3r0Cgcbr8c.dll

Status: finished
Submission Time: 2022-04-28 10:34:16 +02:00
Malicious
E-Banking Trojan
Trojan
Evader
Ursnif

Tags

  • dll

Details

  • Analysis ID:
    617154
  • API (Web) ID:
    984662
  • Analysis Started:
    2022-04-28 10:34:16 +02:00
  • Analysis Finished:
    2022-04-28 10:46:59 +02:00
  • MD5:
    9c2ba02350538f6a4392c85f44550949
  • SHA1:
    bf9d4375e2ad199794db8fb4887b148dc628b4f9
  • SHA256:
    4216810c4c1d5c0ef229668e1b7180a02610369674a2b9af93fbc9854eaccfa7
  • Technologies:
  • Verdict:
    malicious
  • System:
    Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
  • Verdict / Score:
    malicious, 100/100
  • Verdict / Score:
    malicious, 13/42

IPs

  • IP:
    94.140.115.8
  • Country:
    Latvia

URLs

  • http://94.140.115.8/drew/50s8s_2Fm/cVudhHX9qhkwnZn8YGEa/1_2FluFvn0rgITgZHrA/wgcOmIc7KszdPMRNYAwCGU/riR21HHqBfnky/h3W8R7X2/i4XUx7MW7pUIRFpHREax99S/CeaSmQqUkf/_2FQJb20GfOBx67Hv/vcYd4qEFb5vs/GCAhrG_2F_2/Fs8jogZPWA_2BZ/E84C3VPBHuhbD17con0IW/u18AFJcaJWYZ53TT/SBbkABZO2lEW2gv/N0JCn4zxEtu_2BD1lC/F07n5Kpw2LWAlyB/hwLOToT.jlk
  • http://94.140.115.8/drew/WXsBbTk_2FBXBK/mS8Hu3n2DbeYWVwpxggIZ/cAzhqJf7aBOMcFyZ/ERg2cki7hXSFbet/cCn9kY_2Baq8v2FrSn/Rei5wg7J9/Qsu_2FMujMKTcbcDzJ0J/AhSY_2BVu9QQM_2FYvA/N7OdLSd3CjR0pY4_2FFyUB/GOmdiT9hoha13/v02bkkOg/EJzbMo_2FrexM_2BofdpAOE/xgFjJDpwMl/8SxBhJlVDNq8aMCyL/7JDY3gS5rUN7/gZQ5T5rpdKF/AFQ_2BiwFrwd7d/YmSmnBkM9/kco.jlk
  • http://https://file://USER.ID%lu.exe/upd
  • http://constitution.org/usdeclar.txt
  • http://constitution.org/usdeclar.txtC:

Dropped files

  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    File Type: data
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    File Type: data
  • C:\Users\user\AppData\Local\Temp\0hvnxdzw.0.cs
    File Type: UTF-8 Unicode (with BOM) text
  • C:\Users\user\AppData\Local\Temp\0hvnxdzw.cmdline
    File Type: UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
  • C:\Users\user\AppData\Local\Temp\0hvnxdzw.dll
    File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\0hvnxdzw.out
    File Type: UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
  • C:\Users\user\AppData\Local\Temp\CSC1476D44366854E63BD1CA8712B7CCE92.TMP
    File Type: MSVC .res
  • C:\Users\user\AppData\Local\Temp\CSC8E8486282EA843C08CB8749684F1E69.TMP
    File Type: MSVC .res
  • C:\Users\user\AppData\Local\Temp\RES2B5B.tmp
    File Type: Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols
  • C:\Users\user\AppData\Local\Temp\RESE3E.tmp
    File Type: Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vrh5g1xw.2sy.psm1
    File Type: very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yympvmax.25e.ps1
    File Type: very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\iig1japh.0.cs
    File Type: UTF-8 Unicode (with BOM) text
  • C:\Users\user\AppData\Local\Temp\iig1japh.cmdline
    File Type: UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
  • C:\Users\user\AppData\Local\Temp\iig1japh.dll
    File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\iig1japh.out
    File Type: UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
  • C:\Users\user\Documents\20220428\PowerShell_transcript.468325.WGQFiXaw.20220428103607.txt
    File Type: UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators