
EIo7Dh2fzn.dll

Status: finished
Submission Time: 2022-04-28 15:05:29 +02:00
Malicious
Trojan
Evader
Ursnif

Comments

Tags

  • dll

Details

  • Analysis ID:
    617356
  • API (Web) ID:
    984860
  • Analysis Started:
    2022-04-28 15:05:30 +02:00
  • Analysis Finished:
    2022-04-28 15:17:51 +02:00
  • MD5:
    ce7c27c59a122431a79b45adc9e6ddea
  • SHA1:
    c4847eaed87a65d679e3ccf04586e8c2c8557853
  • SHA256:
    0f7c69f83cd47009aa4b0b7e99cf0c9f23567a0e1862aa9bc83e4e684e72ff5b
  • Technologies:

Verdict: malicious

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

Scores:
  • malicious (100/100)
  • malicious (13/92)
  • malicious (17/42)

IPs

IP            Country   Detection
94.140.115.8  Latvia

Domains

Name                          IP               Detection
cabrioxmdes.at                210.92.250.133
222.222.67.208.in-addr.arpa   0.0.0.0
myip.opendns.com              102.129.143.30
resolver1.opendns.com         208.67.222.222
time.windows.com              0.0.0.0

URLs

Name Detection
http://94.140.115.8/drew/xkQfjs7DBErH8qV_2BRe9/zh8snQcA3mOHG3TA/3U6KPu52NWgHOFc/bWb63XVpsSd81OMGMn/_2FHaMpbQ/BC68WOIEB1Mj9_2BW5TD/GMdGS1oTucxIOXLM3_2/F6H8p2FWF_2F3vkhAvc8oo/Exn1CIzGZx_2B/XaA55W7Q/HUd85Ol1bm0GzxNggOSA6rc/RfbnUUQZDw/pD47_2F1Ed6TtwfvK/aWiLRbn0orrV/LFXi6QXJZ67/U1jgIfaXgcME0r/EyB_2FX08igdivIwKr5Gg/mTh.jlk
http://cabrioxmdes.at/images/dbFm6yqWdw_2FpTU0jmfQ/kM_2B2SCWx3_2ByF/Jtb7hwAVbmUDszo/zKlr1_2FG9cFGvtq
http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
https://www.google.com/chrome/static/images/homepage/google-canary.pngCLMEM
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094
https://www.google.com/chrome/static/images/app-store-download.pngkLMEM
https://www.google.com/images/hpp/Chrome_Owned_96x96.pngLMEMx
https://www.google.com/chrome/static/images/homepage/homepage_tools.pngLMEM
http://constitution.org/usdeclar.txtC:
https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B83C84637
http://94.140.115.8/e
https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
https://www.google.com/complete/search?q=chrom&cp=5&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuse
http://https://file://USER.ID%lu.exe/upd
http://www.msn.com
https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
https://deff.nelreports.net/api/report?cat=msn
http://94.140.115.8/drew/7jUPuWnUeRp9tDgMfnyRuxD/3ecydcEUUA/_2FNCpKvetNjbttn7/Hdon7urbotGi/Fc3pZ5r7O
http://193.56.146.133/cook64.rar)
http://94.140.115.8/drew/xkQfjs7DBErH8qV_2BRe9/zh8snQcA3mOHG3TA/3U6KPu52NWgHOFc/bWb63XVpsSd81OMGMn/_
https://www.google.com/xjs/_/js/k=xjs.s.en_GB.u8fwEfmm86E.O/ck=xjs.s.hyRG9kR79v8.L.I11.O/m=IvlUe
http://193.56.146.133/cook32.rar
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
https://www.google.com/chrome/static/images/fallback/icon-twitter.jpgLMEM
http://193.56.146.133/cook64.rar6
http://193.56.146.133/stilak32.rarC
https://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.go
https://www.google.com/chrome/static/images/homepage/laptop_desktop.pngLMEM
https://s.yimg.com/lo/api/res/1.2/BXjlWewXmZ47HeV5NPvUYA--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
https://www.google.com/chrome/static/images/fallback/icon-youtube.jpgioLMEM
https://www.google.com/xjs/_/js/k=xjs.s.en_GB.u8fwEfmm86E.O/ck=xjs.s.hyRG9kR79v8.L.I11.O/am=AAAAAABA
http://constitution.org/usdeclar.txt
https://www.google.com/chrome/static/images/homepage/google-dev.pngLMEM
http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
http://193.56.146.133/stilak32.rar
https://policies.yahoo.com/w3c/p3p.xml
http://94.140.115.8/drew/gJ4rdRWQvsSi4EKFRI0/Uy0zcN8ivMoTWJkhhwa8tN/_2FZ9W0zaaBcV/GcwPNSiI/WEm1PCPxC

Dropped files

Name (File Type)

  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    data
  • C:\Users\user\AppData\Local\Temp\RES48A2.tmp
    Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
  • C:\Users\user\AppData\Local\Temp\RES5890.tmp
    Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l433de4w.u4c.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_leskgh1x.rd1.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\kydykacf\CSC5BFFE88D5913473D926BA7D4657E75A7.TMP
    MSVC .res
  • C:\Users\user\AppData\Local\Temp\kydykacf\kydykacf.0.cs
    UTF-8 Unicode (with BOM) text
  • C:\Users\user\AppData\Local\Temp\kydykacf\kydykacf.cmdline
    UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
  • C:\Users\user\AppData\Local\Temp\kydykacf\kydykacf.dll
    PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\kydykacf\kydykacf.out
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
  • C:\Users\user\AppData\Local\Temp\pwbmbloq\CSCE4199BE8E234D5980964D8FC9C2D7EF.TMP
    MSVC .res
  • C:\Users\user\AppData\Local\Temp\pwbmbloq\pwbmbloq.0.cs
    UTF-8 Unicode (with BOM) text
  • C:\Users\user\AppData\Local\Temp\pwbmbloq\pwbmbloq.cmdline
    UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
  • C:\Users\user\AppData\Local\Temp\pwbmbloq\pwbmbloq.dll
    PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\pwbmbloq\pwbmbloq.out
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators