=
We are hiring! Windows Kernel Developer (Remote), apply here!
flash

626a961800203.dll

Status: finished
Submission Time: 2022-04-28 15:34:27 +02:00
Malicious
E-Banking Trojan
Trojan
Evader
Ursnif

Comments

Tags

  • dll
  • gozi_ifsb
  • ursnif
  • 3000

Details

  • Analysis ID:
    617373
  • API (Web) ID:
    984877
  • Analysis Started:
    2022-04-28 15:34:28 +02:00
  • Analysis Finished:
    2022-04-28 15:48:54 +02:00
  • MD5:
    d6c8aff647ab919e9bc6f2c8aeb125c7
  • SHA1:
    f71c3d08ba85869cb45cb611c3ef9da8f5736b70
  • SHA256:
    de5d66f93a36ef1db41b9b53913296c0ff2828d0b07baff68154fc54683ac45c
  • Technologies:
Full Report Management Report IOC Report Engine Info Verdict Score Reports

malicious

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

malicious
100/100

IPs

IP Country Detection
94.140.115.8
Latvia

URLs

Name Detection
http://94.140.115.8/drew/LzZSD0tVM_2BsonXWK/DxGr8_2Fs/ptvwg5b1i5bmL0teUgxQ/9o_2BYDNRVvPoQoxMtW/BIdfmFo0ukzJeDObjwSUDY/Htb97x6cm9qTp/tEkEvLrP/n0HksQRnfyb9faVq3lqt7w_/2FGj3GkMdb/gW3lDpUUG8UJpLQkT/d_2FWch36CgQ/Ms7kl6_2FQw/_2FYis_2FJuf4b/1W5qGDemarWZETpD245uj/A3G16gP5qOjvKH3G/vv5_2BVLbj8z6ts/CLUiAk4VGnKgZlEBPz/xZ0KblNF.jlk
http://94.140.115.8/drew/6wy5UyOmrJ6HQIq62A/VkrnX6r04/0fFrbYM4DFb5wAzrw_2B/FNzEWhK2WSNEE81GIZV/7J75XXRSaKXlPlnEWRIx2d/cgL4K_2BZrIVj/9osxFaDv/Lc0bZAFyY2PSeXZy5ftLnD9/al2n0BaRS9/SY2dQ9m8xRHbivY38/0pCnmgy_2Bef/l4rMGbb_2B_/2B4w0AfPWShYFd/4cpEVVLZL_2FDyp7NTbNc/rNxu0uITLsW428ao/71RUURUKbVQL7Cx/eCGP96f5gt/RxWMq4kdm/g.jlk
http://94.140.115.8/drew/Gv5Z0BH7gi4l/Xtbvn5vUJ8S/xOKV3qdD_2FR7k/HBHojg_2BImCG6h9pQAWJ/OLNLYJlFkOIbmlfx/xLBPPTo798kTGWF/uarevqL_2FqMq6GmJ9/Ff_2BWjst/_2BcRA9bYxr5hTBTuFyb/8zAPHcBPMbLfJl2Crow/FreBlXlshr_2FnJ_2FgWzv/h4GyHVjgDhcnY/ozdI4s6t/aG5qJQuNKTWUqUa97JxeXEE/v4CNuvvBlw/ItFnqFPJKxxqxJOlb/WVUcVG1SDD9B/T_2BjHrCJGz/H.jlk
Click to see the 9 hidden entries
http://https://file://USER.ID%lu.exe/upd
http://constitution.org/usdeclar.txt
http://pesterbdd.com/images/Pester.png
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://www.apache.org/licenses/LICENSE-2.0.html
http://94.140.115.8/drew/LzZSD0tVM_2BsonXWK/DxGr8_2Fs/ptvwg5b1i5bmL0teUgxQ/9o_2BYDNRVvPoQoxMtW/BIdfm
https://github.com/Pester/Pester
http://constitution.org/usdeclar.txtC:
http://94.140.115.8/drew/6wy5UyOmrJ6HQIq62A/VkrnX6r04/0fFrbYM4DFb5wAzrw_2B/FNzEWhK2WSNEE81GIZV/7J75X

Dropped files

Name File Type Hashes Detection
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
data
#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
data
#
C:\Users\user\AppData\Local\Temp\RESAFF5.tmp
Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
#
Click to see the 14 hidden entries
C:\Users\user\AppData\Local\Temp\RESC0EC.tmp
Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_grhpvd1u.qdq.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iappz0mc.xf1.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\boqgffzj\CSC6A71A2D878D54201A284CABB415B85EF.TMP
MSVC .res
#
C:\Users\user\AppData\Local\Temp\boqgffzj\boqgffzj.0.cs
UTF-8 Unicode (with BOM) text
#
C:\Users\user\AppData\Local\Temp\boqgffzj\boqgffzj.cmdline
UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Temp\boqgffzj\boqgffzj.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Local\Temp\boqgffzj\boqgffzj.out
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
#
C:\Users\user\AppData\Local\Temp\yb3ge0m0\CSCCD644729527F4748ACD06F6743FBF148.TMP
MSVC .res
#
C:\Users\user\AppData\Local\Temp\yb3ge0m0\yb3ge0m0.0.cs
UTF-8 Unicode (with BOM) text
#
C:\Users\user\AppData\Local\Temp\yb3ge0m0\yb3ge0m0.cmdline
UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Temp\yb3ge0m0\yb3ge0m0.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Local\Temp\yb3ge0m0\yb3ge0m0.out
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
#
C:\Users\user\Documents\20220428\PowerShell_transcript.609290.5b3sR3N3.20220428153620.txt
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
#