=
We are hiring! Windows Kernel Developer (Remote), apply here!
flash

626a983c091a8.tiff.dll

Status: finished
Submission Time: 2022-04-28 15:46:15 +02:00
Malicious
E-Banking Trojan
Trojan
Evader
Ursnif

Comments

Tags

  • dll
  • gozi_ifsb
  • ursnif
  • 3000

Details

  • Analysis ID:
    617384
  • API (Web) ID:
    984888
  • Analysis Started:
    2022-04-28 15:46:17 +02:00
  • Analysis Finished:
    2022-04-28 15:59:16 +02:00
  • MD5:
    388aa15c4d1a96534e7ca5587942fa0a
  • SHA1:
    a88e07643c07c8f75845c82c19cd928355d441b2
  • SHA256:
    abc6dfca9ad106cf41da3b6309a15e2a761991d2fad41662211b1afb1c2b0973
  • Technologies:
Full Report Management Report IOC Report Engine Info Verdict Score Reports

malicious

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

malicious
100/100

IPs

IP Country Detection
94.140.115.8
Latvia

URLs

Name Detection
http://94.140.115.8/drew/pWUKzJDbrhpv/FFkNspqcCVD/4ANu5UR3K56aq1/YlZTd4vqqjxlSWQE81tmv/0903hK9AGVho5G_2/FPX1B2ZeY41YUql/9Zl7hUh81wcOKdUUaq/Z_2FlHHRh/JDsEpYdxv2Sil3Q8A91e/jYpDxmigXCYZ8PDT72P/GzAMhzuxMmNvrbZtpOxqlx/F1jRyqu5A3bI6/9P2_2BGh/CvwgeSwx46r_2FQDHgxUtUu/VEvc4RUsji/nf7CiGV7ZHZfisjbY/l_2FOYdkMf6Q/cPBDnAZaABD/3v7KHlHBv_2B/_2BGS0Es/y.jlk
http://94.140.115.8/drew/ik1LQOZMh/mVRbIyzEQTxBwTr6Z5u6/zI22UmjAz8JK2nSoDWz/PBbBE92xQ6eDvkHhGI4LUa/C2IzDYhRuCy1X/B8bDGu4d/NNeE2BpCwJS_2BLL1GATet_/2FJaGdNT8S/qykJG_2BzgaYwDsmt/6L38BacVeBDK/DI5poywJVgk/0BVE0JF2RsEX1d/ehK8HVo5nM5dN_2BvfT0B/d2eei3kq6JFp_2Bo/wjjnHOVxOWAf9Rl/iq5emFWqLQuh9aW2bI/a4pKOz5Hp/Nn13tipc/V.jlk
http://94.140.115.8/drew/BCNeqjF198SdSe826/ArOdCqmPIWdy/mLsvCOAaonH/_2B_2FaHw_2FNP/whZllPw0UWDpWxMk3vD70/ZW7HQlXyVsLFMEnd/ioWk92wZdXi7gVZ/YpqeONxg_2FtJ1pLE0/gkg_2BzOr/T30turd_2FCKY_2FdW3S/SQG35opQqK5eweX5X3z/X5WbnNy0h0F7CgoMJPXQn8/WlhTd00F2BAHX/eC3JkGFi/jMv01ywCxcdZG9_2BXsKQ2k/cWPyDUzVgF/HeX7VJFkhkvecZXZ0/41xqfgFNRUy_/2Fgmw0qSg6Ao/JqGQVxm.jlk
Click to see the 4 hidden entries
http://https://file://USER.ID%lu.exe/upd
http://constitution.org/usdeclar.txt
http://crl.micro
http://constitution.org/usdeclar.txtC:

Dropped files

Name File Type Hashes Detection
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
data
#
C:\Users\user\AppData\Local\Temp\RES9868.tmp
Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
#
C:\Users\user\AppData\Local\Temp\RESA96F.tmp
Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
#
Click to see the 14 hidden entries
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_04s3loul.cwz.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gpafcgl0.stl.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\o1ulwvct\CSC9597862635B74071BA42F3284427E86E.TMP
MSVC .res
#
C:\Users\user\AppData\Local\Temp\o1ulwvct\o1ulwvct.0.cs
UTF-8 Unicode (with BOM) text
#
C:\Users\user\AppData\Local\Temp\o1ulwvct\o1ulwvct.cmdline
UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Temp\o1ulwvct\o1ulwvct.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Local\Temp\o1ulwvct\o1ulwvct.out
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
#
C:\Users\user\AppData\Local\Temp\tn4ral5l\CSC7E5DF85510FF49B49113DD9CBF81BD4.TMP
MSVC .res
#
C:\Users\user\AppData\Local\Temp\tn4ral5l\tn4ral5l.0.cs
UTF-8 Unicode (with BOM) text
#
C:\Users\user\AppData\Local\Temp\tn4ral5l\tn4ral5l.cmdline
UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Temp\tn4ral5l\tn4ral5l.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Local\Temp\tn4ral5l\tn4ral5l.out
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
#
C:\Users\user\TestLocal.ps1
ASCII text, with no line terminators
#
C:\Users\user\WhiteBook.lnk
MS Windows shortcut, Item id list present, Has Relative path, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hidenormalshowminimized
#