=
We are hiring! Windows Kernel Developer (Remote), apply here!
flash

626a97fea05c8.pdf.dll

Status: finished
Submission Time: 2022-04-28 15:46:37 +02:00
Malicious
E-Banking Trojan
Trojan
Evader
Ursnif

Comments

Tags

  • dll
  • gozi_ifsb
  • ursnif
  • 3000

Details

  • Analysis ID:
    617386
  • API (Web) ID:
    984890
  • Analysis Started:
    2022-04-28 15:46:37 +02:00
  • Analysis Finished:
    2022-04-28 15:59:56 +02:00
  • MD5:
    76f9a5c65f372960c55a3e2d19d211cb
  • SHA1:
    341d52557b6600d3e3fe30a43de94206eb4e4403
  • SHA256:
    713cfe3bc8dd8f8ba3b907d9268d3f4bd40f5a6a681653cc7922bf69a754ee5a
  • Technologies:
Full Report Management Report IOC Report Engine Info Verdict Score Reports

malicious

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

malicious
100/100

IPs

IP Country Detection
94.140.115.8
Latvia

URLs

Name Detection
http://94.140.115.8/drew/LtgGoR4W/2VkXik7fjDcVktkLvg4IApw/X92UzCdVgy/XGxL6WnODxABmAmav/eQYJObhAwpfD/VdmVLoyMEHz/dwiltyOKA4QHrd/HIJmqKTpq7hYAhh7xdD_2/BebjcoubFQh657nc/ksw26clyZ6v7ljU/oLbDPDTt1qYXqZfF_2/Fct2ocSBw/YaWKTOq17vIwu56czhmj/mDU1dku9eqq5aKu5F_2/FjqClysn2ko_2Fsx8SaFZF/ugZkpFnnMo_2B/poGcHSuZrc7hSygj/D8.jlk
http://94.140.115.8/drew/lAbS1TW8Ry8K_2Fy_2F02/IsWfDHUCh87tGSw4/6lgCxLe1Qs4WPGx/DknDiIGwAkcSSAjTq_/2BfvJx7dx/1hlTGDAg0PRAb8RWrNXa/OnwJqcZ0UkVEA4nNNEX/rU_2BEpbIQ3L_2FTXhvUWT/8ZfWEtxix63AY/iFey05B2/gKLIqEyGvdF_2FQqfOcIngQ/d4nr47OKVK/s16bIA5z3PH2z3706/OF3C_2BAmDzq/p9S3fF0IaVA/8GI4MffuRsVQDp/0oN_2BdvJJV7wESzGZsla/_2FLi.jlk
http://94.140.115.8/drew/NiEEiC_2F3/2h7kr_2B2M1EBpHcH/ENyHLalFXmOl/_2FTW0ecUVe/3N7nldlK89kw4y/VYeID7sRLB3A_2FAgFg0G/a5El_2BO7WD36Nlp/el4uE7tHR4Z8M9p/QG4TJaEWODl3HaYCH4/kP01txLgC/1iGXgYXBwcTcIgoIP92G/0JSXT0rNb0xnVvZFyXY/gCk_2F7aTYUhOqcRrdrBn4/EZOQnHcHRUgv3/B5BfYkj9/KpyjZ64W8U3keBpCjw85kZ4/8t_2Bri7RNBUNE3Y/8jsFDn.jlk
Click to see the 6 hidden entries
http://94.140.115.8/drew/NiEEiC_2F3/2h7kr_2B2M1EBpHcH/ENyHLalFXmOl/_2FTW0ecUVe/3N7nldlK89kw4y/VYeID7
http://https://file://USER.ID%lu.exe/upd
http://constitution.org/usdeclar.txt
http://94.140.115.8/37
http://constitution.org/usdeclar.txtC:
http://94.140.115.8/drew/lAbS1TW8Ry8K_2Fy_2F02/IsWfDHUCh87tGSw4/6lgCxLe1Qs4WPGx/DknDiIGwAkcSSAjTq_/2

Dropped files

Name File Type Hashes Detection
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
data
#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
data
#
C:\Users\user\AppData\Local\Temp\RES4ECA.tmp
Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols
#
Click to see the 16 hidden entries
C:\Users\user\AppData\Local\Temp\RES6B2B.tmp
Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fbj0ibhp.0cz.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ptawa3qf.k1u.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\pyir2nwc\CSC3492E89F885A4D28ABE1C8363667B7D.TMP
MSVC .res
#
C:\Users\user\AppData\Local\Temp\pyir2nwc\pyir2nwc.0.cs
UTF-8 Unicode (with BOM) text
#
C:\Users\user\AppData\Local\Temp\pyir2nwc\pyir2nwc.cmdline
UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Temp\pyir2nwc\pyir2nwc.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Local\Temp\pyir2nwc\pyir2nwc.out
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
#
C:\Users\user\AppData\Local\Temp\vx43imot\CSCE0D7D73128344F6AB96E56EC2E032.TMP
MSVC .res
#
C:\Users\user\AppData\Local\Temp\vx43imot\vx43imot.0.cs
UTF-8 Unicode (with BOM) text
#
C:\Users\user\AppData\Local\Temp\vx43imot\vx43imot.cmdline
UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Temp\vx43imot\vx43imot.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Local\Temp\vx43imot\vx43imot.out
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
#
C:\Users\user\Documents\20220428\PowerShell_transcript.123716.e+y1bmjH.20220428154848.txt
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
#
C:\Users\user\TestLocal.ps1
ASCII text, with no line terminators
#
C:\Users\user\WhiteBook.lnk
MS Windows shortcut, Item id list present, Has Relative path, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hidenormalshowminimized
#