=
We are hiring! Windows Kernel Developer (Remote), apply here!
flash

2oCOO5LbPu.dll

Status: finished
Submission Time: 2022-05-04 16:10:13 +02:00
Malicious
E-Banking Trojan
Trojan
Spyware
Evader
Ursnif

Comments

Tags

  • dll
  • geo
  • Gozi
  • ISFB
  • ITA
  • Ursnif

Details

  • Analysis ID:
    620323
  • API (Web) ID:
    987827
  • Analysis Started:
    2022-05-04 16:17:34 +02:00
  • Analysis Finished:
    2022-05-04 16:32:19 +02:00
  • MD5:
    1217ff59e80cdae525287f2c6e9a43c6
  • SHA1:
    71760323e2c6528c2d346d85c9a138edcea984aa
  • SHA256:
    315b13c6d80997dd76a01c15b78651d7a1cb54f8432fc25ad95c8573ba4b52d6
  • Technologies:
Full Report Management Report IOC Report Engine Info Verdict Score Reports

malicious

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

malicious
100/100

malicious
21/42

malicious

IPs

IP Country Detection
193.56.146.127
unknown
116.121.62.237
Korea Republic of
185.189.151.28
Switzerland

Domains

Name IP Detection
l-0007.l-dc-msedge.net
13.107.43.16
cabrioxmdes.at
116.121.62.237
gamexperts.net
0.0.0.0
Click to see the 5 hidden entries
1.0.0.127.in-addr.arpa
0.0.0.0
222.222.67.208.in-addr.arpa
0.0.0.0
8.8.8.8.in-addr.arpa
0.0.0.0
myip.opendns.com
102.129.143.40
resolver1.opendns.com
208.67.222.222

URLs

Name Detection
http://curlmyip.net
http://193.56.146.127/stilak32.rar
http://cabrioxmdes.at/images/V0NO_2B_2/BKtxKUyqNZPWTGW_2Fsb/gcra1vUcqfsugEwbqkg/clC4xOvGOnv1IfCbC3KpDN/55o4c2l5_2FQ5/A5h2Nudl/_2BMxe_2B5DeFfkUNA5tHFs/S3JUh8OxeK/2_2FH31SGSIQagA1v/1cdYZqzVHkrq/508837BCT1F/BqNIRlNPeT4DuE/7TejdrPxV03GXRoV_2Bn_/2BLetz9nfjFhAFKH/XzqzBZbDgeQBfEL/knvoVinzLGANv8j5GP/MiBxeoPgM/h0e0hiZpA4rDs4gKFEOR/z8BKZois5KcoiHgGkl6/XYwiOQ0Qo28lWHm/byQpQm.gif
Click to see the 36 hidden entries
http://193.56.146.127/stilak64.rar
http://185.189.151.28/drew/ftkCw_2FHRlZ2H4Ez/kZzLPSWW1EjO/vrmRPaaHdKz/qSrMackZ3zyqc0/VWwRh_2FwCauXlH76SpSQ/WebWjWKotWlEjZol/i0khlMGcdRnqbLJ/HlNBrT1E6GXaxDAWHo/UE921lN_2/FjqHF75OT4VsLwnjVixS/PbEwWP4onYE8hLJvBBX/d_2BgNcvh2ZXGjR5_2FyXa/S5_2BQHrje5lp/MVCT87wg/yCb3LwnNfDTI2igwyNHJuPu/wEyNxQ1wIj/6Ok6nHxwE/MHgaOPodjh/7.jlk
http://193.56.146.127/cook32.rar
http://185.189.151.28/drew/j2JffNlXTHLPSjvkab/vvawbyEnZ/Hwlvs3aqIXBaZtIhRcgj/4HXnxsMpDrDAMvyWm_2/FmVqdMEPLr3zfDmaxNGUay/bz_2BSMy1l2QZ/EUwY7mKI/BhGCRzr1OkkgVWxbqU3mkVE/wA3v0qd0nJ/5B7wfgqElhGpmz3sa/_2F6sQ8OT_2B/8xTtmUQcdaG/oTkIYSJR4gLWwl/QQTNVlqw4bQdTnzAZ6CQ7/k1kym0P_2B_2FUsc/x2oonw84wvEvNXM/7_2BWWPnJGDR/PuJeNv7kx/T.jlk
http://cabrioxmdes.at/images/ycZgts7gGB1TTI_2BJ/kAFzWH5dO/EouFwEOlBnMQFd_2B9cm/hFllbR62yV2D6DpnFIT/1m7iL_2BNn_2FiW_2Fey46/UbiTO8_2BKiyZ/X_2Fw6C8/_2BYemffpjXv9AYl0VWdt5P/DII_2F9NDv/YDhvS6DNSnB9Ol87V/O37_2FvxkOTf/eEAAdQaaXJB/BDgwSc3qOdxCUN/5Mw_2FSE2hFdSZTrFlwZP/7mWxeoDw9vW5V8uP/HsY9e6csLMEHi74/FnD5yUP5tDxrs5O87k/gamDdyFb5/q42.bmp
http://185.189.151.28/drew/VaQ3pTys7Q2R6kpf/_2FIc_2F8CXvB3Z/iOcDCMv_2Bzt_2BkvD/0oAvhggmG/_2Fl1lo2G6zaBPziefOU/0weuiBbGeNMoLKM6iCO/t_2BCeHyFsnS9bYnhwNoEp/71L2csZUwuj6M/Di72h_2F/YKcRH2nZoqJfjSIVybnSQum/ojRn6CbyHg/HZSkJJ16taI_2BtJ_/2BPgmXmwBiuC/GeqX1VmOJwL/BLm5b43yKc8DM1/cAyjDLhuSh3YL8e2h3G86/An0inHEid52NS1pJ/fzGWg5Z6i/S.jlk
http://193.56.146.127/cook64.rar
http://cabrioxmdes.at/images/x2n_2BZq/cMTCmy3PTwcmYJsQtcFfdmd/RGHbCfH0Mi/_2F2XXxRKDznMaDCu/6VijCL7TOw6A/_2FZwep2qr_/2FWEPkZM5AVXte/9aqioax34nJsL5Jif0tvs/L_2FZYT61ziDpxF7/LpFCetnlC9m_2Bt/oUT730x_2F0HUFQM3Y/XzNhPma_2/B16XqKLqfQsgSGMPR6I2/0aqjgbQwdUeD2pbxvCW/nFGCHfIsUA4BQ8wKgww64R/38SNs6vk5dFLz/lF2ZfIKN/ONI_2FioD0xOFaZ_2BUESxI/wtoW_2F78Wali9Dqxz_/2F8R.bmp
https://www.disneyplus.com/legal/your-california-privacy-rights
http://nuget.org/NuGet.exe
http://pesterbdd.com/images/Pester.png
http://curlmyip.netJv1GYc8A8hCBIeVDfile://c:
http://www.apache.org/licenses/LICENSE-2.0.html
http://ns.adobp/
http://constitution.org/usdeclar.txtC:
https://contoso.com/License
https://contoso.com/Icon
http://https://file://USER.ID%lu.exe/upd
http://ns.adobe.cmg
https://www.tiktok.com/legal/report/feedback
http://crl.osofts/Microt0
http://twitter.com/spotify
https://github.com/Pester/Pester
https://support.hotspotshield.com/
https://www.disneyplus.com/legal/privacy-policy
http://ipinfo.io/ip
http://constitution.org/usdeclar.txt
https://contoso.com/
https://nuget.org/nuget.exe
https://www.hotspotshield.com/terms/
https://www.pango.co/privacy
https://disneyplus.com/legal.
http://ns.adobe.ux
http://ns.micro/1
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://help.disneyplus.com.

Dropped files

Name File Type Hashes Detection
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\deprecated.cookie
ASCII text, with no line terminators
#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
data
#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
data
#
Click to see the 24 hidden entries
C:\Users\user\AppData\Local\Temp\1E0C.bi1
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\2E09.bin
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\2E09.bin1
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\84C2.bin
Zip archive data, at least v2.0 to extract
#
C:\Users\user\AppData\Local\Temp\90BF.bin
Zip archive data, at least v2.0 to extract
#
C:\Users\user\AppData\Local\Temp\A717.bin
Zip archive data, at least v2.0 to extract
#
C:\Users\user\AppData\Local\Temp\CC9B.bin
ASCII text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Temp\ED8E.bin
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\RES3A11.tmp
Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
#
C:\Users\user\AppData\Local\Temp\RES5431.tmp
Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3jnnrb2c.xpe.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eix4r5e5.krv.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\dyznokx3\CSCF033825E263E4DFC98584E77F08A80E9.TMP
MSVC .res
#
C:\Users\user\AppData\Local\Temp\dyznokx3\dyznokx3.0.cs
UTF-8 Unicode (with BOM) text
#
C:\Users\user\AppData\Local\Temp\dyznokx3\dyznokx3.cmdline
UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Temp\dyznokx3\dyznokx3.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Local\Temp\dyznokx3\dyznokx3.out
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
#
C:\Users\user\AppData\Local\Temp\ykprd3xj\CSC234B0D107E494378839C776CED666FC7.TMP
MSVC .res
#
C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.0.cs
UTF-8 Unicode (with BOM) text
#
C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.cmdline
UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.out
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
#
C:\Users\user\Documents\20220504\PowerShell_transcript.841618.mWebbd0S.20220504161928.txt
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
#
\Device\ConDrv
ASCII text, with CRLF, CR line terminators
#