2oCOO5LbPu.dll

Status: finished

Submission Time: 2022-05-04 16:10:13 +02:00

Malicious

E-Banking Trojan

Trojan

Spyware

Evader

Ursnif

Comments

Details

Analysis ID:
620323
API (Web) ID:
987827
Analysis Started:

2022-05-04 16:17:34 +02:00
Analysis Finished:

2022-05-04 16:32:19 +02:00
MD5:
1217ff59e80cdae525287f2c6e9a43c6
SHA1:
71760323e2c6528c2d346d85c9a138edcea984aa
SHA256:
315b13c6d80997dd76a01c15b78651d7a1cb54f8432fc25ad95c8573ba4b52d6
Technologies:

Engines
IOCs

Joe Sandbox

Engine	Download Report	Detection	Info
		malicious
	Full Report Management Report IOC Report	malicious Score: 100	System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

malicious

Score: 21/42

malicious

IPs

IP	Country	Detection
193.56.146.127	unknown
116.121.62.237	Korea Republic of
185.189.151.28	Switzerland

Domains

Name	IP	Detection
l-0007.l-dc-msedge.net	13.107.43.16
cabrioxmdes.at	116.121.62.237
gamexperts.net	0.0.0.0
Click to see the 5 hidden entries
1.0.0.127.in-addr.arpa	0.0.0.0
222.222.67.208.in-addr.arpa	0.0.0.0
8.8.8.8.in-addr.arpa	0.0.0.0
myip.opendns.com	102.129.143.40
resolver1.opendns.com	208.67.222.222

URLs

Name	Detection
http://cabrioxmdes.at/images/x2n_2BZq/cMTCmy3PTwcmYJsQtcFfdmd/RGHbCfH0Mi/_2F2XXxRKDznMaDCu/6VijCL7TOw6A/_2FZwep2qr_/2FWEPkZM5AVXte/9aqioax34nJsL5Jif0tvs/L_2FZYT61ziDpxF7/LpFCetnlC9m_2Bt/oUT730x_2F0HUFQM3Y/XzNhPma_2/B16XqKLqfQsgSGMPR6I2/0aqjgbQwdUeD2pbxvCW/nFGCHfIsUA4BQ8wKgww64R/38SNs6vk5dFLz/lF2ZfIKN/ONI_2FioD0xOFaZ_2BUESxI/wtoW_2F78Wali9Dqxz_/2F8R.bmp
http://curlmyip.net
http://193.56.146.127/cook32.rar
Click to see the 36 hidden entries
http://185.189.151.28/drew/j2JffNlXTHLPSjvkab/vvawbyEnZ/Hwlvs3aqIXBaZtIhRcgj/4HXnxsMpDrDAMvyWm_2/FmVqdMEPLr3zfDmaxNGUay/bz_2BSMy1l2QZ/EUwY7mKI/BhGCRzr1OkkgVWxbqU3mkVE/wA3v0qd0nJ/5B7wfgqElhGpmz3sa/_2F6sQ8OT_2B/8xTtmUQcdaG/oTkIYSJR4gLWwl/QQTNVlqw4bQdTnzAZ6CQ7/k1kym0P_2B_2FUsc/x2oonw84wvEvNXM/7_2BWWPnJGDR/PuJeNv7kx/T.jlk
http://193.56.146.127/cook64.rar
http://193.56.146.127/stilak32.rar
http://185.189.151.28/drew/VaQ3pTys7Q2R6kpf/_2FIc_2F8CXvB3Z/iOcDCMv_2Bzt_2BkvD/0oAvhggmG/_2Fl1lo2G6zaBPziefOU/0weuiBbGeNMoLKM6iCO/t_2BCeHyFsnS9bYnhwNoEp/71L2csZUwuj6M/Di72h_2F/YKcRH2nZoqJfjSIVybnSQum/ojRn6CbyHg/HZSkJJ16taI_2BtJ_/2BPgmXmwBiuC/GeqX1VmOJwL/BLm5b43yKc8DM1/cAyjDLhuSh3YL8e2h3G86/An0inHEid52NS1pJ/fzGWg5Z6i/S.jlk
http://185.189.151.28/drew/ftkCw_2FHRlZ2H4Ez/kZzLPSWW1EjO/vrmRPaaHdKz/qSrMackZ3zyqc0/VWwRh_2FwCauXlH76SpSQ/WebWjWKotWlEjZol/i0khlMGcdRnqbLJ/HlNBrT1E6GXaxDAWHo/UE921lN_2/FjqHF75OT4VsLwnjVixS/PbEwWP4onYE8hLJvBBX/d_2BgNcvh2ZXGjR5_2FyXa/S5_2BQHrje5lp/MVCT87wg/yCb3LwnNfDTI2igwyNHJuPu/wEyNxQ1wIj/6Ok6nHxwE/MHgaOPodjh/7.jlk
http://cabrioxmdes.at/images/V0NO_2B_2/BKtxKUyqNZPWTGW_2Fsb/gcra1vUcqfsugEwbqkg/clC4xOvGOnv1IfCbC3KpDN/55o4c2l5_2FQ5/A5h2Nudl/_2BMxe_2B5DeFfkUNA5tHFs/S3JUh8OxeK/2_2FH31SGSIQagA1v/1cdYZqzVHkrq/508837BCT1F/BqNIRlNPeT4DuE/7TejdrPxV03GXRoV_2Bn_/2BLetz9nfjFhAFKH/XzqzBZbDgeQBfEL/knvoVinzLGANv8j5GP/MiBxeoPgM/h0e0hiZpA4rDs4gKFEOR/z8BKZois5KcoiHgGkl6/XYwiOQ0Qo28lWHm/byQpQm.gif
http://cabrioxmdes.at/images/ycZgts7gGB1TTI_2BJ/kAFzWH5dO/EouFwEOlBnMQFd_2B9cm/hFllbR62yV2D6DpnFIT/1m7iL_2BNn_2FiW_2Fey46/UbiTO8_2BKiyZ/X_2Fw6C8/_2BYemffpjXv9AYl0VWdt5P/DII_2F9NDv/YDhvS6DNSnB9Ol87V/O37_2FvxkOTf/eEAAdQaaXJB/BDgwSc3qOdxCUN/5Mw_2FSE2hFdSZTrFlwZP/7mWxeoDw9vW5V8uP/HsY9e6csLMEHi74/FnD5yUP5tDxrs5O87k/gamDdyFb5/q42.bmp
http://193.56.146.127/stilak64.rar
http://ipinfo.io/ip
https://github.com/Pester/Pester
http://constitution.org/usdeclar.txt
https://contoso.com/
https://nuget.org/nuget.exe
https://www.hotspotshield.com/terms/
https://www.pango.co/privacy
https://disneyplus.com/legal.
http://ns.adobe.ux
http://ns.micro/1
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://help.disneyplus.com.
https://www.disneyplus.com/legal/privacy-policy
https://support.hotspotshield.com/
https://www.disneyplus.com/legal/your-california-privacy-rights
http://twitter.com/spotify
http://crl.osofts/Microt0
https://www.tiktok.com/legal/report/feedback
http://ns.adobe.cmg
http://https://file://USER.ID%lu.exe/upd
https://contoso.com/Icon
https://contoso.com/License
http://constitution.org/usdeclar.txtC:
http://ns.adobp/
http://www.apache.org/licenses/LICENSE-2.0.html
http://curlmyip.netJv1GYc8A8hCBIeVDfile://c:
http://pesterbdd.com/images/Pester.png
http://nuget.org/NuGet.exe

Dropped files

Name	File Type	Hashes
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3jnnrb2c.xpe.psm1	very short file (no magic)	#
\Device\ConDrv	ASCII text, with CRLF, CR line terminators	#
C:\Users\user\Documents\20220504\PowerShell_transcript.841618.mWebbd0S.20220504161928.txt	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	#
Click to see the 24 hidden entries
C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.out	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators	#
C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.0.cs	UTF-8 Unicode (with BOM) text	#
C:\Users\user\AppData\Local\Temp\ykprd3xj\CSC234B0D107E494378839C776CED666FC7.TMP	MSVC .res	#
C:\Users\user\AppData\Local\Temp\dyznokx3\dyznokx3.out	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators	#
C:\Users\user\AppData\Local\Temp\dyznokx3\dyznokx3.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	#
C:\Users\user\AppData\Local\Temp\dyznokx3\dyznokx3.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Temp\dyznokx3\dyznokx3.0.cs	UTF-8 Unicode (with BOM) text	#
C:\Users\user\AppData\Local\Temp\dyznokx3\CSCF033825E263E4DFC98584E77F08A80E9.TMP	MSVC .res	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eix4r5e5.krv.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\deprecated.cookie	ASCII text, with no line terminators	#
C:\Users\user\AppData\Local\Temp\RES5431.tmp	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols	#
C:\Users\user\AppData\Local\Temp\RES3A11.tmp	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols	#
C:\Users\user\AppData\Local\Temp\ED8E.bin	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\CC9B.bin	ASCII text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Temp\A717.bin	Zip archive data, at least v2.0 to extract	#
C:\Users\user\AppData\Local\Temp\90BF.bin	Zip archive data, at least v2.0 to extract	#
C:\Users\user\AppData\Local\Temp\84C2.bin	Zip archive data, at least v2.0 to extract	#
C:\Users\user\AppData\Local\Temp\2E09.bin1	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\2E09.bin	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\1E0C.bi1	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	#

2oCOO5LbPu.dll

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

2oCOO5LbPu.dll Options

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

Search started

2oCOO5LbPu.dll