=
We are hiring! Windows Kernel Developer (Remote), apply here!
flash

qOfIxt1fnQ.dll

Status: finished
Submission Time: 2022-05-04 16:12:09 +02:00
Malicious
E-Banking Trojan
Trojan
Evader
Ursnif

Comments

Tags

  • dll
  • geo
  • Gozi
  • ISFB
  • ITA
  • Ursnif

Details

  • Analysis ID:
    620327
  • API (Web) ID:
    987829
  • Analysis Started:
    2022-05-04 16:18:26 +02:00
  • Analysis Finished:
    2022-05-04 16:32:41 +02:00
  • MD5:
    00d3b863abdafc62d9b49f99aec5955c
  • SHA1:
    79d75aa72072ddd75a12e849d27b20cc903b9b01
  • SHA256:
    5298257931fb4fcb64bd0e0ba48a2f1f4f1b501813b27d2aabd82056a4feb957
  • Technologies:
Full Report Management Report IOC Report Engine Info Verdict Score Reports

malicious

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

malicious
100/100

malicious
21/42

IPs

IP Country Detection
185.189.151.28
Switzerland

URLs

Name Detection
http://185.189.151.28/drew/G9Zl6xXWK7/sq6mJwqNR6fvih_2F/3BlWMH0TTomc/U1aMCISKVce/sD1_2BamSatrUi/mArOkW2r7_2B0uc5NIyZ1/fqCKZKNfwHwtB7N_/2BOdKH9zPCcKh5j/aH7OQyg_2B7xMhAY1R/xlVSoeftX/sTSsZsRI3rAEzydEwaZ5/9QwFFn9O9UzVILrRbdl/7UPI548brok0gcZoBkvtCI/1vWqX_2Bjtpxo/llnrjwNT/qDZ6Nfo6aLVU8WQtuO_2FVg/zPD0a3AU1_/2BluOSPr1CN4zp_2B/j9DB_2Fzln/wTp23X8qY/8v5Y.jlk
http://185.189.151.28/drew/jXEA7ByXkNY6ttIyk/c1_2FpaHGG8A/Yx7P_2FoAZx/2kWyqwCGw_2Fq6/CqvTpauiAtq1S6NEfUFGz/azQBCUCEVQkwLO92/zmVyPCpquTYZDzt/P2EwT8kh0KHu8Lbvc2/Ag_2FS5Oy/Bwa_2FhroFaW1JJ7Yi_2/FCwhCYTX1vsSGLasuXt/5_2FN41F2ddMFyf13Vxa_2/FlhkTkOugqgwW/2xYMihrB/d1UYCEPSvlBu19hXDBks3k1/KTXlXsgnHu/yq5ztS0tgrWgRYyLM/xsuyeva.jlk
http://185.189.151.28/drew/yTRJAUZiMQ_2FTcjFd/OV31p2h1j/mj3Z9n_2BOBKbildEj82/DKgORp8r4Xx_2BnVgp_/2F_2F_2BvQg_2BZVCdBCQi/QtPh_2BkpemuH/LSUbfgED/uR6Ni2U_2B2TrekewEGTeeM/QVV2Ymg6iJ/T2mSA6ICc_2Fr99oW/m0E6ateNanP0/G9bVGRc76Wh/i2tCqLMog2Cd2S/BjsyNkJBT9sJ3ChkZSwYM/3GFd1ud_2Fz_2BWJ/ABPbUtrh_2BqYag/UdccpuDhsuWiS1djZj/kqFinK56w/1Yn7inetR1GAB9jPIhty/UC9Ej8wR/j.jlk
Click to see the 4 hidden entries
http://https://file://USER.ID%lu.exe/upd
http://ns.adobY
http://constitution.org/usdeclar.txt
http://constitution.org/usdeclar.txtC:

Dropped files

Name File Type Hashes Detection
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
data
#
C:\Users\user\AppData\Local\Temp\RES1B0A.tmp
Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols
#
C:\Users\user\AppData\Local\Temp\RES3EDE.tmp
Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols
#
Click to see the 15 hidden entries
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0zsko4if.iqj.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g5qvxjjl.3xd.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\zbedhqob\CSCD26AEEEF9294175AE6FC384D1631824.TMP
MSVC .res
#
C:\Users\user\AppData\Local\Temp\zbedhqob\zbedhqob.0.cs
UTF-8 Unicode (with BOM) text
#
C:\Users\user\AppData\Local\Temp\zbedhqob\zbedhqob.cmdline
UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Temp\zbedhqob\zbedhqob.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Local\Temp\zbedhqob\zbedhqob.out
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
#
C:\Users\user\AppData\Local\Temp\zek5yaft\CSC3DAC9030B4CB46878A3398CFC11AF7A7.TMP
MSVC .res
#
C:\Users\user\AppData\Local\Temp\zek5yaft\zek5yaft.0.cs
UTF-8 Unicode (with BOM) text
#
C:\Users\user\AppData\Local\Temp\zek5yaft\zek5yaft.cmdline
UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
#
C:\Users\user\AppData\Local\Temp\zek5yaft\zek5yaft.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Local\Temp\zek5yaft\zek5yaft.out
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
#
C:\Users\user\Documents\20220504\PowerShell_transcript.210979.BCECBztA.20220504162021.txt
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
#
C:\Users\user\TestLocal.ps1
ASCII text, with no line terminators
#
C:\Users\user\WhiteBook.lnk
MS Windows shortcut, Item id list present, Has Relative path, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hidenormalshowminimized
#