
xaj0e933Uv.dll

Status: finished
Submission Time: 2022-05-04 16:19:11 +02:00
Classification: Malicious, E-Banking Trojan, Trojan, Evader, Ursnif

Tags

  • dll
  • geo
  • Gozi
  • ISFB
  • ITA
  • Ursnif

Details

  • Analysis ID:
    620332
  • API (Web) ID:
    987836
  • Analysis Started:
    2022-05-04 16:25:58 +02:00
  • Analysis Finished:
    2022-05-04 16:40:33 +02:00
  • MD5:
    69e570a35f63ea12cbad7a10b25a6ea4
  • SHA1:
    f0ca60563eeb9098ad6133daa1fc48c3987437e2
  • SHA256:
    3362915be3f3ed1572f4ba757d155608f54a460fd935bfe3f37138cf0fe383b6

Verdict: malicious

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

Scores: 100/100 (malicious), 27/67 (malicious), 20/42 (malicious)

IPs

IP             | Country     | Detection
185.189.151.28 | Switzerland |

Domains

Name                   | IP           | Detection
l-0007.l-dc-msedge.net | 13.107.43.16 |

URLs


Dropped files

Name | File Type
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | data
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | data
C:\Users\user\AppData\Local\Temp\RES5F15.tmp | Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
C:\Users\user\AppData\Local\Temp\RES73F5.tmp | Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dgqpx5l1.q4z.psm1 | very short file (no magic)
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jkorezbb.opv.ps1 | very short file (no magic)
C:\Users\user\AppData\Local\Temp\a1gxko15\CSCE08F5B5052974B07835021DDCFF1297.TMP | MSVC .res
C:\Users\user\AppData\Local\Temp\a1gxko15\a1gxko15.0.cs | UTF-8 Unicode (with BOM) text
C:\Users\user\AppData\Local\Temp\a1gxko15\a1gxko15.cmdline | UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
C:\Users\user\AppData\Local\Temp\a1gxko15\a1gxko15.dll | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Local\Temp\a1gxko15\a1gxko15.out | UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
C:\Users\user\AppData\Local\Temp\m5pod5s5\CSCDE04DA8616441A6AC3074D39CFFC1D3.TMP | MSVC .res
C:\Users\user\AppData\Local\Temp\m5pod5s5\m5pod5s5.0.cs | UTF-8 Unicode (with BOM) text
C:\Users\user\AppData\Local\Temp\m5pod5s5\m5pod5s5.cmdline | UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
C:\Users\user\AppData\Local\Temp\m5pod5s5\m5pod5s5.dll | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Local\Temp\m5pod5s5\m5pod5s5.out | UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
C:\Users\user\Documents\20220504\PowerShell_transcript.506013.O71O_fmz.20220504162805.txt | UTF-8 Unicode (with BOM) text, with CRLF line terminators