
tIJVb0BvkI.dll

Status: finished
Submission Time: 2022-05-04 16:20:13 +02:00
  • Malicious
  • E-Banking Trojan
  • Trojan
  • Evader
  • Ursnif

Tags

  • dll
  • geo
  • Gozi
  • ISFB
  • ITA
  • Ursnif

Details

  • Analysis ID:
    620333
  • API (Web) ID:
    987837
  • Analysis Started:
    2022-05-04 16:26:19 +02:00
  • Analysis Finished:
    2022-05-04 16:40:25 +02:00
  • MD5:
    f28f39ada498d66c378fd59227e0f215
  • SHA1:
    1c9c0584ad51f5be3f16b334d758c88b8cdb7b38
  • SHA256:
    0a66e8376fc6d9283e500c6e774dc0a109656fd457a0ce7dbf40419bc8d50936

Verdict: malicious

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

malicious, 100/100
malicious, 20/42

IPs

  • 185.189.151.28 (Switzerland)

URLs


Dropped files

  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache (data)
  • C:\Users\user\AppData\Local\Temp\2tb3qiq3\2tb3qiq3.0.cs (UTF-8 Unicode (with BOM) text)
  • C:\Users\user\AppData\Local\Temp\2tb3qiq3\2tb3qiq3.cmdline (UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators)
  • C:\Users\user\AppData\Local\Temp\2tb3qiq3\2tb3qiq3.dll (PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows)
  • C:\Users\user\AppData\Local\Temp\2tb3qiq3\2tb3qiq3.out (UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators)
  • C:\Users\user\AppData\Local\Temp\2tb3qiq3\CSCCA338523CEA149558ADCBDE2BD495CFE.TMP (MSVC .res)
  • C:\Users\user\AppData\Local\Temp\5xaibb03\5xaibb03.0.cs (UTF-8 Unicode (with BOM) text)
  • C:\Users\user\AppData\Local\Temp\5xaibb03\5xaibb03.cmdline (UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators)
  • C:\Users\user\AppData\Local\Temp\5xaibb03\5xaibb03.dll (PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows)
  • C:\Users\user\AppData\Local\Temp\5xaibb03\5xaibb03.out (UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators)
  • C:\Users\user\AppData\Local\Temp\5xaibb03\CSC5E69315C691F4C1A85D8DAF9C7145CE8.TMP (MSVC .res)
  • C:\Users\user\AppData\Local\Temp\RES109F.tmp (Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols)
  • C:\Users\user\AppData\Local\Temp\RES37BE.tmp (Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_magqr2lp.csh.psm1 (very short file (no magic))
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u3nzoxvm.isc.ps1 (very short file (no magic))