Report - 611237846402f.dll

Tags: Generic Malware, UPX, Malicious Library, OS Processor Check, DLL, PE File, PE32
Created 2021.08.10 21:32 Machine s1_win7_x6403
Filename 611237846402f.dll
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
AI Score 3
Behavior Score 2.4
ZERO API file : clean
VT API (file) 7 detected (malicious, high confidence, Eldorado, FileRepMalware, Generic@ML, RDML, YYSV8r, So8qYNsqElCv0fQ, Static AI, Suspicious PE)
md5 07684da40ad79495b5db6ddcf723bd8e
sha256 683f12747c11016669f9a7413b8975c615f39d2d530b1825eff8a36479e303ff
ssdeep 12288:1fIK0Xnn2SAXZUgKPLWg4+cLeWNTOg2d1yrvF:J4XnnzAX+zPqzLL3l2jyr
imphash 495dbada16b5f25b6891e0b1f202ae2e
impfuzzy 48:LOkydx+fcctFm5GqO/pCXZWNculXhO/zaoiu/l2pgmskaw:LhOx+fcctFgGqOhM2cQi3w

Signature (7cnts)

Level Description
watch Disables proxy possibly for traffic interception
notice Allocates read-write-execute memory (usually to unpack itself)
notice File has been identified by 7 AntiVirus engines on VirusTotal as malicious
notice Performs some HTTP requests
info Checks amount of memory in system
info Queries for the computername
info This executable has a PDB path

Rules (7cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsDLL (no description) binaries (upload)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (8cnts)

Request CC ASN Co IP4 Rule ZERO
https://outlook.office365.com/tragli/JeFN0YgrW/72ge1K57HPfLT0V_2Bo2/xNEOvkt0nPz6Ld7W0_2/Fd5A_2B38SD5K_2BrZkIXO/vP1DDaBsBEZpi/nFFIjr82/y_2FpXXpoKGFESITR_2Fbcm/9Vmg9EPw3x/ujr996BAGYcBkxQRw/j9PzAGSA_2Fi/saoRPZU5DzQ/6Ey0JNKMyQmnwR/jwKTh1VHAc24Sc3kanHWr/oUw1lP KR MICROSOFT-CORP-MSN-AS-BLOCK 40.100.49.2 clean
outlook.com US MICROSOFT-CORP-MSN-AS-BLOCK 40.97.164.146 clean
www.outlook.com JP MICROSOFT-CORP-MSN-AS-BLOCK 40.101.144.98 clean
outlook.office365.com JP MICROSOFT-CORP-MSN-AS-BLOCK 40.100.52.18 clean
40.100.49.34 KR MICROSOFT-CORP-MSN-AS-BLOCK 40.100.49.34 clean
40.97.161.50 US MICROSOFT-CORP-MSN-AS-BLOCK 40.97.161.50 clean
40.100.48.82 KR MICROSOFT-CORP-MSN-AS-BLOCK 40.100.48.82 clean
40.100.49.2 KR MICROSOFT-CORP-MSN-AS-BLOCK 40.100.49.2 clean

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x432044 WriteConsoleW
 0x432048 GetConsoleOutputCP
 0x43204c WriteConsoleA
 0x432050 ReadFile
 0x432054 GetLocaleInfoW
 0x432058 SetStdHandle
 0x43205c LoadLibraryA
 0x432060 ResetEvent
 0x432064 HeapSize
 0x432068 CloseHandle
 0x43206c CreateFileA
 0x432070 VirtualProtect
 0x432074 DeleteFileW
 0x432078 SetFilePointer
 0x43207c FlushFileBuffers
 0x432080 GetConsoleMode
 0x432084 GetConsoleCP
 0x432088 GlobalFree
 0x43208c VirtualProtectEx
 0x432090 VirtualAlloc
 0x432094 GetCurrentDirectoryW
 0x432098 GetModuleFileNameW
 0x43209c GlobalAlloc
 0x4320a0 VirtualFree
 0x4320a4 GlobalLock
 0x4320a8 CreateDirectoryW
 0x4320ac SetErrorMode
 0x4320b0 GetEnvironmentVariableW
 0x4320b4 WideCharToMultiByte
 0x4320b8 InterlockedIncrement
 0x4320bc InterlockedDecrement
 0x4320c0 InterlockedExchange
 0x4320c4 MultiByteToWideChar
 0x4320c8 Sleep
 0x4320cc InitializeCriticalSection
 0x4320d0 DeleteCriticalSection
 0x4320d4 EnterCriticalSection
 0x4320d8 LeaveCriticalSection
 0x4320dc HeapAlloc
 0x4320e0 TerminateProcess
 0x4320e4 GetCurrentProcess
 0x4320e8 UnhandledExceptionFilter
 0x4320ec SetUnhandledExceptionFilter
 0x4320f0 IsDebuggerPresent
 0x4320f4 GetCurrentThreadId
 0x4320f8 GetCommandLineA
 0x4320fc HeapFree
 0x432100 GetVersionExA
 0x432104 GetProcessHeap
 0x432108 GetCPInfo
 0x43210c GetLastError
 0x432110 RaiseException
 0x432114 RtlUnwind
 0x432118 LCMapStringA
 0x43211c LCMapStringW
 0x432120 HeapReAlloc
 0x432124 HeapDestroy
 0x432128 HeapCreate
 0x43212c GetProcAddress
 0x432130 GetModuleHandleA
 0x432134 ExitProcess
 0x432138 WriteFile
 0x43213c GetStdHandle
 0x432140 GetModuleFileNameA
 0x432144 TlsGetValue
 0x432148 TlsAlloc
 0x43214c TlsSetValue
 0x432150 TlsFree
 0x432154 SetLastError
 0x432158 GetACP
 0x43215c GetOEMCP
 0x432160 CompareStringA
 0x432164 CompareStringW
 0x432168 GetUserDefaultLCID
 0x43216c GetLocaleInfoA
 0x432170 EnumSystemLocalesA
 0x432174 IsValidLocale
 0x432178 IsValidCodePage
 0x43217c GetStringTypeA
 0x432180 GetStringTypeW
 0x432184 SetHandleCount
 0x432188 GetFileType
 0x43218c GetStartupInfoA
 0x432190 FreeEnvironmentStringsA
 0x432194 GetEnvironmentStrings
 0x432198 FreeEnvironmentStringsW
 0x43219c GetEnvironmentStringsW
 0x4321a0 QueryPerformanceCounter
 0x4321a4 GetTickCount
 0x4321a8 GetCurrentProcessId
 0x4321ac GetSystemTimeAsFileTime
USER32.dll
 0x4321b4 SetClipboardData
 0x4321b8 SendMessageA
 0x4321bc CheckRadioButton
 0x4321c0 DestroyWindow
 0x4321c4 SetCursor
 0x4321c8 GetDlgItemInt
 0x4321cc SetForegroundWindow
 0x4321d0 IsClipboardFormatAvailable
 0x4321d4 InsertMenuItemW
 0x4321d8 GetScrollRange
 0x4321dc SetDlgItemInt
 0x4321e0 SendDlgItemMessageW
GDI32.dll
 0x432030 LineTo
 0x432034 MoveToEx
 0x432038 SetBkMode
 0x43203c IntersectClipRect
UxTheme.dll
 0x4321e8 GetThemeTextExtent
 0x4321ec CloseThemeData
 0x4321f0 GetThemeFont
CRYPT32.dll
 0x432000 CertEnumCertificatesInStore
 0x432004 CryptHashCertificate
 0x432008 CertGetCertificateChain
 0x43200c CertFreeCertificateContext
 0x432010 CertFreeCertificateChain
 0x432014 CertOpenStore
 0x432018 CryptDecodeObject
 0x43201c CertDeleteCertificateFromStore
 0x432020 CertCreateCertificateContext
 0x432024 CertVerifyCertificateChainPolicy
 0x432028 CryptEncodeObject

EAT(Export Address Table) Library

0x42d6f0 Fall
0x42d7d0 Parentinstrument
0x42dd20 Spacethan