Windows
Analysis Report
file.dll
Overview
General Information
Detection
| Field | Value |
|---|---|
| Score | 88 |
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 100% |
Signatures
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Connects to many ports of the same IP (likely port scanning)
Found Tor onion address
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Switches to a custom stack to bypass stack traces
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Entry point lies outside standard sections
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE / OLE file has an invalid certificate
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Classification
- System is w10x64
  - loaddll32.exe (PID: 6864, cmdline: `loaddll32.exe "C:\Users\user\Desktop\file.dll"`, MD5: 51E6071F9CBA48E79F10C84515AAE618)
  - conhost.exe (PID: 6896, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - cmd.exe (PID: 7012, cmdline: `cmd.exe /C rundll32.exe "C:\Users\user\Desktop\file.dll",#1`, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - rundll32.exe (PID: 7104, cmdline: `rundll32.exe "C:\Users\user\Desktop\file.dll",#1`, MD5: 889B99C52A60DD49227C5E485A016679)
  - rundll32.exe (PID: 7036, cmdline: `rundll32.exe C:\Users\user\Desktop\file.dll,MainFunc`, MD5: 889B99C52A60DD49227C5E485A016679)
  - rundll32.exe (PID: 3864, cmdline: `rundll32.exe C:\Users\user\Desktop\file.dll,_cgo_dummy_export`, MD5: 889B99C52A60DD49227C5E485A016679)
  - rundll32.exe (PID: 5408, cmdline: `rundll32.exe "C:\Users\user\Desktop\file.dll",MainFunc`, MD5: 889B99C52A60DD49227C5E485A016679)
  - rundll32.exe (PID: 7120, cmdline: `rundll32.exe "C:\Users\user\Desktop\file.dll",_cgo_dummy_export`, MD5: 889B99C52A60DD49227C5E485A016679)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
| Timestamp | SID | Source Port | Destination Port | Protocol | Classtype |
|---|---|---|---|---|---|
| 07/16/24-09:53:35.439965 | 2855539 | 30865 | 49711 | TCP | A Network Trojan was detected |
| 07/16/24-09:54:05.158445 | 2855538 | 30865 | 49711 | TCP | A Network Trojan was detected |
| 07/16/24-09:54:04.943082 | 2855537 | 49711 | 30865 | TCP | A Network Trojan was detected |
| 07/16/24-09:53:35.476708 | 2855536 | 49711 | 30865 | TCP | A Network Trojan was detected |
- AV Detection
- Compliance
- Networking
- System Summary
- Data Obfuscation
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- Anti Debugging
- HIPS / PFW / Operating System Protection Evasion
- Language, Device and Operating System Detection
AV Detection
- Source: Virustotal
- Source: Virustotal
- Source: ReversingLabs
- Source: Virustotal
- Source: Static PE information
- Source: Static PE information
Networking
- Source: Snort IDS
- Source: Snort IDS
- Source: Snort IDS
- Source: Snort IDS
- Source: Network Connect
- Source: Network Connect
- Source: Network Connect
- Source: Network Connect
- Source: Network Connect
- Source: Network Connect
- Source: TCP traffic
- Source: String found in binary or memory