Windows Analysis Report
1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll

Overview

General Information

Sample name:	1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll (renamed file extension from exe to dll)
Original sample name:	1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.exe
Analysis ID:	1540042
MD5:	b98ecc977f2602af55f78808b1293d48
SHA1:	10c249dcef4f9cd4f36a214becde3472adf46067
SHA256:	40bf87872eaf3562e22310d5f270486a69786a37a358f618c30768c2613e169f
Tags:	base64-decodedexeuser-abuse_ch
Infos:

Detection

Stealc

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Sigma detected: Execute DLL with spoofed extension

Yara detected Powershell download and execute

Yara detected Stealc

AI detected suspicious sample

Creates a process in suspended mode (likely to inject code)

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll

Avira: detected

Multi AV Scanner detection for submitted file

Source: 1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll

ReversingLabs: Detection: 13%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 89.0% probability

Source: classification engine

Classification label: mal84.troj.evad.winDLL@81/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_03

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1

Source: 1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll

ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: unknown unknown

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: 1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll, type: SAMPLE

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1

Jump to behavior

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match

File source: 1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll, type: SAMPLE

Remote Access Functionality

Yara detected Stealc

Source: Yara match

File source: 1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll, type: SAMPLE

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll

Avira: detected

Multi AV Scanner detection for submitted file

Source: 1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll

ReversingLabs: Detection: 13%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 89.0% probability

Source: classification engine

Classification label: mal84.troj.evad.winDLL@81/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_03

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1

Source: 1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll

ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: unknown unknown

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: 1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll, type: SAMPLE

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll",#1

Jump to behavior

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match

File source: 1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll, type: SAMPLE

Remote Access Functionality

Yara detected Stealc

Source: Yara match

File source: 1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll, type: SAMPLE

ID:	1540042
Product:	CloudBasic
Start time:	11:26:10
Start date:	23.10.2024
Sample:	1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	b98ecc977f2602af55f78808b1293d48
SHA1:	10c249dcef4f9cd4f36a214becde3472adf46067
SHA256:	40bf87872eaf3562e22310d5f270486a69786a37a358f618c30768c2613e169f
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60%

Windows Analysis Report
1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Windows Analysis Report 1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
1729664783b8112cf86eae0b1f434048e2f9cce31907d34d4b3b2dbe4d3456c5d2a31f7915729.dat-decoded.dll

Malware Threat Intel
Provided by