Windows Analysis Report
1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll

Overview

General Information

Sample name:	1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll (renamed file extension from exe to dll)
Original sample name:	1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.exe
Analysis ID:	1540045
MD5:	59053c6d7d29cfc444403a0ae2b7fed7
SHA1:	4ce37670b0a1d631aa38c10a1ca1c63466e0f0ce
SHA256:	0d1121083c3605d2ba0524104251ff938c3a7360527978d8c8c2d8ca1f7d4946
Tags:	base64-decodedexeuser-abuse_ch
Infos:

Detection

PureLog Stealer, zgRAT

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Sigma detected: Execute DLL with spoofed extension

Yara detected PureLog Stealer

Yara detected zgRAT

AI detected suspicious sample

Creates a process in suspended mode (likely to inject code)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Signatures

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 92.1% probability

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Source: unknown

DNS traffic detected: query: 198.187.3.20.in-addr.arpa replaycode: Name error (3)

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa

System Summary

Malicious sample detected (through community Yara rule)

Source: 1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll, type: SAMPLE

Matched rule: Detects zgRAT Author: ditekSHen

Sample file is different than original file name gathered from version info

Source: 1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll

Binary or memory string: OriginalFilenameHarmonical.exe" vs 1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll

Yara signature match

Source: 1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll, type: SAMPLE

Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: classification engine

Classification label: mal76.troj.evad.winDLL@81/0@1/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6524:120:WilError_03

Source: 1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll

Static file information: TRID: Win32 Dynamic Link Library (generic) Net Framework (1011504/3) 50.14%

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: unknown unknown

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match

File source: 1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll, type: SAMPLE

Yara detected zgRAT

Source: Yara match

File source: 1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll, type: SAMPLE

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match

File source: 1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll, type: SAMPLE

Yara detected zgRAT

Source: Yara match

File source: 1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll, type: SAMPLE

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Contacted Domains

Name	IP	Active
198.187.3.20.in-addr.arpa	unknown	unknown

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 92.1% probability

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Source: unknown

DNS traffic detected: query: 198.187.3.20.in-addr.arpa replaycode: Name error (3)

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa

System Summary

Malicious sample detected (through community Yara rule)

Source: 1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll, type: SAMPLE

Matched rule: Detects zgRAT Author: ditekSHen

Sample file is different than original file name gathered from version info

Source: 1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll

Binary or memory string: OriginalFilenameHarmonical.exe" vs 1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll

Yara signature match

Source: 1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll, type: SAMPLE

Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: classification engine

Classification label: mal76.troj.evad.winDLL@81/0@1/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6524:120:WilError_03

Source: 1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll

Static file information: TRID: Win32 Dynamic Link Library (generic) Net Framework (1011504/3) 50.14%

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: unknown unknown

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll",#1

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match

File source: 1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll, type: SAMPLE

Yara detected zgRAT

Source: Yara match

File source: 1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll, type: SAMPLE

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match

File source: 1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll, type: SAMPLE

Yara detected zgRAT

Source: Yara match

File source: 1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll, type: SAMPLE

ID:	1540045
Product:	CloudBasic
Start time:	11:26:15
Start date:	23.10.2024
Sample:	1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	59053c6d7d29cfc444403a0ae2b7fed7
SHA1:	4ce37670b0a1d631aa38c10a1ca1c63466e0f0ce
SHA256:	0d1121083c3605d2ba0524104251ff938c3a7360527978d8c8c2d8ca1f7d4946
Filetype:	Win32 Dynamic Link Library (generic) Net Framework (1011504/3) 50.14%

Windows Analysis Report
1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Domains

Windows Analysis Report 1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Domains

Windows Analysis Report
1729664770327f0644708d7db509a80163e6dbec99053b4af21237000e856b950345384717461.dat-decoded.dll

Malware Threat Intel
Provided by