Windows Analysis Report
FBO3NVXcYu.dll

Overview

General Information

Sample name: FBO3NVXcYu.dll (renamed because the original name is a hash value)
Original sample name: 14ff2a275e6994ba792d2733f35c410f.dll
Analysis ID: 1541900
MD5: 14ff2a275e6994ba792d2733f35c410f
SHA1: 52305ae15c459eb33e76c0df79622147e54b6ddb
SHA256: ab67f9b2aba675e29dfde3beb40683ffdceb70b1237f43093aa94a20855d2e87
Tags: 32, dll, exe, trojan

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Sigma detected: Potential WinAPI Calls Via CommandLine
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: FBO3NVXcYu.dll ReversingLabs: Detection: 47%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 97.1% probability
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D13F47C __CxxThrowException@8,CryptStringToBinaryA, 3_2_6D13F47C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D13B3B8 CryptStringToBinaryA, 3_2_6D13B3B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D13B3D5 CryptStringToBinaryA,CryptStringToBinaryA, 3_2_6D13B3D5
Source: FBO3NVXcYu.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: FBO3NVXcYu.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D124DD0 NtUnloadDllMemoryAndExitThread, 3_2_6D124DD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D18EEBA 3_2_6D18EEBA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D166B8D 3_2_6D166B8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D19AA67 3_2_6D19AA67
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D17FC07 3_2_6D17FC07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D13BC62 3_2_6D13BC62
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D190D30 3_2_6D190D30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D174C54 3_2_6D174C54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D174E83 3_2_6D174E83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D190880 3_2_6D190880
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D174A25 3_2_6D174A25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D1745BC 3_2_6D1745BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D1747EB 3_2_6D1747EB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D1606F0 3_2_6D1606F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D190340 3_2_6D190340
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D175C6F 3_2_6D175C6F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D149F02 3_2_6D149F02
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D175EDB 3_2_6D175EDB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D175A12 3_2_6D175A12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D175549 3_2_6D175549
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D19145F 3_2_6D19145F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D1757B5 3_2_6D1757B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D1750BD 3_2_6D1750BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D1653C5 3_2_6D1653C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D1752EC 3_2_6D1752EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D187ACE appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D13F1B0 appears 51 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D13DEDC appears 114 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D1617BE appears 35 times
Source: FBO3NVXcYu.dll Binary or memory string: OriginalFilenamelibemb.dll. vs FBO3NVXcYu.dll
Source: classification engine Classification label: mal56.winDLL@14/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4896:120:WilError_03
Source: FBO3NVXcYu.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\FBO3NVXcYu.dll,FreeLibraryMemoryAndExitThread
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\FBO3NVXcYu.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\FBO3NVXcYu.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\FBO3NVXcYu.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\FBO3NVXcYu.dll,NtUnloadDllMemoryAndExitThread
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\FBO3NVXcYu.dll",FreeLibraryMemoryAndExitThread
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\FBO3NVXcYu.dll",NtUnloadDllMemoryAndExitThread
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: FBO3NVXcYu.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: FBO3NVXcYu.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: FBO3NVXcYu.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: FBO3NVXcYu.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: FBO3NVXcYu.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: FBO3NVXcYu.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: FBO3NVXcYu.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: FBO3NVXcYu.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: FBO3NVXcYu.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: FBO3NVXcYu.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: FBO3NVXcYu.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D13B049 LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_6D13B049
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D13F1F6 push ecx; ret 3_2_6D13F209
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D13DEA5 push ecx; ret 3_2_6D13DEB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D13BC62 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_6D13BC62
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 2.5 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D13EF6C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6D13EF6C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D180424 mov eax, dword ptr fs:[00000030h] 3_2_6D180424
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D13EB42 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6D13EB42
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D1820FF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6D1820FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D13F101 SetUnhandledExceptionFilter, 3_2_6D13F101
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D13F21E cpuid 3_2_6D13F21E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_6D18E95D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6D18E890
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 3_2_6D18E410
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_6D18E789
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6D18E660
Source: C:\Windows\SysWOW64\rundll32.exe Code function: IsValidCodePage,GetLocaleInfoW, 3_2_6D18E007
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6D18E383
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6D18E27F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6D18E2E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6D1875BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6D187726
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6D18800E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D13EE8F GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 3_2_6D13EE8F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D146A5D GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,__CxxThrowException@8, 3_2_6D146A5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D156EF5 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext, 3_2_6D156EF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D1560B5 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 3_2_6D1560B5
No contacted IP information