Edit tour
Windows
Analysis Report
oiBxz37xUo.dll
Overview
General Information
Sample name: | oiBxz37xUo.dllrenamed because original name is a hash value |
Original sample name: | eef44b369a6f71e8ee4c7ce69aa5ad59c7be8a759180528af910601c689ea65e.dll |
Analysis ID: | 1577435 |
MD5: | 5a9430db39a08a45ba5c20df5f30c960 |
SHA1: | aeb81a4707904dabdd2bf811e23458486193f218 |
SHA256: | eef44b369a6f71e8ee4c7ce69aa5ad59c7be8a759180528af910601c689ea65e |
Tags: | 107-148-62-100dlluser-JAMESWT_MHT |
Infos: | |
Detection
Score: | 84 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Detected unpacking (creates a PE file in dynamic memory)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
AI detected suspicious sample
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
PE file overlay found
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Yara signature match
Classification
- System is w10x64
- loaddll32.exe (PID: 1512 cmdline:
loaddll32. exe "C:\Us ers\user\D esktop\oiB xz37xUo.dl l" MD5: 51E6071F9CBA48E79F10C84515AAE618) - conhost.exe (PID: 2756 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 6884 cmdline:
cmd.exe /C rundll32. exe "C:\Us ers\user\D esktop\oiB xz37xUo.dl l",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - rundll32.exe (PID: 4260 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\oiBx z37xUo.dll ",#1 MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 2704 cmdline:
rundll32.e xe C:\User s\user\Des ktop\oiBxz 37xUo.dll, ExportFunc tion MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 352 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\oiBx z37xUo.dll ",ExportFu nction MD5: 889B99C52A60DD49227C5E485A016679) - TANZbTgk.exe (PID: 3360 cmdline:
"C:\Users\ user\AppDa ta\Roaming \MyHiddenA ppDataDir\ TANZbTgk.e xe" MD5: 54A911B3E8161444EA6677C23AA38D17)
- cleanup
⊘No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
OlympicDestroyer_1 | OlympicDestroyer Payload | kevoreilly |
| |
OlympicDestroyer_1 | OlympicDestroyer Payload | kevoreilly |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
OlympicDestroyer_1 | OlympicDestroyer Payload | kevoreilly |
| |
OlympicDestroyer_1 | OlympicDestroyer Payload | kevoreilly |
|
⊘No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-18T13:32:48.840564+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49713 | 107.148.62.100 | 8084 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Compliance |
---|
Source: | Unpacked PE file: |
Source: | Static PE information: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Networking |
---|
Source: | Network Connect: | Jump to behavior |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | TCP traffic: |
Source: | HTTP traffic detected: |