Windows
Analysis Report
naebalovo.dll.dll
Overview
General Information
Sample name: | naebalovo.dll.dll (renamed file extension from exe to dll) |
Original sample name: | naebalovo.dll.exe |
Analysis ID: | 1587958 |
MD5: | 709c872725a933dc58d3bcb17ff20f43 |
SHA1: | 2143eac82be2eae091989e4a837065edf14d5a33 |
SHA256: | 0f804feeff0b4d1c976715bafb521d727b4f9ba8309ccf48cfe6f95eba346dda |
Tags: | exe, VMProtect, user-gesgov |
Infos: | |
Detection
Score: | 88 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Machine Learning detection for sample
Obfuscated command line found
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Query firmware table information (likely to detect VMs)
Tries to detect debuggers (CloseHandle check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by executing special instructions (VM detection)
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Entry point lies outside standard sections
One or more processes crash
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Classification
- System is w10x64
- loaddll64.exe (PID: 3840, cmdline: loaddll64.exe "C:\Users\user\Desktop\naebalovo.dll.dll", MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
- conhost.exe (PID: 5420, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 3604, cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\naebalovo.dll.dll",#1, MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- rundll32.exe (PID: 6608, cmdline: rundll32.exe "C:\Users\user\Desktop\naebalovo.dll.dll",#1, MD5: EF3179D498793BF4234F708D3BE28633)
- WerFault.exe (PID: 6688, cmdline: C:\Windows\system32\WerFault.exe -u -p 6608 -s 288, MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- WerFault.exe (PID: 5940, cmdline: C:\Windows\system32\WerFault.exe -u -p 6608 -s 308, MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- rundll32.exe (PID: 2584, cmdline: rundll32.exe C:\Users\user\Desktop\naebalovo.dll.dll,[very long obfuscated argument omitted], MD5: EF3179D498793BF4234F708D3BE28633)
- WerFault.exe (PID: 6684, cmdline: C:\Windows\system32\WerFault.exe -u -p 2584 -s 280, MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- WerFault.exe (PID: 7068, cmdline: C:\Windows\system32\WerFault.exe -u -p 2584 -s 288, MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- WerFault.exe (PID: 3964, cmdline: C:\Windows\system32\WerFault.exe -u -p 3840 -s 240, MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched
AV Detection
Source: | Virustotal: | |
Source: | ReversingLabs: | |
Source: | Integrated Neural Analysis Model: | |
Source: | Joe Sandbox ML: | |
Source: | Static PE information: | |
Source: | File opened: | |
Source: | File opened: | |
Source: | File opened: | |
Source: | File opened: | |
Source: | File opened: | |
Source: | File opened: | |
Source: | String found in binary or memory: | |
Source: | Process created: | |
Source: | Process created: | |
Source: | Process created: | |
Source: | Classification label: | |
Source: | Mutant created: | |
Source: | Mutant created: | |
Source: | Mutant created: | |
Source: | Mutant created: | |
Source: | File created: | |
Source: | Key opened: | |
Source: | Process created: | |