Edit tour
Windows
Analysis Report
mP8rzGD7fG.dll
Overview
General Information
| Sample name: | mP8rzGD7fG.dll (renamed file extension from exe to dll, renamed because original name is a hash value) |
| Original sample name: | ebcb219cffe49e60fccfd0ea6f95feb5166751426e70faafcc328ed1903d6324.exe |
| Analysis ID: | 1590663 |
| MD5: | 32893397afbb3b64a7ad72505d57b2a2 |
| SHA1: | 8d901669e2e7ed707de6f6b78783bdef94ca347e |
| SHA256: | ebcb219cffe49e60fccfd0ea6f95feb5166751426e70faafcc328ed1903d6324 |
| Tags: | bot7711615259exeuser-JAMESWT_MHT |
| Infos: |   |
 | |
Detection
| Score: | 84 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Attempt to bypass Chrome Application-Bound Encryption
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Telegram Recon
Drops password protected ZIP file
Sigma detected: Potential Data Stealing Via Chromium Headless Debugging
Tries to harvest and steal browser information (history, passwords, etc)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: Browser Execution In Headless Mode
Sigma detected: Browser Started with Remote Debugging
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
loaddll64.exe (PID: 6772 cmdline: loaddll64. exe "C:\Us ers\user\D esktop\mP8 rzGD7fG.dl l" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52) 
conhost.exe (PID: 6832 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 432 cmdline:
cmd.exe /C rundll32. exe "C:\Us ers\user\D esktop\mP8 rzGD7fG.dl l",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) 
rundll32.exe (PID: 5180 cmdline: rundll32.e xe "C:\Use rs\user\De sktop\mP8r zGD7fG.dll ",#1 MD5: EF3179D498793BF4234F708D3BE28633) 
msedge.exe (PID: 5544 cmdline: "C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --remot e-debuggin g-port=930 9 --user-d ata-dir="C :\Users\us er\AppData \Local\Mic rosoft\Edg e\User Dat a" --profi le-directo ry="Defaul t" --disab le-popup-b locking -- disable-ex tensions - -disable-g pu --disab le-softwar e-rasteriz er --disab le-dev-shm -usage --n o-sandbox --disable- logging -- disable-cr ash-report er --disab le-web-sec urity --al low-runnin g-insecure -content - -ignore-ce rtificate- errors --d isable-fea tures=Isol ateOrigins ,site-per- process -- disable-bl ink-featur es=Automat ionControl led --disa ble-backgr ound-netwo rking --di sable-defa ult-apps - -disable-h ang-monito r --disabl e-sync --d isable-cli ent-side-p hishing-de tection -- disable-ba ckground-t imer-throt tling --di sable-rend erer-backg rounding - -disable-b ackgroundi ng-occlude d-windows --disable- ipc-floodi ng-protect ion --disa ble-site-i solation-t rials --mu te-audio - -window-si ze=1280,72 0 --window -position= -3000,-300 0 --headle ss MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 7260 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=net work.mojom .NetworkSe rvice --la ng=en-GB - -service-s andbox-typ e=none --n o-sandbox --ignore-c ertificate -errors -- use-angle= swiftshade r-webgl -- use-gl=ang le --mute- audio --ig nore-certi ficate-err ors --head less --dis able-loggi ng --mojo- platform-c hannel-han dle=1520 - -field-tri al-handle= 1500,i,989 0186816149 597539,114 4518458750 5823433,26 2144 --dis able-featu res=Isolat eOrigins,P aintHoldin g,site-per -process / prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F) - rundll32.exe (PID: 5812 cmdline:
rundll32.e xe C:\User s\user\Des ktop\mP8rz GD7fG.dll, AddNumbers MD5: EF3179D498793BF4234F708D3BE28633) - msedge.exe (PID: 3180 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --remot e-debuggin g-port=999 1 --user-d ata-dir="C :\Users\us er\AppData \Local\Mic rosoft\Edg e\User Dat a" --profi le-directo ry="Defaul t" --disab le-popup-b locking -- disable-ex tensions - -disable-g pu --disab le-softwar e-rasteriz er --disab le-dev-shm -usage --n o-sandbox --disable- logging -- disable-cr ash-report er --disab le-web-sec urity --al low-runnin g-insecure -content - -ignore-ce rtificate- errors --d isable-fea tures=Isol ateOrigins ,site-per- process -- disable-bl ink-featur es=Automat ionControl led --disa ble-backgr ound-netwo rking --di sable-defa ult-apps - -disable-h ang-monito r --disabl e-sync --d isable-cli ent-side-p hishing-de tection -- disable-ba ckground-t imer-throt tling --di sable-rend erer-backg rounding - -disable-b ackgroundi ng-occlude d-windows --disable- ipc-floodi ng-protect ion --disa ble-site-i solation-t rials --mu te-audio - -window-si ze=1280,72 0 --window -position= -3000,-300 0 --headle ss MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 7396 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=net work.mojom .NetworkSe rvice --la ng=en-GB - -service-s andbox-typ e=none --n o-sandbox --ignore-c ertificate -errors -- use-angle= swiftshade r-webgl -- use-gl=ang le --mute- audio --ig nore-certi ficate-err ors --head less --dis able-loggi ng --mojo- platform-c hannel-han dle=1484 - -field-tri al-handle= 1428,i,150 5666055395 2727470,92 5258337103 2052914,26 2144 --dis able-featu res=Isolat eOrigins,P aintHoldin g,site-per -process / prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 1360 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --remot e-debuggin g-port=969 4 --user-d ata-dir="C :\Users\us er\AppData \Local\Mic rosoft\Edg e\User Dat a" --profi le-directo ry="Defaul t" --disab le-popup-b locking -- disable-ex tensions - -disable-g pu --disab le-softwar e-rasteriz er --disab le-dev-shm -usage --n o-sandbox --disable- logging -- disable-cr ash-report er --disab le-web-sec urity --al low-runnin g-insecure -content - -ignore-ce rtificate- errors --d isable-fea tures=Isol ateOrigins ,site-per- process -- disable-bl ink-featur es=Automat ionControl led --disa ble-backgr ound-netwo rking --di sable-defa ult-apps - -disable-h ang-monito r --disabl e-sync --d isable-cli ent-side-p hishing-de tection -- disable-ba ckground-t imer-throt tling --di sable-rend erer-backg rounding - -disable-b ackgroundi ng-occlude d-windows --disable- ipc-floodi ng-protect ion --disa ble-site-i solation-t rials --mu te-audio - -window-si ze=1280,72 0 --window -position= -3000,-300 0 --headle ss MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 5848 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=net work.mojom .NetworkSe rvice --la ng=en-GB - -service-s andbox-typ e=none --n o-sandbox --ignore-c ertificate -errors -- use-angle= swiftshade r-webgl -- use-gl=ang le --mute- audio --ig nore-certi ficate-err ors --head less --dis able-loggi ng --mojo- platform-c hannel-han dle=1504 - -field-tri al-handle= 1404,i,722 2753251508 312572,843 5620904889 49947,2621 44 --disab le-feature s=IsolateO rigins,Pai ntHolding, site-per-p rocess /pr efetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 8152 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --remot e-debuggin g-port=948 7 --user-d ata-dir="C :\Users\us er\AppData \Local\Mic rosoft\Edg e\User Dat a" --profi le-directo ry="Defaul t" --disab le-popup-b locking -- disable-ex tensions - -disable-g pu --disab le-softwar e-rasteriz er --disab le-dev-shm -usage --n o-sandbox --disable- logging -- disable-cr ash-report er --disab le-web-sec urity --al low-runnin g-insecure -content - -ignore-ce rtificate- errors --d isable-fea tures=Isol ateOrigins ,site-per- process -- disable-bl ink-featur es=Automat ionControl led --disa ble-backgr ound-netwo rking --di sable-defa ult-apps - -disable-h ang-monito r --disabl e-sync --d isable-cli ent-side-p hishing-de tection -- disable-ba ckground-t imer-throt tling --di sable-rend erer-backg rounding - -disable-b ackgroundi ng-occlude d-windows --disable- ipc-floodi ng-protect ion --disa ble-site-i solation-t rials --mu te-audio - -window-si ze=1280,72 0 --window -position= -3000,-300 0 --headle ss MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 7336 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=net work.mojom .NetworkSe rvice --la ng=en-GB - -service-s andbox-typ e=none --n o-sandbox --ignore-c ertificate -errors -- use-angle= swiftshade r-webgl -- use-gl=ang le --mute- audio --ig nore-certi ficate-err ors --head less --dis able-loggi ng --mojo- platform-c hannel-han dle=1660 - -field-tri al-handle= 1472,i,141 5061368077 1438782,17 3750923382 05965150,2 62144 --di sable-feat ures=Isola teOrigins, PaintHoldi ng,site-pe r-process /prefetch: 3 MD5: 69222B8101B0601CC6663F8381E7E00F) - rundll32.exe (PID: 7616 cmdline:
rundll32.e xe C:\User s\user\Des ktop\mP8rz GD7fG.dll, DotNetRunt imeDebugHe ader MD5: EF3179D498793BF4234F708D3BE28633) 
WerFault.exe (PID: 7688 cmdline: C:\Windows \system32\ WerFault.e xe -u -p 7 616 -s 412 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0) - rundll32.exe (PID: 7824 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\mP8r zGD7fG.dll ",AddNumbe rs MD5: EF3179D498793BF4234F708D3BE28633) - msedge.exe (PID: 7992 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --remot e-debuggin g-port=926 8 --user-d ata-dir="C :\Users\us er\AppData \Local\Mic rosoft\Edg e\User Dat a" --profi le-directo ry="Defaul t" --disab le-popup-b locking -- disable-ex tensions - -disable-g pu --disab le-softwar e-rasteriz er --disab le-dev-shm -usage --n o-sandbox --disable- logging -- disable-cr ash-report er --disab le-web-sec urity --al low-runnin g-insecure -content - -ignore-ce rtificate- errors --d isable-fea tures=Isol ateOrigins ,site-per- process -- disable-bl ink-featur es=Automat ionControl led --disa ble-backgr ound-netwo rking --di sable-defa ult-apps - -disable-h ang-monito r --disabl e-sync --d isable-cli ent-side-p hishing-de tection -- disable-ba ckground-t imer-throt tling --di sable-rend erer-backg rounding - -disable-b ackgroundi ng-occlude d-windows --disable- ipc-floodi ng-protect ion --disa ble-site-i solation-t rials --mu te-audio - -window-si ze=1280,72 0 --window -position= -3000,-300 0 --headle ss MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 8148 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=net work.mojom .NetworkSe rvice --la ng=en-GB - -service-s andbox-typ e=none --n o-sandbox --ignore-c ertificate -errors -- use-angle= swiftshade r-webgl -- use-gl=ang le --mute- audio --ig nore-certi ficate-err ors --head less --dis able-loggi ng --mojo- platform-c hannel-han dle=1584 - -field-tri al-handle= 1428,i,179 4550588626 1408641,13 1135474580 28761816,2 62144 --di sable-feat ures=Isola teOrigins, PaintHoldi ng,site-pe r-process /prefetch: 3 MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 7256 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --remot e-debuggin g-port=923 1 --user-d ata-dir="C :\Users\us er\AppData \Local\Mic rosoft\Edg e\User Dat a" --profi le-directo ry="Defaul t" --disab le-popup-b locking -- disable-ex tensions - -disable-g pu --disab le-softwar e-rasteriz er --disab le-dev-shm -usage --n o-sandbox --disable- logging -- disable-cr ash-report er --disab le-web-sec urity --al low-runnin g-insecure -content - -ignore-ce rtificate- errors --d isable-fea tures=Isol ateOrigins ,site-per- process -- disable-bl ink-featur es=Automat ionControl led --disa ble-backgr ound-netwo rking --di sable-defa ult-apps - -disable-h ang-monito r --disabl e-sync --d isable-cli ent-side-p hishing-de tection -- disable-ba ckground-t imer-throt tling --di sable-rend erer-backg rounding - -disable-b ackgroundi ng-occlude d-windows --disable- ipc-floodi ng-protect ion --disa ble-site-i solation-t rials --mu te-audio - -window-si ze=1280,72 0 --window -position= -3000,-300 0 --headle ss MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 5824 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=net work.mojom .NetworkSe rvice --la ng=en-GB - -service-s andbox-typ e=none --n o-sandbox --ignore-c ertificate -errors -- use-angle= swiftshade r-webgl -- use-gl=ang le --mute- audio --ig nore-certi ficate-err ors --head less --dis able-loggi ng --mojo- platform-c hannel-han dle=1512 - -field-tri al-handle= 1404,i,857 0248948414 789044,172 6909116383 2771516,26 2144 --dis able-featu res=Isolat eOrigins,P aintHoldin g,site-per -process / prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 7432 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --remot e-debuggin g-port=958 2 --user-d ata-dir="C :\Users\us er\AppData \Local\Mic rosoft\Edg e\User Dat a" --profi le-directo ry="Defaul t" --disab le-popup-b locking -- disable-ex tensions - -disable-g pu --disab le-softwar e-rasteriz er --disab le-dev-shm -usage --n o-sandbox --disable- logging -- disable-cr ash-report er --disab le-web-sec urity --al low-runnin g-insecure -content - -ignore-ce rtificate- errors --d isable-fea tures=Isol ateOrigins ,site-per- process -- disable-bl ink-featur es=Automat ionControl led --disa ble-backgr ound-netwo rking --di sable-defa ult-apps - -disable-h ang-monito r --disabl e-sync --d isable-cli ent-side-p hishing-de tection -- disable-ba ckground-t imer-throt tling --di sable-rend erer-backg rounding - -disable-b ackgroundi ng-occlude d-windows --disable- ipc-floodi ng-protect ion --disa ble-site-i solation-t rials --mu te-audio - -window-si ze=1280,72 0 --window -position= -3000,-300 0 --headle ss MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 2120 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=net work.mojom .NetworkSe rvice --la ng=en-GB - -service-s andbox-typ e=none --n o-sandbox --ignore-c ertificate -errors -- use-angle= swiftshade r-webgl -- use-gl=ang le --mute- audio --ig nore-certi ficate-err ors --head less --dis able-loggi ng --mojo- platform-c hannel-han dle=1580 - -field-tri al-handle= 1496,i,171 5674146426 4009395,10 5853099562 67009794,2 62144 --di sable-feat ures=Isola teOrigins, PaintHoldi ng,site-pe r-process /prefetch: 3 MD5: 69222B8101B0601CC6663F8381E7E00F) - rundll32.exe (PID: 7832 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\mP8r zGD7fG.dll ",DotNetRu ntimeDebug Header MD5: EF3179D498793BF4234F708D3BE28633) - WerFault.exe (PID: 7892 cmdline:
C:\Windows \system32\ WerFault.e xe -u -p 7 832 -s 420 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_TelegramRecon | Yara detected Telegram Recon | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
System Summary |   |
|---|
| Source: | Author: Nasreddine Bencherchali (Nextron Systems): | ||