Analysis Report
General Information
| Field | Value |
|---|---|
| Sample name | mP8rzGD7fG.dll (renamed because original name is a hash value) |
| Original sample name | ebcb219cffe49e60fccfd0ea6f95feb5166751426e70faafcc328ed1903d6324.exe |
| Analysis ID | 1590663 |
| MD5 | 32893397afbb3b64a7ad72505d57b2a2 |
| SHA1 | 8d901669e2e7ed707de6f6b78783bdef94ca347e |
| SHA256 | ebcb219cffe49e60fccfd0ea6f95feb5166751426e70faafcc328ed1903d6324 |
| Tags | bot7711615259, exe, user-JAMESWT_MHT |
| Score | 84 |
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 100% |
Attempt to bypass Chrome Application-Bound Encryption
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Telegram Recon
Drops password protected ZIP file
Sigma detected: Potential Data Stealing Via Chromium Headless Debugging
Tries to harvest and steal browser information (history, passwords, etc)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: Browser Execution In Headless Mode
Sigma detected: Browser Started with Remote Debugging
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
- System is w10x64
- loaddll64.exe (PID: 7500, cmdline: loaddll64.exe "C:\Users\user\Desktop\mP8rzGD7fG.dll", MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
- conhost.exe (PID: 7508, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7552, cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mP8rzGD7fG.dll",#1, MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- rundll32.exe (PID: 7576, cmdline: rundll32.exe "C:\Users\user\Desktop\mP8rzGD7fG.dll",#1, MD5: EF3179D498793BF4234F708D3BE28633)
- msedge.exe (PID: 7632, cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9856 --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --profile-directory="Default" --disable-popup-blocking --disable-extensions --disable-gpu --disable-software-rasterizer --disable-dev-shm-usage --no-sandbox --disable-logging --disable-crash-reporter --disable-web-security --allow-running-insecure-content --ignore-certificate-errors --disable-features=IsolateOrigins,site-per-process --disable-blink-features=AutomationControlled --disable-background-networking --disable-default-apps --disable-hang-monitor --disable-sync --disable-client-side-phishing-detection --disable-background-timer-throttling --disable-renderer-backgrounding --disable-backgrounding-occluded-windows --disable-ipc-flooding-protection --disable-site-isolation-trials --mute-audio --window-size=1280,720 --window-position=-3000,-3000 --headless, MD5: 69222B8101B0601CC6663F8381E7E00F)
- msedge.exe (PID: 7980, cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --ignore-certificate-errors --use-angle=swiftshader-webgl --use-gl=angle --mute-audio --ignore-certificate-errors --headless --disable-logging --mojo-platform-channel-handle=1480 --field-trial-handle=1524,i,7590272609190287249,10177671036043717879,262144 --disable-features=IsolateOrigins,PaintHolding,site-per-process /prefetch:3, MD5: 69222B8101B0601CC6663F8381E7E00F)
- msedge.exe (PID: 6644, cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9909 --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --profile-directory="Default" --disable-popup-blocking --disable-extensions --disable-gpu --disable-software-rasterizer --disable-dev-shm-usage --no-sandbox --disable-logging --disable-crash-reporter --disable-web-security --allow-running-insecure-content --ignore-certificate-errors --disable-features=IsolateOrigins,site-per-process --disable-blink-features=AutomationControlled --disable-background-networking --disable-default-apps --disable-hang-monitor --disable-sync --disable-client-side-phishing-detection --disable-background-timer-throttling --disable-renderer-backgrounding --disable-backgrounding-occluded-windows --disable-ipc-flooding-protection --disable-site-isolation-trials --mute-audio --window-size=1280,720 --window-position=-3000,-3000 --headless, MD5: 69222B8101B0601CC6663F8381E7E00F)
- rundll32.exe (PID: 7560, cmdline: rundll32.exe C:\Users\user\Desktop\mP8rzGD7fG.dll,AddNumbers, MD5: EF3179D498793BF4234F708D3BE28633)
- msedge.exe (PID: 7640, cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9928 --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --profile-directory="Default" --disable-popup-blocking --disable-extensions --disable-gpu --disable-software-rasterizer --disable-dev-shm-usage --no-sandbox --disable-logging --disable-crash-reporter --disable-web-security --allow-running-insecure-content --ignore-certificate-errors --disable-features=IsolateOrigins,site-per-process --disable-blink-features=AutomationControlled --disable-background-networking --disable-default-apps --disable-hang-monitor --disable-sync --disable-client-side-phishing-detection --disable-background-timer-throttling --disable-renderer-backgrounding --disable-backgrounding-occluded-windows --disable-ipc-flooding-protection --disable-site-isolation-trials --mute-audio --window-size=1280,720 --window-position=-3000,-3000 --headless, MD5: 69222B8101B0601CC6663F8381E7E00F)
- msedge.exe (PID: 7972, cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --ignore-certificate-errors --use-angle=swiftshader-webgl --use-gl=angle --mute-audio --ignore-certificate-errors --headless --disable-logging --mojo-platform-channel-handle=1616 --field-trial-handle=1468,i,6882349471306671242,18432269874765290371,262144 --disable-features=IsolateOrigins,PaintHolding,site-per-process /prefetch:3, MD5: 69222B8101B0601CC6663F8381E7E00F)
- msedge.exe (PID: 7872, cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9470 --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --profile-directory="Default" --disable-popup-blocking --disable-extensions --disable-gpu --disable-software-rasterizer --disable-dev-shm-usage --no-sandbox --disable-logging --disable-crash-reporter --disable-web-security --allow-running-insecure-content --ignore-certificate-errors --disable-features=IsolateOrigins,site-per-process --disable-blink-features=AutomationControlled --disable-background-networking --disable-default-apps --disable-hang-monitor --disable-sync --disable-client-side-phishing-detection --disable-background-timer-throttling --disable-renderer-backgrounding --disable-backgrounding-occluded-windows --disable-ipc-flooding-protection --disable-site-isolation-trials --mute-audio --window-size=1280,720 --window-position=-3000,-3000 --headless, MD5: 69222B8101B0601CC6663F8381E7E00F)
- msedge.exe (PID: 8148, cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --ignore-certificate-errors --use-angle=swiftshader-webgl --use-gl=angle --mute-audio --ignore-certificate-errors --headless --disable-logging --mojo-platform-channel-handle=1608 --field-trial-handle=1484,i,2587286534842799086,6337891116832541392,262144 --disable-features=IsolateOrigins,PaintHolding,site-per-process /prefetch:3, MD5: 69222B8101B0601CC6663F8381E7E00F)
- msedge.exe (PID: 3176, cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9459 --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --profile-directory="Default" --disable-popup-blocking --disable-extensions --disable-gpu --disable-software-rasterizer --disable-dev-shm-usage --no-sandbox --disable-logging --disable-crash-reporter --disable-web-security --allow-running-insecure-content --ignore-certificate-errors --disable-features=IsolateOrigins,site-per-process --disable-blink-features=AutomationControlled --disable-background-networking --disable-default-apps --disable-hang-monitor --disable-sync --disable-client-side-phishing-detection --disable-background-timer-throttling --disable-renderer-backgrounding --disable-backgrounding-occluded-windows --disable-ipc-flooding-protection --disable-site-isolation-trials --mute-audio --window-size=1280,720 --window-position=-3000,-3000 --headless, MD5: 69222B8101B0601CC6663F8381E7E00F)
- msedge.exe (PID: 5012, cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --ignore-certificate-errors --use-angle=swiftshader-webgl --use-gl=angle --mute-audio --ignore-certificate-errors --headless --disable-logging --mojo-platform-channel-handle=1624 --field-trial-handle=1556,i,748892074680113926,7417843126809738630,262144 --disable-features=IsolateOrigins,PaintHolding,site-per-process /prefetch:3, MD5: 69222B8101B0601CC6663F8381E7E00F)
- rundll32.exe (PID: 5408, cmdline: rundll32.exe C:\Users\user\Desktop\mP8rzGD7fG.dll,DotNetRuntimeDebugHeader, MD5: EF3179D498793BF4234F708D3BE28633)
- WerFault.exe (PID: 3004, cmdline: C:\Windows\system32\WerFault.exe -u -p 5408 -s 412, MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- rundll32.exe (PID: 4564, cmdline: rundll32.exe "C:\Users\user\Desktop\mP8rzGD7fG.dll",AddNumbers, MD5: EF3179D498793BF4234F708D3BE28633)
- msedge.exe (PID: 7308, cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9834 --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --profile-directory="Default" --disable-popup-blocking --disable-extensions --disable-gpu --disable-software-rasterizer --disable-dev-shm-usage --no-sandbox --disable-logging --disable-crash-reporter --disable-web-security --allow-running-insecure-content --ignore-certificate-errors --disable-features=IsolateOrigins,site-per-process --disable-blink-features=AutomationControlled --disable-background-networking --disable-default-apps --disable-hang-monitor --disable-sync --disable-client-side-phishing-detection --disable-background-timer-throttling --disable-renderer-backgrounding --disable-backgrounding-occluded-windows --disable-ipc-flooding-protection --disable-site-isolation-trials --mute-audio --window-size=1280,720 --window-position=-3000,-3000 --headless, MD5: 69222B8101B0601CC6663F8381E7E00F)
- msedge.exe (PID: 7992, cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --ignore-certificate-errors --use-angle=swiftshader-webgl --use-gl=angle --mute-audio --ignore-certificate-errors --headless --disable-logging --mojo-platform-channel-handle=1520 --field-trial-handle=1468,i,9150515577941078100,10285627021896123688,262144 --disable-features=IsolateOrigins,PaintHolding,site-per-process /prefetch:3, MD5: 69222B8101B0601CC6663F8381E7E00F)
- msedge.exe (PID: 8156, cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9526 --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --profile-directory="Default" --disable-popup-blocking --disable-extensions --disable-gpu --disable-software-rasterizer --disable-dev-shm-usage --no-sandbox --disable-logging --disable-crash-reporter --disable-web-security --allow-running-insecure-content --ignore-certificate-errors --disable-features=IsolateOrigins,site-per-process --disable-blink-features=AutomationControlled --disable-background-networking --disable-default-apps --disable-hang-monitor --disable-sync --disable-client-side-phishing-detection --disable-background-timer-throttling --disable-renderer-backgrounding --disable-backgrounding-occluded-windows --disable-ipc-flooding-protection --disable-site-isolation-trials --mute-audio --window-size=1280,720 --window-position=-3000,-3000 --headless, MD5: 69222B8101B0601CC6663F8381E7E00F)
- msedge.exe (PID: 5716, cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --ignore-certificate-errors --use-angle=swiftshader-webgl --use-gl=angle --mute-audio --ignore-certificate-errors --headless --disable-logging --mojo-platform-channel-handle=1596 --field-trial-handle=1468,i,8283710897970219115,15923041528330294747,262144 --disable-features=IsolateOrigins,PaintHolding,site-per-process /prefetch:3, MD5: 69222B8101B0601CC6663F8381E7E00F)
- msedge.exe (PID: 348, cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9949 --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --profile-directory="Default" --disable-popup-blocking --disable-extensions --disable-gpu --disable-software-rasterizer --disable-dev-shm-usage --no-sandbox --disable-logging --disable-crash-reporter --disable-web-security --allow-running-insecure-content --ignore-certificate-errors --disable-features=IsolateOrigins,site-per-process --disable-blink-features=AutomationControlled --disable-background-networking --disable-default-apps --disable-hang-monitor --disable-sync --disable-client-side-phishing-detection --disable-background-timer-throttling --disable-renderer-backgrounding --disable-backgrounding-occluded-windows --disable-ipc-flooding-protection --disable-site-isolation-trials --mute-audio --window-size=1280,720 --window-position=-3000,-3000 --headless, MD5: 69222B8101B0601CC6663F8381E7E00F)
- msedge.exe (PID: 1460, cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --ignore-certificate-errors --use-angle=swiftshader-webgl --use-gl=angle --mute-audio --ignore-certificate-errors --headless --disable-logging --mojo-platform-channel-handle=1532 --field-trial-handle=1520,i,669827839164534897,9964202643193972366,262144 --disable-features=IsolateOrigins,PaintHolding,site-per-process /prefetch:3, MD5: 69222B8101B0601CC6663F8381E7E00F)
- rundll32.exe (PID: 5472, cmdline: rundll32.exe "C:\Users\user\Desktop\mP8rzGD7fG.dll",DotNetRuntimeDebugHeader, MD5: EF3179D498793BF4234F708D3BE28633)
- WerFault.exe (PID: 7512, cmdline: C:\Windows\system32\WerFault.exe -u -p 5472 -s 416, MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- cleanup
No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_TelegramRecon | Yara detected Telegram Recon | Joe Security | |
| | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
System Summary
Source: | Author: Nasreddine Bencherchali (Nextron Systems) |