Edit tour
Windows
Analysis Report
250427-t64csatyht.bin.dll
Overview
General Information
| Sample name: | 250427-t64csatyht.bin.dll |
| Analysis ID: | 1675545 |
| MD5: | d934ffad991ff8168b67799960016074 |
| SHA1: | 3c7c51f90f333bb75a2d0b869338cb087b620c55 |
| SHA256: | 50de43ce82441bc7757dd73ef5fb2a29572219c516a8fd1aae2d551cbef59eb9 |
| Tags: | user-UNP4CK |
| Infos: |  |
 | |
Detection
| Score: | 64 |
| Range: | 0 - 100 |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Yara signature match
Classification
- System is w10x64
loaddll32.exe (PID: 7428 cmdline: loaddll32. exe "C:\Us ers\user\D esktop\250 427-t64csa tyht.bin.d ll" MD5: 51E6071F9CBA48E79F10C84515AAE618) 
conhost.exe (PID: 7436 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 7480 cmdline:
cmd.exe /C rundll32. exe "C:\Us ers\user\D esktop\250 427-t64csa tyht.bin.d ll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) 
rundll32.exe (PID: 7504 cmdline: rundll32.e xe "C:\Use rs\user\De sktop\2504 27-t64csat yht.bin.dl l",#1 MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7488 cmdline:
rundll32.e xe C:\User s\user\Des ktop\25042 7-t64csaty ht.bin.dll ,UseCreotm kra MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7540 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\2504 27-t64csat yht.bin.dl l",UseCreo tmkra MD5: 889B99C52A60DD49227C5E485A016679)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| MALWARE_Win_BlackMoon | Detects executables using BlackMoon RunTime | ditekSHen |
|
⊘No Sigma rule has matched
⊘No Suricata rule has matched
- • AV Detection
- • Compliance
- • System Summary
- • Hooking and other Techniques for Hiding and Protection
- • Malware Analysis System Evasion
- • Anti Debugging
- • HIPS / PFW / Operating System Protection Evasion
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Static PE information: | ||
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Static PE information: | ||
| Source: | Matched rule: | ||
| Source: | Classification label: | ||
| Source: | Mutant created: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | ReversingLabs: | ||
| Source: | Virustotal: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Last function: | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Process created: | Jump to behavior | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Rundll32 | OS Credential Dumping | 1 Virtualization/Sandbox Evasion | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 70% | ReversingLabs | Win32.Trojan.Zusy | ||
| 75% | Virustotal | Browse | ||
| 100% | Avira | TR/Spy.Gen |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No contacted domains info
⊘No contacted IP infos
| Joe Sandbox version: | 42.0.0 Malachite |
| Analysis ID: | 1675545 |
| Start date and time: | 2025-04-27 18:48:21 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 1m 51s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 7 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | 250427-t64csatyht.bin.dll |
| Detection: | MAL |
| Classification: | mal64.winDLL@10/0@0/0 |
| EGA Information: | Failed |
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis
(whitelisted): svchost.exe - Not all processes where analyz
ed, report is missing behavior information
| Time | Type | Description |
|---|---|---|
| 12:49:18 | API Interceptor |
⊘No context
⊘No context
⊘No context
⊘No context
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 5.885403731724102 |
| TrID: |
|
| File name: | 250427-t64csatyht.bin.dll |
| File size: | 88'019 bytes |
| MD5: | d934ffad991ff8168b67799960016074 |
| SHA1: | 3c7c51f90f333bb75a2d0b869338cb087b620c55 |
| SHA256: | 50de43ce82441bc7757dd73ef5fb2a29572219c516a8fd1aae2d551cbef59eb9 |
| SHA512: | 4933cc0a0292e91b50eb60ac23c06103c964f8d9555c8a9bd42e986faa9585cd66e30fe03d73544117eb8484be0b0c6369227c65db0ea74b4337f43cb5bbfcb9 |
| SSDEEP: | 1536:PDLlVvM+W+HXp5ooZ+jk6BUVBU0WTFkXwt260nzwVmhkHkL0tdBxe4WVIYvrqaaN:PCgVwoT4eXrAN |
| TLSH: | D483E82EB40294AEE02C997672F507B82AB847233D75452BDFD08F712DD41338ACA79D |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......y...=.cW=.cW=.cWF.oW<.cW..>W1.cW..mW<.cWR.iW9.cWR.gW>.cW=.bWi.cW=.cW<.cW..hW..cW..gW>.cWRich=.cW................PE..L......M... |
 | |
| Icon Hash: | 7ae282899bbab082 |
| Entrypoint: | 0x1000de0b |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x10000000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL |
| DLL Characteristics: | |
| Time Stamp: | 0x4D8ED991 [Sun Mar 27 06:30:41 2011 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 317d6ea406137baf7b54ba9ea91f0468 |
| Instruction |
|---|
| push ebp |
| mov ebp, esp |
| push ebx |
| mov ebx, dword ptr [ebp+08h] |
| push esi |
| mov esi, dword ptr [ebp+0Ch] |
| push edi |
| mov edi, dword ptr [ebp+10h] |
| test esi, esi |
| jne 00007FD1BD0852ABh |
| cmp dword ptr [1001CF30h], 00000000h |
| jmp 00007FD1BD0852C8h |
| cmp esi, 01h |
| je 00007FD1BD0852A7h |
| cmp esi, 02h |
| jne 00007FD1BD0852C4h |
| mov eax, dword ptr [1001CF4Ch] |
| test eax, eax |
| je 00007FD1BD0852ABh |
| push edi |
| push esi |
| push ebx |
| call eax |
| test eax, eax |
| je 00007FD1BD0852AEh |
| push edi |
| push esi |
| push ebx |
| call 00007FD1BD0851BAh |
| test eax, eax |
| jne 00007FD1BD0852A6h |
| xor eax, eax |
| jmp 00007FD1BD0852F0h |
| push edi |
| push esi |
| push ebx |
| call 00007FD1BD0827DAh |
| cmp esi, 01h |
| mov dword ptr [ebp+0Ch], eax |
| jne 00007FD1BD0852AEh |
| test eax, eax |
| jne 00007FD1BD0852D9h |
| push edi |
| push eax |
| push ebx |
| call 00007FD1BD085196h |
| test esi, esi |
| je 00007FD1BD0852A7h |
| cmp esi, 03h |
| jne 00007FD1BD0852C8h |
| push edi |
| push esi |
| push ebx |
| call 00007FD1BD085185h |
| test eax, eax |
| jne 00007FD1BD0852A5h |
| and dword ptr [ebp+0Ch], eax |
| cmp dword ptr [ebp+0Ch], 00000000h |
| je 00007FD1BD0852B3h |
| mov eax, dword ptr [1001CF4Ch] |
| test eax, eax |
| je 00007FD1BD0852AAh |
| push edi |
| push esi |
| push ebx |
| call eax |
| mov dword ptr [ebp+0Ch], eax |
| mov eax, dword ptr [ebp+0Ch] |
| pop edi |
| pop esi |
| pop ebx |
| pop ebp |
| retn 000Ch |
| jmp dword ptr [1000F0F8h] |
| jmp dword ptr [1000F0D0h] |
| jmp dword ptr [1000F0D4h] |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| jmp dword ptr [1000F0D8h] |
| jmp dword ptr [1000F0DCh] |
| jmp dword ptr [1000F0E0h] |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0xf910 | 0x48 | .rdata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf190 | 0xb4 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1d000 | 0x3a8 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1e000 | 0x8d0 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0xf000 | 0x15c | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0xd086 | 0xe000 | 7cbf6f36893332cd4515825de6065c0d | False | 0.33946010044642855 | data | 5.818540838738628 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0xf000 | 0x958 | 0x1000 | c3ada587932784a0231d442882e2a308 | False | 0.285400390625 | data | 3.4128320446722964 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x10000 | 0xcf50 | 0x1000 | 124c3baefee7a73be6b8950de9c660b4 | False | 0.3837890625 | Matlab v4 mat-file (little endian) \360\337, numeric, rows 0, columns 0 | 4.217130573003599 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x1d000 | 0x3a8 | 0x1000 | 349c5ca318462c68303939e4fd7404b2 | False | 0.113037109375 | data | 3.633360184031001 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x1e000 | 0xa0a | 0x1000 | 52c266c9b388a1352d2d13c59a95bae8 | False | 0.486328125 | data | 4.543118174805409 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_VERSION | 0x1d058 | 0x350 | data | Chinese | China | 0.4634433962264151 |
| DLL | Import |
|---|---|
| MSVCRT.dll | _adjust_fdiv, _initterm, strncmp, memmove, modf, malloc, free, strrchr, ??2@YAPAXI@Z, strtod, sprintf, strncpy, floor, _stricmp, _CIfmod, _CIpow, atoi, _ftol, ??3@YAXPAX@Z |
| KERNEL32.dll | InitializeCriticalSection, LeaveCriticalSection, DeleteCriticalSection, EnterCriticalSection, HeapReAlloc, LCMapStringA, GetCommandLineA, GetModuleFileNameA, GetVersionExA, Sleep, GetPrivateProfileStringA, GetCurrentDirectoryA, IsBadReadPtr, HeapFree, GetModuleHandleA, GetProcAddress, GetCurrentProcessId, CloseHandle, GetCurrentProcess, OpenProcess, CreateThread, TerminateProcess, ReadProcessMemory, VirtualQuery, VirtualQueryEx, VirtualProtect, VirtualProtectEx, WriteProcessMemory, LoadLibraryA, ResumeThread, GetExitCodeThread, CreateToolhelp32Snapshot, Module32First, Module32Next, InterlockedIncrement, GetExitCodeProcess, GetProcessHeap, ExitProcess, HeapAlloc |
| USER32.dll | DispatchMessageA, SetTimer, wsprintfA, GetAncestor, PostMessageA, TranslateMessage, PeekMessageA, ShowWindow, EnumWindows, MessageBoxA, GetWindowThreadProcessId, FindWindowExA, GetParent, GetMessageA |
| ADVAPI32.dll | OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueA |
| WS2_32.dll | recv |
| SHLWAPI.dll | StrToInt64ExA |
| PSAPI.DLL | GetModuleFileNameExA |
| NTDLL.DLL | ZwResumeProcess |
| Name | Ordinal | Address |
|---|---|---|
| UseCreotmkra | 1 | 0x1000b119 |
| Description | Data |
|---|---|
| FileVersion | 5.1.2600.0 |
| FileDescription | Virtual Dos Machine IPX/SPX Interface Library |
| ProductName | Microsoft Corporation. All rights reserved. |
| ProductVersion | 5.1.2600.0 |
| CompanyName | Microsoft Corporation |
| LegalCopyright | Microsoft Corporation |
| Comments | 5.1.2600.0 (xpclient.010817-1148) |
| Translation | 0x0804 0x04b0 |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| Chinese | China |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
Click to jump to process
Click to jump to process
Click to jump to process
| Target ID: | 0 |
| Start time: | 12:49:15 |
| Start date: | 27/04/2025 |
| Path: | C:\Windows\System32\loaddll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x630000 |
| File size: | 126'464 bytes |
| MD5 hash: | 51E6071F9CBA48E79F10C84515AAE618 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 12:49:15 |
| Start date: | 27/04/2025 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff62fc20000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 12:49:15 |
| Start date: | 27/04/2025 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xc70000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 12:49:15 |
| Start date: | 27/04/2025 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x20000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 12:49:15 |
| Start date: | 27/04/2025 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x20000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 5 |
| Start time: | 12:49:18 |
| Start date: | 27/04/2025 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x20000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
⊘No disassembly
