Create Interactive Tour

Windows Analysis Report
IRCommDLL1.dll

Overview

General Information

Sample Name:	IRCommDLL1.dll
Analysis ID:	565726
MD5:	6329989230ea5ec0b353eeefa69261a6
SHA1:	ad19ded776dc64dbdc4de32f8f8c3d58f5768f36
SHA256:	d97e54139ae34a8aeefff4d5ac760caa5b8cbb1a91af6fa5d725a0cfba6dfeb0
Tags:	bankerchromebrowserdllexetrojan
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

.NET source code contains very large strings

Sigma detected: Suspicious Call by Ordinal

.NET source code contains potential unpacker

Sample file is different than original file name gathered from version info

Program does not show much activity (idle)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6300 cmdline: loaddll32.exe "C:\Users\user\Desktop\IRCommDLL1.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)

cmd.exe (PID: 2456 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\IRCommDLL1.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 7096 cmdline: rundll32.exe "C:\Users\user\Desktop\IRCommDLL1.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cleanup

Sigma Overview

System Summary

Sigma detected: Suspicious Call by Ordinal

Source: Process started

Author: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\IRCommDLL1.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\IRCommDLL1.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\IRCommDLL1.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2456, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\IRCommDLL1.dll",#1, ProcessId: 7096

Jbx Signature Overview

• Cryptography
• Compliance
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion

Click to jump to signature section

Show All Signature Results

Source: IRCommDLL1.dll

Binary or memory string: %-----BEGIN PUBLIC KEY-----MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuXyrIPrydyLR2xJyopyMdj+F4K+xxjHeTaLmm49TmgM3xElG7nFvr5Tzk3AIp+z+IhAnXcYs+o348iPB3oXQB75gvJ3CrLDh58AxE60XF42IkbpTrmdevSDhP4fAb7CFdL8/NcHNPzAfA+T1NejSbrcwtVrXUZSrxOX72h8GP54a8pMI7AqF3R2InsQcDReD2ayVlQgznjQfg0eE7WcUzWqDFx6UR2c7OE/9EGiNFUs3qzAKxZk+98oGxYwZyIuR0ZMZscERnsdIYKs1y+28YDDhoUqZ8g6nsbk8nPFVxeaMPU0V9b30Rf/V1YRjGuX8idVHn5mhnLkZVgpdiSm1MSrkvHzoL4mCN/VwP+QI68RXcSkp9gy1x8jlgvBkS39uVK3Yt7S23ivwL/3L0UOyR8pPWEo9YSQ+jiDfEhR9Vmtfr6oYvTyd+gGjMLGZlVDYy2sPf+V1iOuCXCy86AFWpLV6K4HOgTc9/b2dXJ87SwHY5UJWR2+2ZCdGWJbucrJgZ6CoP8DJXYiowgxABzyqWMrnFvB4foLjmkSYrQE/AIpvFbinB8t0fHxgBx4BZ5RLNpaCOPCby/KKeYgfcuTCf4Cmhw1+WkIIqDSPF13N5LKujbZs55X+VcnrC9S7qjqQqCAnwDEh3PUrVN2ElSH9k/o8n5EP5LA1d/MVgrY+Fa0CAwEAAQ==-----END PUBLIC KEY-----

Source: IRCommDLL1.dll

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: IRCommDLL1.dll	String found in binary or memory: http://192.3.164.176/api/image
Source: IRCommDLL1.dll	String found in binary or memory: http://api.endcaptcha.com-RecognizeEndCaptcha
Source: IRCommDLL1.dll	String found in binary or memory: http://api.endcaptcha.com/report
Source: IRCommDLL1.dll	String found in binary or memory: http://api.endcaptcha.com/upload
Source: IRCommDLL1.dll	String found in binary or memory: http://erail.in/Rail/GetTrains.aspx?eKey=1770.8472450128&Station_From=
Source: IRCommDLL1.dll	String found in binary or memory: http://localhost/get.php?username=
Source: IRCommDLL1.dll	String found in binary or memory: http://localhost/set.php?username=G&type=v2&action=Required&token=NULLCHitting
Source: IRCommDLL1.dll	String found in binary or memory: http://localhost:44516/WCFService.svc/GetData
Source: IRCommDLL1.dll	String found in binary or memory: http://menurates.irctc.co.in/.
Source: IRCommDLL1.dll	String found in binary or memory: http://nget.in/
Source: IRCommDLL1.dll	String found in binary or memory: http://point-at-infinity.org/jssha256/
Source: IRCommDLL1.dll	String found in binary or memory: http://regetdx.5gbfree.com
Source: IRCommDLL1.dll	String found in binary or memory: http://ser355.somee.com/TUT
Source: IRCommDLL1.dll	String found in binary or memory: http://silvergreen.live/api/app/login=application/json;charset=UTF-8
Source: IRCommDLL1.dll	String found in binary or memory: http://silvergreen.live/api/app/success;Unable
Source: IRCommDLL1.dll	String found in binary or memory: http://silvergreen.live/api/app/tokenused
Source: IRCommDLL1.dll	String found in binary or memory: http://trump.somee.com/hd.aspx?z=
Source: IRCommDLL1.dll	String found in binary or memory: http://www.irctc.co.in
Source: IRCommDLL1.dll	String found in binary or memory: http://www.translationdirectory.com/
Source: IRCommDLL1.dll	String found in binary or memory: http://wwwwwmagnet.com/api/app/getipgBearer
Source: IRCommDLL1.dll	String found in binary or memory: http://wwwwwmagnet.com/api/app/getpass
Source: IRCommDLL1.dll	String found in binary or memory: https://3dsecure.payseal.com/MultiMPI/from_icici_merchant.jspGError
Source: IRCommDLL1.dll	String found in binary or memory: https://accounts.google.comEhttp://localhost:1234/api/Session?
Source: IRCommDLL1.dll	String found in binary or memory: https://accounts.paytm.com/devicebinding/config/sv1?deviceIdentifier=)&deviceManufacturer=
Source: IRCommDLL1.dll	String found in binary or memory: https://accounts.paytm.com/oauth2/v3/token/sv1?deviceIdentifier=
Source: IRCommDLL1.dll	String found in binary or memory: https://accounts.paytm.com/v2/simple/login/init/sv1?deviceIdentifier=
Source: IRCommDLL1.dll	String found in binary or memory: https://accounts.paytm.com/v2/simple/login/validate/otp/sv1?deviceIdentifier=
Source: IRCommDLL1.dll	String found in binary or memory: https://accounts.paytm.com/v2/simple/login/validate/password/sv1?deviceIdentifier=
Source: IRCommDLL1.dll	String found in binary or memory: https://acs9-fd.enstage-sas.com/acs-v1/validateStaticPassword?page=authPage
Source: IRCommDLL1.dll	String found in binary or memory: https://api.payu.in/bin/binBasedDetails
Source: IRCommDLL1.dll	String found in binary or memory: https://api.payu.in/checkoutx?paymentId=
Source: IRCommDLL1.dll	String found in binary or memory: https://api.payu.in/payments
Source: IRCommDLL1.dll	String found in binary or memory: https://api.razorpay.com/v1/checkout/public=&currency%5B0%5D=INR&order_id=
Source: IRCommDLL1.dll	String found in binary or memory: https://api.razorpay.com/v1/payments/
Source: IRCommDLL1.dll	String found in binary or memory: https://api.razorpay.com/v1/payments/create/ajaxO
Source: IRCommDLL1.dll	String found in binary or memory: https://api.razorpay.com/v1/payments/create/fees;method=card&card%5Bnumber%5D=
Source: IRCommDLL1.dll	String found in binary or memory: https://api.razorpay.com/v1/payments/validate/account?key_id=#entity=vpa&value=
Source: IRCommDLL1.dll	String found in binary or memory: https://api.razorpay.com/v1/preferences?key_id=
Source: IRCommDLL1.dll	String found in binary or memory: https://beta-irctc-ih.mmvpay.com/api/v1/users/checkout/funds/
Source: IRCommDLL1.dll	String found in binary or memory: https://beta-irctc-ih.mmvpay.com/api/v1/users/checkout/mobile
Source: IRCommDLL1.dll	String found in binary or memory: https://cardpay.airtelbank.com/airtel/jsp/ACSMPINCheckEntry.jspMProcessing
Source: IRCommDLL1.dll	String found in binary or memory: https://cardpay.airtelbank.com/airtel/jsp/AuthenticationRequestPage.jspGselectModeOTP=1&strActivate=
Source: IRCommDLL1.dll	String found in binary or memory: https://cardsecurity.enstage.com#Second
Source: IRCommDLL1.dll	String found in binary or memory: https://checkout.razorpay.com/integration/irctcKhttps://www.onlinesbiglobal.com/NPINB
Source: IRCommDLL1.dll	String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B77FB7CC8
Source: IRCommDLL1.dll	String found in binary or memory: https://ecom.airtelbank.com/irctc/
Source: IRCommDLL1.dll	String found in binary or memory: https://ecom.airtelbank.com/irctc/ecomDoTxn.action-Transaction
Source: IRCommDLL1.dll	String found in binary or memory: https://ecom.airtelbank.com/irctc/ecomVerifyOtp.action
Source: IRCommDLL1.dll	String found in binary or memory: https://gate1a.skipinput.com/b_gate.php?b=firefox&v=3000&key=
Source: IRCommDLL1.dll	String found in binary or memory: https://gate1a.skipinput.com/q_gate.php?b=firefox&v=3000&l=en&key=
Source: IRCommDLL1.dll	String found in binary or memory: https://hdfc-acs.wibmo.com
Source: IRCommDLL1.dll	String found in binary or memory: https://hdfcbankpayments.hdfcbank.com/PG/PassImageServlet-Init.
Source: IRCommDLL1.dll	String found in binary or memory: https://httpsweb.in/secure/msg_read.php?username=
Source: IRCommDLL1.dll	String found in binary or memory: https://indusnet.indusind.com/corp/KIndusind
Source: IRCommDLL1.dll	String found in binary or memory: https://inet.idbibank.co.in/corp/%Init.
Source: IRCommDLL1.dll	String found in binary or memory: https://ipay.icicibank.com/mpi/Moto.jsp#Second
Source: IRCommDLL1.dll	String found in binary or memory: https://ipg.icicibank.com#output_frame
Source: IRCommDLL1.dll	String found in binary or memory: https://ipg.icicibank.com/ICICIPG/encryptionServlet?generateKeypair=true&
Source: IRCommDLL1.dll	String found in binary or memory: https://ircomm.s3.ap-south-1.amazonaws.com/chromedriver.zip
Source: IRCommDLL1.dll	String found in binary or memory: https://ircomm.s3.ap-south-1.amazonaws.com/chromedriver91.zip
Source: IRCommDLL1.dll	String found in binary or memory: https://ircomm.s3.ap-south-1.amazonaws.com/chromedriver92.zip
Source: IRCommDLL1.dll	String found in binary or memory: https://irctc-ih.mmvpay.com/api/v1/users/checkout/funds/
Source: IRCommDLL1.dll	String found in binary or memory: https://irctc-ih.mmvpay.com/api/v1/users/checkout/mobile
Source: IRCommDLL1.dll	String found in binary or memory: https://irctc.co.in
Source: IRCommDLL1.dll	String found in binary or memory: https://irctclive.nlpcaptcha.in/index.php/media/getTC/
Source: IRCommDLL1.dll	String found in binary or memory: https://irctclive.nlpcaptcha.in/index.php/media/getit/
Source: IRCommDLL1.dll	String found in binary or memory: https://irctclive.nlpcaptcha.in/index.php/nlpgen/nlpimg/fetch/-src=
Source: IRCommDLL1.dll	String found in binary or memory: https://irctclive.nlpcaptcha.in/index.php/nlpgen/nlpimg/refresh/
Source: IRCommDLL1.dll	String found in binary or memory: https://merchant.onlinesbi.com/merchant/
Source: IRCommDLL1.dll	String found in binary or memory: https://merchant.onlinesbi.com/merchant/logout.htmshttps://merchant.onlinesbi.com/merchant/merchanti
Source: IRCommDLL1.dll	String found in binary or memory: https://merchant.onlinesbi.sbi/merchant/loginsubmit.htm;
Source: IRCommDLL1.dll	String found in binary or memory: https://merchant.onlinesbi.sbi/merchant/merchantdisplay.htm1Second-Second
Source: IRCommDLL1.dll	String found in binary or memory: https://merchant.onlinesbi.sbi/merchant/merchantinter.htm;
Source: IRCommDLL1.dll	String found in binary or memory: https://merchant.onlinesbi.sbi/merchant/redirect.htm;#Init.
Source: IRCommDLL1.dll	String found in binary or memory: https://merchant.onlinesbi.sbi/merchant/smsenablehighsecurity.htm;
Source: IRCommDLL1.dll	String found in binary or memory: https://merchant.onlinesbi.sbi/merchant/smsenablehighsecurityconfirm.htm;
Source: IRCommDLL1.dll	String found in binary or memory: https://mercury-t1.phonepe.com/apis/v1/vpa/pay?t=
Source: IRCommDLL1.dll	String found in binary or memory: https://mercury-t2.phonepe.com/apis/v1/irctc/notification?t=
Source: IRCommDLL1.dll	String found in binary or memory: https://mercury-t2.phonepe.com/apis/v1/transaction/status?t=
Source: IRCommDLL1.dll	String found in binary or memory: https://mercury-t2.phonepe.com/apis/v1/vpa/validate?t=
Source: IRCommDLL1.dll	String found in binary or memory: https://mercury-t2.phonepe.com/transact
Source: IRCommDLL1.dll	String found in binary or memory: https://migs.mastercard.co.in
Source: IRCommDLL1.dll	String found in binary or memory: https://migs.mastercard.com.au
Source: IRCommDLL1.dll	String found in binary or memory: https://migs.mastercard.com.au/ssl
Source: IRCommDLL1.dll	String found in binary or memory: https://migs.mastercard.com.au/vpcpay
Source: IRCommDLL1.dll	String found in binary or memory: https://netbanking.hdfcbank.com/netbanking/?_ga=1.67743385.968282051.1482163954
Source: IRCommDLL1.dll	String found in binary or memory: https://netbanking.hdfcbank.com/netbanking/RSLogin.html?v=4%Init.
Source: IRCommDLL1.dll	String found in binary or memory: https://netbanking.hdfcbank.com/netbanking/entry?fldAppId=RS&fldTxnId=MNU&fldScrnSeqNbr=01&fldSessio
Source: IRCommDLL1.dll	String found in binary or memory: https://netbanking.hdfcbank.com/netbanking/entryMfldpwdtmp=&fldAppId=RS&fldDevicePrint=
Source: IRCommDLL1.dll	String found in binary or memory: https://netbanking.hdfcbank.com/netbanking/epientry
Source: IRCommDLL1.dll	String found in binary or memory: https://netbanking.yesbank.co.in/netbanking/RExtLogin.html
Source: IRCommDLL1.dll	String found in binary or memory: https://netbanking.yesbank.co.in/netbanking/getUserSalt.jsp?id=/Salt
Source: IRCommDLL1.dll	String found in binary or memory: https://netsafe.hdfcbank.com
Source: IRCommDLL1.dll	String found in binary or memory: https://netsafe.hdfcbank.com/ACSWeb/com.enstage.entransact.servers.AccessControlServerSSL?perform=DE
Source: IRCommDLL1.dll	String found in binary or memory: https://netsafe.hdfcbank.com/ACSWeb/com.enstage.entransact.servers.AccessControlServerSSL?perform=US
Source: IRCommDLL1.dll	String found in binary or memory: https://payseal.icicibank.com/audioCaptch/audioCaptchaGenFile
Source: IRCommDLL1.dll	String found in binary or memory: https://payseal.icicibank.com/mpi/Moto.jsp
Source: IRCommDLL1.dll	String found in binary or memory: https://paytm.com/v1/user/token/enc/generate?deviceIdentifier=
Source: IRCommDLL1.dll	String found in binary or memory: https://pgi.billdesk.com/pgidsk/pgmerc/IRCTCCRISPDCRedirect.jsp_https://www.billdesk.com/pgidsk/Proc
Source: IRCommDLL1.dll	String found in binary or memory: https://pingupi.axisbank.co.in/WebCollectRequestIRCTC/%Init.
Source: IRCommDLL1.dll	String found in binary or memory: https://play.google.com/store/apps/details?id=com.cris.utsmobile&hl=en
Source: IRCommDLL1.dll	String found in binary or memory: https://secure.axisbank.com/?
Source: IRCommDLL1.dll	String found in binary or memory: https://secure.axisbank.com/acs-web-axis/EnrollWeb/AxisBank/server/AccessControlServer
Source: IRCommDLL1.dll	String found in binary or memory: https://secure.axisbank.com/acs-web-axis/com.enstage.entransact.servers.AccessControlServerAxis?perf
Source: IRCommDLL1.dll	String found in binary or memory: https://secure.axisbank.comwUSER_AUTH&ADS_CANCEL=true&REASON=CANCEL&DELETE_CONTACT=trueQUSER_AUTH&CA
Source: IRCommDLL1.dll	String found in binary or memory: https://secure.paytm.in
Source: IRCommDLL1.dll	String found in binary or memory: https://secure.paytm.in/
Source: IRCommDLL1.dll	String found in binary or memory: https://secure.paytm.in/oltp-web/
Source: IRCommDLL1.dll	String found in binary or memory: https://secure.paytm.in/oltp-web/processTransaction
Source: IRCommDLL1.dll	String found in binary or memory: https://secure.paytm.in/oltp/HANDLER_INTERNAL/CARD_TOKEN_GENERATOR
Source: IRCommDLL1.dll	String found in binary or memory: https://secure.paytm.in/oltp/HANDLER_INTERNAL/GET_POST_CONVENIENCE_FEE_MAP3JsonData=
Source: IRCommDLL1.dll	String found in binary or memory: https://secure.paytm.in/oltp/HANDLER_INTERNAL/VALIDATE_OTP#JsonData=
Source: IRCommDLL1.dll	String found in binary or memory: https://secure.paytm.in/oltp/HANDLER_WEB_RESP/
Source: IRCommDLL1.dll	String found in binary or memory: https://secure.paytm.in/theia/api/v1/enhanced/login/validate/otp?mid=iInvaild
Source: IRCommDLL1.dll	String found in binary or memory: https://secure.paytm.in:443/oltp/HANDLER_INTERNAL/BANK_LIST?JsonData=
Source: IRCommDLL1.dll	String found in binary or memory: https://secure.paytm.in:443/oltp/HANDLER_INTERNAL/GENERATE_OTP-JsonData=
Source: IRCommDLL1.dll	String found in binary or memory: https://secure.payu.in/_payment
Source: IRCommDLL1.dll	String found in binary or memory: https://securegw.paytm.in
Source: IRCommDLL1.dll	String found in binary or memory: https://securegw.paytm.in/ehttps://securegw.paytm.in/instaproxy/bankresponse/
Source: IRCommDLL1.dll	String found in binary or memory: https://securegw.paytm.in/instaproxy/bankresponse/ICICIPAY/DC
Source: IRCommDLL1.dll	String found in binary or memory: https://securegw.paytm.in/theia/W
Source: IRCommDLL1.dll	String found in binary or memory: https://securegw.paytm.in/theia/api/v1/login/sendOtp?mid=3Process
Source: IRCommDLL1.dll	String found in binary or memory: https://securegw.paytm.in/theia/api/v1/processTransaction?mid=whttps://securegw.paytm.in/theia/api/v
Source: IRCommDLL1.dll	String found in binary or memory: https://securegw.paytm.in/theia/api/v1/vpa/validate?mid=g
Source: IRCommDLL1.dll	String found in binary or memory: https://securegw.paytm.in/theia/processTransaction?id=
Source: IRCommDLL1.dll	String found in binary or memory: https://securegw.paytm.in/theia/transactionStatus?MID=5Process
Source: IRCommDLL1.dll	String found in binary or memory: https://securegw.paytm.in/theia/upi/transactionStatus?MID=
Source: IRCommDLL1.dll	String found in binary or memory: https://securepayments.fssnet.co.in/hdfcbankb)HDFC_DebitCard
Source: IRCommDLL1.dll	String found in binary or memory: https://securepayments.fssnet.co.in/ipay/paymentpage.htmuhttps://securepayments.fssnet.co.in/ipay/pa
Source: IRCommDLL1.dll	String found in binary or memory: https://securepayments.fssnet.co.in/pgwayb3Login
Source: IRCommDLL1.dll	String found in binary or memory: https://securepayments.fssnet.co.in/pgwayc/paymentpage.htmyhttps://securepayments.fssnet.co.in/pgway
Source: IRCommDLL1.dll	String found in binary or memory: https://securepayments.fssnet.co.in/pgwayf/directdebit.htm?actionparam=merchantRequest
Source: IRCommDLL1.dll	String found in binary or memory: https://securepayments.fssnet.co.in/pgwayf/paymentpage.htmyhttps://securepayments.fssnet.co.in/pgway
Source: IRCommDLL1.dll	String found in binary or memory: https://securepg.fssnet.co.in
Source: IRCommDLL1.dll	String found in binary or memory: https://shopping.icicibank.com/corp/
Source: IRCommDLL1.dll	String found in binary or memory: https://trust.paytm.in:443/wallet-web/checkBalance
Source: IRCommDLL1.dll	String found in binary or memory: https://walletapi.mobikwik.com/securewallet
Source: IRCommDLL1.dll	String found in binary or memory: https://walletapi.mobikwik.com/walletYhttps://walletapi.mobikwik.com/securewallet
Source: IRCommDLL1.dll	String found in binary or memory: https://walletapi.mobikwik.com/walletapis/redirectflow/fetch-order-details
Source: IRCommDLL1.dll	String found in binary or memory: https://walletapi.mobikwik.com/walletapis/redirectflow/otpgenrate/resendotpiWe
Source: IRCommDLL1.dll	String found in binary or memory: https://walletapi.mobikwik.com/walletapis/sendOtp
Source: IRCommDLL1.dll	String found in binary or memory: https://www.airtel.in/bank/api/v1/auth/login/mpin
Source: IRCommDLL1.dll	String found in binary or memory: https://www.airtel.in/bank/api/v1/web/content/en-us/login?ts=
Source: IRCommDLL1.dll	String found in binary or memory: https://www.axisbiconnect.co.in/BankAway/5/web/L001/retail/jsp/ebpp/5RETLOGIN=Y&BANKID=211&RID=
Source: IRCommDLL1.dll	String found in binary or memory: https://www.axisbiconnect.co.in/BankAway/sgonHttpHandler.aspx
Source: IRCommDLL1.dll	String found in binary or memory: https://www.billdesk.com#BOI
Source: IRCommDLL1.dll	String found in binary or memory: https://www.billdesk.com/pgidsk/
Source: IRCommDLL1.dll	String found in binary or memory: https://www.billdesk.com/pgidsk/PGICTRController
Source: IRCommDLL1.dll	String found in binary or memory: https://www.billdesk.com/pgidsk/PGICommonGateway
Source: IRCommDLL1.dll	String found in binary or memory: https://www.billdesk.com/pgidsk/PGIMerchantRequestHandlergtxtBankID=CTR&txtBankID=CTR&txtItemCode=DI
Source: IRCommDLL1.dll	String found in binary or memory: https://www.citibank.co.in/servlets/PgTransResp_Web
Source: IRCommDLL1.dll	String found in binary or memory: https://www.contents.irctc.co.in/eticketing/protected/mapps1/
Source: IRCommDLL1.dll	String found in binary or memory: https://www.contents.irctc.co.in/eticketing/protected/mapps1/avlFareenquiry/
Source: IRCommDLL1.dll	String found in binary or memory: https://www.corpretail.com/RetailBank/core.logout.authenticate.logout.do
Source: IRCommDLL1.dll	String found in binary or memory: https://www.corpretail.com/RetailBank/core.logout.authenticate.redlogout.ajax.do
Source: IRCommDLL1.dll	String found in binary or memory: https://www.corpretail.com/RetailBank/cris/cris.payments.onpayconfirm.do
Source: IRCommDLL1.dll	String found in binary or memory: https://www.corpretail.com/RetailBank/cris/cris.payments.onpaystatus.dochttps://netbanking.yesbank.c
Source: IRCommDLL1.dll	String found in binary or memory: https://www.corpretail.com/RetailBank/cris/cris.payments.onpaytrans.do%Transaction
Source: IRCommDLL1.dll	String found in binary or memory: https://www.corpretail.com/RetailBank/olt/olt.onlineinterface.onconfirm.do
Source: IRCommDLL1.dll	String found in binary or memory: https://www.corpretail.com/RetailBank/olt/olt.onlineinterface.online.do
Source: IRCommDLL1.dll	String found in binary or memory: https://www.corpretail.com/RetailBank/olt/olt.onlineinterface.onpayments.do
Source: IRCommDLL1.dll	String found in binary or memory: https://www.corpretail.com/RetailBank/olt/olt.onlineinterface.prelogin.do
Source: IRCommDLL1.dll	String found in binary or memory: https://www.google.co.in
Source: IRCommDLL1.dll	String found in binary or memory: https://www.google.com
Source: IRCommDLL1.dll	String found in binary or memory: https://www.google.com/recaptcha/api2/bframe?hl=en&v=QVh-Tz10ahidjrORgXOS1oB0&k=6LcnQNYUAAAAAOm9HrBJ
Source: IRCommDLL1.dll	String found in binary or memory: https://www.google.com/recaptcha/api2/userverify?k=6LcnQNYUAAAAAOm9HrBJ4QJIhdAuFrAckyUsQyjykhttps://
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/authprovider/webtoken
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/eticketing/BankResponse
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/eticketing/BankResponse0012510110125100q//fss50//PGWAYF//config////brands//d
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/eticketing/BankResponse0030000230300200
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/eticketing/BankResponse00320100032320100
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/eticketing/BankResponse0033000311330200
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/eticketing/BankResponse0036140143614000
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/eticketing/BankResponse0036140143614000DD//fss50//PGWAYF//config////brands//
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/eticketing/BankResponse005000049015500004900q//fss50//PGWAYC//config////bran
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/eticketing/BankResponse0055030016550300
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/eticketing/BankResponse?AMT=
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/eticketing/BankResponse?ClientCodeiFailed
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/eticketing/BankResponse?encdata=
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/eticketing/PaymentRedirect
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/eticketing/errors.html
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/eticketing/javax.faces.resource/irctc_logo_en_IN.gif.jsf?ln=images_https://w
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/eticketing/logout?out
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/eticketing/mbi/;
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/eticketing/mbi/PaytmWtGen
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/eticketing/protected/mapps1/allLapAvlFareEnq/N
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/eticketing/protected/mapps1/allLapAvlFareEnq/Y
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/eticketing/protected/mapps1/altAvlEnq/TCK
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/eticketing/protected/mapps1/avlFareenquiry/
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/eticketing/protected/mapps1/boardingStationEnq
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/eticketing/protected/mapps1/bookedHistorySearch?lastTxnDtls=ALL
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/eticketing/protected/mapps1/bookingInitPayment/
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/eticketing/protected/mapps1/captchaganetate/5Hitting
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/eticketing/protected/mapps1/captchaverify/
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/eticketing/protected/mapps1/loginCaptcha
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/eticketing/protected/mapps1/loginCaptcha?nlpCaptchaException=true
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/eticketing/protected/mapps1/nlpcaptchaverify/
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/eticketing/protected/mapps1/pin/
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/eticketing/protected/mapps1/printTicket/
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/eticketing/protected/mapps1/tbstns/=Hitting
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/eticketing/protected/mapps1/trnscheduleenquiry/
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/eticketing/protected/mapps1/userDetails
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/eticketing/protected/mapps1/userpasswordchangeG
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/eticketing/protected/mapps1/validateUser?source=3#limit
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/eticketing/s
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/ihttps://www.irctc.co.in/eticketing/protected/mapps1/5Enter
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/nget/assets/images/logo.png
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/nget/booking-confirm
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/nget/booking/psgninput
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/nget/booking/reviewBooking)Verify
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/nget/booking/train-list
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/nget/payment/paymentredirect
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/nget/train-search
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctc.co.in/nget/train-search?sessionId=
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctcipay.com/pgui/jsp/binResolver
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctcipay.com/pgui/jsp/irctcRequestActioni
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctcipay.com/pgui/jsp/matchMoveResponseQhttps://hdfcbankpayments.hdfcbank.com/PG-Init.
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctcipay.com/pgui/jsp/pay
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctcipay.com/pgui/jsp/surchargePaymentPage.jsp
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctcipay.com/pgui/jsp/upiPay
Source: IRCommDLL1.dll	String found in binary or memory: https://www.irctcipay.com/pgui/jsp/verifyUpiResponse
Source: IRCommDLL1.dll	String found in binary or memory: https://www.mobikwik.com
Source: IRCommDLL1.dll	String found in binary or memory: https://www.onlinesbiglobal.com/NPINB/
Source: IRCommDLL1.dll	String found in binary or memory: https://www.onlinesbiglobal.com/NPINB/AuthenticationController?FORMSGROUP_ID__=AuthenticationFG&__ST
Source: IRCommDLL1.dll	String found in binary or memory: https://www.unionbankonline.co.in/corp/AuthenticationController?FORMSGROUP_ID__=AuthenticationFG&__S
Source: IRCommDLL1.dll	String found in binary or memory: https://www.unionbankonline.co.in/corp/EAuthenticationFG.VERIFICATION_CODE
Source: IRCommDLL1.dll	String found in binary or memory: https://www.unionbankonline.co.inWSome
Source: IRCommDLL1.dll	String found in binary or memory: https://www.vijayabankonline.in/NASApp/Finaclechttps://www.onlinesbiglobal.com/64NP/BANKAWAYTRANuhtt
Source: IRCommDLL1.dll	String found in binary or memory: https://www4.ipg-online.com/

System Summary

.NET source code contains very large strings

Source: IRCommDLL1.dll, IRCommDLL/ClassMain.cs	Long String: Length: 16242
Source: IRCommDLL1.dll, IRCommDLL/ClassMain.cs	Long String: Length: 16242
Source: IRCommDLL1.dll, IRCommDLL/ClassMain.cs	Long String: Length: 16242
Source: IRCommDLL1.dll, IRCommDLL/ClassMain.cs	Long String: Length: 16242
Source: IRCommDLL1.dll, IRCommDLL/Class13.cs	Long String: Length: 58592

Source: IRCommDLL1.dll

Binary or memory string: OriginalFilenameIRCommDLL.dll4 vs IRCommDLL1.dll

Source: IRCommDLL1.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: classification engine

Classification label: mal52.evad.winDLL@5/0@0/0

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\IRCommDLL1.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\IRCommDLL1.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\IRCommDLL1.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\IRCommDLL1.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\IRCommDLL1.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\IRCommDLL1.dll",#1	Jump to behavior

Source: IRCommDLL1.dll, NativeCSharpJWTToken/JWTUtils.cs	Base64 encoded string: 'MIIBtTCCAU0GByqGSM49AgEwggFAAgEBMDwGByqGSM49AQECMQD//////////////////////////////////////////v////8AAAAAAAAAAP////8wZAQw//////////////////////////////////////////7/////AAAAAAAAAAD////8BDCzMS+n4j7n5JiOBWvj+C0ZGB2cbv6BQRIDFAiPUBOHWsZWOY2KLtGdKoXI7dPsKu8EYQSqh8oivosFN46xxx7zIK10bh07Younm5hZ90HgglQqOFUC8l2/VSlsOlReOHJ2Crc2F95KliYsb12emL+Sktwp+PQdvSiaFHzp2jETtfC4wApgsc4dfoGdekMdfJDqDl8CMQD////////////////////////////////HY02B9Dct31gaDbJIsKd67OwZaszFKXMCAQEDYgAEaAtoggJtnUgxL15aOYC7llbGY3LmD7g0G0MlqCaGQV19XVxVB2lXU2OA5kB6Fdw/Ww4U9Ujx7fQzwLYZnsQgtRyZEStb9LD2o5q7qskZQY++1xshgsMIaj3VDIEH2XN0'
Source: IRCommDLL1.dll, IRCommDLL/Class4.cs	Base64 encoded string: 'JTVFZW5jQ2FwdGNoYSU1RWVuY3J5cHRlZENhcmROdW1iZXIlNUVlbmNyeXB0ZWRNb250aCU1RWVuY3J5cHRlZFllYXIlNUVlbmNyeXB0ZWRDYXJkSG9sZGVyTmFtZSU1RWVuY3J5cHRlZFNhdmVkQ2FyZENWViU1RWVuY3J5cHRlZFNhdmVkQ2FyZFBpbiU1RWVuY3J5cHRlZFNhdmVkQ2FyZEN2ZDJwaW4lNUVkZWJpdE9UUEZsZyU1RWNyZWRpdE9UUEZsZyU1RXByZXBhaWRPVFBGbGclNUVPVFBNZXRob2QlNUVvdGhlcmNhcmRkZWJpdGN2diU1RWFjY29yZGlvblZhbCU1RWNyZWRpdERlYml0Q2hlY2slNUVkZWJpdENhcmROdW1iZXIlNUVjYXJkUGluVHlwZSU1RWNhcmRQaW4lNUVkZWJpdENhcmRDdnYlNUVkZWJpdENhcmRob2xkZXJOYW1lJTVFcGFzc2xpbmUlNUVnc3RuVFhOSWQlNUVnc3RuRmxhZyU1RXBheW1lbnRJbml0VGltZSU1RWdyaXBzRmxhZyU1RXNlbGVjdGVkUHltbnRJbnN0cm1udCU1RWNhcHRjaGFNc2clNUVwYXltZW50SWQlNUVhdG1QYXlSZXRlbnRpb25QZXJpb2QlNUVzdHlsZUNzcyU1RWhlYWRlckZpbGUlNUVtZXJjaEhlYWRlckZpbGUlNUVsYWJlbEZpbGUlNUVtcmNoTmFtZSU1RW1yY2hXZWIlNUVtcmNoVHJhY2tJZCU1RXB5bW50SW5zdHJtbnRDQyU1RXB5bW50SW5zdHJtbnRBQyU1RXB5bW50SW5zdHJtbnREQyU1RXB5bW50SW5zdHJtbnRQQyU1RXB5bW50SW5zdHJtbnRQWiU1RXB5bW50SW5zdHJtbnRBUCU1RXB5bW50SW5zdHJtbnRERCU1RWVjb21GbGclNUVjYXB0Y2hhRmxnJTVFaW5zdE5hbWUlNUVtcmNoRXJyVXJsJTVFYXZzRmxnJTVFaGVhZGVyVHlwZSU1RXRlcm1JZCU1RWluc3RJZCU1RW1yY2hJZCU1RW1hZXN0cm9DaGVja0ZsYWclNUVydXBGbGclNUVweW1udEluc3RybW50SU1QUyU1RWZvb3RlciU1RWRlYml0U2VsJTVFY3JlZGl0U2VsJTVFcHJlcGFpZFNlbCU1RXNpRmxhZyU1RWZjRmxhZyU1RWZjQ2hlY2tlZCU1RWZjRXhwQ2hlY2slNUVmY0N0Q2hlY2slNUVmY0R0Q2hlY2slNUVmY1BkQ2hlY2slNUVyZGMlNUVjaGVja0JyYW5kJTVFb25PZmZUeXBlJTVFbWFlc3RybyU1RWNjSW5zdEZsZyU1RWNjVGVybUZsZyU1RW1lcmNoYW50Q3VycmVuY3lGbGclNUVjYXJkQ3VycmVuY3lGbGclNUVvdGhlckN1cnJlbmN5RmxnJTVFcHltbnRJbnN0cm1udENudCU1RW90cFN0YXR1cyU1RW90cGFsbG93ZWQlNUVvdHBtZXRob2QlNUVlbWlGbGFnJTVFcmFkaW9GbGFnJTVFb3RoZXJDYXJkcyU1RXRleHRGaWxlJTVFZXJyb3JTdHIlNUVyZXN1bHRDb2RlJTVFcG9zdERhdGUlNUVyZXNwb25zZUNvZGUlNUV0cmFuSWQlNUVhdXRoQ29kZSU1RW1yY2hIZWFkZXJNc2dGaWxlJTVFbXJjaEhlYWRlckh0bWxGaWxlJTVFaW5zdEhlYWRlckh0bWxGaWxl', 'JTVFZW5jQ2FwdGNoYSU1RWVuY3J5cHRlZENhcmROdW1iZXIlNUVlbmNyeXB0ZWRNb250aCU1RWVuY3J5cHRlZFllYXIlNUVlbmNyeXB0ZWRDYXJkSG9sZGVyTmFtZSU1RWVuY3J5cHRlZFNhdmVkQ2FyZENWViU1RWVuY3J5cHRlZFNhdmVkQ2FyZFBpbiU1RWVuY3J5cHRlZFNhdmVkQ2FyZEN2ZDJwaW4lNUVkZWJpdE9UUEZsZyU1RWNyZWRpdE9UUEZsZyU1RXByZXBhaWRPVFBGbGclNUVPVFBNZXRob2QlNUVvdGhlcmNhcmRkZWJpdGN2diU1RWFjY29yZGlvblZhbCU1RWNyZWRpdERlYml0Q2hlY2slNUVkZWJpdENhcmROdW1iZXIlNUVjYXJkUGluVHlwZSU1RWNhcmRQaW4lNUVkZWJpdENhcmRDdnYlNUVkZWJpdENhcmRob2xkZXJOYW1lJTVFcGFzc2xpbmUlNUVnc3RuVFhOSWQlNUVnc3RuRmxhZyU1RXBheW1lbnRJbml0VGltZSU1RWdyaXBzRmxhZyU1RXNlbGVjdGVkUHltbnRJbnN0cm1udCU1RWNhcHRjaGFNc2clNUVwYXltZW50SWQlNUVhdG1QYXlSZXRlbnRpb25QZXJpb2QlNUVzdHlsZUNzcyU1RWhlYWRlckZpbGUlNUVtZXJjaEhlYWRlckZpbGUlNUVsYWJlbEZpbGUlNUVtcmNoTmFtZSU1RW1yY2hXZWIlNUVtcmNoVHJhY2tJZCU1RXB5bW50SW5zdHJtbnRDQyU1RXB5bW50SW5zdHJtbnRBQyU1RXB5bW50SW5zdHJtbnREQyU1RXB5bW50SW5zdHJtbnRQQyU1RXB5bW50SW5zdHJtbnRQWiU1RXB5bW50SW5zdHJtbnRBUCU1RXB5bW50SW5zdHJtbnRERCU1RWVjb21GbGclNUVjYXB0Y2hhRmxnJTVFaW5zdE5hbWUlNUVtcmNoRXJyVXJsJTVFYXZzRmxnJTVFaGVhZGVyVHlwZSU1RXRlcm1JZCU1RWluc3RJZCU1RW1yY2hJZCU1RW1hZXN0cm9DaGVja0ZsYWclNUVydXBGbGclNUVweW1udEluc3RybW50SU1QUyU1RWZvb3RlciU1RWRlYml0U2VsJTVFY3JlZGl0U2VsJTVFcHJlcGFpZFNlbCU1RXNpRmx
Source: IRCommDLL1.dll, IRCommDLL/ClassMain.cs	Base64 encoded string: 'MIID1zCCAr+gAwIBAgIEME5DLDANBgkqhkiG9w0BAQsFADCBmzELMAkGA1UEBhMCSU4xDjAMBgNVBAgTBURlbGhpMRIwEAYDVQQHEwlOZXcgRGVsaGkxQDA+BgNVBAoTN0luZGlhbiBSYWlsd2F5IENhdGVyaW5nIGFuZCBUb3VyaXNtIENvcnBvcmF0aW9uIExpbWl0ZWQxDjAMBgNVBAsTBUlSQ1RDMRYwFAYDVQQDEw1JUkNUQyBDb25uZWN0MB4XDTE2MTIxOTA4MDE0OVoXDTQ2MTIxMjA4MDE0OVowgZsxCzAJBgNVBAYTAklOMQ4wDAYDVQQIEwVEZWxoaTESMBAGA1UEBxMJTmV3IERlbGhpMUAwPgYDVQQKEzdJbmRpYW4gUmFpbHdheSBDYXRlcmluZyBhbmQgVG91cmlzbSBDb3Jwb3JhdGlvbiBMaW1pdGVkMQ4wDAYDVQQLEwVJUkNUQzEWMBQGA1UEAxMNSVJDVEMgQ29ubmVjdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ2QagzGhkvSxapek3fMulpvBu4AnncOJKRrRH1OiC46E96ODISWtcMEP7kiaoEc/BqUduItFhLlFS/3S8Jg5FlHnHU4/KH3a+OxNMdH5+XBPnB5/2jBkNEiIuPsMpiud39Ri2Dde5YcFpTp27TsKbp5AWDiHEG+byAlXocp545w1TEIrxjOl3XPgefIYp+hKXRbZWW6MTfYIjLRuB+J70w7jHKYpf0BPHkQ/LPqoDQlMohkydffQAEkOWYxq5Dx8t4kpuPdN/eIIFABwBtTuhPbVQ49hb0iRAUlVsQlmw9x9SIel0BypLqYuDz5GizamAZA5LtjfxDvRlXk+fiLv90CAwEAAaMhMB8wHQYDVR0OBBYEFL3Vs7Xfe4Ebl/AdoHTVcOchdUfZMA0GCSqGSIb3DQEBCwUAA4IBAQB18atVKhr7Y0SwkE39ejcAbRytlku+HHreQKWZ6iPimybhXBpprUfKbdNSqD0ILAb7ovhPnzYjAaMv8g6+pWMfqUABPsRRyDsVP4F6/whKWG8ZhH3Hq9YIf9yO2NRAfV6JBH8f9Mo2kJ4XuvOIUsdDXRh3K8F90aXT5OislXW9nA0s3we4sk6mwdPVw2VE4jYc6DYPznSDYLR2JSRLoNL4Cu1LwlfyBEKwNCaYnVFSbPnnt+Z70TjrKOJf65xQf8rluywrJIW4u17wsk59TuRQGlVaid+320H5Pt9KNots5X9mgLhqKsYm+qFDLCwxGAa7EQLk1wHpWQ/tnekhJS0/'

Source: IRCommDLL1.dll, IRCommDLL/Class6.cs

Task registration methods: 'CreateMultipleTasksAsync'

Source: IRCommDLL1.dll

Static file information: File size 1396224 > 1048576

Source: IRCommDLL1.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: IRCommDLL1.dll

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: IRCommDLL1.dll

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x154600

Source: IRCommDLL1.dll

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Data Obfuscation

.NET source code contains potential unpacker

Source: IRCommDLL1.dll, IRCommDLL/EmbedAssembly.cs

.Net Code: Load System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Windows\SysWOW64\rundll32.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\IRCommDLL1.dll",#1

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	1 Rundll32	OS Credential Dumping	1 Virtualization/Sandbox Evasion	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	1 Virtualization/Sandbox Evasion	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Software Packing	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
IRCommDLL1.dll	2%	Virustotal		Browse
IRCommDLL1.dll	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://httpsweb.in/secure/msg_read.php?username=	0%	Avira URL Cloud	safe
https://migs.mastercard.co.in	0%	Virustotal		Browse
https://migs.mastercard.co.in	0%	Avira URL Cloud	safe
https://www.irctc.co.in/eticketing/BankResponse0036140143614000	0%	Avira URL Cloud	safe
http://menurates.irctc.co.in/.	0%	Virustotal		Browse
http://menurates.irctc.co.in/.	0%	Avira URL Cloud	safe
https://www.irctc.co.in/eticketing/BankResponse0055030016550300	0%	Avira URL Cloud	safe
https://www.irctc.co.in/eticketing/protected/mapps1/trnscheduleenquiry/	0%	Avira URL Cloud	safe
https://www.irctc.co.in/eticketing/BankResponse?encdata=	0%	Avira URL Cloud	safe
https://irctc.co.in	0%	Avira URL Cloud	safe
https://www.irctc.co.in/eticketing/BankResponse	0%	Avira URL Cloud	safe
https://securepayments.fssnet.co.in/pgwayf/directdebit.htm?actionparam=merchantRequest	0%	Avira URL Cloud	safe
http://wwwwwmagnet.com/api/app/getpass	0%	Avira URL Cloud	safe
https://www.irctc.co.in/eticketing/errors.html	0%	Avira URL Cloud	safe
https://irctc-ih.mmvpay.com/api/v1/users/checkout/mobile	0%	Avira URL Cloud	safe
https://www.citibank.co.in/servlets/PgTransResp_Web	0%	Avira URL Cloud	safe
https://www.irctc.co.in/authprovider/webtoken	0%	Avira URL Cloud	safe
http://nget.in/	0%	Avira URL Cloud	safe
https://migs.mastercard.com.au/vpcpay	0%	Avira URL Cloud	safe
https://www.irctc.co.in/nget/booking/train-list	0%	Avira URL Cloud	safe
https://www.irctc.co.in/eticketing/protected/mapps1/pin/	0%	Avira URL Cloud	safe
https://www.irctcipay.com/pgui/jsp/verifyUpiResponse	0%	Avira URL Cloud	safe
https://www.unionbankonline.co.inWSome	0%	Avira URL Cloud	safe
https://migs.mastercard.com.au/ssl	0%	Avira URL Cloud	safe
https://secure.axisbank.comwUSER_AUTH&ADS_CANCEL=true&REASON=CANCEL&DELETE_CONTACT=trueQUSER_AUTH&CA	0%	Avira URL Cloud	safe
https://www.contents.irctc.co.in/eticketing/protected/mapps1/	0%	Avira URL Cloud	safe
https://www.irctc.co.in/eticketing/BankResponse00320100032320100	0%	Avira URL Cloud	safe
http://silvergreen.live/api/app/success;Unable	0%	Avira URL Cloud	safe
https://www.irctcipay.com/pgui/jsp/upiPay	0%	Avira URL Cloud	safe
https://www.unionbankonline.co.in/corp/AuthenticationController?FORMSGROUP_ID__=AuthenticationFG&__S	0%	Avira URL Cloud	safe
http://www.irctc.co.in	0%	Avira URL Cloud	safe
http://192.3.164.176/api/image	0%	Avira URL Cloud	safe
http://silvergreen.live/api/app/login=application/json;charset=UTF-8	0%	Avira URL Cloud	safe
https://www.irctc.co.in/eticketing/mbi/PaytmWtGen	0%	Avira URL Cloud	safe
https://www.irctc.co.in/eticketing/protected/mapps1/printTicket/	0%	Avira URL Cloud	safe
https://www.irctc.co.in/eticketing/protected/mapps1/allLapAvlFareEnq/Y	0%	Avira URL Cloud	safe
https://www.irctc.co.in/eticketing/PaymentRedirect	0%	Avira URL Cloud	safe
https://inet.idbibank.co.in/corp/%Init.	0%	Avira URL Cloud	safe
https://www.irctc.co.in/eticketing/logout?out	0%	Avira URL Cloud	safe
https://www.irctc.co.in/eticketing/mbi/;	0%	Avira URL Cloud	safe
https://www.irctc.co.in/eticketing/protected/mapps1/allLapAvlFareEnq/N	0%	Avira URL Cloud	safe
https://www.irctc.co.in/ihttps://www.irctc.co.in/eticketing/protected/mapps1/5Enter	0%	Avira URL Cloud	safe
https://www.irctcipay.com/pgui/jsp/matchMoveResponseQhttps://hdfcbankpayments.hdfcbank.com/PG-Init.	0%	Avira URL Cloud	safe
https://securepg.fssnet.co.in	0%	Avira URL Cloud	safe
https://migs.mastercard.com.au	0%	Avira URL Cloud	safe
https://merchant.onlinesbi.sbi/merchant/loginsubmit.htm;	0%	Avira URL Cloud	safe
https://www.irctc.co.in/eticketing/protected/mapps1/captchaverify/	0%	Avira URL Cloud	safe
https://merchant.onlinesbi.sbi/merchant/redirect.htm;#Init.	0%	Avira URL Cloud	safe
https://www.irctcipay.com/pgui/jsp/binResolver	0%	Avira URL Cloud	safe
https://merchant.onlinesbi.sbi/merchant/smsenablehighsecurityconfirm.htm;	0%	Avira URL Cloud	safe
https://www.irctc.co.in/eticketing/BankResponse005000049015500004900q//fss50//PGWAYC//config////bran	0%	Avira URL Cloud	safe
http://silvergreen.live/api/app/tokenused	0%	Avira URL Cloud	safe
https://securepayments.fssnet.co.in/pgwayb3Login	0%	Avira URL Cloud	safe
https://www.irctc.co.in/eticketing/protected/mapps1/validateUser?source=3#limit	0%	Avira URL Cloud	safe
https://securepayments.fssnet.co.in/ipay/paymentpage.htmuhttps://securepayments.fssnet.co.in/ipay/pa	0%	Avira URL Cloud	safe
https://www.axisbiconnect.co.in/BankAway/5/web/L001/retail/jsp/ebpp/5RETLOGIN=Y&BANKID=211&RID=	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://httpsweb.in/secure/msg_read.php?username=	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://acs9-fd.enstage-sas.com/acs-v1/validateStaticPassword?page=authPage	IRCommDLL1.dll	false		high
https://api.razorpay.com/v1/preferences?key_id=	IRCommDLL1.dll	false		high
https://migs.mastercard.co.in	IRCommDLL1.dll	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://secure.paytm.in/oltp-web/	IRCommDLL1.dll	false		high
http://www.translationdirectory.com/	IRCommDLL1.dll	false		high
https://www.irctc.co.in/eticketing/BankResponse0036140143614000	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
http://menurates.irctc.co.in/.	IRCommDLL1.dll	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://securegw.paytm.in/theia/api/v1/processTransaction?mid=whttps://securegw.paytm.in/theia/api/v	IRCommDLL1.dll	false		high
https://walletapi.mobikwik.com/walletYhttps://walletapi.mobikwik.com/securewallet	IRCommDLL1.dll	false		high
https://securegw.paytm.in	IRCommDLL1.dll	false		high
https://www.irctc.co.in/eticketing/BankResponse0055030016550300	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://www.irctc.co.in/eticketing/protected/mapps1/trnscheduleenquiry/	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://www.irctc.co.in/eticketing/BankResponse?encdata=	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://irctc.co.in	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://www.irctc.co.in/eticketing/BankResponse	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://netbanking.hdfcbank.com/netbanking/entryMfldpwdtmp=&fldAppId=RS&fldDevicePrint=	IRCommDLL1.dll	false		high
https://securepayments.fssnet.co.in/pgwayf/directdebit.htm?actionparam=merchantRequest	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
http://wwwwwmagnet.com/api/app/getpass	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://trust.paytm.in:443/wallet-web/checkBalance	IRCommDLL1.dll	false		high
https://www.irctc.co.in/eticketing/errors.html	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://secure.paytm.in:443/oltp/HANDLER_INTERNAL/GENERATE_OTP-JsonData=	IRCommDLL1.dll	false		high
https://irctc-ih.mmvpay.com/api/v1/users/checkout/mobile	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://api.razorpay.com/v1/checkout/public=&currency%5B0%5D=INR&order_id=	IRCommDLL1.dll	false		high
https://www.citibank.co.in/servlets/PgTransResp_Web	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://www.irctc.co.in/authprovider/webtoken	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
http://ser355.somee.com/TUT	IRCommDLL1.dll	false		high
https://secure.payu.in/_payment	IRCommDLL1.dll	false		high
http://nget.in/	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://cardpay.airtelbank.com/airtel/jsp/ACSMPINCheckEntry.jspMProcessing	IRCommDLL1.dll	false		high
https://migs.mastercard.com.au/vpcpay	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://www.irctc.co.in/nget/booking/train-list	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://www.irctc.co.in/eticketing/protected/mapps1/pin/	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://irctclive.nlpcaptcha.in/index.php/media/getTC/	IRCommDLL1.dll	false		high
https://pgi.billdesk.com/pgidsk/pgmerc/IRCTCCRISPDCRedirect.jsp_https://www.billdesk.com/pgidsk/Proc	IRCommDLL1.dll	false		high
https://hdfc-acs.wibmo.com	IRCommDLL1.dll	false		high
https://www.irctcipay.com/pgui/jsp/verifyUpiResponse	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://walletapi.mobikwik.com/walletapis/redirectflow/fetch-order-details	IRCommDLL1.dll	false		high
https://www.unionbankonline.co.inWSome	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://merchant.onlinesbi.com/merchant/	IRCommDLL1.dll	false		high
https://www.onlinesbiglobal.com/NPINB/	IRCommDLL1.dll	false		high
https://migs.mastercard.com.au/ssl	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://api.razorpay.com/v1/payments/create/fees;method=card&card%5Bnumber%5D=	IRCommDLL1.dll	false		high
https://secure.axisbank.comwUSER_AUTH&ADS_CANCEL=true&REASON=CANCEL&DELETE_CONTACT=trueQUSER_AUTH&CA	IRCommDLL1.dll	false	Avira URL Cloud: safe	low
https://www.contents.irctc.co.in/eticketing/protected/mapps1/	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://ipg.icicibank.com/ICICIPG/encryptionServlet?generateKeypair=true&	IRCommDLL1.dll	false		high
https://www.irctc.co.in/eticketing/BankResponse00320100032320100	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
http://silvergreen.live/api/app/success;Unable	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://www.irctcipay.com/pgui/jsp/upiPay	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://www.corpretail.com/RetailBank/olt/olt.onlineinterface.online.do	IRCommDLL1.dll	false		high
https://www.unionbankonline.co.in/corp/AuthenticationController?FORMSGROUP_ID__=AuthenticationFG&__S	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://www.billdesk.com/pgidsk/	IRCommDLL1.dll	false		high
http://www.irctc.co.in	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://www.google.com/recaptcha/api2/userverify?k=6LcnQNYUAAAAAOm9HrBJ4QJIhdAuFrAckyUsQyjykhttps://	IRCommDLL1.dll	false		high
http://192.3.164.176/api/image	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://netbanking.hdfcbank.com/netbanking/RSLogin.html?v=4%Init.	IRCommDLL1.dll	false		high
http://silvergreen.live/api/app/login=application/json;charset=UTF-8	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://mercury-t2.phonepe.com/apis/v1/irctc/notification?t=	IRCommDLL1.dll	false		high
https://www.irctc.co.in/eticketing/mbi/PaytmWtGen	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://www.irctc.co.in/eticketing/protected/mapps1/printTicket/	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://www.irctc.co.in/eticketing/protected/mapps1/allLapAvlFareEnq/Y	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://www.onlinesbiglobal.com/NPINB/AuthenticationController?FORMSGROUP_ID__=AuthenticationFG&__ST	IRCommDLL1.dll	false		high
https://www4.ipg-online.com/	IRCommDLL1.dll	false		high
https://netsafe.hdfcbank.com	IRCommDLL1.dll	false		high
https://api.razorpay.com/v1/payments/create/ajaxO	IRCommDLL1.dll	false		high
https://www.irctc.co.in/eticketing/PaymentRedirect	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://securegw.paytm.in/theia/upi/transactionStatus?MID=	IRCommDLL1.dll	false		high
https://inet.idbibank.co.in/corp/%Init.	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://ircomm.s3.ap-south-1.amazonaws.com/chromedriver92.zip	IRCommDLL1.dll	false		high
https://irctclive.nlpcaptcha.in/index.php/nlpgen/nlpimg/refresh/	IRCommDLL1.dll	false		high
https://www.irctc.co.in/eticketing/logout?out	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://www.irctc.co.in/eticketing/mbi/;	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://www.irctc.co.in/eticketing/protected/mapps1/allLapAvlFareEnq/N	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://www.irctc.co.in/ihttps://www.irctc.co.in/eticketing/protected/mapps1/5Enter	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://www.irctcipay.com/pgui/jsp/matchMoveResponseQhttps://hdfcbankpayments.hdfcbank.com/PG-Init.	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B77FB7CC8	IRCommDLL1.dll	false		high
http://regetdx.5gbfree.com	IRCommDLL1.dll	false		high
https://securepg.fssnet.co.in	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://netbanking.hdfcbank.com/netbanking/?_ga=1.67743385.968282051.1482163954	IRCommDLL1.dll	false		high
https://migs.mastercard.com.au	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://checkout.razorpay.com/integration/irctcKhttps://www.onlinesbiglobal.com/NPINB	IRCommDLL1.dll	false		high
https://merchant.onlinesbi.sbi/merchant/loginsubmit.htm;	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://walletapi.mobikwik.com/walletapis/sendOtp	IRCommDLL1.dll	false		high
https://www.irctc.co.in/eticketing/protected/mapps1/captchaverify/	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
http://erail.in/Rail/GetTrains.aspx?eKey=1770.8472450128&Station_From=	IRCommDLL1.dll	false		high
https://merchant.onlinesbi.sbi/merchant/redirect.htm;#Init.	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://www.irctcipay.com/pgui/jsp/binResolver	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://merchant.onlinesbi.sbi/merchant/smsenablehighsecurityconfirm.htm;	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://www.irctc.co.in/eticketing/BankResponse005000049015500004900q//fss50//PGWAYC//config////bran	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://ecom.airtelbank.com/irctc/ecomDoTxn.action-Transaction	IRCommDLL1.dll	false		high
http://silvergreen.live/api/app/tokenused	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://securepayments.fssnet.co.in/pgwayb3Login	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://www.mobikwik.com	IRCommDLL1.dll	false		high
https://secure.paytm.in/oltp/HANDLER_INTERNAL/CARD_TOKEN_GENERATOR	IRCommDLL1.dll	false		high
https://www.irctc.co.in/eticketing/protected/mapps1/validateUser?source=3#limit	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://securepayments.fssnet.co.in/ipay/paymentpage.htmuhttps://securepayments.fssnet.co.in/ipay/pa	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://securegw.paytm.in/theia/api/v1/vpa/validate?mid=g	IRCommDLL1.dll	false		high
https://www.corpretail.com/RetailBank/olt/olt.onlineinterface.onconfirm.do	IRCommDLL1.dll	false		high
https://www.axisbiconnect.co.in/BankAway/5/web/L001/retail/jsp/ebpp/5RETLOGIN=Y&BANKID=211&RID=	IRCommDLL1.dll	false	Avira URL Cloud: safe	unknown
https://www.corpretail.com/RetailBank/cris/cris.payments.onpayconfirm.do	IRCommDLL1.dll	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	565726
Start date:	03.02.2022
Start time:	12:27:21
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	IRCommDLL1.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal52.evad.winDLL@5/0@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.54.113.53
Excluded domains from analysis (whitelisted): e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, store-images.s-microsoft.com-c.edgekey.net
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
12:28:18	API Interceptor	1x Sleep call for process: loaddll32.exe modified

File type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.731587909863432
TrID:	Win32 Dynamic Link Library (generic) Net Framework (1011504/3) 49.81% Win32 Dynamic Link Library (generic) (1002004/3) 49.34% Windows Screen Saver (13104/52) 0.65% Generic Win/DOS Executable (2004/3) 0.10% DOS Executable Generic (2002/1) 0.10%
File name:	IRCommDLL1.dll
File size:	1396224
MD5:	6329989230ea5ec0b353eeefa69261a6
SHA1:	ad19ded776dc64dbdc4de32f8f8c3d58f5768f36
SHA256:	d97e54139ae34a8aeefff4d5ac760caa5b8cbb1a91af6fa5d725a0cfba6dfeb0
SHA512:	54f1147f2345c4dd93bfabe8a8bb3e93616c553cc7569239d722d85a2e07c486f0b5d7e56d97e425000920a9e296a8697cf54ba349d140b2225bb68ddbb9a999
SSDEEP:	24576:lBOn05QxtMe+ueCoiTiL4UKjpwFAXXvNuOb/:LQxPTiL4GU
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...8} a.........." ..0..F...........d... ........... ....................................`................................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:	0x101564be
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x61207D38 [Sat Aug 21 04:12:40 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	dae02f32a21e03ce65412f6e56942daa

Entrypoint Preview

Instruction
jmp dword ptr [10002000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x15646c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x158000	0x37e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x15a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1544c4	0x154600	False	0.343849700468	data	5.73536368312	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x158000	0x37e	0x400	False	0.3740234375	data	2.94554631389	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x15a000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x158058	0x326	data

Imports

DLL	Import
mscoree.dll	_CorDllMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2015
Assembly Version	1.0.3.19
InternalName	IRCommDLL.dll
FileVersion	1.3.20.19
CompanyName
LegalTrademarks
Comments
ProductName	IRCommDLL
ProductVersion	1.3.20.19
FileDescription	IRCommDLL
OriginalFilename	IRCommDLL.dll

• loaddll32.exe
• cmd.exe
• rundll32.exe

Click to jump to process

Memory Usage

• loaddll32.exe
• cmd.exe
• rundll32.exe

Click to jump to process

Click to jump to process

Target ID:	0
Start time:	12:28:17
Start date:	03/02/2022
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\IRCommDLL1.dll"
Imagebase:	0x2b0000
File size:	116736 bytes
MD5 hash:	7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	1
Start time:	12:28:18
Start date:	03/02/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\IRCommDLL1.dll",#1
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	12:28:18
Start date:	03/02/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\IRCommDLL1.dll",#1
Imagebase:	0xa80000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report IRCommDLL1.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

System Summary

Jbx Signature Overview

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: loaddll32.exePID: 6300, Parent PID: 5272

General

File Activities

File Opened

File Created

File Attributes Queried

Volume Information Queried

Device IO

Section Activities

Sections loaded by Windows

Windows Analysis Report
IRCommDLL1.dll