Windows Analysis Report
IMS64.dll.dll

Overview

General Information

Sample name: IMS64.dll.dll
(renamed file extension from exe to dll)
Original sample name: IMS64.dll.exe
Analysis ID: 1500442
MD5: 4a10fb513a346ffdca884fa74cf18015
SHA1: 623b8046938fd54fae54957ece8c7ff40653217b
SHA256: 079e3171048286472cff2b0267cd2d6a90bf9d7f45255f48031bf4bf2ac3b0b4
Tags: exe, javaforyouedu-in

Detection

BruteRatel
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected BruteRatel
AI detected suspicious sample
Modifies the context of a thread in another process (thread injection)
Sets debug register (to hijack the execution of another thread)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Brute Ratel C4, BruteRatel
Description: Brute Ratel is a customized Command and Control Center for Red Team and Adversary Simulation. SMB and TCP payloads provide functionality to write custom external C2 channels over legitimate websites such as Slack, Discord, Microsoft Teams and more. Built-in debugger to detect EDR userland hooks. Ability to keep memory artifacts hidden from EDRs and AV. Direct Windows SYS calls on the fly.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.brute_ratel_c4

AV Detection

Source: IMS64.dll.dll ReversingLabs: Detection: 28%
Source: IMS64.dll.dll Virustotal: Detection: 26%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.4% probability
Source: unknown HTTPS traffic detected: 43.206.237.192:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 43.206.237.192:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 43.206.237.192:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: IMS64.dll.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Networking

Source: C:\Windows\System32\rundll32.exe Network Connect: 43.206.237.192 443
Source: Joe Sandbox View ASN Name: LILLY-ASUS
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: 33 POST requests to the same endpoint, 3 with Content-Length: 538 and 30 with Content-Length: 96, each of the form:
POST /rofl/admin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Host: javaforyouedu.in
Content-Length: 538 (3 requests) or 96 (30 requests)
Connection: Keep-Alive
Cache-Control: no-cache
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: javaforyouedu.in
Source: unknown HTTP traffic detected:
POST /rofl/admin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Host: javaforyouedu.in
Content-Length: 538
Connection: Keep-Alive
Cache-Control: no-cache
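The requests above share one URI, one hard-coded User-Agent and only two body sizes, and they repeat from three rundll32.exe processes. What follows is an added example, not part of the Joe Sandbox report and not Brute Ratel code: a Python detector that parses constructed proxy log lines and flags a client whose POSTs show few distinct body sizes, regular timing and an out-of-date browser version string. The log format, the timestamps, the benign www.example.com traffic and the numeric thresholds are assumptions made for illustration; the javaforyouedu.in endpoint, the Chrome/90 User-Agent and the 538/96-byte body sizes are taken from the report, with the 538-byte request placed first on the assumption that it is a registration followed by polls.

```python
"""Flag HTTP beaconing with the shape seen in this report (added example)."""
import re
import statistics
from collections import Counter, defaultdict

# Constructed proxy log, not from the report. One request per line:
#   <unix_ts> <client_ip> <method> <host> <uri> <status> <req_body_bytes> <user_agent>
UA_OLD = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36")
UA_NEW = UA_OLD.replace("Chrome/90.0.4430.93", "Chrome/126.0.0.0")  # assumed current browser
SAMPLE_LOG = "\n".join(
    # one 538-byte POST followed by 96-byte POSTs roughly every 30 s, as in the report
    [f"1723710000 192.168.2.4 POST javaforyouedu.in /rofl/admin 200 538 {UA_OLD}"]
    + [f"{ts} 192.168.2.4 POST javaforyouedu.in /rofl/admin 200 96 {UA_OLD}"
       for ts in (1723710031, 1723710059, 1723710092, 1723710121,
                  1723710152, 1723710182, 1723710214, 1723710243)]
    # constructed benign traffic: irregular timing, varied body sizes, current browser
    + [f"{ts} 192.168.2.7 POST www.example.com /api/search 200 {n} {UA_NEW}"
       for ts, n in ((1723710040, 211), (1723710045, 1733), (1723710300, 64),
                     (1723710310, 980), (1723710900, 402), (1723710905, 77),
                     (1723712000, 2150), (1723712100, 519))]
)

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\S+) (\d+) (\d+) (.*)$")
CHROME_RE = re.compile(r"Chrome/(\d+)\.")


def parse(log_text):
    """Parse log lines into dicts; malformed lines are skipped rather than fatal."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, host, uri, status, body, ua = m.groups()
        rows.append({"ts": int(ts), "client": client, "method": method, "host": host,
                     "uri": uri, "status": int(status), "body": int(body), "ua": ua})
    return rows


def find_beacons(rows, min_requests=8, max_distinct_sizes=3, max_jitter=0.5,
                 stale_chrome_major=100):
    """Group POSTs by (client, host, uri) and score each group on three traits.

    Thresholds are assumptions for illustration, not values from the report.
    A group is reported when at least two traits match.
    """
    groups = defaultdict(list)
    for r in rows:
        if r["method"] == "POST":
            groups[(r["client"], r["host"], r["uri"])].append(r)
    hits = []
    for (client, host, uri), reqs in groups.items():
        if len(reqs) < max(min_requests, 2):
            continue
        reqs.sort(key=lambda r: r["ts"])
        reasons = []
        # 1. Few distinct body sizes: C2 check-in and poll messages are fixed-format.
        sizes = Counter(r["body"] for r in reqs)
        if len(sizes) <= max_distinct_sizes:
            reasons.append(f"{len(sizes)} distinct body sizes {sorted(sizes)}")
        # 2. Regular interval: a sleep timer with small jitter, unlike human browsing.
        gaps = [b["ts"] - a["ts"] for a, b in zip(reqs, reqs[1:])]
        mean_gap = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        if jitter <= max_jitter:
            reasons.append(f"interval ~{mean_gap:.0f}s with jitter {jitter:.2f}")
        # 3. Hard-coded, out-of-date browser version in the User-Agent.
        matches = [CHROME_RE.search(r["ua"]) for r in reqs]
        majors = [int(m.group(1)) for m in matches if m]
        if majors and max(majors) < stale_chrome_major:
            reasons.append(f"stale Chrome/{max(majors)} User-Agent")
        if len(reasons) >= 2:
            hits.append({"client": client, "host": host, "uri": uri,
                         "count": len(reqs), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in find_beacons(parse(SAMPLE_LOG)):
        print(h)
```

Two traits are required because any one of them is weak on its own: a long sleep with wide jitter (the report notes the sample sleeps in evasive loops) defeats the interval check, and an operator can set a current User-Agent, but a fixed-format poll message still gives a narrow set of body sizes.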
Source: rundll32.exe, 00000003.00000002.4122414649.000001CDED202000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2024553634.000001CDED19F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4122414649.000001CDED19F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2337575131.000001CDED19F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2337575131.000001CDED207000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4122385364.000001FB0D930000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3711576277.000001FB0D930000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2640820421.000001FB0D995000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2024250096.000001FB0D935000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2336710000.000001FB0D995000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3122503909.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4122196214.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4122196214.000001E8C6C56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3851106609.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3597962223.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3385284343.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://javaforyouedu.in/
Source: rundll32.exe, 00000003.00000003.2024553634.000001CDED19F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4122414649.000001CDED19F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2337575131.000001CDED19F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://javaforyouedu.in/-
Source: rundll32.exe, 00000004.00000003.1716599072.000001FB0D991000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1717104370.000001FB0D991000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://javaforyouedu.in/H
Source: rundll32.exe, 00000005.00000003.2318339849.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2483934674.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://javaforyouedu.in/O
Source: rundll32.exe, 00000005.00000002.4122196214.000001E8C6C85000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4122196214.000001E8C6C8B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2483934674.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3385284343.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://javaforyouedu.in/rofl/admin
Source: rundll32.exe, 00000005.00000003.2483934674.000001E8C6C8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://javaforyouedu.in/rofl/admin#
Source: rundll32.exe, 00000005.00000003.2318339849.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://javaforyouedu.in/rofl/admin2
Source: rundll32.exe, 00000003.00000003.3145988406.000001CDED22A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://javaforyouedu.in/rofl/admin4
Source: rundll32.exe, 00000003.00000002.4122414649.000001CDED1DA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2337575131.000001CDED1DB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2024553634.000001CDED1DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://javaforyouedu.in/rofl/admin8x
Source: rundll32.exe, 00000005.00000003.3122503909.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3851106609.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2483934674.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://javaforyouedu.in/rofl/admin9
Source: rundll32.exe, 00000004.00000003.3711576277.000001FB0D918000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4122385364.000001FB0D918000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://javaforyouedu.in/rofl/admin=
Source: rundll32.exe, 00000004.00000002.4122385364.000001FB0D994000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3597962223.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3385284343.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://javaforyouedu.in/rofl/adminA
Source: rundll32.exe, 00000005.00000003.3597962223.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2483934674.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://javaforyouedu.in/rofl/adminD
Source: rundll32.exe, 00000004.00000003.3711576277.000001FB0D994000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://javaforyouedu.in/rofl/adminL
Source: rundll32.exe, 00000005.00000003.3122503909.000001E8C6CD6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2318339849.000001E8C6CD6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2484020877.000001E8C6CD6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1958211641.000001E8C6CD5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3851202401.000001E8C6CD6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3385381204.000001E8C6CD6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1958118482.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3597962223.000001E8C6CD6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4122196214.000001E8C6CD6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://javaforyouedu.in/rofl/adminM
Source: rundll32.exe, 00000005.00000003.3122503909.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3851106609.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3597962223.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3385284343.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://javaforyouedu.in/rofl/adminN
Source: rundll32.exe, 00000004.00000003.3711576277.000001FB0D966000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://javaforyouedu.in/rofl/adminYcM(
Source: rundll32.exe, 00000005.00000003.2483934674.000001E8C6C85000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1958118482.000001E8C6C85000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3122503909.000001E8C6C85000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3597962223.000001E8C6C85000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2318339849.000001E8C6C85000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3385284343.000001E8C6C85000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3851106609.000001E8C6C85000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4122196214.000001E8C6C85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://javaforyouedu.in/rofl/admini
Source: rundll32.exe, 00000004.00000003.3711576277.000001FB0D918000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4122385364.000001FB0D918000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://javaforyouedu.in/rofl/admink
Source: rundll32.exe, 00000004.00000003.3711716551.000001FB0D9B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2640820421.000001FB0D995000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2640866940.000001FB0D9B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2024200405.000001FB0D995000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2853714968.000001FB0D994000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2336772158.000001FB0D9B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4122385364.000001FB0D994000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2336710000.000001FB0D995000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2853768398.000001FB0D9B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://javaforyouedu.in/rofl/admino
Source: rundll32.exe, 00000005.00000002.4122196214.000001E8C6CB6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://javaforyouedu.in/rofl/admins
Source: rundll32.exe, 00000003.00000002.4122414649.000001CDED1DA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2337575131.000001CDED1DB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2024553634.000001CDED1DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://javaforyouedu.in/rofl/adminux
Source: rundll32.exe, 00000004.00000003.3711576277.000001FB0D966000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://javaforyouedu.in/rofl/adminxcn(
Source: rundll32.exe, 00000005.00000003.3597962223.000001E8C6C8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://javaforyouedu.in/rofl/adminy
Source: rundll32.exe, 00000004.00000003.1716599072.000001FB0D991000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1717104370.000001FB0D991000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://javaforyouedu.in/rofl/admin~
Source: rundll32.exe, 00000004.00000002.4122385364.000001FB0D930000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3711576277.000001FB0D930000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2024250096.000001FB0D935000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://javaforyouedu.in/wA
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FFE133025E0 NtAllocateVirtualMemory, NtProtectVirtualMemory, NtCreateThreadEx, VirtualFreeEx 3_2_00007FFE133025E0
Source: C:\Windows\System32\rundll32.exe Code function: 3_3_000001CDED27BA3A 3_3_000001CDED27BA3A
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00007FFE133025E0 3_2_00007FFE133025E0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001E8C8766150 5_2_000001E8C8766150
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001E8C8764120 5_2_000001E8C8764120
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001E8C8761D00 5_2_000001E8C8761D00
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001E8C87644F0 5_2_000001E8C87644F0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001E8C874C9C0 5_2_000001E8C874C9C0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001E8C876E1B0 5_2_000001E8C876E1B0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001E8C87701B0 5_2_000001E8C87701B0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001E8C8759580 5_2_000001E8C8759580
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001E8C8745EC0 5_2_000001E8C8745EC0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001E8C875A2A0 5_2_000001E8C875A2A0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001E8C876F690 5_2_000001E8C876F690
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001E8C8752B60 5_2_000001E8C8752B60
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001E8C8757750 5_2_000001E8C8757750
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001E8C8756730 5_2_000001E8C8756730
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001E8C87533A0 5_2_000001E8C87533A0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001E8C875EBA0 5_2_000001E8C875EBA0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001E8C8758B90 5_2_000001E8C8758B90
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001E8C8760380 5_2_000001E8C8760380
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001E8C874AF70 5_2_000001E8C874AF70
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001E8C874A020 5_2_000001E8C874A020
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001E8C8752010 5_2_000001E8C8752010
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001E8C8763010 5_2_000001E8C8763010
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001E8C87650E0 5_2_000001E8C87650E0
Source: IMS64.dll.dll Static PE information: Number of sections : 11 > 10
Source: classification engine Classification label: mal76.troj.evad.winDLL@10/0@1/1
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001E8C875CAD0 CreateToolhelp32Snapshot, Thread32First 5_2_000001E8C875CAD0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7316:120:WilError_03
Source: C:\Windows\System32\rundll32.exe Mutant created: NULL
Source: IMS64.dll.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\IMS64.dll.dll,main
Source: IMS64.dll.dll ReversingLabs: Detection: 28%
Source: IMS64.dll.dll Virustotal: Detection: 26%
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\IMS64.dll.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\IMS64.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\IMS64.dll.dll,main
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\IMS64.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\IMS64.dll.dll",main
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\IMS64.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\IMS64.dll.dll,main
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\IMS64.dll.dll",main
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\IMS64.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: IMS64.dll.dll Static PE information: Image base 0x205d50000 > 0x60000000
Source: IMS64.dll.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: IMS64.dll.dll Static PE information: section name: .xdata
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000001FB0D91C282 pushad ; ret 4_2_000001FB0D91C2F1
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Code function: GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetNativeSystemInfo,GetAdaptersInfo,GetAdaptersInfo, 5_2_000001E8C87624C0
Source: C:\Windows\System32\rundll32.exe API coverage: 0.0 %
Source: C:\Windows\System32\loaddll64.exe TID: 7312 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll64.exe Thread delayed: delay time: 120000
Source: rundll32.exe, 00000003.00000002.4122414649.000001CDED148000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2024553634.000001CDED19F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4122414649.000001CDED19F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2337575131.000001CDED19F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4122385364.000001FB0D930000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3711576277.000001FB0D930000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2024250096.000001FB0D935000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4122385364.000001FB0D8D8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4122196214.000001E8C6C56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4122196214.000001E8C6BEF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4122196214.000001E8C6C3D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001E8C874D5C0 LdrGetProcedureAddress, 5_2_000001E8C874D5C0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001E8C874A8B0 RtlAddVectoredExceptionHandler, 5_2_000001E8C874A8B0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe Network Connect: 43.206.237.192 443
Source: C:\Windows\System32\rundll32.exe Thread register set: target process: 7396
Source: C:\Windows\System32\rundll32.exe Thread register set: target process: 7396
Source: C:\Windows\System32\rundll32.exe Thread register set: target process: 7372
Source: C:\Windows\System32\rundll32.exe Thread register set: target process: 7372
Source: C:\Windows\System32\rundll32.exe Thread register set: target process: 7396
Source: C:\Windows\System32\rundll32.exe Thread register set: target process: 7396
Source: C:\Windows\System32\rundll32.exe Thread register set: 7396 1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\IMS64.dll.dll",#1
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001E8C87624C0 GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetNativeSystemInfo,GetAdaptersInfo,GetAdaptersInfo, 5_2_000001E8C87624C0

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7500, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7500, type: MEMORYSTR