Windows Analysis Report
viYcjIFhBz.dll

ID:	1522597
Product:	CloudBasic
Start time:	12:31:10
Start date:	30.09.2024
Sample:	viYcjIFhBz.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	48324a46181fd6b43b066c398a693fe0
SHA1:	c4b295e058281f5ce730dd38c3316ef14b8dcabc
SHA256:	3313775ddd80cb904e3bf929a7d2c839e282b63a4f365d21d6caf2b225bf381b
Filetype:	Win64 Dynamic Link Library (generic) (102004/3) 86.43%

Name	Type	MD5	SHA1	SHA256

AV Detection

Source: viYcjIFhBz.dll	ReversingLabs: Detection: 28%
Source: viYcjIFhBz.dll	Virustotal: Detection: 37%			Perma Link

Compliance

Source: viYcjIFhBz.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: C:\Users\NEO\Desktop\RavinAcademy\RedTeam-01\09\03-ACG\x64\Release\EnableACG.pdb source: viYcjIFhBz.dll

System Summary

Source: viYcjIFhBz.dll, type: SAMPLE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: viYcjIFhBz.dll, type: SAMPLE	Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 00000000.00000002.2148920564.000001A119050000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.2148920564.000001A119050000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 00000003.00000002.2186246904.000001BA72F20000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000003.00000002.2186246904.000001BA72F20000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown

Source: viYcjIFhBz.dll, type: SAMPLE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: viYcjIFhBz.dll, type: SAMPLE	Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 00000000.00000002.2148920564.000001A119050000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.2148920564.000001A119050000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 00000003.00000002.2186246904.000001BA72F20000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000003.00000002.2186246904.000001BA72F20000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13

Source: viYcjIFhBz.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal60.evad.winDLL@6/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1476:120:WilError_03

Source: viYcjIFhBz.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\viYcjIFhBz.dll",#1

Source: viYcjIFhBz.dll	ReversingLabs: Detection: 28%
Source: viYcjIFhBz.dll	Virustotal: Detection: 37%

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\viYcjIFhBz.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\viYcjIFhBz.dll",#1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\viYcjIFhBz.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\viYcjIFhBz.dll",#1			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\viYcjIFhBz.dll",#1			Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: vcruntime140.dll			Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: kernel.appcore.dll			Jump to behavior

Source: viYcjIFhBz.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: viYcjIFhBz.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: viYcjIFhBz.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: viYcjIFhBz.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: viYcjIFhBz.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: viYcjIFhBz.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: viYcjIFhBz.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: viYcjIFhBz.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: viYcjIFhBz.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Users\NEO\Desktop\RavinAcademy\RedTeam-01\09\03-ACG\x64\Release\EnableACG.pdb source: viYcjIFhBz.dll

Source: viYcjIFhBz.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: viYcjIFhBz.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: viYcjIFhBz.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: viYcjIFhBz.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: viYcjIFhBz.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: viYcjIFhBz.dll

Static PE information: section name: .text entropy: 7.085181042380631

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\rundll32.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\loaddll64.exe TID: 7016

Thread sleep time: -120000s >= -30000s

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll64.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\loaddll64.exe	NtCreateThreadEx: Direct from: 0x7FFDA54E642F			Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	NtMapViewOfSection: Direct from: 0x7FFDA54E63EF			Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\viYcjIFhBz.dll",#1

Jump to behavior