Windows Analysis Report
3.dll

Overview

General Information

Sample name: 3.dll
Analysis ID: 1524657
MD5: 9e4e3ae279401f9e0b2d2818d422081d
SHA1: ae134efc864b5b8af1c7d2dee50c8542521ff109
SHA256: 93fca55f68b6d490087850b8f321f108ca4aa193ee8312b3c6bcf727828e965d
Tags: dll, Mekotio, user-Merlax_

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Hides threads from debuggers
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Switches to a custom stack to bypass stack traces
Tries to evade analysis by executing a special instruction (VM detection)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Entry point lies outside standard sections
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

AV Detection

Source: 3.dll Avira: detected
Source: strogonoff.xyz Virustotal: Detection: 7%
Source: 3.dll ReversingLabs: Detection: 13%
Source: 3.dll Virustotal: Detection: 23%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.7% probability
Source: 3.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI

Networking

Source: unknown DNS query: name: pastebin.com
Source: DNS query: strogonoff.xyz
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported three times)
Source: global traffic DNS traffic detected: DNS query: paradoxine.sbs
Source: global traffic DNS traffic detected: DNS query: strogonoff.xyz
Source: global traffic DNS traffic detected: DNS query: pastebin.com
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll String found in binary or memory: http://csrc.nist.gov/publications/drafts/800-67-rev1/SP-800-67-rev1-2_July-2011.pdfS
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll String found in binary or memory: http://csrc.nist.gov/publications/drafts/fips180-4/Draft-FIPS180-4_Feb2011.pdfU
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll String found in binary or memory: http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdfS
Source: 3.dll String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
Source: loaddll32.exe, 00000000.00000003.3489486246.0000000004B2A000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000003.2218000145.000000000617A000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000003.3964928757.0000000005F0A000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4008990503.00000000060AA000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll String found in binary or memory: http://schemas.xmlsoap.org/soap/http
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll String found in binary or memory: http://schemas.xmlsoap.org/wsdl/http/
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll String found in binary or memory: http://schemas.xmlsoap.org/wsdl/mime/
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/#
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/SV
Source: rundll32.exe, 00000004.00000002.4072050972.0000000005DD5000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.4107198361.0000000006685000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.4123516856.00000000058A5000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.4071921649.0000000005D45000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.4008436389.0000000005ED5000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.4008990503.0000000005FEA000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.4070707435.00000000060B5000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll String found in binary or memory: http://tempuri.org/
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll String found in binary or memory: http://tempuri.org/U
Source: rundll32.exe, 0000000A.00000002.4008990503.0000000006094000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/iY
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll String found in binary or memory: http://tools.ietf.org/html/rfc1321
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll String found in binary or memory: http://tools.ietf.org/html/rfc4648S
Source: rundll32.exe, 00000009.00000003.3964928757.0000000005EED000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3999333385.0000000004BE0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.4008990503.000000000608D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3997674723.0000000004DC0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll String found in binary or memory: http://www.borland.com/namespaces/Types
Source: rundll32.exe, 0000000A.00000002.4008990503.0000000006017000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Types-IAppServerSOAP
Source: rundll32.exe, 00000004.00000002.3997706734.0000000004AE0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000005390000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000045B0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004A50000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.0000000004BE0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.0000000004DC0000.00000020.00000001.01000000.00000003.sdmp, 3.dll String found in binary or memory: http://www.borland.com/namespaces/Types-IAppServerSOAPU
Source: loaddll32.exe, 00000000.00000003.3489486246.0000000004A97000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2218000145.00000000060E7000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3964928757.0000000005E77000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Types-IAppServerSOAPq
Source: rundll32.exe, 00000004.00000002.3997706734.0000000004AE0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000005390000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000045B0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004A50000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.0000000004BE0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.4008990503.0000000006017000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3997674723.0000000004DC0000.00000020.00000001.01000000.00000003.sdmp, 3.dll String found in binary or memory: http://www.borland.com/namespaces/Types-IWSDLPublish
Source: loaddll32.exe, 00000000.00000003.3489486246.0000000004B0D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2218000145.000000000615D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3964928757.0000000005EED000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/TypesA
Source: loaddll32.exe, 00000000.00000003.3489486246.0000000004B0D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2218000145.000000000615D000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3964928757.0000000005EED000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Typesa
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll String found in binary or memory: http://www.borland.com/rootpart.xml
Source: 3.dll String found in binary or memory: http://www.componentace.com
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll String found in binary or memory: http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdfS
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll String found in binary or memory: http://www.ietf.org/rfc/rfc3447.txtS
Source: loaddll32.exe, 00000000.00000003.3489486246.0000000004A90000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3997706734.0000000004AE0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000005390000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000003.2218000145.00000000060E0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000045B0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004A50000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000003.3964928757.0000000005E70000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3999333385.0000000004BE0000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.4008990503.0000000006010000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3997674723.0000000004DC0000.00000020.00000001.01000000.00000003.sdmp, 3.dll String found in binary or memory: http://www.indyproject.org/
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll String found in binary or memory: http://www.itl.nist.gov/fipspubs/fip180-1.htm
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll String found in binary or memory: http://www.movable-type.co.uk/scripts/xxtea.pdfS
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll String found in binary or memory: http://www.schneier.com/paper-blowfish-fse.htmlS
Source: rundll32.exe, 00000004.00000002.3997706734.00000000045D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3998043142.0000000004E81000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3998033139.00000000040A1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3997902066.0000000004541000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.3999333385.00000000046D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.3997674723.00000000048B1000.00000020.00000001.01000000.00000003.sdmp, 3.dll String found in binary or memory: http://www.schneier.com/paper-twofish-paper.pdfS
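The csrc.nist.gov, ietf.org, xmlsoap.org, borland.com, indyproject.org, componentace.com, schneier.com and movable-type.co.uk URLs above are reference strings carried by the Delphi SOAP/Indy components and the crypto library compiled into the binary; the report records no DNS lookup or connection for any of them. The names actually resolved are pastebin.com, strogonoff.xyz and paradoxine.sbs, plus UDP to 1.1.1.1 that no DNS answer accounts for. The following is an added example, not Joe Sandbox logic, showing those three checks run over DNS and connection logs. The log lines are constructed in a Zeek-like tab-separated shape from the report's observations; the resolver address, the answer IP (a TEST-NET address) and the timestamps are made up.

```python
"""Detection pass for the network behaviour in the report: queries to a paste
service, queries to watch-list TLDs, and UDP to an address that no DNS answer
ever returned (the report's 'UDP traffic without corresponding DNS query').
Added example, not Joe Sandbox code; the logs below are constructed."""
import ipaddress

PASTE_SERVICES = {"pastebin.com"}      # extend with other paste/drop sites you track
WATCHLIST_TLDS = {"xyz", "sbs"}        # low-reputation TLDs seen in the report
SANDBOX_RESOLVER = "10.0.0.2"          # assumption: the host's configured resolver

# Constructed dns.log: ts, uid, orig, resp, proto, query, answers ("-" if none)
DNS_LOG = """\
1.0\tC1\t10.0.0.5\t10.0.0.2\tudp\tpastebin.com\t203.0.113.10
2.0\tC2\t10.0.0.5\t10.0.0.2\tudp\tstrogonoff.xyz\t-
3.0\tC3\t10.0.0.5\t10.0.0.2\tudp\tparadoxine.sbs\t-
"""
# Constructed conn.log: ts, uid, orig, resp, proto, resp_p
CONN_LOG = """\
1.1\tC4\t10.0.0.5\t203.0.113.10\ttcp\t443
2.5\tC5\t10.0.0.5\t1.1.1.1\tudp\t53
2.6\tC6\t10.0.0.5\t1.1.1.1\tudp\t53
"""

def parse_tsv(text, fields):
    return [dict(zip(fields, line.split("\t"))) for line in text.splitlines() if line]

def registrable(name):
    """Crude registrable-domain extraction (last two labels).  Enough for the
    TLDs here; use a public-suffix list for co.uk-style suffixes."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def analyse(dns_text, conn_text, resolvers=(SANDBOX_RESOLVER,)):
    dns = parse_tsv(dns_text, ["ts", "uid", "orig", "resp", "proto", "query", "answers"])
    conn = parse_tsv(conn_text, ["ts", "uid", "orig", "resp", "proto", "resp_p"])
    findings, answered = [], set()
    for rec in dns:
        dom = registrable(rec["query"])
        if dom in PASTE_SERVICES:
            findings.append(("paste_service_query", rec["query"]))
        if dom.rsplit(".", 1)[-1] in WATCHLIST_TLDS:
            findings.append(("watchlist_tld_query", rec["query"]))
        for a in rec["answers"].split(","):
            try:
                answered.add(str(ipaddress.ip_address(a)))   # remember every resolved IP
            except ValueError:
                pass                                          # "-" or a CNAME, not an address
    seen = set()
    for rec in conn:
        dst = rec["resp"]
        # UDP to a public address that no DNS answer produced and that is not the
        # configured resolver: the sample reached it by other means.
        if (rec["proto"] == "udp" and dst not in answered and dst not in resolvers
                and not ipaddress.ip_address(dst).is_private and dst not in seen):
            seen.add(dst)
            findings.append(("udp_without_dns", f"{dst}:{rec['resp_p']}"))
    return findings

if __name__ == "__main__":
    for kind, what in analyse(DNS_LOG, CONN_LOG):
        print(f"{kind:24s} {what}")
```

The last finding is the one to chase first: UDP/53 to 1.1.1.1 from a process that never resolved that address means the sample is talking to a public resolver directly rather than through the host's, which is why the sandbox saw the traffic but no matching query.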

System Summary

Source: 3.dll Static PE information: section name: ,V8h(]j
Source: 3.dll Static PE information: section name: 2Oi.bZ"
Source: 3.dll Static PE information: section name: -1T<]EC
Source: 3.dll Static PE information: section name: gPH9iZ]
Source: 3.dll Static PE information: section name: o8`CYVL)
Source: 3.dll Static PE information: section name: :87,Pg0>
Source: 3.dll Static PE information: section name: 4&WkOMbO
Source: 3.dll Static PE information: section name: [m(rRncT
Source: 3.dll Static PE information: section name: aR_M S9
Source: 3.dll Static PE information: section name: N2D,95K
Source: 3.dll Static PE information: section name: JlJ T26
Source: 3.dll Static PE information: section name: X=<];BL+
Source: 3.dll Static PE information: Number of sections : 13 > 10
Source: 3.dll Binary or memory string: OriginalFileName vs 3.dll
Source: 3.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
Source: classification engine Classification label: mal96.troj.evad.winDLL@20/0@3/0
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\b1oc1ab00u045627q07f
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4256:120:WilError_03
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3.dll",#1
Source: 3.dll ReversingLabs: Detection: 13%
Source: 3.dll Virustotal: Detection: 23%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\3.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\3.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3.dll,TMethodImplementationIntercept
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3.dll,__dbk_fcall_wrapper
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3.dll,b1oc1ab00u045627q07f
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3.dll",TMethodImplementationIntercept
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3.dll",__dbk_fcall_wrapper
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3.dll",b1oc1ab00u045627q07f
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3.dll",dbkFCallWrapperAddr
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: winmm.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: wininet.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: version.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: shfolder.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: wsock32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: netutils.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: olepro32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: security.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: secur32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32
Source: 3.dll Static file information: File size 25784320 > 1048576
Source: 3.dll Static PE information: Raw size of ,V8h(]j is bigger than: 0x100000 < 0x510c00
Source: 3.dll Static PE information: Raw size of 0VRn0YJr is bigger than: 0x100000 < 0x98aa00
Source: 3.dll Static PE information: Raw size of N2D,95K is bigger than: 0x100000 < 0x934000
Source: initial sample Static PE information: section where entry point is pointing to: N2D,95K
Source: 3.dll Static PE information: section name: ,V8h(]j
Source: 3.dll Static PE information: section name: 2Oi.bZ"
Source: 3.dll Static PE information: section name: -1T<]EC
Source: 3.dll Static PE information: section name: gPH9iZ]
Source: 3.dll Static PE information: section name: o8`CYVL)
Source: 3.dll Static PE information: section name: :87,Pg0>
Source: 3.dll Static PE information: section name: 4&WkOMbO
Source: 3.dll Static PE information: section name: [m(rRncT
Source: 3.dll Static PE information: section name: 0VRn0YJr
Source: 3.dll Static PE information: section name: aR_M S9
Source: 3.dll Static PE information: section name: N2D,95K
Source: 3.dll Static PE information: section name: JlJ T26
Source: 3.dll Static PE information: section name: X=<];BL+

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 4916 base: 13E0007 value: E9 EB DF FD 75
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 4916 base: 773BDFF0 value: E9 1E 20 02 8A
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3608 base: 35B0007 value: E9 EB DF E0 73
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3608 base: 773BDFF0 value: E9 1E 20 1F 8C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6420 base: 2D50007 value: E9 EB DF 66 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6420 base: 773BDFF0 value: E9 1E 20 99 8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1408 base: 510007 value: E9 EB DF EA 76
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1408 base: 773BDFF0 value: E9 1E 20 15 89
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5360 base: 2A30007 value: E9 EB DF 98 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5360 base: 773BDFF0 value: E9 1E 20 67 8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7036 base: 2AD0007 value: E9 EB DF 8E 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7036 base: 773BDFF0 value: E9 1E 20 71 8B
Source: C:\Windows\System32\loaddll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 2938FB0
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 2E3C81F
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 2E297E9
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 269395B
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 2752D75
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 2785812
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 2777AE9
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 28120A2
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 274C188
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 2E5D978
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 27F15DC
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 2EA6987
Source: C:\Windows\System32\loaddll32.exe Special instruction interceptor: First address: 281D61F instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: rundll32.exe, 0000000A.00000002.3998007562.0000000002CAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Windows\System32\loaddll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\loaddll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3.dll",#1
No contacted IP infos