Windows Analysis Report
1728293259cc6e52b482888882dfe5c059be5da0d1632c0622501d4ffa671dd4a2b13e033e282.dat-decoded.dll

Overview

General Information

Sample name: 1728293259cc6e52b482888882dfe5c059be5da0d1632c0622501d4ffa671dd4a2b13e033e282.dat-decoded.dll
Analysis ID: 1527905
MD5: 362c6cc84a08d92f1e7baad8ef365c07
SHA1: 7bed80318ff7fff27ebe3b8320579ae15844af23
SHA256: 57a232403c1edd0c5162660aff5686e3868d300722ea111a426616808d7890da
Tags: base64-decodeddlluser-abuse_ch
Infos:

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Execute DLL with spoofed extension
.NET source code contains potential unpacker
AI detected suspicious sample
Machine Learning detection for sample
Yara detected Generic Downloader
Creates a process in suspended mode (likely to inject code)
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Yara signature match

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: 1728293259cc6e52b482888882dfe5c059be5da0d1632c0622501d4ffa671dd4a2b13e033e282.dat-decoded.dll ReversingLabs: Detection: 31%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 93.2% probability
Machine Learning detection for sample
Source: 1728293259cc6e52b482888882dfe5c059be5da0d1632c0622501d4ffa671dd4a2b13e033e282.dat-decoded.dll Joe Sandbox ML: detected
Source: 1728293259cc6e52b482888882dfe5c059be5da0d1632c0622501d4ffa671dd4a2b13e033e282.dat-decoded.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: 1728293259cc6e52b482888882dfe5c059be5da0d1632c0622501d4ffa671dd4a2b13e033e282.dat-decoded.dll, type: SAMPLE

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 1728293259cc6e52b482888882dfe5c059be5da0d1632c0622501d4ffa671dd4a2b13e033e282.dat-decoded.dll, type: SAMPLE Matched rule: Detects known downloader agent Author: ditekSHen
Sample file is different than original file name gathered from version info
Source: 1728293259cc6e52b482888882dfe5c059be5da0d1632c0622501d4ffa671dd4a2b13e033e282.dat-decoded.dll Binary or memory string: OriginalFilenameClassLibrary1.dll< vs 1728293259cc6e52b482888882dfe5c059be5da0d1632c0622501d4ffa671dd4a2b13e033e282.dat-decoded.dll
Yara signature match
Source: 1728293259cc6e52b482888882dfe5c059be5da0d1632c0622501d4ffa671dd4a2b13e033e282.dat-decoded.dll, type: SAMPLE Matched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
Source: classification engine Classification label: mal80.troj.evad.winDLL@6/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7264:120:WilError_03
Source: 1728293259cc6e52b482888882dfe5c059be5da0d1632c0622501d4ffa671dd4a2b13e033e282.dat-decoded.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 1728293259cc6e52b482888882dfe5c059be5da0d1632c0622501d4ffa671dd4a2b13e033e282.dat-decoded.dll Static file information: TRID: Win32 Dynamic Link Library (generic) Net Framework (1011504/3) 50.14%
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1728293259cc6e52b482888882dfe5c059be5da0d1632c0622501d4ffa671dd4a2b13e033e282.dat-decoded.dll",#1
Source: 1728293259cc6e52b482888882dfe5c059be5da0d1632c0622501d4ffa671dd4a2b13e033e282.dat-decoded.dll ReversingLabs: Detection: 31%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\1728293259cc6e52b482888882dfe5c059be5da0d1632c0622501d4ffa671dd4a2b13e033e282.dat-decoded.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1728293259cc6e52b482888882dfe5c059be5da0d1632c0622501d4ffa671dd4a2b13e033e282.dat-decoded.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1728293259cc6e52b482888882dfe5c059be5da0d1632c0622501d4ffa671dd4a2b13e033e282.dat-decoded.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1728293259cc6e52b482888882dfe5c059be5da0d1632c0622501d4ffa671dd4a2b13e033e282.dat-decoded.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1728293259cc6e52b482888882dfe5c059be5da0d1632c0622501d4ffa671dd4a2b13e033e282.dat-decoded.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: 1728293259cc6e52b482888882dfe5c059be5da0d1632c0622501d4ffa671dd4a2b13e033e282.dat-decoded.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 1728293259cc6e52b482888882dfe5c059be5da0d1632c0622501d4ffa671dd4a2b13e033e282.dat-decoded.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 1728293259cc6e52b482888882dfe5c059be5da0d1632c0622501d4ffa671dd4a2b13e033e282.dat-decoded.dll, Class1.cs .Net Code: ZxKHG System.AppDomain.Load(byte[])
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000 Jump to behavior
Source: 1728293259cc6e52b482888882dfe5c059be5da0d1632c0622501d4ffa671dd4a2b13e033e282.dat-decoded.dll Binary or memory string: vmtoolsd
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1728293259cc6e52b482888882dfe5c059be5da0d1632c0622501d4ffa671dd4a2b13e033e282.dat-decoded.dll",#1 Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1527905 Sample: 1728293259cc6e52b482888882d... Startdate: 07/10/2024 Architecture: WINDOWS Score: 80 15 Malicious sample detected (through community Yara rule) 2->15 17 Multi AV Scanner detection for submitted file 2->17 19 Sigma detected: Execute DLL with spoofed extension 2->19 21 4 other signatures 2->21 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 conhost.exe 7->11         started        process5 13 rundll32.exe 9->13         started       
No contacted IP infos