Windows Analysis Report
PacketParser.dll

Overview

General Information

Sample name: PacketParser.dll
Analysis ID: 1561665
MD5: d1c1b8f61400f4af04d3d20d4c6a7107
SHA1: 96e33fc52b2e383edb76d67fa31c8e9f477a8844
SHA256: fa88819f196af4cfd82fdef5c6b9681e6f900f1e7bd9c1b137596c8339955226
Infos:

Detection

Score: 22
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Contains VNC / remote desktop functionality (version string found)
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)

Classification

Source: PacketParser.dll Static PE information: certificate valid
Source: PacketParser.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: PacketParser.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: PacketParser.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: PacketParser.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: PacketParser.dll String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: PacketParser.dll String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: PacketParser.dll String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: PacketParser.dll String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: PacketParser.dll String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: PacketParser.dll String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: PacketParser.dll String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: PacketParser.dll String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: PacketParser.dll String found in binary or memory: http://ocsp.comodoca.com0
Source: PacketParser.dll String found in binary or memory: http://ocsp.digicert.com0A
Source: PacketParser.dll String found in binary or memory: http://ocsp.digicert.com0C
Source: PacketParser.dll String found in binary or memory: http://ocsp.digicert.com0X
Source: PacketParser.dll String found in binary or memory: http://ocsp.sectigo.com0
Source: PacketParser.dll String found in binary or memory: https://sectigo.com/CPS0
Source: classification engine Classification label: sus22.troj.winDLL@6/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1428:120:WilError_03
Source: PacketParser.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PacketParser.dll Static file information: TRID: Win32 Dynamic Link Library (generic) Net Framework (1011504/3) 50.14%
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PacketParser.dll",#1
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\PacketParser.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\PacketParser.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PacketParser.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\PacketParser.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PacketParser.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: PacketParser.dll Static PE information: certificate valid
Source: PacketParser.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PacketParser.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: PacketParser.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains a suspicious time stamp
Source: PacketParser.dll Static PE information: 0x9ED26C57 [Tue Jun 9 04:00:23 2054 UTC]
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000 Jump to behavior
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PacketParser.dll",#1 Jump to behavior

Remote Access Functionality
barindex
Contains VNC / remote desktop functionality (version string found)
Source: PacketParser.dll String found in binary or memory: RFB 00
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1561665 Sample: PacketParser.dll Startdate: 24/11/2024 Architecture: WINDOWS Score: 22 15 Contains VNC / remote desktop functionality (version string found) 2->15 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 conhost.exe 7->11         started        process5 13 rundll32.exe 9->13         started       
No contacted IP infos

Contacted Domains

Name IP Active
s-part-0035.t-0009.t-msedge.net 13.107.246.63 true