Windows Analysis Report
DK3LmU4Xkl.dll

Overview

General Information

Sample name: DK3LmU4Xkl.dll
(renamed file extension from exe to dll, renamed because original name is a hash value)
Original sample name: 990bc4b90a3d10f2ae085497a216e4f4.dll.exe
Analysis ID: 1561758
MD5: 990bc4b90a3d10f2ae085497a216e4f4
SHA1: 1202567c49e3a8c05dca5c0ce82dc6659e425f95
SHA256: 48b51a6bedbda86249a1188c36a007f1ff8fdb3355a75b68eac7aa89ea5ad77a
Tags: dll, exe, StrelaStealer, user-abuse_ch

Detection

Strela Stealer
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Strela Stealer
AI detected suspicious sample
Machine Learning detection for sample
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
PE file does not import any functions
Program does not show much activity (idle)
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: DK3LmU4Xkl.dll ReversingLabs: Detection: 39%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 91.3% probability
Source: DK3LmU4Xkl.dll Joe Sandbox ML: detected
Source: DK3LmU4Xkl.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8B8F710A0 0_2_00007FF8B8F710A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000001D30FFC72BC 0_2_000001D30FFC72BC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000001D30FFC1A90 0_2_000001D30FFC1A90
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000001D30FFC15A0 0_2_000001D30FFC15A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000001D30FFCF4E8 0_2_000001D30FFCF4E8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000001D30FFC1090 0_2_000001D30FFC1090
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_023172BC 3_2_023172BC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02311A90 3_2_02311A90
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02311090 3_2_02311090
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0231F4E8 3_2_0231F4E8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_023115A0 3_2_023115A0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000020810AE15A0 4_2_0000020810AE15A0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000020810AE72BC 4_2_0000020810AE72BC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000020810AE1A90 4_2_0000020810AE1A90
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000020810AE1090 4_2_0000020810AE1090
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000020810AEF4E8 4_2_0000020810AEF4E8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000017D3F45F4E8 5_2_0000017D3F45F4E8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000017D3F4515A0 5_2_0000017D3F4515A0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000017D3F451090 5_2_0000017D3F451090
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000017D3F4572BC 5_2_0000017D3F4572BC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000017D3F451A90 5_2_0000017D3F451A90
Source: DK3LmU4Xkl.dll Static PE information: No import functions for PE file found
Source: classification engine Classification label: mal64.troj.winDLL@10/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7320:120:WilError_03
Source: DK3LmU4Xkl.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\DK3LmU4Xkl.dll",#1
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\DK3LmU4Xkl.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\DK3LmU4Xkl.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\DK3LmU4Xkl.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\DK3LmU4Xkl.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\DK3LmU4Xkl.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll64.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: wininet.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: wininet.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\loaddll64.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: DK3LmU4Xkl.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: DK3LmU4Xkl.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000001D30FFD75DE push ecx; retf 003Fh 0_2_000001D30FFD763E
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000001D30FFCCCA8 push 6F0000CBh; retf 0_2_000001D30FFCCCAD
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000001D30FFCCC9C push ebx; retf 0_2_000001D30FFCCC9D
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000001D30FFCCC6C push esi; retf 0000h 0_2_000001D30FFCCC6D
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000001D30FFCCC35 push cs; retf 0000h 0_2_000001D30FFCCC59
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000001D30FFCBBA2 push esp; ret 0_2_000001D30FFCBBA5
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0231BBA2 push esp; ret 3_2_0231BBA5
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0231CC35 push cs; retf 0000h 3_2_0231CC59
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0231CC6C push esi; retf 0000h 3_2_0231CC6D
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0231CCA8 push 6F0000CBh; retf 3_2_0231CCAD
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0231CC9C push ebx; retf 3_2_0231CC9D
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000020810AEBBA2 push esp; ret 4_2_0000020810AEBBA5
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000020810AECCA8 push 6F0000CBh; retf 4_2_0000020810AECCAD
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000020810AECC9C push ebx; retf 4_2_0000020810AECC9D
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000020810AECC35 push cs; retf 0000h 4_2_0000020810AECC59
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000020810AECC6C push esi; retf 0000h 4_2_0000020810AECC6D
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000017D3F45CC35 push cs; retf 0000h 5_2_0000017D3F45CC59
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000017D3F45CCA8 push 6F0000CBh; retf 5_2_0000017D3F45CCAD
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000017D3F45CC6C push esi; retf 0000h 5_2_0000017D3F45CC6D
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000017D3F45CC9C push ebx; retf 5_2_0000017D3F45CC9D
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000017D3F45BBA2 push esp; ret 5_2_0000017D3F45BBA5
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll64.exe Code function: GetConsoleWindow,CreateThread,GetLocaleInfoA, 0_2_000001D30FFC20E0
Source: C:\Windows\System32\regsvr32.exe Code function: CreateThread,GetLocaleInfoA, 3_2_023120E0
Source: C:\Windows\System32\rundll32.exe Code function: CreateThread,GetLocaleInfoA, 4_2_0000020810AE20E0
Source: C:\Windows\System32\rundll32.exe Code function: CreateThread,GetLocaleInfoA, 5_2_0000017D3F4520E0

Stealing of Sensitive Information

Source: Yara match File source: 3.2.regsvr32.exe.7ff8b8f77404.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.7ff8b8f77404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll64.exe.7ff8b8f77404.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.7ff8b8f77404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.7ff8b8f77404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.7ff8b8f77404.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.7ff8b8f70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.7ff8b8f77404.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll64.exe.7ff8b8f70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll64.exe.7ff8b8f77404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.7ff8b8f70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.7ff8b8f70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2129338789.000001D30FFC1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2100895730.00007FF8B8F77000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2095917697.00007FF8B8F77000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2101067512.00007FF8B8F77000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2129643214.00007FF8B8F77000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2100844159.0000017D3F451000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2100662782.0000000002311000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2095665695.0000020810AE1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll64.exe PID: 7312, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 7372, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7396, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 3.2.regsvr32.exe.7ff8b8f77404.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.7ff8b8f77404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll64.exe.7ff8b8f77404.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.7ff8b8f77404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.7ff8b8f77404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.7ff8b8f77404.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.7ff8b8f70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.7ff8b8f77404.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll64.exe.7ff8b8f70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll64.exe.7ff8b8f77404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.7ff8b8f70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.7ff8b8f70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2129338789.000001D30FFC1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2100895730.00007FF8B8F77000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2095917697.00007FF8B8F77000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2101067512.00007FF8B8F77000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2129643214.00007FF8B8F77000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2100844159.0000017D3F451000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2100662782.0000000002311000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2095665695.0000020810AE1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll64.exe PID: 7312, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 7372, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7396, type: MEMORYSTR
No contacted IP infos