Windows Analysis Report
RtJvzroKSq.dll

Overview

General Information

Sample name: RtJvzroKSq.dll
(renamed file extension from exe to dll, renamed because original name is a hash value)
Original sample name: b9876905ef39a784dd9ab1e41288bd98.dll.exe
Analysis ID: 1561759
MD5: b9876905ef39a784dd9ab1e41288bd98
SHA1: 6897879ed1b961aad24cd37903d900492d279f6b
SHA256: 6ae95415ed900953fcf4618b9896ed8ea93c60e1b1f5e587b356ea2b24e2acf6
Tags: dll, exe, StrelaStealer, user-abuse_ch

Detection

Strela Stealer
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Strela Stealer
AI detected suspicious sample
Machine Learning detection for sample
Contains functionality to query locale information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
PE file does not import any functions
Program does not show much activity (idle)
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)
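
The "PE file does not import any functions" signature above, together with the static PE facts recorded further down in this report (HIGH_ENTROPY_VA, DYNAMIC_BASE and NX_COMPAT set, image base 0x180000000, a single .text section flagged CNT_CODE | MEM_EXECUTE | MEM_READ), can be reproduced outside the sandbox with a plain header parser. The following is an added example written for this page, not code from the Joe Sandbox report or its tooling. It uses only the Python standard library; the function names triage_pe and build_minimal_pe64 are this example's own, and the PE it triages is a header-only PE32+ image constructed to mirror those facts, not the analysed sample.

```python
"""Static PE header triage: DllCharacteristics, image base, import directory and
section flags. Added example for this page (standard library only)."""
import struct

IMAGE_FILE_DLL = 0x2000
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
SECTION_FLAGS = {
    0x00000020: "CNT_CODE", 0x00000040: "CNT_INITIALIZED_DATA",
    0x00000080: "CNT_UNINITIALIZED_DATA", 0x20000000: "MEM_EXECUTE",
    0x40000000: "MEM_READ", 0x80000000: "MEM_WRITE",
}


def _names(table, value):
    return [name for bit, name in sorted(table.items()) if value & bit]


def triage_pe(data: bytes) -> dict:
    """Parse DOS/COFF/optional headers and the section table; return facts plus findings."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:    # PE32+: 8-byte ImageBase at +24, data directories start at +112
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        nrva_off, dd_off = 108, 112
    elif magic == 0x10B:  # PE32: 4-byte ImageBase at +28, data directories start at +96
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        nrva_off, dd_off = 92, 96
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    nrva = struct.unpack_from("<I", data, opt + nrva_off)[0]
    import_rva = import_size = 0
    if nrva > 1:          # data directory entry 1 is IMAGE_DIRECTORY_ENTRY_IMPORT
        import_rva, import_size = struct.unpack_from("<II", data, opt + dd_off + 8)
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        flags = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, _names(SECTION_FLAGS, flags)))

    findings = []
    if import_rva == 0 or import_size == 0:
        findings.append("no import directory: APIs are resolved at run time, not by the loader")
    if image_base > 0x60000000:
        findings.append("image base 0x%X above 0x60000000" % image_base)
    for name, flags in sections:
        if "MEM_EXECUTE" in flags and "MEM_WRITE" in flags:
            findings.append("section %s is writable and executable" % name)
    return {
        "machine": machine,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "image_base": image_base,
        "dll_characteristics": _names(DLL_CHARACTERISTICS, dll_chars),
        "has_imports": import_rva != 0 and import_size != 0,
        "sections": sections,
        "findings": findings,
    }


def build_minimal_pe64(dll_chars, image_base, import_rva=0, import_size=0):
    """Constructed sample: a header-only PE32+ DLL with one RX .text section (not the analysed file)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240,        # AMD64, 1 section, 240-byte optional header
                       IMAGE_FILE_DLL | 0x0002 | 0x0020)           # DLL | EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                          # PE32+ magic
    struct.pack_into("<Q", opt, 24, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 108, 16)                           # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8, import_rva, import_size)  # import directory entry
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x200, 0, 0, 0, 0,
                       0x20 | 0x20000000 | 0x40000000)             # CNT_CODE | MEM_EXECUTE | MEM_READ
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text


if __name__ == "__main__":
    sample = build_minimal_pe64(0x0020 | 0x0040 | 0x0100, 0x180000000)
    for key, value in triage_pe(sample).items():
        print("%-20s %s" % (key, value))
```

The empty import directory is the detail worth acting on: a 64-bit DLL that imports nothing has to locate kernel32/ntdll exports itself once it runs, which typically means walking the PEB loader lists or matching hashed export names, so the unpacked memory dumps listed under the Yara matches below are where the real API usage will be visible.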

Classification

AV Detection

Source: RtJvzroKSq.dll Virustotal: Detection: 41%
Source: RtJvzroKSq.dll ReversingLabs: Detection: 42%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.7% probability
Source: RtJvzroKSq.dll Joe Sandbox ML: detected
Source: RtJvzroKSq.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000002093FD1F4E8 0_2_000002093FD1F4E8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000002093FD11090 0_2_000002093FD11090
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000002093FD172BC 0_2_000002093FD172BC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000002093FD11A90 0_2_000002093FD11A90
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000002093FD115A0 0_2_000002093FD115A0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0059F4E8 4_2_0059F4E8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00591090 4_2_00591090
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_005915A0 4_2_005915A0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00591A90 4_2_00591A90
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_005972BC 4_2_005972BC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000002B6D14515A0 5_2_000002B6D14515A0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000002B6D145F4E8 5_2_000002B6D145F4E8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000002B6D1451090 5_2_000002B6D1451090
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000002B6D14572BC 5_2_000002B6D14572BC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000002B6D1451A90 5_2_000002B6D1451A90
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000260C5271A90 6_2_00000260C5271A90
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000260C52772BC 6_2_00000260C52772BC
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000260C52715A0 6_2_00000260C52715A0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000260C5271090 6_2_00000260C5271090
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000260C527F4E8 6_2_00000260C527F4E8
Source: RtJvzroKSq.dll Static PE information: No import functions for PE file found
Source: classification engine Classification label: mal64.troj.winDLL@10/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3636:120:WilError_03
Source: RtJvzroKSq.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\RtJvzroKSq.dll",#1
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\RtJvzroKSq.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\RtJvzroKSq.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\RtJvzroKSq.dll
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\RtJvzroKSq.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll64.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: wininet.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: wininet.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\loaddll64.exe Automated click: OK
Source: C:\Windows\System32\regsvr32.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: RtJvzroKSq.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000002093FD210BC push esi; retf 0_2_000002093FD210C3
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000002093FD210C4 push esi; retf 0_2_000002093FD210CB
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000002093FD210AC push esi; retf 0_2_000002093FD210B3
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000002093FD210DC push esi; retf 0_2_000002093FD210E3
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000002093FD210E4 push esi; retf 0_2_000002093FD210EB
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000002093FD210CC push esi; retf 0_2_000002093FD210DB
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000002093FD21084 push esi; retf 0_2_000002093FD2108B
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000002093FD1CC6C push esi; retf 0000h 0_2_000002093FD1CC6D
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000002093FD2106C push esi; retf 0_2_000002093FD210DB
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000002093FD1CC9C push ebx; retf 0_2_000002093FD1CC9D
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000002093FD2109C push ebp; retf 0_2_000002093FD210AB
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000002093FD1CCA8 push 6F0000CBh; retf 0_2_000002093FD1CCAD
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000002093FD2108C push ebp; retf 0_2_000002093FD2109B
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000002093FD1CC35 push cs; retf 0000h 0_2_000002093FD1CC59
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000002093FD21064 push esi; retf 0_2_000002093FD2106B
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000002093FD21003 push esi; retf 0_2_000002093FD21063
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000002093FD1BBA2 push esp; ret 0_2_000002093FD1BBA5
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000002093FD212FA push ebp; retf 0_2_000002093FD212FB
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000002093FD21300 push ebp; retf 0_2_000002093FD21303
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000002093FD212EC push ebp; retf 0_2_000002093FD212F3
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000002093FD2130A push esi; retf 0_2_000002093FD2130B
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000002093FD21310 push esi; retf 0_2_000002093FD21313
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000002093FD21318 push ebp; retf 0_2_000002093FD2131B
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000002093FD212C4 push ebp; retf 0_2_000002093FD212CB
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000002093FD212B4 push ebp; retf 0_2_000002093FD212C3
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000002093FD212DC push ebp; retf 0_2_000002093FD212E3
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000002093FD212DA push ebp; retf 0_2_000002093FD212DB
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000002093FD212E4 push ebp; retf 0_2_000002093FD212EB
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000002093FD212D2 push esi; retf 0_2_000002093FD212D3
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000002093FD2126C push esi; retf 0_2_000002093FD2128B
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000002093FD212A4 push esi; retf 0_2_000002093FD212B3
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll64.exe Code function: GetConsoleWindow,CreateThread,GetLocaleInfoA, 0_2_000002093FD120E0
Source: C:\Windows\System32\regsvr32.exe Code function: CreateThread,GetLocaleInfoA, 4_2_005920E0
Source: C:\Windows\System32\rundll32.exe Code function: CreateThread,GetLocaleInfoA, 5_2_000002B6D14520E0
Source: C:\Windows\System32\rundll32.exe Code function: CreateThread,GetLocaleInfoA, 6_2_00000260C52720E0
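
The process tree recorded above is the part of this report a detection engineer can turn into a rule: cmd.exe spawning rundll32.exe with "C:\Users\user\Desktop\RtJvzroKSq.dll",#1, regsvr32.exe /s on the same DLL, and rundll32.exe calling its DllRegisterServer export. The traits that matter are a DLL in a user-writable directory being handed to a signed system loader, an ordinal (#1) rather than a named export, and a silent (/s) registration. Note that loaddll64.exe is the sandbox's own DLL loader harness; on a real endpoint the parent would be whatever delivered the file (an Office process, a browser, explorer.exe), so a rule should key on the child command lines rather than on that parent. The following scoring logic is an added example written for this page, not part of the Joe Sandbox report or product; ProcEvent, score_event and score_events are this example's own names, and the events it scores are constructed from the command lines in this report plus one benign rundll32 baseline.

```python
"""Score Windows process-creation events for the rundll32/regsvr32 DLL-loading
pattern seen in this report. Added example for this page; the sample events are
constructed from the report's command lines plus one benign baseline."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# Directories an unprivileged user can normally write to (constructed list; extend per environment).
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\users\\|[a-z]:\\programdata\\|[a-z]:\\windows\\temp\\|\\\\)", re.I)
# First absolute .dll path on the command line, optionally followed by ",export" (#ordinal or name).
DLL_ARG = re.compile(r'"?([a-z]:\\[^",]+?\.dll)"?\s*(?:,\s*(#?\w+))?', re.I)
SILENT_FLAG = re.compile(r"(?:^|\s)/s(?:\s|$)", re.I)


def score_event(ev: ProcEvent) -> list:
    """Return the suspicious traits of one event (empty list means nothing notable)."""
    image = ev.image.lower().rsplit("\\", 1)[-1]
    if image not in ("rundll32.exe", "regsvr32.exe"):
        return []
    m = DLL_ARG.search(ev.command_line)
    if not m:
        return []
    dll, export = m.group(1), m.group(2)
    findings = []
    if USER_WRITABLE.match(dll):
        findings.append("%s loads a DLL from a user-writable path: %s" % (image, dll))
    if image == "rundll32.exe" and export:
        if export.startswith("#"):
            findings.append("rundll32 calls ordinal export %s instead of a named function" % export)
        elif export.lower() == "dllregisterserver":
            findings.append("rundll32 invokes DllRegisterServer (registration without regsvr32)")
    if image == "regsvr32.exe" and SILENT_FLAG.search(ev.command_line) and USER_WRITABLE.match(dll):
        findings.append("regsvr32 silent (/s) registration of a DLL outside system directories")
    return findings


def score_events(events) -> dict:
    """Map each event's command line to its findings, keeping only events with at least one."""
    out = {}
    for ev in events:
        hits = score_event(ev)
        if hits:
            out[ev.command_line] = hits
    return out


# Constructed events modelled on the process tree in this report. loaddll64.exe is the
# sandbox's loader harness; a real parent would be e.g. an Office process or explorer.exe.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe "C:\Users\user\Desktop\RtJvzroKSq.dll",#1'),
    ProcEvent(r"C:\Windows\System32\loaddll64.exe", r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\Users\user\Desktop\RtJvzroKSq.dll"),
    ProcEvent(r"C:\Windows\System32\loaddll64.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\user\Desktop\RtJvzroKSq.dll,DllRegisterServer"),
    # benign baseline: a system DLL with a named export, launched by a system process
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for cmd, hits in score_events(SAMPLE_EVENTS).items():
        print(cmd)
        for h in hits:
            print("   -", h)
```

Each of the three report command lines produces two findings and the baseline produces none; in production the user-writable path list and the allowed-parent set are the knobs that decide the false-positive rate, since installers and some management agents also drive regsvr32 /s on DLLs under ProgramData.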

Stealing of Sensitive Information

Source: Yara match File source: 4.2.regsvr32.exe.7ffbbca00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.7ffbbca00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.7ffbbca06404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.7ffbbca06404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll64.exe.7ffbbca00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.7ffbbca06404.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll64.exe.7ffbbca06404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.7ffbbca06404.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.7ffbbca06404.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll64.exe.7ffbbca06404.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.7ffbbca00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.7ffbbca06404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1502079368.000002093FD11000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1502684092.00007FFBBCA06000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1472814726.00000260C5271000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1472951159.00007FFBBCA06000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1465002789.0000000000591000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1465493426.00007FFBBCA06000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1472723820.00007FFBBCA06000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1472454129.000002B6D1451000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll64.exe PID: 2944, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 2332, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 3284, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2216, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 4.2.regsvr32.exe.7ffbbca00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.7ffbbca00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.7ffbbca06404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.7ffbbca06404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll64.exe.7ffbbca00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.7ffbbca06404.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll64.exe.7ffbbca06404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.7ffbbca06404.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.7ffbbca06404.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll64.exe.7ffbbca06404.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.7ffbbca00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.7ffbbca06404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1502079368.000002093FD11000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1502684092.00007FFBBCA06000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1472814726.00000260C5271000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1472951159.00007FFBBCA06000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1465002789.0000000000591000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1465493426.00007FFBBCA06000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1472723820.00007FFBBCA06000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1472454129.000002B6D1451000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll64.exe PID: 2944, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 2332, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 3284, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2216, type: MEMORYSTR
No contacted IP information