Windows Analysis Report
Db5aU9VNyz.dll

Overview

General Information

Sample name: Db5aU9VNyz.dll
(file extension renamed from exe to dll; the file was renamed because the original name is a hash value)
Original sample name: ceea2771acee3957189b502f5e1b607d.dll.exe
Analysis ID: 1561762
MD5: ceea2771acee3957189b502f5e1b607d
SHA1: ac79d2f79f00dcbf0116ab8b7268069927258549
SHA256: 85dccf69b7fc24cf39f6d3821e963905005993a5036cbfbf6412dde5558df2bd
Tags: dll, exe, StrelaStealer, user-abuse_ch

Detection

Strela Stealer
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Strela Stealer
AI detected suspicious sample
Machine Learning detection for sample
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
PE file does not import any functions
Program does not show much activity (idle)
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Db5aU9VNyz.dll ReversingLabs: Detection: 50%
Source: Db5aU9VNyz.dll Virustotal: Detection: 47%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 87.5% probability
Source: Db5aU9VNyz.dll Joe Sandbox ML: detected
Source: Db5aU9VNyz.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8E83B11B0 0_2_00007FF8E83B11B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8E83B1000 0_2_00007FF8E83B1000
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000022A4F57F4E8 0_2_0000022A4F57F4E8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000022A4F571090 0_2_0000022A4F571090
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000022A4F5772BC 0_2_0000022A4F5772BC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000022A4F571A90 0_2_0000022A4F571A90
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000022A4F5715A0 0_2_0000022A4F5715A0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00C21090 3_2_00C21090
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00C21A90 3_2_00C21A90
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00C272BC 3_2_00C272BC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00C2F4E8 3_2_00C2F4E8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00C215A0 3_2_00C215A0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000001A4D683F4E8 4_2_000001A4D683F4E8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000001A4D6831090 4_2_000001A4D6831090
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000001A4D68315A0 4_2_000001A4D68315A0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000001A4D68372BC 4_2_000001A4D68372BC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000001A4D6831A90 4_2_000001A4D6831A90
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000256F168F4E8 5_2_00000256F168F4E8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000256F1681090 5_2_00000256F1681090
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000256F16872BC 5_2_00000256F16872BC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000256F16815A0 5_2_00000256F16815A0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_00000256F1681A90 5_2_00000256F1681A90
Source: Db5aU9VNyz.dll Static PE information: No import functions for PE file found
Source: classification engine Classification label: mal64.troj.winDLL@10/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7528:120:WilError_03
Source: Db5aU9VNyz.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Db5aU9VNyz.dll",#1
Source: Db5aU9VNyz.dll ReversingLabs: Detection: 50%
Source: Db5aU9VNyz.dll Virustotal: Detection: 47%
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\Db5aU9VNyz.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Db5aU9VNyz.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Db5aU9VNyz.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Db5aU9VNyz.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Db5aU9VNyz.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Db5aU9VNyz.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Db5aU9VNyz.dll
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Db5aU9VNyz.dll,DllRegisterServer
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Db5aU9VNyz.dll",#1
Source: C:\Windows\System32\loaddll64.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: wininet.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: wininet.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\loaddll64.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Db5aU9VNyz.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: Db5aU9VNyz.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Db5aU9VNyz.dll
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000022A4F57CC35 push cs; retf 0000h 0_2_0000022A4F57CC59
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000022A4F57CC6C push esi; retf 0000h 0_2_0000022A4F57CC6D
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000022A4F57CCA8 push 6F0000CBh; retf 0_2_0000022A4F57CCAD
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000022A4F57CC9C push ebx; retf 0_2_0000022A4F57CC9D
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000022A4F57BBA2 push esp; ret 0_2_0000022A4F57BBA5
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00C348D1 push esp; ret 3_2_00C348DA
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00C348E1 push ebp; ret 3_2_00C348EA
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00C348F0 push ebp; ret 3_2_00C348FA
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00C34840 push esp; ret 3_2_00C3484A
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00C34850 push ebp; ret 3_2_00C3492A
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00C34861 push esp; ret 3_2_00C348AA
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00C34800 push esp; ret 3_2_00C3480A
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00C34810 push esp; ret 3_2_00C3481A
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00C34828 push esp; ret 3_2_00C3482A
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00C34838 push esp; ret 3_2_00C3483A
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00C349C9 push ebp; ret 3_2_00C349CA
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00C349D0 push ebp; ret 3_2_00C349DA
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00C361D8 push esi; ret 3_2_00C361F2
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00C349E0 push esi; ret 3_2_00C34A1A
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00C34981 push ebp; ret 3_2_00C349BA
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00C34968 push ebp; ret 3_2_00C3497A
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00C34908 push ebp; ret 3_2_00C3491A
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00C31928 push ds; ret 3_2_00C31962
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00C31938 push ds; ret 3_2_00C31962
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00C2BBA2 push esp; ret 3_2_00C2BBA5
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00C32B48 push eax; ret 3_2_00C32B49
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00C32B58 pushad ; ret 3_2_00C32B59
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00C324E9 push edx; retn 0000h 3_2_00C324EA
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00C344F0 push eax; ret 3_2_00C344FA
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00C34490 push eax; ret 3_2_00C344AA
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00C2CC9C push ebx; retf 3_2_00C2CC9D
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Db5aU9VNyz.dll",#1
Source: C:\Windows\System32\loaddll64.exe Code function: GetConsoleWindow,CreateThread,GetLocaleInfoA, 0_2_0000022A4F5720E0
Source: C:\Windows\System32\regsvr32.exe Code function: CreateThread,GetLocaleInfoA, 3_2_00C220E0
Source: C:\Windows\System32\rundll32.exe Code function: CreateThread,GetLocaleInfoA, 4_2_000001A4D68320E0
Source: C:\Windows\System32\rundll32.exe Code function: CreateThread,GetLocaleInfoA, 5_2_00000256F16820E0

Stealing of Sensitive Information

Source: Yara match File source: 5.2.rundll32.exe.7ff8e83b6404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.7ff8e83b6404.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll64.exe.7ff8e83b6404.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll64.exe.7ff8e83b6404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.7ff8e83b6404.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.7ff8e83b6404.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.7ff8e83b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.7ff8e83b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.7ff8e83b6404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll64.exe.7ff8e83b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.7ff8e83b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.7ff8e83b6404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.1398313298.000001A4D6831000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1398710559.00007FF8E83B6000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1397725168.00000256F1681000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1428573354.00007FF8E83B6000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1398922334.0000000000C21000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1397944483.00007FF8E83B6000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1399133207.00007FF8E83B6000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1428165184.0000022A4F571000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll64.exe PID: 7520, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 7580, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7596, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7604, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 5.2.rundll32.exe.7ff8e83b6404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.7ff8e83b6404.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll64.exe.7ff8e83b6404.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll64.exe.7ff8e83b6404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.7ff8e83b6404.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.7ff8e83b6404.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.7ff8e83b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.7ff8e83b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.7ff8e83b6404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll64.exe.7ff8e83b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.7ff8e83b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.7ff8e83b6404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.1398313298.000001A4D6831000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1398710559.00007FF8E83B6000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1397725168.00000256F1681000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1428573354.00007FF8E83B6000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1398922334.0000000000C21000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1397944483.00007FF8E83B6000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1399133207.00007FF8E83B6000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1428165184.0000022A4F571000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll64.exe PID: 7520, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 7580, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7596, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7604, type: MEMORYSTR
No contacted IP infos