Windows Analysis Report
RasTls.dll

Overview

General Information

Sample name: RasTls.dll
Analysis ID: 1561846
MD5: f1c9f093d5479560e83a0759201210b7
SHA1: 9553567e231a172c69f0ef8800a927193b9cbd49
SHA256: 1906e7d5a745a364c91f5e230e16e1566721ace1183a57e8d25ff437664c7d02

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
AI detected suspicious sample
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
PE file contains section with special chars
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Creates a process in suspended mode (likely to inject code)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files

Classification

AV Detection

Source: RasTls.dll Avira: detected
Source: RasTls.dll ReversingLabs: Detection: 68%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: RasTls.dll Joe Sandbox ML: detected
Source: RasTls.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: RasTls.dll Static PE information: DYNAMIC_BASE, NX_COMPAT

Networking

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 65.20.90.139 443
Source: Joe Sandbox View ASN Name: CP-ASDE CP-ASDE
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: swiftandfast.net
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown Network traffic detected: HTTP traffic on port 49888 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49987

System Summary

Source: RasTls.dll Static PE information: section name: .X:T
Source: RasTls.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: classification engine Classification label: mal88.evad.winDLL@10/0@1/1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5948:120:WilError_03
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\RasTls.dll,GetOfficeDatatal
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\RasTls.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\RasTls.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\RasTls.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\RasTls.dll",GetOfficeDatatal
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: samcli.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: netutils.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: wldp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: RasTls.dll Static file information: File size 6302208 > 1048576
Source: RasTls.dll Static PE information: Raw size of .WFm is bigger than: 0x100000 < 0x601800
Source: RasTls.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: initial sample Static PE information: section where entry point is pointing to: .WFm
Source: RasTls.dll Static PE information: section name: .X:T
Source: RasTls.dll Static PE information: section name: .BXf
Source: RasTls.dll Static PE information: section name: .WFm
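
Added worked example (not Joe Sandbox code and not taken from the sample): a header-only PE32 parser that reproduces the static checks raised above for this file: section names containing special characters (.X:T), non-standard section names, the entry point resting in a section other than a conventional code section (.WFm), a raw section larger than 0x100000 bytes, and the EXECUTABLE_IMAGE / 32BIT_MACHINE / DLL characteristics. The "standard" and "code" section-name sets are assumptions; the report does not say which lists the classifier uses. The embedded sample image is constructed: it borrows the three section names and the 0x601800 raw size of .WFm from this report, but its RVAs and entry point are made up and it contains no code.

```python
import re
import struct

SECTION_NAME_OK = re.compile(r"^[A-Za-z0-9._$]+$")      # assumed: anything else is a "special char"
COMMON_SECTION_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                        ".edata", ".pdata", ".bss", ".tls", ".CRT"}  # assumed list
CODE_SECTION_NAMES = {".text", ".code", "CODE", "INIT"}             # assumed list

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000


def parse_pe(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    magic, = struct.unpack_from("<H", pe, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (32-bit) images handled here")
    entry_rva, = struct.unpack_from("<I", pe, opt + 16)   # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, _ = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("latin-1"), va, vsize, raw_size))
    return {"machine": machine, "characteristics": chars, "entry_rva": entry_rva, "sections": sections}


def analyze(pe: bytes):
    """Return the static findings a triage script would emit for this image."""
    info = parse_pe(pe)
    secs = info["sections"]
    entry = info["entry_rva"]
    entry_section = None
    for name, va, vsize, raw_size in secs:
        # A section occupies max(VirtualSize, SizeOfRawData) bytes from its RVA.
        if va <= entry < va + max(vsize, raw_size):
            entry_section = name
    c = info["characteristics"]
    return {
        "dll": bool(c & IMAGE_FILE_DLL),
        "executable_image": bool(c & IMAGE_FILE_EXECUTABLE_IMAGE),
        "is_32bit": bool(c & IMAGE_FILE_32BIT_MACHINE) and info["machine"] == 0x14C,
        "special_char_sections": [n for n, *_ in secs if not SECTION_NAME_OK.match(n)],
        "nonstandard_sections": [n for n, *_ in secs if n not in COMMON_SECTION_NAMES],
        "entry_section": entry_section,
        "entry_outside_code_section": entry_section not in CODE_SECTION_NAMES,
        "sections_over_1mib": [(n, r) for n, _, _, r in secs if r > 0x100000],
    }


def build_sample_pe(entry_rva, sections):
    """Constructed header-only PE32 DLL (no code; not RasTls.dll itself) for offline testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0,
                       IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_DLL)
    opt = bytearray(0xE0)                                        # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                   # AddressOfEntryPoint
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, raw, 0, 0, 0, 0, 0, 0x60000020)
                     for n, va, vs, raw in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Section names and the .WFm raw size come from this report; RVAs, virtual sizes
# and the entry point are invented so the sample is self-contained.
SAMPLE_PE = build_sample_pe(0x4234, [
    (".X:T", 0x1000, 0x1000, 0x1000),
    (".BXf", 0x2000, 0x1000, 0x800),
    (".WFm", 0x3000, 0x602000, 0x601800),
])

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_PE).items():
        print(f"{key}: {value}")
```

Run against a real file with `analyze(open(path, "rb").read())`. The entry-point check deliberately uses max(VirtualSize, SizeOfRawData) because packers often leave one of the two fields at zero; a section name that passes the character check but is absent from the common list (here .BXf and .WFm) is the "non-standard names" finding, which is weaker than the special-character one.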

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 6616 base: 1240005 value: E9 8B 2F CB 75
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 6616 base: 76EF2F90 value: E9 7A D0 34 8A
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6348 base: 2B80005 value: E9 8B 2F 37 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6348 base: 76EF2F90 value: E9 7A D0 C8 8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6548 base: 3220005 value: E9 8B 2F CD 73
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6548 base: 76EF2F90 value: E9 7A D0 32 8C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5284 base: 29F0005 value: E9 8B 2F 50 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5284 base: 76EF2F90 value: E9 7A D0 AF 8B
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
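
Added worked example (not part of the report, not code from the sample): the eight "Memory written" entries above each hold a 5-byte x86 JMP rel32 (opcode E9). Resolving the displacements shows a consistent inline-hook layout in every process: the write at 76EF2F90 redirects into the low, per-process region (…000F), and the write in that low region (…0005) jumps back to 76EF2F95, exactly 5 bytes past the overwritten prologue, which is what a trampoline that preserves the displaced bytes looks like. The address 76EF2F90 is the same in all four processes, consistent with a shared system DLL mapped at the same base, but the report does not identify the function and this example does not guess. The lines embedded below are copied from this report.

```python
import re

# Copied from this report's "Memory written" entries (process name shortened).
MEMORY_WRITES = """\
loaddll32.exe Memory written: PID: 6616 base: 1240005 value: E9 8B 2F CB 75
loaddll32.exe Memory written: PID: 6616 base: 76EF2F90 value: E9 7A D0 34 8A
rundll32.exe Memory written: PID: 6348 base: 2B80005 value: E9 8B 2F 37 74
rundll32.exe Memory written: PID: 6348 base: 76EF2F90 value: E9 7A D0 C8 8B
rundll32.exe Memory written: PID: 6548 base: 3220005 value: E9 8B 2F CD 73
rundll32.exe Memory written: PID: 6548 base: 76EF2F90 value: E9 7A D0 32 8C
rundll32.exe Memory written: PID: 5284 base: 29F0005 value: E9 8B 2F 50 74
rundll32.exe Memory written: PID: 5284 base: 76EF2F90 value: E9 7A D0 AF 8B
"""

LINE_RE = re.compile(r"PID: (\d+) base: ([0-9A-Fa-f]+) value: ((?:[0-9A-Fa-f]{2}\s?)+)")
MASK32 = 0xFFFFFFFF


def jmp_rel32_target(base: int, code: bytes) -> int:
    """Destination of a JMP rel32 written at `base` in a 32-bit process.

    rel32 is a signed little-endian displacement relative to the end of the
    5-byte instruction; the sum wraps at 2^32 (the sample is a 32-bit PE).
    """
    if len(code) != 5 or code[0] != 0xE9:
        raise ValueError("not a 5-byte JMP rel32: " + code.hex())
    rel = int.from_bytes(code[1:], "little", signed=True)
    return (base + 5 + rel) & MASK32


def parse_writes(text: str):
    """Yield (pid, address, bytes) for each 'Memory written' line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield int(m.group(1)), int(m.group(2), 16), bytes.fromhex(m.group(3).replace(" ", ""))


def resolve_hooks(text: str):
    """Return pid -> {written_address: jump_target}."""
    hooks = {}
    for pid, addr, code in parse_writes(text):
        hooks.setdefault(pid, {})[addr] = jmp_rel32_target(addr, code)
    return hooks


def find_detour_pairs(hooks):
    """Pair an overwritten prologue with its trampoline.

    An inline hook replaces the first 5 bytes of a function F with JMP handler
    and keeps the displaced bytes in a trampoline that ends with JMP F+5. So a
    write whose target is exactly another write's address + 5 is the
    trampoline's return jump, and that other write is the hooked prologue.
    """
    pairs = {}
    for pid, writes in hooks.items():
        for hooked, handler in writes.items():
            for tramp, resume in writes.items():
                if tramp != hooked and resume == hooked + 5:
                    pairs[pid] = {"hooked": hooked, "handler": handler,
                                  "trampoline": tramp, "resume": resume}
    return pairs


if __name__ == "__main__":
    for pid, p in sorted(find_detour_pairs(resolve_hooks(MEMORY_WRITES)).items()):
        print(f"PID {pid}: {p['hooked']:08X} -> handler {p['handler']:08X}; "
              f"trampoline {p['trampoline']:08X} -> resume {p['resume']:08X}")
```

For triage this gives a concrete address to dump: the handler sits ten bytes past the trampoline's return jump in each process, inside a private allocation that the report does not attribute to any module, so that region (not the system DLL) is where the injected logic lives.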

Malware Analysis System Evasion

Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6C86454B
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6C865B49
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6C72132F
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6C6B3714
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 6C58745C second address: 6C587467 instructions: 0x00000000 rdtsc 0x00000002 pop esi 0x00000003 movsx dx, bh 0x00000007 mov bp, 091Bh 0x0000000b rdtsc
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 6C58745C second address: 6C587467 instructions: 0x00000000 rdtsc 0x00000002 pop esi 0x00000003 movsx dx, bh 0x00000007 mov bp, 091Bh 0x0000000b rdtsc
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 6C5C5B71 second address: 6C5C5B75 instructions: 0x00000000 rdtsc 0x00000002 pop ebx 0x00000003 cdq 0x00000004 rdtsc
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 6C659216 second address: 6C65921A instructions: 0x00000000 rdtsc 0x00000002 pop ebx 0x00000003 cdq 0x00000004 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 5454
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 4535
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 5470
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 4519
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 9989
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6156 Thread sleep count: 5454 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6156 Thread sleep time: -5454000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6156 Thread sleep count: 4535 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6156 Thread sleep time: -4535000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6480 Thread sleep count: 5470 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6480 Thread sleep time: -5470000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6480 Thread sleep count: 4519 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6480 Thread sleep time: -4519000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5672 Thread sleep count: 9989 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5672 Thread sleep time: -9989000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: rundll32.exe, 00000003.00000002.4512491078.0000000002A8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4512315310.000000000306A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4512544852.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 65.20.90.139 443
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\RasTls.dll",#1