jlsb7ez.zip (MalScore 100/100)
File details

| Field | Value |
|---|---|
| File type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
| File size | 392.84 KB (402264 bytes) |
| Compile time | 2020-10-06 05:52:45 |
| MD5 | b251618e473b04ec4dd58d8bbf975c2a |
| SHA1 | fb3f3e8c8a0b0077aaff175f7d777533ae88a22c |
| SHA256 | adf6d91922505e07b840cdd9f74d33d6c7872bc6534a9be6b27b5d03470c835b |
| Import hash | f973b752dc5ac349369486fc7f90c6b1 |
| Sections (6) | .text .rdata .data2 .data .rsrc .reloc |
| Directories (4) | import resource relocation security |
| First submission | 2022-04-05 08:57:09 |
| Last submission | 2022-04-05 08:57:09 |
| Filename detected | jlsb7ez.zip (1) |

Despite the .zip extension this is a 32-bit PE DLL, not an archive. The sandbox run below loads it through rundll32.exe (listed among the files touched), and the dynamic-loader log ends with rundll32 looking up DllMainW, DllMainA and DllMain exports in it. The "security" directory in the list above is the Authenticode signature block described further down.
URL file hosting

- hXXp://tanushthakor.com/jlsb7ez.zip
Antivirus Report

No report available (no report date, detection ratio, permalink or update recorded).
PE Sections (0 suspicious)

| Name | VAddress | VSize | Size | MD5 | SHA1 |
|---|---|---|---|---|---|
| .text | 0x1000 | 0x2318 | 9216 | b05fb0f3453af49f785b5d05d49f4b91 | 6c44804945317eacf44e383e9530c1c8a0316920 |
| .rdata | 0x4000 | 0xc8 | 512 | bf619eac0cdf3f68d496ea9344137e8b | 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 |
| .data2 | 0x5000 | 0xc8 | 512 | bf619eac0cdf3f68d496ea9344137e8b | 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 |
| .data | 0x6000 | 0x511dc | 332288 | 11abb667836148efc041aa010ba4828d | bdccc0843c3234cae8cddd253ace7adbdeaa7032 |
| .rsrc | 0x58000 | 0xc788 | 51200 | 801170cc9fc9369bdc747144cb54abf4 | 17219630c67a5ed8384cfbf2b9eb77ce2a2d99c0 |
| .reloc | 0x65000 | 0x694 | 2048 | 58fb577b18ff007765ba4ff977017874 | d8cc57bf154ae976687c8cdd6cd925c2e0cc8765 |

Two things are worth reading off this table. .rdata and .data2 carry identical digests (the well-known MD5/SHA1 of a 512-byte all-zero block), so their on-disk content is padding only. .data is 332288 bytes, about 83% of the file, and is mapped readable and writable; the section-table scan reports nothing "suspicious", but the entropy signature in the behaviour section below flags exactly this section as likely encrypted or compressed.
Meta Info

No metadata (version resource or similar) found in this file.

XOR

No XOR-encoded strings found in this file.
Signature (Authenticode block)

| Field | Value |
|---|---|
| MD5 | c9e02cc0eec7d92386cbcc693c0b967c |
| SHA1 | 3be181397b0f3f5c5148698585ba54c6f77d3946 |
| Block size | 5464 |
| Offset (reported as "Virtual Address") | 396800 |

The security data directory stores a raw file offset rather than an RVA, and 396800 + 5464 = 402264, the file size: the signature block is the last thing in the file, as an appended Authenticode signature should be. These two digests are computed over that block; the signer certificate's own fingerprints, subject and serial are reported separately under "Presents an Authenticode digital signature" below.
Packer(s)

- Borland Delphi 3.0 (???)

This is a PEiD-style compiler fingerprint, not a compressor; the "(???)" is the signature database's own uncertainty marker. The writable, high-entropy 332 KB .data section is where the report's entropy signature places the likely packed or encrypted content.
Imported libraries (4)

- ADVAPI32.dll
- USER32.dll
- GDI32.dll
- KERNEL32.dll

The static import table is small. The APIs that matter for triage (VirtualAlloc, VirtualProtect, GetProcAddress, LoadLibraryExA, GetTempPathA, CreateFileA, WriteFile) are resolved at run time; see the DynamicLoader list in the behaviour section.
IP Found

- No IP address detected in the file
URL(s)

- http://ocsp.sectigo.com
- http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
- http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl
- http://crt.sectigo.com/SectigoRSATimeStampingCA.crt
- http://ocsp.usertrust.com
- http://crl.sectigo.com/SectigoRSATimeStampingCA.crl
- https://sectigo.com/CPS

As extracted, these URLs carried trailing "0", "0%", "0v", "0#", "0t" and "0D" respectively. Those characters are not part of the URLs: they are the DER bytes that follow each string inside the certificate (0x30, the tag of the next SEQUENCE, plus its length byte), which the string scanner swallowed. All seven are OCSP, AIA, CRL and CPS URLs of the Sectigo/USERTrust certificates in the file's Authenticode signature and its timestamp countersignature. They are embedded in the signature block, not contacted by the sample's own code.
Behavior analysis details

| Machine name | Machine label | Machine manager | Started | Ended | Duration (s) |
|---|---|---|---|---|---|
| Seven06_64 | Seven06_64 | VirtualBox | 2022-04-05 08:47:10 | 2022-04-05 08:50:15 | 185 |
6 Behaviors detected by system signatures
Creates RWX memory
Severity: Medium
Confidence: Medium
Dynamic (imported) function loading detected
Severity: Medium
Confidence: Very High
- DynamicLoader: kernel32.dll/RegQueryValueExW
- DynamicLoader: GDI32.dll/GdiAddGlsRecord
- DynamicLoader: GDI32.dll/GdiAddGlsBounds
- DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
- DynamicLoader: OPENGL32.DLL/wglSwapBuffers
- DynamicLoader: kernel32.dll/RegQueryValueExW
- DynamicLoader: GDI32.dll/GdiAddGlsRecord
- DynamicLoader: GDI32.dll/GdiAddGlsBounds
- DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
- DynamicLoader: OPENGL32.DLL/wglSwapBuffers
- DynamicLoader: kernel32.dll/VirtualAllocEx
- DynamicLoader: KERNELBASE.dll/LoadLibraryExA
- DynamicLoader: kernel32.dll/GetProcAddress
- DynamicLoader: kernel32.dll/VirtualAlloc
- DynamicLoader: kernel32.dll/VirtualFree
- DynamicLoader: kernel32.dll/UnmapViewOfFile
- DynamicLoader: kernel32.dll/VirtualProtect
- DynamicLoader: kernel32.dll/LoadLibraryExA
- DynamicLoader: kernel32.dll/GetModuleHandleA
- DynamicLoader: kernel32.dll/CreateFileA
- DynamicLoader: kernel32.dll/SetFilePointer
- DynamicLoader: kernel32.dll/WriteFile
- DynamicLoader: kernel32.dll/CloseHandle
- DynamicLoader: kernel32.dll/GetTempPathA
- DynamicLoader: kernel32.dll/lstrlenA
- DynamicLoader: kernel32.dll/lstrcatA
- DynamicLoader: kernel32.dll/GetModuleFileNameA
- DynamicLoader: kernel32.dll/GetModuleFileNameW
- DynamicLoader: KERNELBASE.dll/VirtualAlloc
- DynamicLoader: kernel32.dll/OutputDebugStringA
- DynamicLoader: kernel32.dll/Sleep
- DynamicLoader: ntdll.dll/NtSetInformationProcess
- DynamicLoader: KERNELBASE.dll/VirtualAlloc
- DynamicLoader: jlsb7ez.zip.dll/DllMainW
- DynamicLoader: jlsb7ez.zip.dll/DllMainA
- DynamicLoader: jlsb7ez.zip.dll/DllMain
Network activity detected but not expressed in API logs
Severity: Medium
Confidence: Very High
Performs some HTTP requests
Severity: Medium
Confidence: Low
- url: http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
The binary likely contains encrypted or compressed data.
Severity: Medium
Confidence: Very High
- section: name: .data, entropy: 6.94, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00051200, virtual_size: 0x000511dc
Presents an Authenticode digital signature
Severity: Low
Confidence: Low
- md5_fingerprint: 6eff50542170777141999e7c508fda3b
- sha1_fingerprint: 1c322162aeda54487a58f9f4688a2de1b8f114f0
- cn: HMWOCFPSDLAFMFZIVD
- sn: -64236817775805159092689110990921968084

The negative sn is a signed-integer rendering of the certificate serial number (X.509 serials are positive); the real serial is this value plus 2^(8L), where L is the byte length of the serial's DER encoding, so match on the fingerprints rather than on this number. A subject CN that is a random upper-case string, on a certificate that chains through Sectigo/USERTrust judging by the URLs listed above, is itself a triage signal; the page gives no further certificate details.
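To show what the static side of this report is derived from, here is an added example (my own code, not part of the report or of the sandbox) that parses a PE32 section table and security directory. It computes per-section entropy and applies the same rule as the "encrypted or compressed data" signature above (a writable initialised-data section with high entropy), and it locates and hashes the Authenticode block that the Signature section describes, checking that the block ends exactly at end of file the way 396800 + 5464 = 402264 does for this sample. The PE image it runs on is constructed inline (a three-section DLL with a placeholder PKCS#7 blob), so nothing here is the analysed file; the 6.8 entropy threshold and the reuse of the report's compile timestamp (taken as UTC) are my choices. Pulling the signer's CN and serial out of the PKCS#7 blob needs an ASN.1 parser and is left out.

```python
import hashlib
import math
import struct

# Constructed sample: a minimal PE32 DLL laid out like the report's file (section table,
# Authenticode block appended at end of file). Not the analysed jlsb7ez.zip; it exists
# only so that the parser below can run offline.
SCN_CODE, SCN_IDATA = 0x00000020, 0x00000040
SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
DIR_SECURITY = 4                      # data directory slot of the Authenticode block
FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000

def align(n, a):
    return (n + a - 1) // a * a

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0..8; the sandbox reports 6.94 for the real sample's .data."""
    n = len(data)
    counts = [data.count(b) for b in range(256)] if n else []
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def build_sample_pe(sections, cert_blob: bytes) -> bytes:
    """sections: [(name, raw_bytes, characteristics)] -> bytes of a PE32 DLL."""
    hdr_size = align(0x40 + 4 + 20 + 224 + 40 * len(sections), FILE_ALIGN)
    sec_hdrs, bodies, rva, raw_ptr = b"", b"", SECT_ALIGN, hdr_size
    for name, raw, chars in sections:
        padded = raw.ljust(align(len(raw), FILE_ALIGN), b"\0")
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(raw), rva,
                                len(padded), raw_ptr, 0, 0, 0, 0, chars)
        bodies, rva, raw_ptr = bodies + padded, rva + align(len(raw), SECT_ALIGN), raw_ptr + len(padded)
    # WIN_CERTIFICATE: dwLength (header included, padded to 8), wRevision 0x200, type PKCS#7
    cert = bytearray(struct.pack("<IHH", 0, 0x0200, 0x0002) + cert_blob)
    cert += b"\0" * (align(len(cert), 8) - len(cert))
    struct.pack_into("<I", cert, 0, len(cert))
    opt = bytearray(224)                                        # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<II", opt, 32, SECT_ALIGN, FILE_ALIGN)
    struct.pack_into("<II", opt, 56, rva, hdr_size)             # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    # Quirk: the security directory's "VirtualAddress" is a raw file offset, not an RVA.
    struct.pack_into("<II", opt, 96 + 8 * DIR_SECURITY, raw_ptr, len(cert))
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    # COFF header: i386, section count, report's compile time as epoch (assumed UTC), DLL flags
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 1601963565, 0, 0, 224, 0x2102)
    head = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec_hdrs).ljust(hdr_size, b"\0")
    return head + bodies + bytes(cert)

def parse_pe32(data: bytes) -> dict:
    """Section table (with entropy) and data directories of a PE32 file."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    _, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    nrva = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(nrva)]
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        raw = data[rptr:rptr + rsize]
        sections.append({"name": name.rstrip(b"\0").decode(), "vaddr": vaddr, "vsize": vsize,
                         "raw_size": rsize, "chars": chars, "entropy": shannon_entropy(raw),
                         "md5": hashlib.md5(raw).hexdigest()})
    return {"timestamp": ts, "dirs": dirs, "sections": sections}

def packed_data_sections(pe: dict, threshold: float = 6.8) -> list:
    """The report's 'encrypted or compressed data' rule: writable initialised data, high entropy."""
    want = SCN_IDATA | SCN_WRITE
    return [s["name"] for s in pe["sections"]
            if s["chars"] & want == want and s["raw_size"] and s["entropy"] >= threshold]

def authenticode_block(data: bytes, pe: dict):
    """Locate and hash the WIN_CERTIFICATE block; None when the file carries no signature."""
    if len(pe["dirs"]) <= DIR_SECURITY or pe["dirs"][DIR_SECURITY][1] == 0:
        return None
    off, size = pe["dirs"][DIR_SECURITY]
    if off + size > len(data):
        raise ValueError("security directory points past end of file")
    dw_len, _, ctype = struct.unpack_from("<IHH", data, off)
    block = data[off:off + size]
    return {"offset": off, "size": size, "type": ctype, "pkcs7": data[off + 8:off + dw_len],
            "md5": hashlib.md5(block).hexdigest(), "sha1": hashlib.sha1(block).hexdigest(),
            # An appended signature is the last thing in the file (396800 + 5464 = 402264 in
            # the report); trailing data after it, or a block inside a section, needs a look.
            "ends_file": off + size == len(data)}

# Deterministic high-entropy filler (SHA-256 digests) standing in for an encrypted payload.
PAYLOAD = b"".join(hashlib.sha256(b"constructed %d" % i).digest() for i in range(512))
SAMPLE_PE = build_sample_pe(
    [(".text", b"\x55\x8b\xec" * 3072, SCN_CODE | SCN_EXEC | SCN_READ),
     (".rdata", b"\0" * 0xC8, SCN_IDATA | SCN_READ),
     (".data", PAYLOAD, SCN_IDATA | SCN_READ | SCN_WRITE)],
    cert_blob=b"\x30\x82" + b"\0" * 600)   # placeholder PKCS#7 bytes, not a real signature

if __name__ == "__main__":
    pe = parse_pe32(SAMPLE_PE)
    for s in pe["sections"]:
        print(f'{s["name"]:8} rva=0x{s["vaddr"]:05x} raw={s["raw_size"]:6d} entropy={s["entropy"]:.2f}')
    print("packed-looking sections:", packed_data_sections(pe))
    sig = authenticode_block(SAMPLE_PE, pe)
    print(f'signature block at {sig["offset"]}, {sig["size"]} bytes, md5 {sig["md5"]}, ends file: {sig["ends_file"]}')
```

On a real file, replace SAMPLE_PE with the bytes read from disk; the 6.8 threshold is deliberately a little under the 6.94 the sandbox measured for this sample's .data, and a section that is writable but low-entropy, or high-entropy but read-only (.rsrc with embedded images, for instance), is not flagged, which is the right default for a first pass.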
5 Summary items with data
Files
- C:\Users\Seven01\AppData\Local\Temp\jlsb7ez.zip.dll
- C:\Users\Seven01\AppData\Local\Temp\jlsb7ez.zip.dll.123.Manifest
- C:\Users\Seven01\AppData\Local\Temp\jlsb7ez.zip.dll.124.Manifest
- C:\Users\Seven01\AppData\Local\Temp\jlsb7ez.zip.dll.2.Manifest
- C:\Windows\SysWOW64\rundll32.exe
- C:\Users\Seven01\AppData\Local\Temp\fftGVYCAdu
- C:\Windows\SysWOW64\ADybyrVYnk
- C:\Users\Seven01\AppData\Local\Temp\ADybyrVYnk
- C:\Windows\System32\ADybyrVYnk
- C:\Windows\system\ADybyrVYnk
- C:\Windows\ADybyrVYnk
- C:\ProgramData\Oracle\Java\javapath\ADybyrVYnk
- C:\Windows\System32\wbem\ADybyrVYnk
- C:\Windows\System32\WindowsPowerShell\v1.0\ADybyrVYnk
- C:\Windows\SysWOW64\J KntzRqUJ
- C:\Users\Seven01\AppData\Local\Temp\J KntzRqUJ
- C:\Windows\System32\J KntzRqUJ
- C:\Windows\system\J KntzRqUJ
- C:\Windows\J KntzRqUJ
- C:\ProgramData\Oracle\Java\javapath\J KntzRqUJ
- C:\Windows\System32\wbem\J KntzRqUJ
- C:\Windows\System32\WindowsPowerShell\v1.0\J KntzRqUJ
- C:\Users\Seven01\AppData\Local\Temp\hWylsvFluF
- C:\Windows\Fonts\uHridnYsCY
- C:\Windows\SysWOW64\uHridnYsCY
- C:\Users\Seven01\AppData\Local\Temp\uHridnYsCY
- C:\Windows\System32\uHridnYsCY
- C:\Windows\system\uHridnYsCY
- C:\Windows\uHridnYsCY
- C:\ProgramData\Oracle\Java\javapath\uHridnYsCY
- C:\Windows\System32\wbem\uHridnYsCY
- C:\Windows\System32\WindowsPowerShell\v1.0\uHridnYsCY
- C:\Windows\SysWOW64\UbKmfWTHPO
- C:\Users\Seven01\AppData\Local\Temp\UbKmfWTHPO
- C:\Windows\System32\UbKmfWTHPO
- C:\Windows\system\UbKmfWTHPO
- C:\Windows\UbKmfWTHPO
- C:\ProgramData\Oracle\Java\javapath\UbKmfWTHPO
- C:\Windows\System32\wbem\UbKmfWTHPO
- C:\Windows\System32\WindowsPowerShell\v1.0\UbKmfWTHPO
- C:\Windows\Fonts\vwEJIFOeDp
- C:\Windows\SysWOW64\vwEJIFOeDp
- C:\Users\Seven01\AppData\Local\Temp\vwEJIFOeDp
- C:\Windows\System32\vwEJIFOeDp
- C:\Windows\system\vwEJIFOeDp
- C:\Windows\vwEJIFOeDp
- C:\ProgramData\Oracle\Java\javapath\vwEJIFOeDp
- C:\Windows\System32\wbem\vwEJIFOeDp
- C:\Windows\System32\WindowsPowerShell\v1.0\vwEJIFOeDp
- C:\Users\Seven01\AppData\Local\Temp\asEHouVxmj
- C:\Windows\SysWOW64\34gggg
- C:\Users\Seven01\AppData\Local\Temp\34gggg
- C:\Windows\System32\34gggg
- C:\Windows\system\34gggg
- C:\Windows\34gggg
- C:\ProgramData\Oracle\Java\javapath\34gggg
- C:\Windows\System32\wbem\34gggg
- C:\Windows\System32\WindowsPowerShell\v1.0\34gggg
- C:\Users\Seven01\AppData\Local\Temp\RwOjJtnFlR
- C:\Windows\SysWOW64\QfEQqJdxZP
- C:\Users\Seven01\AppData\Local\Temp\QfEQqJdxZP
- C:\Windows\System32\QfEQqJdxZP
- C:\Windows\system\QfEQqJdxZP
- C:\Windows\QfEQqJdxZP
- C:\ProgramData\Oracle\Java\javapath\QfEQqJdxZP
- C:\Windows\System32\wbem\QfEQqJdxZP
- C:\Windows\System32\WindowsPowerShell\v1.0\QfEQqJdxZP
- C:\Users\Seven01\AppData\Local\Temp\XCXPKxvgUt
- C:\Windows\SysWOW64\opengl32.dll
- C:\Windows\SysWOW64\glu32.dll
- C:\Windows\SysWOW64\ddraw.dll
- C:\Windows\SysWOW64\dciman32.dll
- C:\Windows\SysWOW64\dwmapi.dll
- C:\Windows\SysWOW64\it-IT\SETUPAPI.dll.mui
- C:\Users\Seven01\AppData\Local\Temp\mG fXCuLfv
Read Files
- C:\Users\Seven01\AppData\Local\Temp\jlsb7ez.zip.dll
- C:\Users\Seven01\AppData\Local\Temp\jlsb7ez.zip.dll.123.Manifest
- C:\Users\Seven01\AppData\Local\Temp\jlsb7ez.zip.dll.124.Manifest
- C:\Users\Seven01\AppData\Local\Temp\jlsb7ez.zip.dll.2.Manifest
- C:\Windows\SysWOW64\rundll32.exe
- C:\Users\Seven01\AppData\Local\Temp\fftGVYCAdu
- C:\Users\Seven01\AppData\Local\Temp\hWylsvFluF
- C:\Users\Seven01\AppData\Local\Temp\asEHouVxmj
- C:\Users\Seven01\AppData\Local\Temp\RwOjJtnFlR
- C:\Users\Seven01\AppData\Local\Temp\XCXPKxvgUt
- C:\Windows\SysWOW64\opengl32.dll
- C:\Windows\SysWOW64\glu32.dll
- C:\Windows\SysWOW64\ddraw.dll
- C:\Windows\SysWOW64\dciman32.dll
- C:\Windows\SysWOW64\dwmapi.dll
- C:\Windows\SysWOW64\it-IT\SETUPAPI.dll.mui
- C:\Users\Seven01\AppData\Local\Temp\mG fXCuLfv
Write Files
Nothing to display
Delete Files
Nothing to display
Keys
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\jlsb7ez.zip.dll
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\DevicePath
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows
- HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
- HKEY_CLASSES_ROOT\iNTerface\{b196b287-bab4-101a-b69c-00aa00341d07}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B196B287-BAB4-101A-B69C-00AA00341D07}\(Default)
Read Keys
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\jlsb7ez.zip.dll
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\DevicePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B196B287-BAB4-101A-B69C-00AA00341D07}\(Default)
Write Keys
Nothing to display
Delete Keys
Nothing to display
Mutexes
Resolved APIs
- kernel32.dll.RegQueryValueExW
- gdi32.dll.GdiAddGlsRecord
- gdi32.dll.GdiAddGlsBounds
- gdi32.dll.GdiIsMetaPrintDC
- opengl32.dll.wglSwapBuffers
- kernel32.dll.VirtualAllocEx
- kernelbase.dll.LoadLibraryExA
- kernel32.dll.GetProcAddress
- kernel32.dll.VirtualAlloc
- kernel32.dll.VirtualFree
- kernel32.dll.UnmapViewOfFile
- kernel32.dll.VirtualProtect
- kernel32.dll.LoadLibraryExA
- kernel32.dll.GetModuleHandleA
- kernel32.dll.CreateFileA
- kernel32.dll.SetFilePointer
- kernel32.dll.WriteFile
- kernel32.dll.CloseHandle
- kernel32.dll.GetTempPathA
- kernel32.dll.lstrlenA
- kernel32.dll.lstrcatA
- kernel32.dll.GetModuleFileNameA
- kernel32.dll.GetModuleFileNameW
- kernelbase.dll.VirtualAlloc
- kernel32.dll.OutputDebugStringA
- kernel32.dll.Sleep
- ntdll.dll.NtSetInformationProcess
Execute Commands
Nothing to display
Started Services
Nothing to display
Created Services
Nothing to display
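The Files summary above hides a pattern that stands out once the paths are grouped by file name: each random name (ADybyrVYnk, J KntzRqUJ, uHridnYsCY, UbKmfWTHPO, vwEJIFOeDp, 34gggg, QfEQqJdxZP) is looked up in the same eight directories in the same order, and that order is the SearchPath/CreateProcess lookup order (application directory, current directory, system directory, 16-bit system directory, Windows directory, then each PATH entry) which the SafeProcessSearchMode read in Keys also belongs to. Write Files is empty, so these are lookups, not drops. The added example below is my own triage helper, not the sandbox's code: it groups a subset of the report's paths by name and checks each sweep against that order. The directory-to-stage mapping is an assumption about the sandbox VM (rundll32.exe running from SysWOW64 with %TEMP% as current directory, and javapath, wbem and WindowsPowerShell\v1.0 as its PATH entries). It also surfaces the Fonts-directory lookups that precede two of the sweeps and fall outside the standard order; the page does not say what, if anything, the sample did with the results of these lookups.

```python
from collections import defaultdict

# Paths copied from the report's "Files" summary (three of the seven sweeps plus a few
# ordinary entries; the remaining sweeps on the page follow the same pattern).
REPORT_FILES = [
    r"C:\Users\Seven01\AppData\Local\Temp\jlsb7ez.zip.dll",
    r"C:\Windows\SysWOW64\rundll32.exe",
    r"C:\Users\Seven01\AppData\Local\Temp\fftGVYCAdu",
    r"C:\Windows\SysWOW64\ADybyrVYnk",
    r"C:\Users\Seven01\AppData\Local\Temp\ADybyrVYnk",
    r"C:\Windows\System32\ADybyrVYnk",
    r"C:\Windows\system\ADybyrVYnk",
    r"C:\Windows\ADybyrVYnk",
    r"C:\ProgramData\Oracle\Java\javapath\ADybyrVYnk",
    r"C:\Windows\System32\wbem\ADybyrVYnk",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\ADybyrVYnk",
    r"C:\Windows\SysWOW64\J KntzRqUJ",            # the name really contains a space
    r"C:\Users\Seven01\AppData\Local\Temp\J KntzRqUJ",
    r"C:\Windows\System32\J KntzRqUJ",
    r"C:\Windows\system\J KntzRqUJ",
    r"C:\Windows\J KntzRqUJ",
    r"C:\ProgramData\Oracle\Java\javapath\J KntzRqUJ",
    r"C:\Windows\System32\wbem\J KntzRqUJ",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\J KntzRqUJ",
    r"C:\Users\Seven01\AppData\Local\Temp\hWylsvFluF",
    r"C:\Windows\Fonts\uHridnYsCY",
    r"C:\Windows\SysWOW64\uHridnYsCY",
    r"C:\Users\Seven01\AppData\Local\Temp\uHridnYsCY",
    r"C:\Windows\System32\uHridnYsCY",
    r"C:\Windows\system\uHridnYsCY",
    r"C:\Windows\uHridnYsCY",
    r"C:\ProgramData\Oracle\Java\javapath\uHridnYsCY",
    r"C:\Windows\System32\wbem\uHridnYsCY",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\uHridnYsCY",
    r"C:\Windows\SysWOW64\opengl32.dll",
    r"C:\Windows\SysWOW64\glu32.dll",
]

# Stages of the SearchPath()/CreateProcess lookup order with SafeProcessSearchMode off
# (the default; the report shows that value being read). Mapping directories to stages is
# an ASSUMPTION about the sandbox VM: rundll32.exe ran from SysWOW64 with %TEMP% as the
# current directory, and javapath, wbem and WindowsPowerShell\v1.0 are taken to be on PATH.
STAGE_ORDER = ["application dir", "current dir", "system dir", "16-bit system dir",
               "windows dir", "PATH"]
SEARCH_STAGES = {
    r"c:\windows\syswow64": "application dir",
    r"c:\users\seven01\appdata\local\temp": "current dir",
    r"c:\windows\system32": "system dir",
    r"c:\windows\system": "16-bit system dir",
    r"c:\windows": "windows dir",
    r"c:\programdata\oracle\java\javapath": "PATH",
    r"c:\windows\system32\wbem": "PATH",
    r"c:\windows\system32\windowspowershell\v1.0": "PATH",
}

def split_path(path: str):
    """Directory (lower-cased) and file name; rpartition keeps spaces inside the name."""
    directory, _, name = path.rpartition("\\")
    return directory.lower(), name

def probe_groups(paths, min_dirs: int = 3) -> dict:
    """File names looked up in at least min_dirs directories, each with its directories
    in the order the sandbox logged them."""
    seen = defaultdict(list)
    for p in paths:
        directory, name = split_path(p)
        if directory not in seen[name]:
            seen[name].append(directory)
    return {name: dirs for name, dirs in seen.items() if len(dirs) >= min_dirs}

def classify_probe(dirs) -> tuple:
    """(known stages visited in search order?, directories outside the standard order)."""
    unknown = [d for d in dirs if d not in SEARCH_STAGES]
    ranks = [STAGE_ORDER.index(SEARCH_STAGES[d]) for d in dirs if d in SEARCH_STAGES]
    return ranks == sorted(ranks) and len(ranks) > 0, unknown

if __name__ == "__main__":
    for name, dirs in probe_groups(REPORT_FILES).items():
        ordered, extra = classify_probe(dirs)
        print(f"{name!r}: {len(dirs)} dirs, search-order sweep: {ordered}, outside order: {extra}")
```

Feed it the full Files list from a report and lower min_dirs if a sweep stops early; a sweep that ends at the application directory, or one whose name later shows up under Write Files, is a different story from the read-only probing recorded here.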
1 HTTP Request(s) detected

http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt

- Hostname: crt.usertrust.com
- IP Address: 91.199.212.52
- Port: 80
- Count: 1
- Request:
  GET /USERTrustRSAAddTrustCA.crt HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Microsoft-CryptoAPI/6.1
  Host: crt.usertrust.com

The User-Agent Microsoft-CryptoAPI/6.1 (6.1 is the Windows 7 version string, matching the Seven06_64 guest) marks this as the operating system's own certificate-chain (AIA) fetch, issued by CryptoAPI while building the chain for the certificate in the DLL's Authenticode signature, whichever component triggered that verification. The URL is the AIA URL embedded in the signature's USERTrust certificate (see the URL(s) list above). It is not traffic generated by the sample's code, which fits the "Performs some HTTP requests" signature firing at low confidence and the separate "Network activity detected but not expressed in API logs" signature. Treat crt.usertrust.com as benign infrastructure, not as an indicator for this sample.
#infosec #automation
TheSystem Itself @ 2022-04-05 08:57:11