analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

dll.dll

Full analysis: https://app.any.run/tasks/64dd0f0b-f341-41a6-ac44-847ffe48abcf
Verdict: Malicious activity
Threats:

Metamorfo is a trojan malware family that has been active since 2018. It remains a top threat, focusing on stealing victims’ financial information, including banking credentials and other data. The malware is known for targeting users in Brazil.

Analysis date: December 06, 2019, 15:37:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
metamorfo
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5:

F017E9D6D3D80A2DA7D6D31B39AA3460

SHA1:

20DE8F3F0F4CFACA955D88BF71C0E443D4D4C1D1

SHA256:

676239733A85620038D358F3306EFA484248B5EF67F6134122BBF5974498AFF3

SSDEEP:

196608:FPG82SfkEASt2cye6XQKBENKtHSWYquY08NFyT+rzpAU+sIdF4:FPG2G7BvLkIHq+0SFy0CU+pF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • METAMORFO was detected

      • rundll32.exe (PID: 1772)
    • Connects to CnC server

      • rundll32.exe (PID: 1772)
  • SUSPICIOUS

    • Connects to server without host name

      • rundll32.exe (PID: 1772)
    • Reads Environment values

      • rundll32.exe (PID: 1772)
    • Disables Form Suggestion in IE

      • rundll32.exe (PID: 1772)
  • INFO

    • Loads main object executable

      • rundll32.exe (PID: 1772)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (38.3)
.exe | Win32 Executable (generic) (26.2)
.exe | Win16/32 Executable Delphi generic (12)
.exe | Generic Win/DOS Executable (11.6)
.exe | DOS Executable Generic (11.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:12:05 00:27:07+01:00
PEType: PE32
LinkerVersion: 2.25
CodeSize: 3963392
InitializedDataSize: 765440
UninitializedDataSize: -
EntryPoint: 0xa21414
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 04-Dec-2019 23:27:07
Detected languages:
  • English - United States
FileDescription: NAFPCZ7BPG7F22K
FileVersion: 1.0.0.0
ProductName: NAFPCZ7BPG7F22K
ProductVersion: 1.0.0.0
ProgramID: com.embarcadero.NAFPCZ7BPG7F22K

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0050
Pages in file: 0x0002
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x000F
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x001A
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 12
Time date stamp: 04-Dec-2019 23:27:07
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_DLL
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
"IEFKBnB,Q<
0x00001000
0x003C512C
0x003C5200
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.45618
eUCz//^(\xf4'
0x003C7000
0x000027F4
0x00002800
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.36063
tp42)wkh\xf00\x01
0x003CA000
0x000130F0
0x00013200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
5.50445
_UfHk`cW\x0c\x82\x08
0x003DE000
0x0008820C
0x00000000
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
`1CH,?sy.E
0x00467000
0x0000452E
0x00004600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.88113
I65!Zc.4\xa6\x0d
0x0046C000
0x00000DA6
0x00000E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.26622
9G@r5hAe\xe2
0x0046D000
0x000000E2
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
2.90244
wU@rrT)rE
0x0046E000
0x00000045
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
1.1712
(y]qFVUF\x08\xe5*
0x0046F000
0x002AE508
0x002AE600
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
7.77649
g`L1B:MFpE=
0x0071E000
0x003D4570
0x003D4600
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
7.87254

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.27093
1803
UNKNOWN
English - United States
RT_MANIFEST

Imports

WTSAPI32.dll
advapi32.dll
comctl32.dll
crypt32.dll
gdi32.dll
kernel32.dll
kernel32.dll (delay-loaded)
msvcrt.dll
netapi32.dll
ole32.dll

Exports

Title
Ordinal
Address
dbkFCallWrapperAddr
1
0x003E1640
__dbk_fcall_wrapper
2
0x00012C40
TMethodImplementationIntercept
3
0x0006C5E8
SHGetFolderPathW
4
0x003B87B0
U3ZQQWIF44OAYUZETYGUNTJXLMG
5
0x003B871C
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
33
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #METAMORFO rundll32.exe

Process information

PID
CMD
Path
Indicators
Parent process
1772"C:\Windows\System32\rundll32.exe" C:\Users\admin\AppData\Local\Temp\dll.dll,U3ZQQWIF44OAYUZETYGUNTJXLMGC:\Windows\System32\rundll32.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
19
Read events
14
Write events
5
Delete events
0

Modification events

(PID) Process:(1772) rundll32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:Use FormSuggest
Value:
No
(PID) Process:(1772) rundll32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:FormSuggest Passwords
Value:
No
(PID) Process:(1772) rundll32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:FormSuggest PW Ask
Value:
No
(PID) Process:(1772) rundll32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
Operation:writeName:AutoSuggest
Value:
No
(PID) Process:(1772) rundll32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Operation:writeName:ShowInfoTip
Value:
0
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1772
rundll32.exe
POST
200
18.209.163.113:80
http://18.209.163.113/cont/KA0F1RKJU2AM0WM.php
US
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1772
rundll32.exe
18.209.163.113:80
US
malicious

DNS requests

No data

Threats

PID
Process
Class
Message
1772
rundll32.exe
A Network Trojan was detected
MALWARE [PTsecurity] Metamorfo.Banload Checkin
1 ETPRO signatures available at the full report
No debug info