File bf41331980c60c26_otkuihel.dll

Size 24.0KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 a282ea13e08b3f2f9a9a68272dc54831
SHA1 279f9ca180b529de0dfe86869c46d1f961f875ed
SHA256 bf41331980c60c2671b1c8882cb1d57da2701ec505f6fbfe98c12898705770e7
SHA512
99637dc27de1ed9b82680522b4c26a96e833b9199927195a338be11df2b4b68cb87385ae311d04aff350f9fb46c48cc5653fc390bec2e7d51ccdca7357d9994d
CRC32 22C5CDC3
ssdeep None
PDB Path c:\Users\Administrator\AppData\Local\Temp\otkuihel.pdb
Yara None matched

Score

This file is very suspicious, with a score of 9.1 out of 10!

Please note: the scoring system is still in development and should be considered an alpha feature.


Autosubmit

Parent_Task_ID:5653393


Information on Execution

Analysis
Category: FILE
Started: Dec. 14, 2024, 5:04 p.m.
Completed: Dec. 14, 2024, 5:07 p.m.
Duration: 208 seconds
Routing: internet

Analyzer Log (written inside the guest; its timestamps come from the guest clock and read 2024-12-11, three days earlier than the host-side Cuckoo Log below)

2024-12-11 11:28:32,015 [analyzer] DEBUG: Starting analyzer from: C:\tmpblqbwr
2024-12-11 11:28:32,015 [analyzer] DEBUG: Pipe server name: \??\PIPE\VqZRnXYRGGjuFyrnHiWUe
2024-12-11 11:28:32,015 [analyzer] DEBUG: Log pipe server name: \??\PIPE\WrgbLvGWDDTwHqkeDOBihbdC
2024-12-11 11:28:32,015 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2024-12-11 11:28:32,015 [analyzer] INFO: Automatically selected analysis package "exe"
2024-12-11 11:28:32,312 [analyzer] DEBUG: Started auxiliary module Curtain
2024-12-11 11:28:32,312 [analyzer] DEBUG: Started auxiliary module DbgView
2024-12-11 11:28:32,750 [analyzer] DEBUG: Started auxiliary module Disguise
2024-12-11 11:28:32,953 [analyzer] DEBUG: Loaded monitor into process with pid 504
2024-12-11 11:28:32,953 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2024-12-11 11:28:32,953 [analyzer] DEBUG: Started auxiliary module Human
2024-12-11 11:28:32,953 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2024-12-11 11:28:32,953 [analyzer] DEBUG: Started auxiliary module Reboot
2024-12-11 11:28:33,030 [analyzer] DEBUG: Started auxiliary module RecentFiles
2024-12-11 11:28:33,030 [analyzer] DEBUG: Started auxiliary module Screenshots
2024-12-11 11:28:33,030 [analyzer] DEBUG: Started auxiliary module Sysmon
2024-12-11 11:28:33,030 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2024-12-11 11:28:33,155 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\bf41331980c60c26_otkuihel.dll' with arguments '' and pid 1952
2024-12-11 11:28:33,296 [analyzer] DEBUG: Loaded monitor into process with pid 1952
2024-12-11 11:28:34,155 [analyzer] INFO: Process with pid 1952 has terminated
2024-12-11 11:28:34,155 [analyzer] INFO: Process list is empty, terminating analysis.
2024-12-11 11:28:35,342 [analyzer] INFO: Terminating remaining processes before shutdown.
2024-12-11 11:28:35,342 [analyzer] INFO: Analysis completed.

Cuckoo Log

2024-12-14 17:04:11,754 [cuckoo.core.scheduler] DEBUG: Task #5654427: no machine available yet
2024-12-14 17:04:12,786 [cuckoo.core.scheduler] DEBUG: Task #5654427: no machine available yet
2024-12-14 17:04:13,819 [cuckoo.core.scheduler] DEBUG: Task #5654427: no machine available yet
2024-12-14 17:04:14,904 [cuckoo.core.scheduler] DEBUG: Task #5654427: no machine available yet
2024-12-14 17:04:15,980 [cuckoo.core.scheduler] DEBUG: Task #5654427: no machine available yet
2024-12-14 17:04:17,054 [cuckoo.core.scheduler] DEBUG: Task #5654427: no machine available yet
2024-12-14 17:04:18,112 [cuckoo.core.scheduler] DEBUG: Task #5654427: no machine available yet
2024-12-14 17:04:19,361 [cuckoo.core.scheduler] DEBUG: Task #5654427: no machine available yet
2024-12-14 17:04:20,479 [cuckoo.core.scheduler] DEBUG: Task #5654427: no machine available yet
2024-12-14 17:04:21,659 [cuckoo.core.scheduler] DEBUG: Task #5654427: no machine available yet
2024-12-14 17:04:22,859 [cuckoo.core.scheduler] INFO: Task #5654427: acquired machine win7x6418 (label=win7x6418)
2024-12-14 17:04:22,865 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.218 for task #5654427
2024-12-14 17:04:23,244 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 237697 (interface=vboxnet0, host=192.168.168.218)
2024-12-14 17:04:23,325 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6418
2024-12-14 17:04:23,927 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6418 to vmcloak
2024-12-14 17:05:49,309 [cuckoo.core.guest] INFO: Starting analysis #5654427 on guest (id=win7x6418, ip=192.168.168.218)
2024-12-14 17:05:50,314 [cuckoo.core.guest] DEBUG: win7x6418: not ready yet
2024-12-14 17:05:55,335 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6418, ip=192.168.168.218)
2024-12-14 17:05:55,422 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6418, ip=192.168.168.218, monitor=latest, size=6660546)
2024-12-14 17:05:56,668 [cuckoo.core.resultserver] DEBUG: Task #5654427: live log analysis.log initialized.
2024-12-14 17:05:57,650 [cuckoo.core.resultserver] DEBUG: Task #5654427 is sending a BSON stream
2024-12-14 17:05:57,903 [cuckoo.core.resultserver] DEBUG: Task #5654427 is sending a BSON stream
2024-12-14 17:05:58,813 [cuckoo.core.resultserver] DEBUG: Task #5654427: File upload for 'shots/0001.jpg'
2024-12-14 17:05:58,835 [cuckoo.core.resultserver] DEBUG: Task #5654427 uploaded file length: 133542
2024-12-14 17:05:59,907 [cuckoo.core.resultserver] DEBUG: Task #5654427: File upload for 'curtain/1733912915.23.curtain.log'
2024-12-14 17:05:59,914 [cuckoo.core.resultserver] DEBUG: Task #5654427 uploaded file length: 36
2024-12-14 17:06:00,014 [cuckoo.core.resultserver] DEBUG: Task #5654427: File upload for 'sysmon/1733912915.34.sysmon.xml'
2024-12-14 17:06:00,020 [cuckoo.core.resultserver] DEBUG: Task #5654427 uploaded file length: 499370
2024-12-14 17:06:00,884 [cuckoo.core.resultserver] DEBUG: Task #5654427 had connection reset for <Context for LOG>
2024-12-14 17:06:02,318 [cuckoo.core.guest] INFO: win7x6418: analysis completed successfully
2024-12-14 17:06:02,331 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2024-12-14 17:06:03,056 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2024-12-14 17:06:04,048 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6418 to path /srv/cuckoo/cwd/storage/analyses/5654427/memory.dmp
2024-12-14 17:06:04,049 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6418
2024-12-14 17:07:37,604 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.218 for task #5654427
2024-12-14 17:07:39,834 [cuckoo.core.scheduler] DEBUG: Released database task #5654427
2024-12-14 17:07:39,927 [cuckoo.core.scheduler] INFO: Task #5654427: analysis procedure completed

Signatures

Allocates read-write-execute memory (usually to unpack itself) (13 events)
Caveat: the sample is a .NET assembly, and the CLR's JIT and loader heaps commit PAGE_EXECUTE_READWRITE pages as a matter of course, so for a managed binary this signature on its own is weak evidence. The events below show a large MEM_RESERVE followed by page-sized MEM_COMMITs inside it (0x00aa0000 lies in the 0x009a0000 reservation, 0x04550000 in the 0x04400000 one), which is what a managed heap growing looks like.
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory  process_identifier=1952 process_handle=0xffffffff base_address=0x72fa2000 length=4096 protection=64 (PAGE_EXECUTE_READWRITE) stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=0  status=1 return=0 repeated=0
NtProtectVirtualMemory  process_identifier=1952 process_handle=0xffffffff base_address=0x72fa2000 length=4096 protection=64 (PAGE_EXECUTE_READWRITE) stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=0  status=1 return=0 repeated=0
NtProtectVirtualMemory  process_identifier=1952 process_handle=0xffffffff base_address=0x72fa2000 length=4096 protection=64 (PAGE_EXECUTE_READWRITE) stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=0  status=1 return=0 repeated=0
NtAllocateVirtualMemory process_identifier=1952 process_handle=0xffffffff base_address=0x009a0000 region_size=1310720 allocation_type=8192 (MEM_RESERVE) protection=64 (PAGE_EXECUTE_READWRITE) stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=0  status=1 return=0 repeated=0
NtAllocateVirtualMemory process_identifier=1952 process_handle=0xffffffff base_address=0x00aa0000 region_size=4096 allocation_type=4096 (MEM_COMMIT) protection=64 (PAGE_EXECUTE_READWRITE) stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=1  status=1 return=0 repeated=0
NtAllocateVirtualMemory process_identifier=1952 process_handle=0xffffffff base_address=0x00523000 region_size=4096 allocation_type=4096 (MEM_COMMIT) protection=64 (PAGE_EXECUTE_READWRITE) stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=1  status=1 return=0 repeated=0
NtAllocateVirtualMemory process_identifier=1952 process_handle=0xffffffff base_address=0x00555000 region_size=4096 allocation_type=4096 (MEM_COMMIT) protection=64 (PAGE_EXECUTE_READWRITE) stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=1  status=1 return=0 repeated=0
NtAllocateVirtualMemory process_identifier=1952 process_handle=0xffffffff base_address=0x0055b000 region_size=4096 allocation_type=4096 (MEM_COMMIT) protection=64 (PAGE_EXECUTE_READWRITE) stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=1  status=1 return=0 repeated=0
NtAllocateVirtualMemory process_identifier=1952 process_handle=0xffffffff base_address=0x00557000 region_size=4096 allocation_type=4096 (MEM_COMMIT) protection=64 (PAGE_EXECUTE_READWRITE) stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=1  status=1 return=0 repeated=0
NtAllocateVirtualMemory process_identifier=1952 process_handle=0xffffffff base_address=0x00610000 region_size=4096 allocation_type=4096 (MEM_COMMIT) protection=64 (PAGE_EXECUTE_READWRITE) stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=1  status=1 return=0 repeated=0
NtAllocateVirtualMemory process_identifier=1952 process_handle=0xffffffff base_address=0x04400000 region_size=1638400 allocation_type=8192 (MEM_RESERVE) protection=64 (PAGE_EXECUTE_READWRITE) stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=0  status=1 return=0 repeated=0
NtAllocateVirtualMemory process_identifier=1952 process_handle=0xffffffff base_address=0x04550000 region_size=4096 allocation_type=4096 (MEM_COMMIT) protection=64 (PAGE_EXECUTE_READWRITE) stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=1  status=1 return=0 repeated=0
NtAllocateVirtualMemory process_identifier=1952 process_handle=0xffffffff base_address=0x0052d000 region_size=4096 allocation_type=4096 (MEM_COMMIT) protection=64 (PAGE_EXECUTE_READWRITE) stack_dep_bypass=0 stack_pivoted=0 heap_dep_bypass=1  status=1 return=0 repeated=0
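As an added example (not part of the sandbox report and not Cuckoo's own signature code), the following Python reduces the 13 raw events above to what an analyst actually wants to know: how many events are genuinely write+execute once the protection value is decoded, how many bytes were merely reserved versus actually committed, how many distinct regions the repeated NtProtectVirtualMemory calls really touch, and which commits fall inside an earlier reservation. The EVENTS list is constructed from the values printed in the report; the dict keys follow Cuckoo's behavior-report field names, and the helper names are this example's own.

```python
"""Triage Cuckoo memory-API events for write+execute allocations (added example)."""
from collections import Counter

# Windows memory-protection constants (winnt.h). The access class lives in the
# low byte; PAGE_GUARD (0x100), PAGE_NOCACHE (0x200) and PAGE_WRITECOMBINE
# (0x400) are modifiers OR'd into the high bits and must be masked off.
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
WRITE_AND_EXECUTE = (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY)
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE = 4096


def _ev(api, base, size, protection=PAGE_EXECUTE_READWRITE, alloc_type=None):
    """Build one event dict in the shape Cuckoo's behavior report uses."""
    ev = {"api": api, "process_identifier": 1952, "protection": protection,
          "base_address": base, "process_handle": 0xFFFFFFFF}
    if api == "NtAllocateVirtualMemory":
        ev["region_size"], ev["allocation_type"] = size, alloc_type
    else:
        ev["length"] = size
    return ev


# Constructed from the 13 events in the report above (same order).
EVENTS = [
    _ev("NtProtectVirtualMemory", 0x72FA2000, PAGE),
    _ev("NtProtectVirtualMemory", 0x72FA2000, PAGE),
    _ev("NtProtectVirtualMemory", 0x72FA2000, PAGE),
    _ev("NtAllocateVirtualMemory", 0x009A0000, 1310720, alloc_type=MEM_RESERVE),
    _ev("NtAllocateVirtualMemory", 0x00AA0000, PAGE, alloc_type=MEM_COMMIT),
    _ev("NtAllocateVirtualMemory", 0x00523000, PAGE, alloc_type=MEM_COMMIT),
    _ev("NtAllocateVirtualMemory", 0x00555000, PAGE, alloc_type=MEM_COMMIT),
    _ev("NtAllocateVirtualMemory", 0x0055B000, PAGE, alloc_type=MEM_COMMIT),
    _ev("NtAllocateVirtualMemory", 0x00557000, PAGE, alloc_type=MEM_COMMIT),
    _ev("NtAllocateVirtualMemory", 0x00610000, PAGE, alloc_type=MEM_COMMIT),
    _ev("NtAllocateVirtualMemory", 0x04400000, 1638400, alloc_type=MEM_RESERVE),
    _ev("NtAllocateVirtualMemory", 0x04550000, PAGE, alloc_type=MEM_COMMIT),
    _ev("NtAllocateVirtualMemory", 0x0052D000, PAGE, alloc_type=MEM_COMMIT),
]


def is_write_execute(protection):
    """True when the access class allows both writing and executing."""
    return (protection & 0xFF) in WRITE_AND_EXECUTE


def region_size(ev):
    return ev.get("region_size", ev.get("length", 0))


def summarize_rwx(events):
    """Collapse the raw event list into counts an analyst can reason about."""
    rwx = [e for e in events if is_write_execute(e["protection"])]
    reserves = [e for e in rwx if e.get("allocation_type", 0) & MEM_RESERVE]
    commits = [e for e in rwx if e.get("allocation_type", 0) & MEM_COMMIT]
    protects = [e for e in rwx if e["api"] == "NtProtectVirtualMemory"]
    # Repeated NtProtect calls on the same range are one region, not three.
    distinct = {(e["base_address"], region_size(e)) for e in protects}
    return {
        "rwx_events": len(rwx),
        "per_api": Counter(e["api"] for e in rwx),
        "reserve_bytes": sum(region_size(e) for e in reserves),
        "commit_bytes": sum(region_size(e) for e in commits),
        "distinct_protect_regions": sorted(distinct),
    }


def commits_inside_reservations(events):
    """Map each RWX commit base to the earlier RWX reservation containing it.

    A large MEM_RESERVE followed by page-sized MEM_COMMITs inside it is an
    allocator growing its heap; commits with no enclosing reservation in the
    trace were reserved before hooking began (or by another API) and are the
    ones worth a closer look.
    """
    reserved, result = [], {}
    for e in events:
        if e["api"] != "NtAllocateVirtualMemory" or not is_write_execute(e["protection"]):
            continue
        base, size = e["base_address"], region_size(e)
        if e["allocation_type"] & MEM_RESERVE:
            reserved.append((base, base + size))
        if e["allocation_type"] & MEM_COMMIT:
            result[base] = next((lo for lo, hi in reserved if lo <= base < hi), None)
    return result


if __name__ == "__main__":
    s = summarize_rwx(EVENTS)
    print(f"RWX events: {s['rwx_events']}  per API: {dict(s['per_api'])}")
    print(f"reserved: {s['reserve_bytes']} bytes, committed: {s['commit_bytes']} bytes")
    print("distinct NtProtect regions:", [hex(b) for b, _ in s["distinct_protect_regions"]])
    for base, res in sorted(commits_inside_reservations(EVENTS).items()):
        print(f"commit {base:#010x} -> " + (f"reservation {res:#010x}" if res else "no reservation seen"))
```

Against the report's events this yields 13 RWX events, 2,949,120 bytes reserved but only 32,768 bytes (8 pages) committed, a single NtProtectVirtualMemory region, and two of the eight commits attributable to an in-trace reservation. To run it on a real Cuckoo report, feed it the `calls` entries of `behavior.processes[*]` after copying `arguments` up into each dict.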
Checks if process is being debugged by a debugger (2 events)
Time & API Arguments Status Return Repeated

IsDebuggerPresent  (no arguments)  0 0
IsDebuggerPresent  (no arguments)  0 0
This executable has a PDB path (1 event)
pdb_path c:\Users\Administrator\AppData\Local\Temp\otkuihel.pdb
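The PDB path above comes from the CodeView (RSDS) record that the PE's debug directory points at, and the "Mono/.Net assembly" file type comes from a non-empty CLR runtime header directory. As an added example, not code from the report or from Cuckoo, here is a standard-library-only parser for both, plus a builder for a synthetic PE32 carrying the report's PDB path so the parser can be exercised offline. The synthetic image is not the analysed sample (its GUID is zeroed and its CLR header is a placeholder); the function names are this example's own.

```python
"""Extract the CodeView PDB path and the CLR marker from a PE file (added example)."""
import struct

IMAGE_DIRECTORY_ENTRY_DEBUG = 6
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # CLR runtime header: non-empty => managed image
IMAGE_DEBUG_TYPE_CODEVIEW = 2


def _rva_to_offset(sections, rva):
    """Translate an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def parse_pe(data):
    """Return the PDB path (or None), whether the image is .NET, and the machine type."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    # Data directories begin 96 bytes into a PE32 optional header, 112 for PE32+.
    dirs = opt + (96 if magic == 0x10B else 112)
    sections = []
    for i in range(nsections):
        _, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((va, vsize, raw_ptr, raw_size))
    clr_rva, clr_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    dbg_rva, dbg_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG)
    pdb_path = None
    if dbg_rva and dbg_size:
        off = _rva_to_offset(sections, dbg_rva)
        for n in range(dbg_size // 28):   # one IMAGE_DEBUG_DIRECTORY entry is 28 bytes
            _, _, _, _, dtype, size, _, raw = struct.unpack_from("<IIHHIIII", data, off + 28 * n)
            if dtype == IMAGE_DEBUG_TYPE_CODEVIEW and data[raw:raw + 4] == b"RSDS":
                # RSDS layout: signature(4) GUID(16) age(4) NUL-terminated path
                pdb_path = data[raw + 24:raw + size].split(b"\0", 1)[0].decode("utf-8", "replace")
    return {"pdb_path": pdb_path, "is_dotnet": bool(clr_rva and clr_size), "machine": machine}


def build_sample_pe(pdb_path, dotnet=True):
    """Build a minimal PE32 with one .rdata section holding the debug data (synthetic input)."""
    file_align, sect_align, sect_rva, sect_off = 0x200, 0x1000, 0x2000, 0x200
    rsds = b"RSDS" + b"\0" * 16 + struct.pack("<I", 1) + pdb_path.encode() + b"\0"   # zero GUID, age 1
    body = struct.pack("<IIHHIIII", 0, 0, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW, len(rsds),
                       sect_rva + 28, sect_off + 28) + rsds
    clr_rva = clr_size = 0
    if dotnet:
        # Placeholder IMAGE_COR20_HEADER; its presence in directory 14 is what marks a managed image.
        clr_rva, clr_size = sect_rva + len(body), 72
        body += struct.pack("<IHH", 72, 2, 5) + b"\0" * 64
    body = body.ljust(file_align, b"\0")
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_DEBUG] = (sect_rva, 28)
    dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] = (clr_rva, clr_size)
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 0, 0, len(body), 0, 0, sect_rva, sect_rva)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, sect_align, file_align, 6, 0, 0, 0, 6, 0,
                       0, sect_rva + sect_align, file_align, 0, 2, 0x8540, 0x100000, 0x1000,
                       0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102)   # i386, 1 section, DLL
    section = struct.pack("<8sIIIIIIHHI", b".rdata", len(body), sect_rva, len(body), sect_off,
                          0, 0, 0, 0, 0x40000040)
    headers = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + section
    return headers.ljust(sect_off, b"\0") + body


if __name__ == "__main__":
    sample = build_sample_pe(r"c:\Users\Administrator\AppData\Local\Temp\otkuihel.pdb")
    print(parse_pe(sample))
```

On a real file call `parse_pe(open(path, "rb").read())`. The path is attacker-controlled data: a PDB path is useful for clustering builds from the same developer environment (the `Administrator` user and a `%TEMP%` build directory here are consistent with on-the-fly compilation), but it is trivially forged, so treat it as a pivot, not as proof of origin.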
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx  (no arguments)  status=1 return=1 repeated=0
File has been identified by 12 AntiVirus engines on IRMA as malicious (12 events)
G Data Antivirus (Windows) Virus: IL:Trojan.MSILZilla.8805 (Engine A)
Avast Core Security (Linux) Win32:HacktoolX-gen [Trj]
F-Secure Antivirus (Linux) Trojan.TR/Dropper.MSIL.Gen [Aquarius]
Windows Defender (Windows) Trojan:MSIL/AgentTesla.VN!MTB
Sophos Anti-Virus (Linux) Troj/Reflekt-J
eScan Antivirus (Linux) IL:Trojan.MSILZilla.8805(DB)
ESET Security (Windows) a variant of MSIL/Kryptik.NLA trojan
McAfee CLI scanner (Linux) Packed-FIA
DrWeb Antivirus (Linux) Trojan.PackedNET.11
Bitdefender Antivirus (Linux) IL:Trojan.MSILZilla.8805
Kaspersky Standard (Windows) HEUR:Trojan.Win32.Generic
Emsisoft Commandline Scanner (Windows) IL:Trojan.MSILZilla.8805 (B)
Screenshots

Network: domains (Name / Response / Post-Analysis Lookup)
No hosts contacted.

Network: hosts (IP Address / Status / Action / VT / Location)
No hosts contacted.