Overview
overview
7Static
static
6eleonorev1...432.js
windows7-x64
3eleonorev1...432.js
windows10-2004-x64
3eleonorev1...34.jar
windows7-x64
1eleonorev1...34.jar
windows10-2004-x64
7Bol Downloader.dll
windows7-x64
1Bol Downloader.dll
windows10-2004-x64
1eleonorev1...ypt.js
windows7-x64
3eleonorev1...ypt.js
windows10-2004-x64
3eleonorev1...exp.js
windows7-x64
3eleonorev1...exp.js
windows10-2004-x64
3eleonorev1...oip.js
windows7-x64
3eleonorev1...oip.js
windows10-2004-x64
3eleonorev1...l.html
windows7-x64
1eleonorev1...l.html
windows10-2004-x64
1eleonorev1...df.pdf
windows7-x64
1eleonorev1...df.pdf
windows10-2004-x64
1eleonorev1...oc.vbs
windows7-x64
1eleonorev1...oc.vbs
windows10-2004-x64
1eleonorev1...tat.js
windows7-x64
3eleonorev1...tat.js
windows10-2004-x64
3eleonorev1...per.js
windows7-x64
3eleonorev1...per.js
windows10-2004-x64
3eleonorev1...4/x.js
windows7-x64
3eleonorev1...4/x.js
windows10-2004-x64
3eleonorev1...bb.jar
windows7-x64
1eleonorev1...bb.jar
windows10-2004-x64
7eleonorev1...432.js
windows7-x64
3eleonorev1...432.js
windows10-2004-x64
3eleonorev1...9d.jar
windows7-x64
1eleonorev1...9d.jar
windows10-2004-x64
7eleonorev1...ypt.js
windows7-x64
3eleonorev1...ypt.js
windows10-2004-x64
3Analysis
-
max time kernel
136s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
19-05-2024 05:20
Behavioral task
behavioral1
Sample
eleonorev1.4.4 mod/el144/432.js
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral2
Sample
eleonorev1.4.4 mod/el144/432.js
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
eleonorev1.4.4 mod/el144/5734.jar
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral4
Sample
eleonorev1.4.4 mod/el144/5734.jar
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
Bol Downloader.dll
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral6
Sample
Bol Downloader.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
eleonorev1.4.4 mod/el144/crypt.js
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral8
Sample
eleonorev1.4.4 mod/el144/crypt.js
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
eleonorev1.4.4 mod/el144/exp.js
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral10
Sample
eleonorev1.4.4 mod/el144/exp.js
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
eleonorev1.4.4 mod/el144/geoip.js
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral12
Sample
eleonorev1.4.4 mod/el144/geoip.js
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
eleonorev1.4.4 mod/el144/install.html
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral14
Sample
eleonorev1.4.4 mod/el144/install.html
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
eleonorev1.4.4 mod/el144/nem2378pdf.pdf
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral16
Sample
eleonorev1.4.4 mod/el144/nem2378pdf.pdf
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
eleonorev1.4.4 mod/el144/soc.vbs
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral18
Sample
eleonorev1.4.4 mod/el144/soc.vbs
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
eleonorev1.4.4 mod/el144/stat.js
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral20
Sample
eleonorev1.4.4 mod/el144/stat.js
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
eleonorev1.4.4 mod/el144/up/src/chrome/content/dlhelper.js
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral22
Sample
eleonorev1.4.4 mod/el144/up/src/chrome/content/dlhelper.js
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
eleonorev1.4.4 mod/el144/x.js
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral24
Sample
eleonorev1.4.4 mod/el144/x.js
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
eleonorev1.4.4 mod/fudfiles/1ebb.jar
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral26
Sample
eleonorev1.4.4 mod/fudfiles/1ebb.jar
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
eleonorev1.4.4 mod/fudfiles/432.js
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral28
Sample
eleonorev1.4.4 mod/fudfiles/432.js
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
eleonorev1.4.4 mod/fudfiles/8c9d.jar
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral30
Sample
eleonorev1.4.4 mod/fudfiles/8c9d.jar
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
eleonorev1.4.4 mod/fudfiles/crypt.js
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral32
Sample
eleonorev1.4.4 mod/fudfiles/crypt.js
Resource
win10v2004-20240508-en
windows10-2004-x64
General
-
Target
Bol Downloader.dll
-
Size
278KB
-
MD5
77927f4395506eebbf18169671fc4938
-
SHA1
5a3ab2e0721fd8222001acf5fbc82a7ed5cb4052
-
SHA256
e8c698557eb9dd0ba618055f6ba4915627679e8ac5eb4b7eda63f9abbe1f1ff7
-
SHA512
21bc9a8f9951ed4206cbe79ad3567f6c151bc016a23c37e29f9f258e6a2994843330a2195891be03086d5cd6ec73ddeda37b89e1cea35c2d2eb09f1f12658011
-
SSDEEP
3072:mHtqGCbviHRz6Layf5XO9+Snr+FChcAdbms2K6vEroAUN79IZp9TsRJyo1EdK+Nz:IqJbiRz6/hXq3HhcG7tg9IZeeK+N
Malware Config
Signatures
-
Modifies registry class 64 IoCs
Processes:
regsvr32.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60251D1C-0662-4E14-80E6-C5A4BAD780EE}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60251D1C-0662-4E14-80E6-C5A4BAD780EE}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60251D1C-0662-4E14-80E6-C5A4BAD780EE} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BADA82CB-BF48-4D76-9611-78E2C6F49F03}\Control\ regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{750FB985-9AFF-461A-A22C-BA38154C4DB9} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B943F48-BE8E-41A8-9FC3-CB89A5DDAF64}\1.0\0\win32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{750FB985-9AFF-461A-A22C-BA38154C4DB9}\ = "_DBolDownloader" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{750FB985-9AFF-461A-A22C-BA38154C4DB9}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60251D1C-0662-4E14-80E6-C5A4BAD780EE}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BOLDOWNLOADER.BolDownloaderCtrl.1 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BADA82CB-BF48-4D76-9611-78E2C6F49F03}\ProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B943F48-BE8E-41A8-9FC3-CB89A5DDAF64}\1.0\FLAGS\ = "2" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{750FB985-9AFF-461A-A22C-BA38154C4DB9}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{750FB985-9AFF-461A-A22C-BA38154C4DB9}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60251D1C-0662-4E14-80E6-C5A4BAD780EE}\ = "_DBolDownloaderEvents" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E927AAE5-BF32-4E8A-A8A4-9F7BA80B53B4}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BOLDOWNLOADER.BolDownloaderCtrl.1\CLSID\ = "{BADA82CB-BF48-4D76-9611-78E2C6F49F03}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BADA82CB-BF48-4D76-9611-78E2C6F49F03}\MiscStatus\ = "0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BADA82CB-BF48-4D76-9611-78E2C6F49F03}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B943F48-BE8E-41A8-9FC3-CB89A5DDAF64} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BADA82CB-BF48-4D76-9611-78E2C6F49F03}\Version regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BADA82CB-BF48-4D76-9611-78E2C6F49F03}\MiscStatus regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BADA82CB-BF48-4D76-9611-78E2C6F49F03}\MiscStatus\1 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BADA82CB-BF48-4D76-9611-78E2C6F49F03}\TypeLib\ = "{9B943F48-BE8E-41A8-9FC3-CB89A5DDAF64}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BADA82CB-BF48-4D76-9611-78E2C6F49F03}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{750FB985-9AFF-461A-A22C-BA38154C4DB9}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60251D1C-0662-4E14-80E6-C5A4BAD780EE}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E927AAE5-BF32-4E8A-A8A4-9F7BA80B53B4} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E927AAE5-BF32-4E8A-A8A4-9F7BA80B53B4}\ = "BolDownloader Property Page" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BADA82CB-BF48-4D76-9611-78E2C6F49F03}\Control regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B943F48-BE8E-41A8-9FC3-CB89A5DDAF64}\1.0 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B943F48-BE8E-41A8-9FC3-CB89A5DDAF64}\1.0\0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B943F48-BE8E-41A8-9FC3-CB89A5DDAF64}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bol Downloader.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60251D1C-0662-4E14-80E6-C5A4BAD780EE}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60251D1C-0662-4E14-80E6-C5A4BAD780EE}\TypeLib\ = "{9B943F48-BE8E-41A8-9FC3-CB89A5DDAF64}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B943F48-BE8E-41A8-9FC3-CB89A5DDAF64}\1.0\ = "Bol Downloader ActiveX Control module" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BADA82CB-BF48-4D76-9611-78E2C6F49F03}\ = "BolDownloader Control" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BADA82CB-BF48-4D76-9611-78E2C6F49F03}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BOLDOW~1.DLL" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60251D1C-0662-4E14-80E6-C5A4BAD780EE}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60251D1C-0662-4E14-80E6-C5A4BAD780EE}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BOLDOWNLOADER.BolDownloaderCtrl.1\ = "BolDownloader Control" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B943F48-BE8E-41A8-9FC3-CB89A5DDAF64}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BOLDOWNLOADER.BolDownloaderCtrl.1\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BADA82CB-BF48-4D76-9611-78E2C6F49F03}\ToolboxBitmap32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BADA82CB-BF48-4D76-9611-78E2C6F49F03}\Version\ = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{750FB985-9AFF-461A-A22C-BA38154C4DB9}\TypeLib\ = "{9B943F48-BE8E-41A8-9FC3-CB89A5DDAF64}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60251D1C-0662-4E14-80E6-C5A4BAD780EE}\ = "_DBolDownloaderEvents" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{750FB985-9AFF-461A-A22C-BA38154C4DB9}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{750FB985-9AFF-461A-A22C-BA38154C4DB9}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{750FB985-9AFF-461A-A22C-BA38154C4DB9} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{750FB985-9AFF-461A-A22C-BA38154C4DB9}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60251D1C-0662-4E14-80E6-C5A4BAD780EE}\TypeLib\ = "{9B943F48-BE8E-41A8-9FC3-CB89A5DDAF64}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BADA82CB-BF48-4D76-9611-78E2C6F49F03}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BOLDOW~1.DLL, 1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{750FB985-9AFF-461A-A22C-BA38154C4DB9}\ = "_DBolDownloader" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BADA82CB-BF48-4D76-9611-78E2C6F49F03}\MiscStatus\1\ = "131473" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BADA82CB-BF48-4D76-9611-78E2C6F49F03}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BADA82CB-BF48-4D76-9611-78E2C6F49F03}\ProgID\ = "BOLDOWNLOADER.BolDownloaderCtrl.1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{750FB985-9AFF-461A-A22C-BA38154C4DB9}\TypeLib\ = "{9B943F48-BE8E-41A8-9FC3-CB89A5DDAF64}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60251D1C-0662-4E14-80E6-C5A4BAD780EE}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B943F48-BE8E-41A8-9FC3-CB89A5DDAF64}\1.0\HELPDIR regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{750FB985-9AFF-461A-A22C-BA38154C4DB9}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60251D1C-0662-4E14-80E6-C5A4BAD780EE} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E927AAE5-BF32-4E8A-A8A4-9F7BA80B53B4}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BOLDOW~1.DLL" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BADA82CB-BF48-4D76-9611-78E2C6F49F03} regsvr32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
regsvr32.exedescription pid process target process PID 4388 wrote to memory of 4976 4388 regsvr32.exe regsvr32.exe PID 4388 wrote to memory of 4976 4388 regsvr32.exe regsvr32.exe PID 4388 wrote to memory of 4976 4388 regsvr32.exe regsvr32.exe