Loading ...

Play interactive tourEdit tour

Analysis Report 0n1ine.exe

Overview

General Information

Sample Name:0n1ine.exe
MD5:465cdd72a0a222bbcb78b8ce2ac40e8c
SHA1:77f5c6c5bb49766e40c4a664ba02f3d53e3d3847
SHA256:8084eba429ab269f4befa8bc9ef42efbd0122b3f10765eb28ef8aaa7c67fb065

Most interesting Screenshot:

Detection

Ursnif
Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Yara detected Ursnif
Creates a COM Internet Explorer object
Machine Learning detection for sample
Writes or reads registry keys via WMI
Writes registry values via WMI
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
PE file contains sections with non-standard names
PE file contains strange resources
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • 0n1ine.exe (PID: 4880 cmdline: 'C:\Users\user\Desktop\0n1ine.exe' MD5: 465CDD72A0A222BBCB78B8CE2AC40E8C)
  • iexplore.exe (PID: 620 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 1136 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:620 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 3568 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 3048 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3568 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 2292 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 2532 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2292 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 2412 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 3392 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2412 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000003.839126988.0000000001828000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
    00000000.00000003.838785108.0000000001828000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
      00000000.00000003.838939625.0000000001828000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
        00000000.00000003.839107262.0000000001828000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
          00000000.00000003.838872737.0000000001828000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
            Click to see the 4 entries

            Sigma Overview

            No Sigma rule has matched

            Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Machine Learning detection for sampleShow sources
            Source: 0n1ine.exeJoe Sandbox ML: detected
            Source: 0.2.0n1ine.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen

            Networking:

            barindex
            Creates a COM Internet Explorer objectShow sources
            Source: C:\Users\user\Desktop\0n1ine.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}Jump to behavior
            Source: C:\Users\user\Desktop\0n1ine.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAsJump to behavior
            Source: C:\Users\user\Desktop\0n1ine.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32Jump to behavior
            Source: C:\Users\user\Desktop\0n1ine.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32Jump to behavior
            Source: C:\Users\user\Desktop\0n1ine.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandlerJump to behavior
            Source: global trafficHTTP traffic detected: GET /images/_2Fee3DKW/_2BWPx6O_2FW95d2jR_2/BzIR_2FlfQQzn6WOKdV/RzcJINPEpakMGTUoKC3W0X/gcLt_2F1Trqer/CRJdnx2a/R4_2FYP6KMs_2FHDYJxIIbC/E1W0obe2iN/oX5y1CKOfRtMdCqwa/orvnHa56_2Fn/2Gc1SVVFG/K_2Bamf_/2B.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: line.beibiandmom.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /images/_2Fee3DKW/_2BWPx6O_2FW95d2jR_2/BzIR_2FlfQQzn6WOKdV/RzcJINPEpakMGTUoKC3W0X/gcLt_2F1Trqer/CRJdnx2a/R4_2FYP6KMs_2FHDYJxIIbC/E1W0obe2iN/oX5y1CKOfRtMdCqwa/orvnHa56_2Fn/2Gc1SVVFG/K_2Bamf_/2B.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: line.beibiandmom.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /images/_2Fee3DKW/_2BWPx6O_2FW95d2jR_2/BzIR_2FlfQQzn6WOKdV/RzcJINPEpakMGTUoKC3W0X/gcLt_2F1Trqer/CRJdnx2a/R4_2FYP6KMs_2FHDYJxIIbC/E1W0obe2iN/oX5y1CKOfRtMdCqwa/orvnHa56_2Fn/2Gc1SVVFG/K_2Bamf_/2B.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: line.beibiandmom.comConnection: Keep-Alive
            Source: msapplication.xml0.4.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x3629b367,0x01d63450</date><accdate>0x3629b367,0x01d63450</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
            Source: msapplication.xml0.4.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x3629b367,0x01d63450</date><accdate>0x3629b367,0x01d63450</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
            Source: msapplication.xml5.4.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x36314dc0,0x01d63450</date><accdate>0x36314dc0,0x01d63450</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
            Source: msapplication.xml5.4.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x36314dc0,0x01d63450</date><accdate>0x36314dc0,0x01d63450</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
            Source: msapplication.xml7.4.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x36340ebf,0x01d63450</date><accdate>0x36340ebf,0x01d63450</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
            Source: msapplication.xml7.4.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x36340ebf,0x01d63450</date><accdate>0x36340ebf,0x01d63450</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
            Source: unknownDNS traffic detected: queries for: mcc.avast.com
            Source: 0n1ine.exe, 00000000.00000003.1144390533.0000000000BE0000.00000004.00000001.sdmpString found in binary or memory: http://line.beibiandmom.com
            Source: ~DFC0CAC37C73C08CC5.TMP.10.dr, {87BB896C-A043-11EA-AADD-C25F135D3C65}.dat.10.drString found in binary or memory: http://line.beibiandmom.com/images/_2Fee3DKW/_2BWPx6O_2FW95d2jR_2/BzIR_2FlfQQzn6WOKdV/RzcJINPEpakMGT
            Source: 0n1ine.exe, 00000000.00000002.1200744985.0000000000BBD000.00000004.00000001.sdmpString found in binary or memory: http://mcc.avast.com
            Source: ~DF726341471B2EE326.TMP.7.dr, {7A574CFF-A043-11EA-AADD-C25F135D3C65}.dat.7.drString found in binary or memory: http://mcc.avast.com/images/7i6v9q4AVMsW_2Ffu0bWy/giWC_2BC33KChbDj/CT8UEhW_2FKFV63/YlCs1Pb9gu6J8NV_2
            Source: {96760D9A-A043-11EA-AADD-C25F135D3C65}.dat.12.drString found in binary or memory: http://mcc.avast.com/images/PUDIpA1H/Lnaj2mNj4LJzgNvMHZJpU5Y/rWcoSZpw03/9SEMyjk1VELflQ6mT/J4G7dV_2Bg
            Source: ~DF95167FD9C14F5F18.TMP.4.dr, {6006DB92-A043-11EA-AADD-C25F135D3C65}.dat.4.drString found in binary or memory: http://mcc.avast.com/images/pc5QhKlD/l6U_2BSKwZ_2B7zZKVPWVhI/j1IRqUNOKl/0C8c9wwBkX9zSa_2B/aZGGD7hJtU
            Source: msapplication.xml.4.drString found in binary or memory: http://www.amazon.com/
            Source: msapplication.xml1.4.drString found in binary or memory: http://www.google.com/
            Source: msapplication.xml2.4.drString found in binary or memory: http://www.live.com/
            Source: msapplication.xml3.4.drString found in binary or memory: http://www.nytimes.com/
            Source: msapplication.xml4.4.drString found in binary or memory: http://www.reddit.com/
            Source: msapplication.xml5.4.drString found in binary or memory: http://www.twitter.com/
            Source: msapplication.xml6.4.drString found in binary or memory: http://www.wikipedia.com/
            Source: msapplication.xml7.4.drString found in binary or memory: http://www.youtube.com/

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000000.00000003.839126988.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.838785108.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.838939625.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.839107262.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.838872737.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.839084118.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.838986069.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.839052085.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: 0n1ine.exe PID: 4880, type: MEMORY
            Source: 0n1ine.exe, 00000000.00000002.1200696433.0000000000BA0000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

            E-Banking Fraud:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000000.00000003.839126988.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.838785108.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.838939625.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.839107262.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.838872737.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.839084118.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.838986069.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.839052085.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: 0n1ine.exe PID: 4880, type: MEMORY

            System Summary:

            barindex
            Writes or reads registry keys via WMIShow sources
            Source: C:\Users\user\Desktop\0n1ine.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
            Source: C:\Users\user\Desktop\0n1ine.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Users\user\Desktop\0n1ine.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Users\user\Desktop\0n1ine.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Writes registry values via WMIShow sources
            Source: C:\Users\user\Desktop\0n1ine.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Users\user\Desktop\0n1ine.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Users\user\Desktop\0n1ine.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Users\user\Desktop\0n1ine.exeCode function: 0_2_0040150E GetProcAddress,NtCreateSection,LdrInitializeThunk,memset,0_2_0040150E
            Source: C:\Users\user\Desktop\0n1ine.exeCode function: 0_2_004020BF LdrInitializeThunk,NtMapViewOfSection,0_2_004020BF
            Source: C:\Users\user\Desktop\0n1ine.exeCode function: 0_2_0041BCA00_2_0041BCA0
            Source: C:\Users\user\Desktop\0n1ine.exeCode function: 0_2_00419D120_2_00419D12
            Source: C:\Users\user\Desktop\0n1ine.exeCode function: 0_2_0041A2630_2_0041A263
            Source: C:\Users\user\Desktop\0n1ine.exeCode function: 0_2_0041B67A0_2_0041B67A
            Source: C:\Users\user\Desktop\0n1ine.exeCode function: 0_2_004197C10_2_004197C1
            Source: C:\Users\user\Desktop\0n1ine.exeCode function: 0_2_004177EE0_2_004177EE
            Source: 0n1ine.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 0n1ine.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: 0n1ine.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: classification engineClassification label: mal80.bank.troj.evad.winEXE@13/49@10/1
            Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\HighJump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Temp\~DFFA3665E1CF2ACC87.TMPJump to behavior
            Source: 0n1ine.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\0n1ine.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\0n1ine.exe 'C:\Users\user\Desktop\0n1ine.exe'
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:620 CREDAT:17410 /prefetch:2
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3568 CREDAT:17410 /prefetch:2
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2292 CREDAT:17410 /prefetch:2
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2412 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:620 CREDAT:17410 /prefetch:2Jump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3568 CREDAT:17410 /prefetch:2Jump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2292 CREDAT:17410 /prefetch:2Jump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2412 CREDAT:17410 /prefetch:2Jump to behavior
            Source: C:\Users\user\Desktop\0n1ine.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\0n1ine.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior
            Source: 0n1ine.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: oco.pdb source: 0n1ine.exe
            Source: Binary string: C:\bojesowesizesu_dadusunacuge_kafojifozupatavejaka72-g.pdb source: 0n1ine.exe
            Source: Binary string: IC:\bojesowesizesu_dadusunacuge_kafojifozupatavejaka72-g.pdboco.pdb source: 0n1ine.exe

            Data Obfuscation:

            barindex
            Detected unpacking (changes PE section rights)Show sources
            Source: C:\Users\user\Desktop\0n1ine.exeUnpacked PE file: 0.2.0n1ine.exe.400000.0.unpack .text:ER;.data:W;.dasaro:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
            Detected unpacking (overwrites its own PE header)Show sources
            Source: C:\Users\user\Desktop\0n1ine.exeUnpacked PE file: 0.2.0n1ine.exe.400000.0.unpack
            Source: 0n1ine.exeStatic PE information: section name: .dasaro
            Source: C:\Users\user\Desktop\0n1ine.exeCode function: 0_2_004119F5 push ecx; ret 0_2_00411A08
            Source: C:\Users\user\Desktop\0n1ine.exeCode function: 0_2_0041C270 push eax; retn 0041h0_2_0041C271
            Source: C:\Users\user\Desktop\0n1ine.exeCode function: 0_2_00BBC466 push C0431117h; ret 0_2_00BBC46B
            Source: C:\Users\user\Desktop\0n1ine.exeCode function: 0_2_00BB33B1 push es; ret 0_2_00BB33D0
            Source: C:\Users\user\Desktop\0n1ine.exeCode function: 0_2_00BB138B push eax; iretd 0_2_00BB1391
            Source: initial sampleStatic PE information: section name: .text entropy: 7.41890950295

            Hooking and other Techniques for Hiding and Protection:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000000.00000003.839126988.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.838785108.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.838939625.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.839107262.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.838872737.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.839084118.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.838986069.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.839052085.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: 0n1ine.exe PID: 4880, type: MEMORY
            Source: C:\Users\user\Desktop\0n1ine.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\0n1ine.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Source: C:\Users\user\Desktop\0n1ine.exeAPI call chain: ExitProcess graph end nodegraph_0-6504

            Source: C:\Users\user\Desktop\0n1ine.exeCode function: 0_2_00401E55 LoadLibraryA,lstrlenA,memset,LdrInitializeThunk,LdrInitializeThunk,GetProcAddress,lstrlenA,memset,0_2_00401E55
            Source: C:\Users\user\Desktop\0n1ine.exeCode function: 0_2_00BB1F3B push dword ptr fs:[00000030h]0_2_00BB1F3B
            Source: C:\Users\user\Desktop\0n1ine.exeCode function: 0_2_004011AA InitializeCriticalSection,TlsAlloc,RtlAddVectoredExceptionHandler,GetLastError,0_2_004011AA
            Source: C:\Users\user\Desktop\0n1ine.exeCode function: 0_2_0041080B SetUnhandledExceptionFilter,0_2_0041080B

            Source: 0n1ine.exe, 00000000.00000002.1201125600.0000000001BD0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
            Source: 0n1ine.exe, 00000000.00000002.1201125600.0000000001BD0000.00000002.00000001.sdmpBinary or memory string: Progman
            Source: 0n1ine.exe, 00000000.00000002.1201125600.0000000001BD0000.00000002.00000001.sdmpBinary or memory string: hProgram ManagerWE
            Source: 0n1ine.exe, 00000000.00000002.1201125600.0000000001BD0000.00000002.00000001.sdmpBinary or memory string: Progmanlock

            Source: C:\Users\user\Desktop\0n1ine.exeCode function: 0_2_004010D8 LdrInitializeThunk,GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,LdrInitializeThunk,LdrInitializeThunk,MapViewOfFile,GetLastError,CloseHandle,GetLastError,0_2_004010D8
            Source: C:\Users\user\Desktop\0n1ine.exeCode function: 0_2_00401210 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,0_2_00401210

            Stealing of Sensitive Information:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000000.00000003.839126988.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.838785108.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.838939625.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.839107262.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.838872737.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.839084118.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.838986069.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.839052085.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: 0n1ine.exe PID: 4880, type: MEMORY

            Remote Access Functionality:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000000.00000003.839126988.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.838785108.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.838939625.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.839107262.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.838872737.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.839084118.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.838986069.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.839052085.0000000001828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: 0n1ine.exe PID: 4880, type: MEMORY

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            Valid AccountsWindows Management Instrumentation2Winlogon Helper DLLProcess Injection2Masquerading1Input Capture1System Time Discovery1Remote File Copy1Input Capture1Data Encrypted1Standard Cryptographic Protocol1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Replication Through Removable MediaGraphical User Interface1Port MonitorsAccessibility FeaturesSoftware Packing23Network SniffingProcess Discovery1Remote ServicesData from Removable MediaExfiltration Over Other Network MediumRemote File Copy1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            External Remote ServicesWindows Management InstrumentationAccessibility FeaturesPath InterceptionProcess Injection2Input CaptureFile and Directory Discovery1Windows Remote ManagementData from Network Shared DriveAutomated ExfiltrationStandard Non-Application Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Drive-by CompromiseScheduled TaskSystem FirmwareDLL Search Order HijackingObfuscated Files or Information2Credentials in FilesSystem Information Discovery3Logon ScriptsInput CaptureData EncryptedStandard Application Layer Protocol2SIM Card SwapPremium SMS Toll Fraud

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            behaviorgraph top1 signatures2 2 Behavior Graph ID: 233345 Sample: 0n1ine.exe Startdate: 27/05/2020 Architecture: WINDOWS Score: 80 32 Yara detected  Ursnif 2->32 34 Machine Learning detection for sample 2->34 6 0n1ine.exe 2->6         started        9 iexplore.exe 2 83 2->9         started        11 iexplore.exe 1 50 2->11         started        13 2 other processes 2->13 process3 signatures4 36 Detected unpacking (changes PE section rights) 6->36 38 Detected unpacking (overwrites its own PE header) 6->38 40 Writes or reads registry keys via WMI 6->40 42 2 other signatures 6->42 15 iexplore.exe 36 9->15         started        18 iexplore.exe 31 11->18         started        20 iexplore.exe 31 13->20         started        22 iexplore.exe 31 13->22         started        process5 dnsIp6 24 mcc.avast.com 15->24 26 line.beibiandmom.com 45.143.137.184, 49748, 49749, 49750 unknown Russian Federation