Analysis Report OgQJzDbLce.dll

Overview

General Information

Sample Name: OgQJzDbLce.dll
Analysis ID: 338189
MD5: 5268c190b3a6940bc7c8f0361f3a187f
SHA1: 56b1b5066f88e07f494e5e97f9a8b791cc9d7bd2
SHA256: 8e34c697b603788b9baeecfb375c466cb8468a322d6ae9b81fc41fb61472c3da
Tags: dll, Gozi


Detection

Ursnif
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Ursnif
Creates a COM Internet Explorer object
Writes or reads registry keys via WMI
Writes registry values via WMI
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: OgQJzDbLce.dll Virustotal: Detection: 21%
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.loaddll32.exe.10000000.3.unpack Avira: Label: TR/Crypt.XPACK.Gen8

Compliance:

Uses 32bit PE files
Source: OgQJzDbLce.dll Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Networking:

Creates a COM Internet Explorer object
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: global traffic HTTP traffic detected:
  GET /images/HRdOnZXQubvEpiF/dnOBFJ5ijbSGwRmyqM/h51pT26O9/4EIbVpHBFlOcgrt0TShq/pPJJGC5mrcZE6ZGUWjS/LKs0W_2FZrtLgELoKDEbZR/8X1_2FxjVbkZk/tVcM_2Bd/jQmX3NhgeWRqCDsfD_2BayQ/lSPwdIYz4P/81sFvcaWcXolUgVkt/y_2B1p3Gvpg_/2F0X2_2F87o/JZseyqJj/p.avi HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: begoventa.top
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /favicon.ico HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Host: begoventa.top
  Connection: Keep-Alive
Source: msapplication.xml0.13.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x33a394ee,0x01d6e846</date><accdate>0x33a394ee,0x01d6e846</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.13.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x33a394ee,0x01d6e846</date><accdate>0x33a394ee,0x01d6e846</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.13.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x33a85989,0x01d6e846</date><accdate>0x33a85989,0x01d6e846</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.13.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x33a85989,0x01d6e846</date><accdate>0x33a85989,0x01d6e846</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.13.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x33a85989,0x01d6e846</date><accdate>0x33a85989,0x01d6e846</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.13.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x33a85989,0x01d6e846</date><accdate>0x33a85989,0x01d6e846</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: babidone.top
Source: ~DFD4CA446EF33C2D57.TMP.20.dr, {77F8D092-5439-11EB-90EB-ECF4BBEA1588}.dat.20.dr String found in binary or memory: http://babidone.top/images/PPpwiauX_2BIh4oFWqX/Djwkz7R93cFnDrrKCEfupn/1lc9UumTDGjRL/5auxQAs_/2B38Hwp
Source: loaddll32.exe, 00000000.00000002.1018176446.0000000001C10000.00000002.00000001.sdmp String found in binary or memory: http://begoventa.top/images/HRdOnZXQubvEpiF/dnOBFJ5ijbSGwRmyqM/h51pT26O9/4EIbVpHBFlOcgrt0TShq/p
Source: loaddll32.exe, 00000000.00000002.1018085048.0000000001697000.00000004.00000020.sdmp, ~DF4EBD4894B35EDD90.TMP.25.dr, {9B722639-5439-11EB-90EB-ECF4BBEA1588}.dat.25.dr String found in binary or memory: http://begoventa.top/images/HRdOnZXQubvEpiF/dnOBFJ5ijbSGwRmyqM/h51pT26O9/4EIbVpHBFlOcgrt0TShq/pPJJGC
Source: OgQJzDbLce.dll String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: OgQJzDbLce.dll String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: OgQJzDbLce.dll String found in binary or memory: http://ocsp.sectigo.com0
Source: msapplication.xml.13.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.13.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.13.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.13.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.13.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.13.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.13.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.13.dr String found in binary or memory: http://www.youtube.com/
Source: OgQJzDbLce.dll String found in binary or memory: https://sectigo.com/CPS0D

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.777109164.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.776993803.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.777131098.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.777071428.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.777173919.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.777044888.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.777196001.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.777154030.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6140, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000002.1018072348.000000000168B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.777109164.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.776993803.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.777131098.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.777071428.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.777173919.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.777044888.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.777196001.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.777154030.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6140, type: MEMORY

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001812 NtMapViewOfSection, 0_2_10001812
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001DD0 GetProcAddress,NtCreateSection,memset, 0_2_10001DD0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100022E5 NtQueryVirtualMemory, 0_2_100022E5
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100020C4 0_2_100020C4
PE / OLE file has an invalid certificate
Source: OgQJzDbLce.dll Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: OgQJzDbLce.dll Binary or memory string: OriginalFilenamewmprph.exej% vs OgQJzDbLce.dll
Uses 32bit PE files
Source: OgQJzDbLce.dll Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
Source: classification engine Classification label: mal68.bank.troj.winDLL@13/44@3/3
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5E3D54B5-5439-11EB-90EB-ECF4BBEA1588}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFF6F6BADDE9A18747.TMP
Source: OgQJzDbLce.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: OgQJzDbLce.dll Virustotal: Detection: 21%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\OgQJzDbLce.dll'
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6572 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6392 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3480 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6128 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6572 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6392 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3480 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6128 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Data Obfuscation:

PE file contains sections with non-standard names
Source: OgQJzDbLce.dll Static PE information: section name: .data2
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100020B3 push ecx; ret 0_2_100020C3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10002060 push ecx; ret 0_2_10002069

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.777109164.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.776993803.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.777131098.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.777071428.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.777173919.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.777044888.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.777196001.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.777154030.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6140, type: MEMORY
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\loaddll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Memory protected: page execute read | page guard
Source: loaddll32.exe, 00000000.00000002.1018176446.0000000001C10000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.1018176446.0000000001C10000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.1018176446.0000000001C10000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.1018176446.0000000001C10000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100019C7 GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,GetLastError,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_100019C7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001799 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_10001799

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.777109164.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.776993803.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.777131098.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.777071428.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.777173919.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.777044888.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.777196001.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.777154030.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6140, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.777109164.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.776993803.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.777131098.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.777071428.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.777173919.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.777044888.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.777196001.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.777154030.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6140, type: MEMORY
Behavior Graph (ID: 338189, Sample: OgQJzDbLce.dll, Start date: 11/01/2021, Architecture: WINDOWS, Score: 68): loaddll32.exe loads the sample (signatures: Multi AV Scanner detection for submitted file, Yara detected Ursnif, Writes or reads registry keys via WMI, Writes registry values via WMI, Creates a COM Internet Explorer object); iexplore.exe instances spawn child iexplore.exe processes that contact babidone.top (193.56.255.166, port 80, INFOCLOUD-SRLMD, Romania) and begoventa.top (92.38.132.181, ports 49770, 49771, 80, GCOREAT, Austria); 192.168.2.1 (unknown) is also contacted.

Contacted Public IPs

IP              Domain   Country  ASN     ASN Name         Malicious
193.56.255.166  unknown  Romania  213137  INFOCLOUD-SRLMD  false
92.38.132.181   unknown  Austria  199524  GCOREAT          false

Contacted Private IPs

IP
192.168.2.1

Contacted Domains

Name IP Active
begoventa.top 92.38.132.181 true
babidone.top 193.56.255.166 true

Contacted URLs

Name: http://begoventa.top/favicon.ico
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://begoventa.top/images/HRdOnZXQubvEpiF/dnOBFJ5ijbSGwRmyqM/h51pT26O9/4EIbVpHBFlOcgrt0TShq/pPJJGC5mrcZE6ZGUWjS/LKs0W_2FZrtLgELoKDEbZR/8X1_2FxjVbkZk/tVcM_2Bd/jQmX3NhgeWRqCDsfD_2BayQ/lSPwdIYz4P/81sFvcaWcXolUgVkt/y_2B1p3Gvpg_/2F0X2_2F87o/JZseyqJj/p.avi
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown