Play interactive tour
Edit tourAnalysis Report 6007d134e83fctar.dll
Overview
General Information
| Sample Name: | 6007d134e83fctar.dll |
| Analysis ID: | 341938 |
| MD5: | 718cd91e1249f01f6488998c93c79212 |
| SHA1: | c40730026671a6757e42e91961178dbcbb1c2e47 |
| SHA256: | 691fdaeb03dfa2b239d82322a3fd47c3b952ae9d47effa0100153fde537dc4e5 |
| Tags: | dllEnelEnergia |
Most interesting Screenshot:  | |
Detection
Gozi Ursnif
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Detected Gozi e-Banking trojan
Found malware configuration
Sigma detected: Dot net compiler compiles file from suspicious location
Yara detected Ursnif
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Writes or reads registry keys via WMI
Writes registry values via WMI
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
Startup |
|---|
|
Malware Configuration |
|---|
Threatname: Ursnif |
|---|
{"server": "12", "whoami": "user@494126hh", "dns": "494126", "version": "251173", "uptime": "170", "crc": "2", "id": "4355", "user": "253fc4ee08f8d2d8cdc8873a98c9d714", "soft": "3"}Yara Overview |
|---|
Memory Dumps |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
| Click to see the 9 entries | ||||
Sigma Overview |
|---|
System Summary: |   |
|---|
| Sigma detected: Dot net compiler compiles file from suspicious location | Show sources | ||
| Source: | Author: Joe Security: | ||
| Sigma detected: MSHTA Spawning Windows Shell | Show sources | ||
| Source: | Author: Michael Haag: | ||
| Sigma detected: Suspicious Csc.exe Source File Folder | Show sources | ||
| Source: | Author: Florian Roth: | ||
Signature Overview |
|---|
Click to jump to signature section
Show All Signature Results
AV Detection: | |
|---|
| Found malware configuration | Show sources | ||
| Source: | Malware Configuration Extractor: | ||
Compliance: | |
|---|
| Uses 32bit PE files | Show sources | ||
| Source: | Static PE information: | ||
| Uses new MSVCR Dlls | Show sources | ||
| Source: | File opened: | ||
| Uses secure TLS version for HTTPS connections | Show sources | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Contains modern PE file flags such as dynamic base (ASLR) or NX | Show sources | ||
| Source: | Static PE information: | ||
| Binary contains paths to debug symbols | Show sources | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | IP Address: | ||
| Source: | JA3 fingerprint: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||