
Analysis Report swlsGbeQwT.dll

Overview

General Information

Sample Name: swlsGbeQwT.dll
Analysis ID: 381725
MD5: bedfac54b06b97b4de8132d6bfd40de0
SHA1: e238b2b47e1ccb3ebdadb82eff72125f4747a014
SHA256: 22682ac6f8c484759f44786cc73109993d858a29b25fa1512196154cf2f0299c
Tags: dll, Gozi, ISFB, Ursnif

Detection

Ursnif
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Ursnif
Yara detected Ursnif
Machine Learning detection for sample
Writes or reads registry keys via WMI
Writes registry values via WMI
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6104 cmdline: loaddll32.exe 'C:\Users\user\Desktop\swlsGbeQwT.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 4832 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\swlsGbeQwT.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 3512 cmdline: rundll32.exe 'C:\Users\user\Desktop\swlsGbeQwT.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5076 cmdline: rundll32.exe C:\Users\user\Desktop\swlsGbeQwT.dll,StartService MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 6320 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6392 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6320 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 5316 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5340 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5316 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 5736 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5316 CREDAT:17416 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

[[{"RSA Public Key": "Om1HeBhXBR6NHvmWFG5B2kyl5mdcRMsb8ux2uo9VgGW0O2LzHZKk3w9bxw9stgphU0ayytcOYkK6GCNJlKSeMTZJ5WPgZiX+MaXiUccStEUTXkW1ubp0gdr16sb5U4M+rzWWPvc3s7bj9o1yqSJtP7PmMVp7E+3llLULQ9/DZbAD7SXaft6wcY8wFjSkI+8D"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]]

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000003.332207803.0000000005AE8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000002.228615251.0000000001180000.00000004.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
00000001.00000003.283968924.0000000003138000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.283941629.0000000003138000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.283743972.0000000003138000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(first 5 of 18 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.rundll32.exe.1180000.1.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
1.2.loaddll32.exe.9c0000.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
5.2.rundll32.exe.3570000.3.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
5.2.rundll32.exe.10000000.5.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
1.2.loaddll32.exe.10000000.4.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
Source: 5.2.rundll32.exe.3570000.3.raw.unpack | Malware Configuration Extractor: Ursnif [[{"RSA Public Key": "Om1HeBhXBR6NHvmWFG5B2kyl5mdcRMsb8ux2uo9VgGW0O2LzHZKk3w9bxw9stgphU0ayytcOYkK6GCNJlKSeMTZJ5WPgZiX+MaXiUccStEUTXkW1ubp0gdr16sb5U4M+rzWWPvc3s7bj9o1yqSJtP7PmMVp7E+3llLULQ9/DZbAD7SXaft6wcY8wFjSkI+8D"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]]
Machine Learning detection for sample
Source: swlsGbeQwT.dll | Joe Sandbox ML: detected
Source: 5.2.rundll32.exe.10000000.5.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 1.2.loaddll32.exe.10000000.4.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: swlsGbeQwT.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00A112D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: Joe Sandbox View | IP Address: 185.243.114.196
Source: Joe Sandbox View | ASN Name: ACCELERATED-ITDE
Source: global traffic | TCP traffic: 192.168.2.3:49740 -> 185.243.114.196:80
Source: msapplication.xml0.14.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa00d7464,0x01d729a6</date><accdate>0xa00d7464,0x01d729a6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.14.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa00d7464,0x01d729a6</date><accdate>0xa00fd6c9,0x01d729a6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.14.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa0123909,0x01d729a6</date><accdate>0xa0123909,0x01d729a6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.14.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa0123909,0x01d729a6</date><accdate>0xa0123909,0x01d729a6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.14.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa0149b93,0x01d729a6</date><accdate>0xa0149b93,0x01d729a6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.14.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa0149b93,0x01d729a6</date><accdate>0xa0149b93,0x01d729a6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown | DNS traffic detected: queries for: login.microsoftonline.com
Source: rundll32.exe, 00000005.00000002.461626922.00000000010CA000.00000004.00000020.sdmp | String found in binary or memory: http://under17.com
Source: rundll32.exe, 00000005.00000002.461626922.00000000010CA000.00000004.00000020.sdmp | String found in binary or memory: http://under17.com/joomla/4GzHZlWwziXisjjV671v1LT/84UlNg6ksC/Tggq4HFqFymyDjTMV/yfv7eGSUkzcX/52ysYFgN
Source: {E47F4CBC-9599-11EB-90E4-ECF4BB862DED}.dat.34.dr | String found in binary or memory: http://under17.com/joomla/bY332Z6nIw/mpCJzusDxBf4026z_/2BrGN0t7fT0r/o1u_2FGT8iB/giLHX9xa5y4nT5/E4muy
Source: loaddll32.exe, 00000001.00000003.455028914.0000000000A95000.00000004.00000001.sdmp | String found in binary or memory: http://urs-world.com/joomla/LeY03GyFH8M9ux9Q/fhlrqhT7AEWHy5S/Gj6LLiVr5gZ24pcdoa/r9hh9gZTx/jUFCXHTg6g
Source: loaddll32.exe, 00000001.00000002.463517172.00000000010B0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.463533375.0000000003960000.00000002.00000001.sdmp | String found in binary or memory: http://urs-world.com/joomla/nyEGAUlxBMi/vJvW_2B31g3fIm/PJCeDCcMkYuKm3mBUGX2v/CaL9euzPRyB3Opxa/g
Source: loaddll32.exe, 00000001.00000002.462447224.0000000000A2B000.00000004.00000020.sdmp | String found in binary or memory: http://urs-world.com/joomla/nyEGAUlxBMi/vJvW_2B31g3fIm/PJCeDCcMkYuKm3mBUGX2v/CaL9euzPRyB3Opxa/gIJ_2B
Source: loaddll32.exe, 00000001.00000003.457824149.0000000000A95000.00000004.00000001.sdmp | String found in binary or memory: http://urs-world.com/joomlaaL9euzPRyB3Opxa/gIJ_2BkxmWXAk4B/fa_2B_2FtCKRxglTM9/4omZ9P4fz/YwGhMR3ktfTd
Source: msapplication.xml.14.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.14.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.14.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.14.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.14.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.14.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.14.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.14.dr | String found in binary or memory: http://www.youtube.com/
Source: {CA463ED7-9599-11EB-90E4-ECF4BB862DED}.dat.14.dr, ~DF018886609A78E0A2.TMP.14.dr | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000002.228615251.0000000001180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.463340848.0000000003570000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.462142613.00000000009C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.rundll32.exe.1180000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.9c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.3570000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.10000000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match | File source: 00000005.00000003.332207803.0000000005AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.283968924.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.283941629.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.283743972.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.332108826.0000000005AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.332246641.0000000005AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.332181859.0000000005AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.283981792.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.332262549.0000000005AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.332227355.0000000005AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.283911802.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.283659543.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.332279933.0000000005AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.332152085.0000000005AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.283820403.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.327016038.0000000002FBB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.406489118.0000000002EBD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.283873534.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6104, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 3512, type: MEMORY
Source: loaddll32.exe, 00000001.00000002.462447224.0000000000A2B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif (the same memory-dump and unpacked-PE matches as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing above)

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10001D9F NtMapViewOfSection
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10001EB5 GetProcAddress,NtCreateSection,memset
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10002375 NtQueryVirtualMemory
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00A183B7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00A1B341 NtQueryVirtualMemory
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_024C348F
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_024C554B
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_024C4859
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_024C596E
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_024C237B
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_024C247B
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_024C1374
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_024C5C76
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_024C1000
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_024C1918
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_024C3314
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_024C6424
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_024C3BDB
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_024C52EC
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_024C20EE
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_024C28EB
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_024C5AF6
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_024C3A85
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_024C1B95
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_024C3FA8
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10002154
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00A14094
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00A197F2
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00A1B11C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0479348F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0479237B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0479247B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04791374
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0479596E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04794859
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0479554B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04796424
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04791918
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04793314
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04791000
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04795AF6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_047928EB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_047952EC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_047920EE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04793BDB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04793FA8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04795CA5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04791B95
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04793A85
Source: swlsGbeQwT.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine | Classification label: mal76.troj.winDLL@15/50@9/2
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00A1757F CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DFEE814DD0E66FBAC9.TMP
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\swlsGbeQwT.dll,StartService
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\swlsGbeQwT.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\swlsGbeQwT.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\swlsGbeQwT.dll,StartService
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\swlsGbeQwT.dll',#1
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6320 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5316 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5316 CREDAT:17416 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10001745 LoadLibraryA,GetProcAddress
Source: swlsGbeQwT.dll | Static PE information: section name: .code
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_024C348F push dword ptr [ebp-10h]; mov dword ptr [esp], ecx | 1_2_024C34A1
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_024C348F push dword ptr [ebp-0Ch]; mov dword ptr [esp], ecx | 1_2_024C3632
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_024C348F push 00000000h; mov dword ptr [esp], edx | 1_2_024C37FE
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_024C348F push edx; mov dword ptr [esp], 00000002h | 1_2_024C384A
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_024C348F push 00000000h; mov dword ptr [esp], ecx | 1_2_024C38D7
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_024C6194 push eax; mov dword ptr [esp], 00000004h | 1_2_024C61AF
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_024C6194 push esi; mov dword ptr [esp], 00001000h | 1_2_024C61B7
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_024C6194 push 00000000h; mov dword ptr [esp], ebp | 1_2_024C6267
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_024C4859 push dword ptr [ebp-08h]; mov dword ptr [esp], edi | 1_2_024C48B7
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_024C4859 push dword ptr [ebp-10h]; mov dword ptr [esp], edx | 1_2_024C490D
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_024C4859 push 00000000h; mov dword ptr [esp], ecx | 1_2_024C4918
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_024C4859 push dword ptr [ebp-10h]; mov dword ptr [esp], edi | 1_2_024C4990
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_024C4859 push dword ptr [ebp-0Ch]; mov dword ptr [esp], ecx | 1_2_024C4A23
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_024C4859 push 00000000h; mov dword ptr [esp], ebp | 1_2_024C4A2E
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_024C4859 push ebx; mov dword ptr [esp], 00000001h1_2_024C4AD0
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_024C4859 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax1_2_024C4BE3
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_024C4859 push 00000000h; mov dword ptr [esp], edx1_2_024C4C36
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_024C4859 push dword ptr [ebp-08h]; mov dword ptr [esp], edi1_2_024C4D62
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_024C4859 push 00000000h; mov dword ptr [esp], edx1_2_024C4D67
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_024C4859 push 00000000h; mov dword ptr [esp], ecx1_2_024C4D74
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_024C237B push 00000000h; mov dword ptr [esp], edi1_2_024C2502
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_024C237B push 00000000h; mov dword ptr [esp], ecx1_2_024C2524
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_024C237B push dword ptr [ebp-10h]; mov dword ptr [esp], ecx1_2_024C269D
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_024C237B push dword ptr [ebp-10h]; mov dword ptr [esp], esi1_2_024C2737
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_024C237B push edi; mov dword ptr [esp], 00000004h1_2_024C2759
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_024C247B push 00000000h; mov dword ptr [esp], eax1_2_024C2498
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_024C247B push 00000000h; mov dword ptr [esp], edi1_2_024C2502
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_024C247B push 00000000h; mov dword ptr [esp], ecx1_2_024C2524
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_024C247B push dword ptr [ebp-10h]; mov dword ptr [esp], ecx1_2_024C269D
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_024C247B push dword ptr [ebp-10h]; mov dword ptr [esp], esi1_2_024C2737
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_024C247B push edi; mov dword ptr [esp], 00000004h1_2_024C2759

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000002.228615251.0000000001180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.463340848.0000000003570000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.462142613.00000000009C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.rundll32.exe.1180000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.9c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.3570000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.10000000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match | File source: 00000005.00000003.332207803.0000000005AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.283968924.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.283941629.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.283743972.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.332108826.0000000005AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.332246641.0000000005AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.332181859.0000000005AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.283981792.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.332262549.0000000005AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.332227355.0000000005AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.283911802.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.283659543.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.332279933.0000000005AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.332152085.0000000005AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.283820403.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.327016038.0000000002FBB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.406489118.0000000002EBD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.283873534.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6104, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 3512, type: MEMORY
Source: C:\Windows\System32\loaddll32.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00A112D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10001745 LoadLibraryA,GetProcAddress
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_024C2DF5 or edx, dword ptr fs:[00000030h] 1_2_024C2DF5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04792DF5 or edx, dword ptr fs:[00000030h] 4_2_04792DF5
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\swlsGbeQwT.dll',#1
Source: loaddll32.exe, 00000001.00000002.463517172.00000000010B0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.463533375.0000000003960000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: loaddll32.exe, 00000001.00000002.463517172.00000000010B0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.463533375.0000000003960000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000002.463517172.00000000010B0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.463533375.0000000003960000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000002.463517172.00000000010B0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.463533375.0000000003960000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00A1269C cpuid
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_1000102F GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00A1269C RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10001850 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError

Stealing of Sensitive Information: