Analysis Report gg.gif.dll

Overview

General Information

Sample Name: gg.gif.dll
Analysis ID: 382563
MD5: 716649589f77b4c078b4fd89cfab2420
SHA1: 841dde1545bdfee1be219de7d905d3d2db8ca5bb
SHA256: 9f644696f60e80e65ba49dad63c828ba7eca8a3dd6a214bc5321cb7d3ed2c8e6
Tags: dll, GG, Gozi, IFSB, Ursnif
Detection

Ursnif
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 2.2.rundll32.exe.32c0000.2.raw.unpack Malware Configuration Extractor: Ursnif [[{"RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]]
Multi AV Scanner detection for submitted file
Source: gg.gif.dll ReversingLabs: Detection: 41%
Machine Learning detection for sample
Source: gg.gif.dll Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.loaddll32.exe.10000000.3.unpack Avira: Label: TR/Crypt.XPACK.Gen8

Compliance:

Uses 32bit PE files
Source: gg.gif.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000002.605125976.00000000034F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.299614666.00000000046D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.252036130.00000000032C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.rundll32.exe.32c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.34f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.46d0000.2.raw.unpack, type: UNPACKEDPE

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000002.605125976.00000000034F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.299614666.00000000046D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.252036130.00000000032C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.rundll32.exe.32c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.34f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.46d0000.2.raw.unpack, type: UNPACKEDPE

System Summary:

Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10002375 NtQueryVirtualMemory, 0_2_10002375
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03055F16 0_2_03055F16
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0305150C 0_2_0305150C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03053A14 0_2_03053A14
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03051B1E 0_2_03051B1E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03055A25 0_2_03055A25
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03051967 0_2_03051967
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03052566 0_2_03052566
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03055262 0_2_03055262
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03052A69 0_2_03052A69
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03055378 0_2_03055378
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03052FAF 0_2_03052FAF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03053FAB 0_2_03053FAB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_030531B3 0_2_030531B3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_030592B2 0_2_030592B2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_030588BA 0_2_030588BA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_030513C5 0_2_030513C5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_030527D4 0_2_030527D4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03051CD0 0_2_03051CD0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_030543D8 0_2_030543D8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10002154 0_2_10002154
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032A5F16 2_2_032A5F16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032A5A25 2_2_032A5A25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032A150C 2_2_032A150C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032A1B1E 2_2_032A1B1E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032A3A14 2_2_032A3A14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032A2A69 2_2_032A2A69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032A5262 2_2_032A5262
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032A2566 2_2_032A2566
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032A1967 2_2_032A1967
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032A5378 2_2_032A5378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032A3FAB 2_2_032A3FAB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032A2FAF 2_2_032A2FAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032A88BA 2_2_032A88BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032A92B2 2_2_032A92B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032A31B3 2_2_032A31B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032A13C5 2_2_032A13C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032A43D8 2_2_032A43D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032A1CD0 2_2_032A1CD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032A27D4 2_2_032A27D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046B5F16 3_2_046B5F16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046B2A69 3_2_046B2A69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046B5262 3_2_046B5262
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046B1967 3_2_046B1967
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046B2566 3_2_046B2566
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046B5378 3_2_046B5378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046B5A25 3_2_046B5A25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046B150C 3_2_046B150C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046B1B1E 3_2_046B1B1E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046B3A14 3_2_046B3A14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046B13C5 3_2_046B13C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046B43D8 3_2_046B43D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046B1CD0 3_2_046B1CD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046B27D4 3_2_046B27D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046B3FAB 3_2_046B3FAB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046B2FAF 3_2_046B2FAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046B88BA 3_2_046B88BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046B31B3 3_2_046B31B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046B92B2 3_2_046B92B2
Uses 32bit PE files
Source: gg.gif.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine Classification label: mal68.troj.winDLL@7/0@0/0
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gg.gif.dll,DllServer
Source: gg.gif.dll ReversingLabs: Detection: 41%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\gg.gif.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\gg.gif.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gg.gif.dll',#1

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001745 LoadLibraryA,GetProcAddress, 0_2_10001745
PE file contains sections with non-standard names
Source: gg.gif.dll Static PE information: section name: .code
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03055F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx 0_2_03055F7B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03055F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 0_2_03055F94
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03055F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 0_2_03055FDD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03055F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 0_2_0305604B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03055F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 0_2_03056124
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03055F16 push 00000000h; mov dword ptr [esp], edi 0_2_0305614F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03055F16 push 00000000h; mov dword ptr [esp], edx 0_2_0305625E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03055F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 0_2_030562B5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03055F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 0_2_03056343
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03055F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 0_2_0305635D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03055F16 push 00000000h; mov dword ptr [esp], ebp 0_2_03056368
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03055F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 0_2_03056385
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03055F16 push 00000000h; mov dword ptr [esp], edx 0_2_030563B4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03055F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 0_2_03056483
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03055F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 0_2_030564F2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03055F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 0_2_030564FE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03055F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 0_2_0305650A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03055F16 push 00000000h; mov dword ptr [esp], edi 0_2_03056567
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03055F16 push 00000000h; mov dword ptr [esp], edi 0_2_030565A9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03055F16 push 00000000h; mov dword ptr [esp], eax 0_2_03056610
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03055F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 0_2_03056685
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03055F16 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx 0_2_030566C2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03055F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 0_2_030566E8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03055F16 push 00000000h; mov dword ptr [esp], edi 0_2_03056781
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03055F16 push 00000000h; mov dword ptr [esp], edx 0_2_030567B6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03055F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 0_2_0305684C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03055F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 0_2_03056858
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03055F16 push dword ptr [ebp-10h]; mov dword ptr [esp], edx 0_2_03056926
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03055F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 0_2_03056945
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03055F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 0_2_03056951
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03055F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx 0_2_030569D6

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000002.605125976.00000000034F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.299614666.00000000046D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.252036130.00000000032C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.rundll32.exe.32c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.34f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.46d0000.2.raw.unpack, type: UNPACKEDPE
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001745 LoadLibraryA,GetProcAddress, 0_2_10001745
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_03052A69 xor edi, dword ptr fs:[00000030h] 0_2_03052A69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_032A2A69 xor edi, dword ptr fs:[00000030h] 2_2_032A2A69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046B2A69 xor edi, dword ptr fs:[00000030h] 3_2_046B2A69
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gg.gif.dll',#1
Source: loaddll32.exe, 00000000.00000002.602492347.0000000001C00000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.602492347.0000000001C00000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.602492347.0000000001C00000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.602492347.0000000001C00000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000163F SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_1000163F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001850 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_10001850

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000002.605125976.00000000034F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.299614666.00000000046D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.252036130.00000000032C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.rundll32.exe.32c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.34f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.46d0000.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000002.605125976.00000000034F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.299614666.00000000046D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.252036130.00000000032C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.rundll32.exe.32c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.34f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.46d0000.2.raw.unpack, type: UNPACKEDPE
Behavior Graph

Behavior Graph ID: 382563
Sample: gg.gif.dll
Startdate: 06/04/2021
Architecture: WINDOWS
Score: 68
Graph signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Ursnif; Machine Learning detection for sample
Process tree: loaddll32.exe started cmd.exe and rundll32.exe; cmd.exe started rundll32.exe

No contacted IP infos