Analysis Report gg_1.gif.dll

Overview

General Information

Sample Name: gg_1.gif.dll
Analysis ID: 382564
MD5: 53f7e96f48283df339164afadd174638
SHA1: bd119af6c52876fb5d23398326850d87fe159735
SHA256: 4b8946f9fee32db6b42f7c0fdb70ca9ba7980c5932d3f959227cdfbef15e8c34
Tags: dll, GG, Gozi, IFSB, Ursnif
Detection

Ursnif
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 4.2.rundll32.exe.4560000.2.raw.unpack Malware Configuration Extractor: Ursnif [[{"RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]]
Multi AV Scanner detection for submitted file
Source: gg_1.gif.dll ReversingLabs: Detection: 41%
Machine Learning detection for sample
Source: gg_1.gif.dll Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.loaddll32.exe.10000000.3.unpack Avira: Label: TR/Crypt.XPACK.Gen8

Compliance:

Uses 32bit PE files
Source: gg_1.gif.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000002.703411364.0000000004D40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.699967936.0000000004560000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.919628932.0000000003020000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.rundll32.exe.4d40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.3020000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4560000.2.raw.unpack, type: UNPACKEDPE

E-Banking Fraud:

Yara detected Ursnif

System Summary:

Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10002375 NtQueryVirtualMemory, 1_2_10002375
Detected potential crypto function
Uses 32bit PE files
Source: gg_1.gif.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine Classification label: mal68.troj.winDLL@7/0@0/0
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gg_1.gif.dll,DllServer
Source: gg_1.gif.dll ReversingLabs: Detection: 41%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gg_1.gif.dll,DllServer
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll',#1

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10001745 LoadLibraryA,GetProcAddress, 1_2_10001745
PE file contains sections with non-standard names
Source: gg_1.gif.dll Static PE information: section name: .code
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10002143 push ecx; ret 1_2_10002153
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_100050D9 push esp; iretd 1_2_100050DA
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_100020F0 push ecx; ret 1_2_100020F9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04D2709D push edi; mov dword ptr [esp], FFFF0000h 3_2_04D2709E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04D2709D push 00000000h; mov dword ptr [esp], ebp 3_2_04D270F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04D2709D push esp; mov dword ptr [esp], 00000040h 3_2_04D2711D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04D2709D push 00000000h; mov dword ptr [esp], ecx 3_2_04D2716C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04D25F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx 3_2_04D25F7B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04D25F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 3_2_04D25F94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04D25F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 3_2_04D25FDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04D25F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_04D2604B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04D25F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 3_2_04D26124
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04D25F16 push 00000000h; mov dword ptr [esp], edi 3_2_04D2614F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04D25F16 push 00000000h; mov dword ptr [esp], edx 3_2_04D2625E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04D25F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_04D262B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04D25F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_04D26343
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04D25F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_04D2635D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04D25F16 push 00000000h; mov dword ptr [esp], ebp 3_2_04D26368
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04D25F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 3_2_04D26385
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04D25F16 push 00000000h; mov dword ptr [esp], edx 3_2_04D263B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04D25F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 3_2_04D26483
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04D25F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 3_2_04D264F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04D25F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_04D264FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04D25F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 3_2_04D2650A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04D25F16 push 00000000h; mov dword ptr [esp], edi 3_2_04D26567
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04D25F16 push 00000000h; mov dword ptr [esp], edi 3_2_04D265A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04D25F16 push 00000000h; mov dword ptr [esp], eax 3_2_04D26610
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04D25F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 3_2_04D26685
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04D25F16 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx 3_2_04D266C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04D25F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 3_2_04D266E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04D25F16 push 00000000h; mov dword ptr [esp], edi 3_2_04D26781

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10001745 LoadLibraryA,GetProcAddress, 1_2_10001745
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04D22A69 xor edi, dword ptr fs:[00000030h] 3_2_04D22A69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04522A69 xor edi, dword ptr fs:[00000030h] 4_2_04522A69
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll',#1
Source: loaddll32.exe, 00000001.00000002.919563518.0000000001AB0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000001.00000002.919563518.0000000001AB0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000002.919563518.0000000001AB0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000002.919563518.0000000001AB0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_1000163F SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 1_2_1000163F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10001850 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 1_2_10001850

Stealing of Sensitive Information:

Yara detected Ursnif

Remote Access Functionality:

Yara detected Ursnif

Behavior Graph

Behavior Graph ID: 382564
Sample: gg_1.gif.dll
Startdate: 06/04/2021
Architecture: WINDOWS
Score: 68
Signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Ursnif; Machine Learning detection for sample
Process tree: loaddll32.exe started cmd.exe, which started rundll32.exe; loaddll32.exe also started rundll32.exe directly

No contacted IP infos