Analysis Report gg_1.gif.dll

Overview

General Information

Sample Name:	gg_1.gif.dll
Analysis ID:	382564
MD5:	53f7e96f48283df339164afadd174638
SHA1:	bd119af6c52876fb5d23398326850d87fe159735
SHA256:	4b8946f9fee32db6b42f7c0fdb70ca9ba7980c5932d3f959227cdfbef15e8c34
Tags:	dllGGGoziIFSBUrsnif
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Ursnif

Machine Learning detection for sample

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

PE file contains sections with non-standard names

Program does not show much activity (idle)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 4.2.rundll32.exe.4ba0000.2.raw.unpack

Malware Configuration Extractor: Ursnif [[{"RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]]

Multi AV Scanner detection for submitted file

Source: gg_1.gif.dll

ReversingLabs: Detection: 41%

Machine Learning detection for sample

Source: gg_1.gif.dll

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Source: gg_1.gif.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000002.387313333.0000000004BA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.389073217.0000000004B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.699200830.0000000000EC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.rundll32.exe.4b40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4ba0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.ec0000.1.raw.unpack, type: UNPACKEDPE

E-Banking Fraud:

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000002.387313333.0000000004BA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.389073217.0000000004B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.699200830.0000000000EC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.rundll32.exe.4b40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4ba0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.ec0000.1.raw.unpack, type: UNPACKEDPE

System Summary:

Detected potential crypto function

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA5F16	1_2_00EA5F16
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA13C5	1_2_00EA13C5
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA43D8	1_2_00EA43D8
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA1CD0	1_2_00EA1CD0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA27D4	1_2_00EA27D4
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA3FAB	1_2_00EA3FAB
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA2FAF	1_2_00EA2FAF
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA88BA	1_2_00EA88BA
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA92B2	1_2_00EA92B2
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA31B3	1_2_00EA31B3
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA2A69	1_2_00EA2A69
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA2566	1_2_00EA2566
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA1967	1_2_00EA1967
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA150C	1_2_00EA150C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA510C	1_2_00EA510C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA1B1E	1_2_00EA1B1E
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA3A14	1_2_00EA3A14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03465F16	4_2_03465F16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03462566	4_2_03462566
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03461967	4_2_03461967
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03465262	4_2_03465262
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03462A69	4_2_03462A69
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03465378	4_2_03465378
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0346150C	4_2_0346150C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03463A14	4_2_03463A14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03461B1E	4_2_03461B1E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03465A25	4_2_03465A25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_034613C5	4_2_034613C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_034627D4	4_2_034627D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03461CD0	4_2_03461CD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_034643D8	4_2_034643D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03462FAF	4_2_03462FAF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03463FAB	4_2_03463FAB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_034692B2	4_2_034692B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_034631B3	4_2_034631B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_034688BA	4_2_034688BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03305F16	5_2_03305F16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03305A25	5_2_03305A25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03303A14	5_2_03303A14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03301B1E	5_2_03301B1E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0330150C	5_2_0330150C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03305378	5_2_03305378
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03305262	5_2_03305262
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03302566	5_2_03302566
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03301967	5_2_03301967
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03302A69	5_2_03302A69
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_033092B2	5_2_033092B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_033031B3	5_2_033031B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_033088BA	5_2_033088BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03303FAB	5_2_03303FAB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03302FAF	5_2_03302FAF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03301CD0	5_2_03301CD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_033027D4	5_2_033027D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_033043D8	5_2_033043D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_033013C5	5_2_033013C5

Uses 32bit PE files

Source: gg_1.gif.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: classification engine

Classification label: mal68.troj.winDLL@7/0@0/0

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gg_1.gif.dll,DllServer

Source: gg_1.gif.dll

ReversingLabs: Detection: 41%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gg_1.gif.dll,DllServer
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gg_1.gif.dll,DllServer	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll',#1	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Data Obfuscation:

PE file contains sections with non-standard names

Source: gg_1.gif.dll

Static PE information: section name: .code

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA709D push edi; mov dword ptr [esp], FFFF0000h	1_2_00EA709E
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA709D push 00000000h; mov dword ptr [esp], ebp	1_2_00EA70F5
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA709D push esp; mov dword ptr [esp], 00000040h	1_2_00EA711D
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA709D push 00000000h; mov dword ptr [esp], ecx	1_2_00EA716C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx	1_2_00EA5F7B
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax	1_2_00EA5F94
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax	1_2_00EA5FDD
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax	1_2_00EA604B
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax	1_2_00EA6124
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA5F16 push 00000000h; mov dword ptr [esp], edi	1_2_00EA614F
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA5F16 push 00000000h; mov dword ptr [esp], edx	1_2_00EA625E
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax	1_2_00EA62B5
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax	1_2_00EA6343
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax	1_2_00EA635D
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA5F16 push 00000000h; mov dword ptr [esp], ebp	1_2_00EA6368
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax	1_2_00EA6385
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA5F16 push 00000000h; mov dword ptr [esp], edx	1_2_00EA63B4
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax	1_2_00EA6483
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax	1_2_00EA64F2
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax	1_2_00EA64FE
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax	1_2_00EA650A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA5F16 push 00000000h; mov dword ptr [esp], edi	1_2_00EA6567
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA5F16 push 00000000h; mov dword ptr [esp], edi	1_2_00EA65A9
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA5F16 push 00000000h; mov dword ptr [esp], eax	1_2_00EA6610
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax	1_2_00EA6685
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx	1_2_00EA66C2
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax	1_2_00EA66E8
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA5F16 push 00000000h; mov dword ptr [esp], edi	1_2_00EA6781
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA5F16 push 00000000h; mov dword ptr [esp], edx	1_2_00EA67B6
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax	1_2_00EA684C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax	1_2_00EA6858

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000002.387313333.0000000004BA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.389073217.0000000004B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.699200830.0000000000EC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.rundll32.exe.4b40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4ba0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.ec0000.1.raw.unpack, type: UNPACKEDPE

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Anti Debugging:

Contains functionality to read the PEB

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00EA2A69 xor edi, dword ptr fs:[00000030h]	1_2_00EA2A69
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03462A69 xor edi, dword ptr fs:[00000030h]	4_2_03462A69
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_03302A69 xor edi, dword ptr fs:[00000030h]	5_2_03302A69

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll',#1

Jump to behavior

Stealing of Sensitive Information:

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000002.387313333.0000000004BA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.389073217.0000000004B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.699200830.0000000000EC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.rundll32.exe.4b40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4ba0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.ec0000.1.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000002.387313333.0000000004BA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.389073217.0000000004B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.699200830.0000000000EC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.rundll32.exe.4b40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4ba0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.ec0000.1.raw.unpack, type: UNPACKEDPE

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No contacted IP infos

ID:	382564
Product:	CloudBasic
Start time:	10:05:22
Start date:	06.04.2021
Sample:	gg_1.gif.dll
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	53f7e96f48283df339164afadd174638
SHA1:	bd119af6c52876fb5d23398326850d87fe159735
SHA256:	4b8946f9fee32db6b42f7c0fdb70ca9ba7980c5932d3f959227cdfbef15e8c34
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60%

Analysis Report gg_1.gif.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map