Analysis Report 0204.gif.dll

Overview

General Information

Sample Name:	0204.gif.dll
Analysis ID:	382565
MD5:	ad4076a9b4f10e046059151b9e1c030a
SHA1:	edfacd4d94a56d5011445cd103c6b45ae9585adf
SHA256:	01006cd1258047b9e2bd9f58b303bd22c39b7f3242db9e4111f88b9f78b9df8f
Tags:	dllGGGoziIFSBUrsnif
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Ursnif

Machine Learning detection for sample

Contains functionality to read the PEB

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

PE file contains sections with non-standard names

Program does not show much activity (idle)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 0.3.loaddll32.exe.30b94a0.0.raw.unpack

Malware Configuration Extractor: Ursnif [{"RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]

Multi AV Scanner detection for submitted file

Source: 0204.gif.dll

ReversingLabs: Detection: 41%

Machine Learning detection for sample

Source: 0204.gif.dll

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Source: 0204.gif.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Source: Yara match	File source: 00000002.00000002.275314133.0000000004B10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.286549571.00000000047D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.263503134.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.loaddll32.exe.b50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4b10000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.47d0000.2.raw.unpack, type: UNPACKEDPE

Creates a DirectInput object (often for capturing keystrokes)

Source: loaddll32.exe, 00000000.00000002.263622715.0000000000D7B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif

Source: Yara match	File source: 00000002.00000002.275314133.0000000004B10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.286549571.00000000047D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.263503134.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.loaddll32.exe.b50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4b10000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.47d0000.2.raw.unpack, type: UNPACKEDPE

System Summary:

Detected potential crypto function

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03335F16	2_2_03335F16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03335A25	2_2_03335A25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03333A14	2_2_03333A14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03331B1E	2_2_03331B1E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0333150C	2_2_0333150C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03335378	2_2_03335378
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03335262	2_2_03335262
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03331967	2_2_03331967
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03332566	2_2_03332566
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03332A69	2_2_03332A69
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_033331B3	2_2_033331B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_033392B2	2_2_033392B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_033388BA	2_2_033388BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03333FAB	2_2_03333FAB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03332FAF	2_2_03332FAF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03331CD0	2_2_03331CD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_033327D4	2_2_033327D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_033343D8	2_2_033343D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_033313C5	2_2_033313C5

Uses 32bit PE files

Source: 0204.gif.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: classification engine

Classification label: mal68.troj.winDLL@7/0@0/0

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\0204.gif.dll,DllServer

Source: 0204.gif.dll

ReversingLabs: Detection: 41%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\0204.gif.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\0204.gif.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\0204.gif.dll,DllServer
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\0204.gif.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\0204.gif.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\0204.gif.dll,DllServer	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\0204.gif.dll',#1	Jump to behavior

Data Obfuscation:

PE file contains sections with non-standard names

Source: 0204.gif.dll

Static PE information: section name: .code

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03335F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx	2_2_03335F7B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03335F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax	2_2_03335F94
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03335F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax	2_2_03335FDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03335F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax	2_2_0333604B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03335F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax	2_2_03336124
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03335F16 push 00000000h; mov dword ptr [esp], edi	2_2_0333614F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03335F16 push 00000000h; mov dword ptr [esp], edx	2_2_0333625E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03335F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax	2_2_033362B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03335F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax	2_2_03336343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03335F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax	2_2_0333635D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03335F16 push 00000000h; mov dword ptr [esp], ebp	2_2_03336368
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03335F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax	2_2_03336385
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03335F16 push 00000000h; mov dword ptr [esp], edx	2_2_033363B4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03335F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax	2_2_03336483
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03335F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax	2_2_033364F2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03335F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax	2_2_033364FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03335F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax	2_2_0333650A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03335F16 push 00000000h; mov dword ptr [esp], edi	2_2_03336567
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03335F16 push 00000000h; mov dword ptr [esp], edi	2_2_033365A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03335F16 push 00000000h; mov dword ptr [esp], eax	2_2_03336610
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03335F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax	2_2_03336685
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03335F16 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx	2_2_033366C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03335F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax	2_2_033366E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03335F16 push 00000000h; mov dword ptr [esp], edi	2_2_03336781
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03335F16 push 00000000h; mov dword ptr [esp], edx	2_2_033367B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03335F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax	2_2_0333684C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03335F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax	2_2_03336858
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03335F16 push dword ptr [ebp-10h]; mov dword ptr [esp], edx	2_2_03336926
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03335F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax	2_2_03336945
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03335F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax	2_2_03336951
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03335F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx	2_2_033369D6

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Source: Yara match	File source: 00000002.00000002.275314133.0000000004B10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.286549571.00000000047D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.263503134.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.loaddll32.exe.b50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4b10000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.47d0000.2.raw.unpack, type: UNPACKEDPE

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Anti Debugging:

Contains functionality to read the PEB

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_03332A69 xor edi, dword ptr fs:[00000030h]

2_2_03332A69

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\0204.gif.dll',#1

Jump to behavior

Stealing of Sensitive Information:

Yara detected Ursnif

Source: Yara match	File source: 00000002.00000002.275314133.0000000004B10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.286549571.00000000047D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.263503134.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.loaddll32.exe.b50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4b10000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.47d0000.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Ursnif

Source: Yara match	File source: 00000002.00000002.275314133.0000000004B10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.286549571.00000000047D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.263503134.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.loaddll32.exe.b50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4b10000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.47d0000.2.raw.unpack, type: UNPACKEDPE

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No contacted IP infos

ID:	382565
Product:	CloudBasic
Start time:	09:59:30
Start date:	06.04.2021
Sample:	0204.gif.dll
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	ad4076a9b4f10e046059151b9e1c030a
SHA1:	edfacd4d94a56d5011445cd103c6b45ae9585adf
SHA256:	01006cd1258047b9e2bd9f58b303bd22c39b7f3242db9e4111f88b9f78b9df8f
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60%

Analysis Report 0204.gif.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map