Analysis Report 606e7fb752fbd.rar.dll

Overview

General Information

Sample Name: 606e7fb752fbd.rar.dll
Analysis ID: 383661
MD5: 8bf44d2b3b9b7c0fa2754fbe6ad14a63
SHA1: 76d4ed4512d34edd5a34b917957654fedbfae23f
SHA256: cb7c95db9ce05d2304a4a98687a4b92f85081e1b7397820a52487b277ee1f2e1
Tags: BRT, dll, geo, gozi, isfb, ITA, ursnif

Detection

Ursnif
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Ursnif
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
PE file contains an invalid checksum
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 4.2.rundll32.exe.4cc94a0.2.raw.unpack Malware Configuration Extractor: Ursnif [{"RSA Public Key": "YKwVOU5rJLi0k2wc/Sa//orn/I3K6zI6HgJKpraE6XyxxZAjZUdVyZ9IFso22JAAB2G4qzzp3TU2DJqhIyPO7xVeI9l7K9H9VlKfzYozAbxBQCrtZPEdPyCguw2FwPnt3aL3viJmXn26e8PXSevTHzQdNxMCe42eyfgYxlDVzbkJTLhI91j/G+/dxO1/TdYY"}, {"c2_domain": ["ocsp2.digicert.com", "aus6.mozilla.org", "durenoluneer.xyz", "surenoluneer.xyz"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]

Compliance:

Uses 32bit PE files
Source: 606e7fb752fbd.rar.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: 606e7fb752fbd.rar.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\hot\905_grow\310_Together\Brought.pdb source: loaddll32.exe, 00000000.00000002.901043048.000000006D500000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000002.908140362.000000006D500000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.901888879.000000006D500000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.908539337.000000006D500000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.910191671.000000006D500000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.901492823.000000006D500000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.901601437.000000006D500000.00000002.00020000.sdmp, 606e7fb752fbd.rar.dll

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.874026586.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.873095643.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.890597997.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.3.rundll32.exe.c5a4b1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.6d450000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.6d450000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.f1a4b1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.eca4b1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6d450000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.6d450000.2.unpack, type: UNPACKEDPE

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.874026586.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.873095643.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.890597997.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.3.rundll32.exe.c5a4b1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.6d450000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.6d450000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.f1a4b1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.eca4b1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6d450000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.6d450000.2.unpack, type: UNPACKEDPE

System Summary:

Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6D452375 NtQueryVirtualMemory, 2_2_6D452375
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D452375 NtQueryVirtualMemory, 3_2_6D452375
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D494D40 0_2_6D494D40
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D492FAD 0_2_6D492FAD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4C6EC9 0_2_6D4C6EC9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4A6B40 0_2_6D4A6B40
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D456B50 0_2_6D456B50
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4C3507 0_2_6D4C3507
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4695D0 0_2_6D4695D0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D465590 0_2_6D465590
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4B05A8 0_2_6D4B05A8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4641B0 0_2_6D4641B0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4BA02F 0_2_6D4BA02F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4D00FC 0_2_6D4D00FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6D452154 2_2_6D452154
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6D494D40 2_2_6D494D40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6D4C3507 2_2_6D4C3507
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6D492FAD 2_2_6D492FAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6D4641B0 2_2_6D4641B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6D4BA02F 2_2_6D4BA02F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6D4A6B40 2_2_6D4A6B40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D452154 3_2_6D452154
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D494D40 3_2_6D494D40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4C3507 3_2_6D4C3507
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D492FAD 3_2_6D492FAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4641B0 3_2_6D4641B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4BA02F 3_2_6D4BA02F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4A6B40 3_2_6D4A6B40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D494D40 4_2_6D494D40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D4C3507 4_2_6D4C3507
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D492FAD 4_2_6D492FAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D4641B0 4_2_6D4641B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D4BA02F 4_2_6D4BA02F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D4A6B40 4_2_6D4A6B40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D494D40 5_2_6D494D40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D4C3507 5_2_6D4C3507
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D4A4C5F 5_2_6D4A4C5F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D492FAD 5_2_6D492FAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D4641B0 5_2_6D4641B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D4BA02F 5_2_6D4BA02F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D4A6B40 5_2_6D4A6B40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6D494D40 6_2_6D494D40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6D492FAD 6_2_6D492FAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6D4C6EC9 6_2_6D4C6EC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6D4A6B40 6_2_6D4A6B40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6D456B50 6_2_6D456B50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6D4C3507 6_2_6D4C3507
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6D4695D0 6_2_6D4695D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6D465590 6_2_6D465590
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6D4B05A8 6_2_6D4B05A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6D4641B0 6_2_6D4641B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6D4BA02F 6_2_6D4BA02F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6D4D00FC 6_2_6D4D00FC
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6D490E9E appears 83 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D490ED2 appears 44 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D491790 appears 123 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D490E9E appears 407 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D4B491D appears 55 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D4B4776 appears 74 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D490F09 appears 35 times
Sample file is different than original file name gathered from version info
Source: 606e7fb752fbd.rar.dll Binary or memory string: OriginalFilenameBrought.dll. vs 606e7fb752fbd.rar.dll
Uses 32bit PE files
Source: 606e7fb752fbd.rar.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine Classification label: mal56.troj.winDLL@15/0@0/0
Source: 606e7fb752fbd.rar.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\606e7fb752fbd.rar.dll,Choosethan
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\606e7fb752fbd.rar.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\606e7fb752fbd.rar.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\606e7fb752fbd.rar.dll,Choosethan
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\606e7fb752fbd.rar.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\606e7fb752fbd.rar.dll,Especiallyyes
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\606e7fb752fbd.rar.dll,Guesscover
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\606e7fb752fbd.rar.dll,Learncut
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\606e7fb752fbd.rar.dll,OnceOut
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\606e7fb752fbd.rar.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\606e7fb752fbd.rar.dll,Choosethan
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\606e7fb752fbd.rar.dll,Especiallyyes
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\606e7fb752fbd.rar.dll,Guesscover
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\606e7fb752fbd.rar.dll,Learncut
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\606e7fb752fbd.rar.dll,OnceOut
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\606e7fb752fbd.rar.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: 606e7fb752fbd.rar.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 606e7fb752fbd.rar.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 606e7fb752fbd.rar.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 606e7fb752fbd.rar.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 606e7fb752fbd.rar.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 606e7fb752fbd.rar.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 606e7fb752fbd.rar.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: 606e7fb752fbd.rar.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\hot\905_grow\310_Together\Brought.pdb source: loaddll32.exe, 00000000.00000002.901043048.000000006D500000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000002.908140362.000000006D500000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.901888879.000000006D500000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.908539337.000000006D500000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.910191671.000000006D500000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.901492823.000000006D500000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.901601437.000000006D500000.00000002.00020000.sdmp, 606e7fb752fbd.rar.dll
Source: 606e7fb752fbd.rar.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 606e7fb752fbd.rar.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 606e7fb752fbd.rar.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 606e7fb752fbd.rar.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 606e7fb752fbd.rar.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6D451745 LoadLibraryA,GetProcAddress, 2_2_6D451745
PE file contains an invalid checksum
Source: 606e7fb752fbd.rar.dll Static PE information: real checksum: 0xfd487 should be: 0xff097
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D490E67 push ecx; ret 0_2_6D490E7A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4917D6 push ecx; ret 0_2_6D4917E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6D452143 push ecx; ret 2_2_6D452153
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6D4520F0 push ecx; ret 2_2_6D4520F9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6D4917D6 push ecx; ret 2_2_6D4917E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6D490E67 push ecx; ret 2_2_6D490E7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D452143 push ecx; ret 3_2_6D452153
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4520F0 push ecx; ret 3_2_6D4520F9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4917D6 push ecx; ret 3_2_6D4917E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D490E67 push ecx; ret 3_2_6D490E7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D4917D6 push ecx; ret 4_2_6D4917E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D490E67 push ecx; ret 4_2_6D490E7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D4917D6 push ecx; ret 5_2_6D4917E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D490E67 push ecx; ret 5_2_6D490E7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6D490E67 push ecx; ret 6_2_6D490E7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6D4917D6 push ecx; ret 6_2_6D4917E9

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.874026586.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.873095643.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.890597997.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.3.rundll32.exe.c5a4b1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.6d450000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.6d450000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.f1a4b1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.eca4b1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6d450000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.6d450000.2.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4B3EDA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6D4B3EDA
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6D451745 LoadLibraryA,GetProcAddress, 2_2_6D451745
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4BAD71 mov eax, dword ptr fs:[00000030h] 0_2_6D4BAD71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6D4BAD71 mov eax, dword ptr fs:[00000030h] 2_2_6D4BAD71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6D541746 mov eax, dword ptr fs:[00000030h] 2_2_6D541746
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6D54167C mov eax, dword ptr fs:[00000030h] 2_2_6D54167C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6D541283 push dword ptr fs:[00000030h] 2_2_6D541283
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4BAD71 mov eax, dword ptr fs:[00000030h] 3_2_6D4BAD71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D541746 mov eax, dword ptr fs:[00000030h] 3_2_6D541746
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D54167C mov eax, dword ptr fs:[00000030h] 3_2_6D54167C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D541283 push dword ptr fs:[00000030h] 3_2_6D541283
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D4BAD71 mov eax, dword ptr fs:[00000030h] 4_2_6D4BAD71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D541746 mov eax, dword ptr fs:[00000030h] 4_2_6D541746
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D54167C mov eax, dword ptr fs:[00000030h] 4_2_6D54167C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D541283 push dword ptr fs:[00000030h] 4_2_6D541283
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D4BAD71 mov eax, dword ptr fs:[00000030h] 5_2_6D4BAD71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6D4BAD71 mov eax, dword ptr fs:[00000030h] 6_2_6D4BAD71
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4B3EDA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6D4B3EDA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D491078 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6D491078
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D49138C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6D49138C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6D4B3EDA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6D4B3EDA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6D491078 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6D491078
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4B3EDA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6D4B3EDA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D491078 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6D491078
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D4B3EDA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6D4B3EDA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D491078 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_6D491078
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D4B3EDA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_6D4B3EDA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6D491078 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_6D491078
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6D4B3EDA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6D4B3EDA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6D491078 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_6D491078
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6D49138C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6D49138C

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\606e7fb752fbd.rar.dll',#1
Source: loaddll32.exe, 00000000.00000002.900668496.0000000000BA0000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.901484262.00000000033A0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.901496797.00000000033A0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.901571033.00000000033A0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.901722448.0000000003010000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.901100477.0000000003010000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.901151375.0000000003600000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.900668496.0000000000BA0000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.901484262.00000000033A0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.901496797.00000000033A0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.901571033.00000000033A0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.901722448.0000000003010000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.901100477.0000000003010000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.901151375.0000000003600000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.900668496.0000000000BA0000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.901484262.00000000033A0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.901496797.00000000033A0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.901571033.00000000033A0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.901722448.0000000003010000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.901100477.0000000003010000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.901151375.0000000003600000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.900668496.0000000000BA0000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.901484262.00000000033A0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.901496797.00000000033A0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.901571033.00000000033A0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.901722448.0000000003010000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.901100477.0000000003010000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.901151375.0000000003600000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4906EF cpuid 0_2_6D4906EF
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6D4C4A8A
Source: C:\Windows\System32\loaddll32.exe Code function: ___crtGetLocaleInfoEx, 0_2_6D4901B9
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6D4C40B9
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6D47F379
Source: C:\Windows\SysWOW64\rundll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 2_2_6D4CD50B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_6D4CDC8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6D4CD7EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6D4CD783
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_6D4CDE61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoEx, 2_2_6D4901B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6D4CD887
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6D4C40B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6D47F379
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6D4C4A8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 3_2_6D4CD50B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_6D4CDC8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6D4CD7EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6D4CD783
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_6D4CDE61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoEx, 3_2_6D4901B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6D4CD887
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6D4C40B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6D47F379
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6D4C4A8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 4_2_6D4CD50B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 4_2_6D4CDC8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6D4CD7EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6D4CD783
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 4_2_6D4CDE61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoEx, 4_2_6D4901B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6D4CD887
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6D4C40B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_6D47F379
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_6D4C4A8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 5_2_6D4CD50B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 5_2_6D4CDC8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 5_2_6D4CD7EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 5_2_6D4CD783
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 5_2_6D4CDE61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoEx, 5_2_6D4901B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 5_2_6D4CD887
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 5_2_6D4C40B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 5_2_6D47F379
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 5_2_6D4C4A8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 6_2_6D4C4A8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoEx, 6_2_6D4901B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 6_2_6D4C40B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 6_2_6D47F379
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D47B218 GetSystemTimeAsFileTime, 0_2_6D47B218
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4C8870 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_6D4C8870
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6D451850 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 2_2_6D451850

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.874026586.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.873095643.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.890597997.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.3.rundll32.exe.c5a4b1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.6d450000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.6d450000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.f1a4b1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.eca4b1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6d450000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.6d450000.2.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.874026586.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.873095643.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.890597997.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.3.rundll32.exe.c5a4b1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.6d450000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.6d450000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.f1a4b1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.eca4b1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6d450000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.6d450000.2.unpack, type: UNPACKEDPE
Behavior Graph (ID: 383661, Sample: 606e7fb752fbd.rar.dll, Startdate: 08/04/2021, Architecture: WINDOWS, Score: 56): signatures "Found malware configuration" and "Yara detected Ursnif"; loaddll32.exe starts cmd.exe, two rundll32.exe instances and 3 other processes; cmd.exe starts rundll32.exe.
No contacted IP infos