Analysis Report 6ba90000.da.dll

Overview

General Information

Sample Name: 6ba90000.da.dll
Analysis ID: 403002
MD5: 9a16338e6a4de4f3dd58a1e9610217b8
SHA1: e53070c3d8cc56e80bbd01da7081d079ad602ca3
SHA256: 2da8961e57698bcd2dbe9c4311181352ccb1047dbbca9814bf2183a6fe0dd904
Tags: gozi

Detection

Ursnif
Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Ursnif
Machine Learning detection for sample
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Registers a DLL
Tries to load missing DLLs
Uses 32bit PE files

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 3900 cmdline: loaddll32.exe 'C:\Users\user\Desktop\6ba90000.da.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 2268 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\6ba90000.da.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 4636 cmdline: rundll32.exe 'C:\Users\user\Desktop\6ba90000.da.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 5748 cmdline: regsvr32.exe /s C:\Users\user\Desktop\6ba90000.da.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
    • iexplore.exe (PID: 5912 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
      • iexplore.exe (PID: 2264 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5912 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • rundll32.exe (PID: 6028 cmdline: rundll32.exe C:\Users\user\Desktop\6ba90000.da.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: 6ba90000.da.dll | Rule: JoeSecurity_Ursnif_1 | Description: Yara detected Ursnif | Author: Joe Security

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    AV Detection:

    Machine Learning detection for sample
    Source: 6ba90000.da.dll | Joe Sandbox ML: detected
    Source: 6ba90000.da.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
    Source: unknown | HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.5:49731 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.5:49732 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49743 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49744 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49746 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49745 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49747 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49748 version: TLS 1.2
    Source: Joe Sandbox View | IP Address: 104.20.184.68
    Source: Joe Sandbox View | IP Address: 151.101.1.44
    Source: Joe Sandbox View | JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
    Source: unknown | DNS traffic detected: queries for: www.msn.com

    Key, Mouse, Clipboard, Microphone and Screen Capturing:

    Yara detected Ursnif
    Source: Yara match | File source: 6ba90000.da.dll, type: SAMPLE
    Source: loaddll32.exe, 00000001.00000002.238261132.000000000079B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

    E-Banking Fraud:

    Yara detected Ursnif
    Source: Yara match | File source: 6ba90000.da.dll, type: SAMPLE
    Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
    Source: 6ba90000.da.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
    Source: 6ba90000.da.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: classification engine | Classification label: mal52.troj.winDLL@13/123@9/2
    Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{FD6993A1-AC6D-11EB-90E5-ECF4BB570DC9}.dat
    Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF6244492228E56207.TMP
    Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
    Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\6ba90000.da.dll',#1
    Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\6ba90000.da.dll'
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\6ba90000.da.dll',#1
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\6ba90000.da.dll
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6ba90000.da.dll,DllRegisterServer
    Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5912 CREDAT:17410 /prefetch:2
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: 6ba90000.da.dll | Static PE information: Image base 0x6ba90000 > 0x60000000
    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

    Hooking and other Techniques for Hiding and Protection:

    Yara detected Ursnif
    Source: Yara match | File source: 6ba90000.da.dll, type: SAMPLE
    Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\6ba90000.da.dll',#1

    Stealing of Sensitive Information:

    Yara detected Ursnif
    Source: Yara match | File source: 6ba90000.da.dll, type: SAMPLE

    Remote Access Functionality:
