Loading ...

Play interactive tourEdit tour

Analysis Report 6ccd0000.bilper.dll

Overview

General Information

Sample Name:6ccd0000.bilper.dll
Analysis ID:403751
MD5:434b3d419af30403f6679f0578e9ed44
SHA1:089b875bca3e06156cdf0166896b2f1a9f64de58
SHA256:35bef39478577d735b1c8104f5800e95d73487284c89b281283e4c117688bd92
Infos:

Most interesting Screenshot:

Detection

Ursnif
Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Ursnif
Machine Learning detection for sample
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Registers a DLL
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 7136 cmdline: loaddll32.exe 'C:\Users\user\Desktop\6ccd0000.bilper.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 7148 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\6ccd0000.bilper.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 1904 cmdline: rundll32.exe 'C:\Users\user\Desktop\6ccd0000.bilper.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 7160 cmdline: regsvr32.exe /s C:\Users\user\Desktop\6ccd0000.bilper.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
    • iexplore.exe (PID: 5684 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
      • iexplore.exe (PID: 3000 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5684 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • rundll32.exe (PID: 5036 cmdline: rundll32.exe C:\Users\user\Desktop\6ccd0000.bilper.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
6ccd0000.bilper.dllJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Multi AV Scanner detection for submitted fileShow sources
    Source: 6ccd0000.bilper.dllReversingLabs: Detection: 55%
    Machine Learning detection for sampleShow sources
    Source: 6ccd0000.bilper.dllJoe Sandbox ML: detected
    Source: 6ccd0000.bilper.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
    Source: unknownHTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.4:49752 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.4:49751 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49768 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49769 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49770 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.4:49767 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.4:49766 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49771 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49773 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49772 version: TLS 1.2
    Source: Joe Sandbox ViewIP Address: 104.20.184.68 104.20.184.68
    Source: Joe Sandbox ViewIP Address: 87.248.118.23 87.248.118.23
    Source: Joe Sandbox ViewJA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
    Source: de-ch[1].htm.7.drString found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
    Source: msapplication.xml0.5.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x2808b386,0x01d740c9</date><accdate>0x2808b386,0x01d740c9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
    Source: msapplication.xml0.5.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x2808b386,0x01d740c9</date><accdate>0x2808b386,0x01d740c9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
    Source: msapplication.xml5.5.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x280d7891,0x01d740c9</date><accdate>0x280d7891,0x01d740c9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
    Source: msapplication.xml5.5.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x280d7891,0x01d740c9</date><accdate>0x280fdbf6,0x01d740c9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
    Source: msapplication.xml7.5.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x280fdbf6,0x01d740c9</date><accdate>0x280fdbf6,0x01d740c9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
    Source: msapplication.xml7.5.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x280fdbf6,0x01d740c9</date><accdate>0x280fdbf6,0x01d740c9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
    Source: de-ch[1].htm.7.drString found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
    Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen|https://twitter.com/i/notifications;Ich|#;Abmelden|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
    Source: de-ch[1].htm.7.drString found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"&nbsp;&nbsp;&nbsp;Ref 2: "+e.html(t.clientSettings.sid||"000000")+"&nbsp;&nbsp;&nbsp;Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console||{}).timeStamp?console.timeStamp(n):(r.performance||{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
    Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
    Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
    Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen|https://outlook.live.com/mail/deeplink/compose;Kalender|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)
    Source: unknownDNS traffic detected: queries for: www.msn.com
    Source: de-ch[1].htm.7.drString found in binary or memory: http://ogp.me/ns#
    Source: de-ch[1].htm.7.drString found in binary or memory: http://ogp.me/ns/fb#
    Source: auction[1].htm.7.drString found in binary or memory: http://popup.taboola.com/german
    Source: ~DF89FF7A3EA7A6DAC1.TMP.5.drString found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
    Source: msapplication.xml.5.drString found in binary or memory: http://www.amazon.com/
    Source: msapplication.xml1.5.drString found in binary or memory: http://www.google.com/
    Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
    Source: msapplication.xml2.5.drString found in binary or memory: http://www.live.com/
    Source: msapplication.xml3.5.drString found in binary or memory: http://www.nytimes.com/
    Source: msapplication.xml4.5.drString found in binary or memory: http://www.reddit.com/
    Source: msapplication.xml5.5.drString found in binary or memory: http://www.twitter.com/
    Source: msapplication.xml6.5.drString found in binary or memory: http://www.wikipedia.com/
    Source: msapplication.xml7.5.drString found in binary or memory: http://www.youtube.com/
    Source: de-ch[1].htm.7.drString found in binary or memory: https://amzn.to/2TTxhNg
    Source: auction[1].htm.7.drString found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&amp;ap
    Source: de-ch[1].htm.7.drString found in binary or memory: https://apps.apple.com/ch/app/microsoft-news/id945416273?pt=80423&amp;ct=prime_footer&amp;mt=8
    Source: auction[1].htm.7.drString found in binary or memory: https://beap.gemini.yahoo.com/mbclk?bv=1.0.0&amp;es=MbNFDAAGIS8ybfi5QcIZys3hqmOjoHRPHMH9lPtWuMt6I6Qd
    Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.7.drString found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
    Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.7.drString found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
    Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.7.drString found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
    Source: auction[1].htm.7.drString found in binary or memory: https://cdn.flurry.com/adTemplates/templates/htmls/clips.html&quot;
    Source: de-ch[1].htm.7.drString found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_office&amp;
    Source: de-ch[1].htm.7.drString found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_store&amp;m
    Source: de-ch[1].htm.7.drString found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_promotionalstripe_na
    Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://client-s.gateway.messenger.live.com
    Source: de-ch[1].htm.7.drString found in binary or memory: https://clk.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=21863656
    Source: de-ch[1].htm.7.drString found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=24903118&amp;epi=ch-de
    Source: de-ch[1].htm.7.drString found in binary or memory: https://clkde.tradedoubler.com/click?p=295926&amp;a=3064090&amp;g=24886692
    Source: ~DF89FF7A3EA7A6DAC1.TMP.5.drString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
    Source: de-ch[1].htm.7.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
    Source: de-ch[1].htm.7.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=722878611&amp;size=306x271&amp;http
    Source: de-ch[1].htm.7.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=858412214&amp;size=306x271&amp;http
    Source: ~DF89FF7A3EA7A6DAC1.TMP.5.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
    Source: ~DF89FF7A3EA7A6DAC1.TMP.5.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
    Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.7.drString found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
    Source: auction[1].htm.7.drString found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
    Source: auction[1].htm.7.drString found in binary or memory: https://ir2.beap.gemini.yahoo.com/mbcsc?bv=1.0.0&amp;es=fQ7kdc4GIS.xVAQOzJHbN9AmCA4x1v5rjinx8DJo92hQ
    Source: de-ch[1].htm.7.drString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;checkda=1&amp;ct=1620121041&amp;rver
    Source: de-ch[1].htm.7.drString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1620121041&amp;rver=7.0.6730.0&am
    Source: de-ch[1].htm.7.drString found in binary or memory: https://login.live.com/logout.srf?ct=1620121042&amp;rver=7.0.6730.0&amp;lc=1033&amp;id=1184&amp;lru=
    Source: de-ch[1].htm.7.drString found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1620121041&amp;rver=7.0.6730.0&amp;w
    Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
    Source: de-ch[1].htm.7.drString found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&amp;market=de-ch&quot;
    Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
    Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
    Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
    Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://onedrive.live.com/#qt=mru
    Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
    Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
    Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
    Source: de-ch[1].htm.7.drString found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
    Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://onedrive.live.com/about/en/download/
    Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://onedrive.live.com;Fotos
    Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://onedrive.live.com;OneDrive-App
    Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
    Source: de-ch[1].htm.7.drString found in binary or memory: https://outlook.com/
    Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://outlook.live.com/calendar
    Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
    Source: de-ch[1].htm.7.drString found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png&quot;
    Source: de-ch[1].htm.7.drString found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&amp;hl=de-ch&amp;refer
    Source: auction[1].htm.7.drString found in binary or memory: https://policies.oath.com/us/en/oath/privacy/index.html
    Source: ~DF89FF7A3EA7A6DAC1.TMP.5.drString found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
    Source: auction[1].htm.7.drString found in binary or memory: https://s.yimg.com/lo/api/res/1.2/BXjlWewXmZ47HeV5NPvUYA--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
    Source: de-ch[1].htm.7.drString found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-me
    Source: de-ch[1].htm.7.drString found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-shoppingstripe-nav
    Source: de-ch[1].htm.7.drString found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=travelnavlink
    Source: auction[1].htm.7.drString found in binary or memory: https://srtb.msn.com:443/notify/viewedg?rid=c1e9117e385f48b69e2586dc53f89581&amp;r=infopane&amp;i=2&
    Source: de-ch[1].htm.7.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/de-ch/homepage/api/modules/cdnfetch&quot;
    Source: imagestore.dat.7.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
    Source: de-ch[1].htm.7.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
    Source: de-ch[1].htm.7.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&amp;
    Source: de-ch[1].htm.7.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&amp;
    Source: de-ch[1].htm.7.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&amp;
    Source: de-ch[1].htm.7.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1gl8q9.img?h=368&amp
    Source: de-ch[1].htm.7.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&amp;w
    Source: de-ch[1].htm.7.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&amp;w
    Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://support.skype.com
    Source: de-ch[1].htm.7.drString found in binary or memory: https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/en-us?&quot;
    Source: de-ch[1].htm.7.drString found in binary or memory: https://twitter.com/
    Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://twitter.com/i/notifications;Ich
    Source: de-ch[1].htm.7.drString found in binary or memory: https://web.vortex.data.msn.com/collect/v1
    Source: de-ch[1].htm.7.drString found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&amp;ver=%272.1%27&amp;a
    Source: de-ch[1].htm.7.drString found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&amp;awinaffid=696593&amp;clickref=dech-edge-dhp-infopa
    Source: de-ch[1].htm.7.drString found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&amp;awinaffid=696593&amp;clickref=de-ch-edge-dhp-river
    Source: de-ch[1].htm.7.drString found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&amp;awinaffid=696593&amp;clickref=de-ch-ss&amp;ued=htt
    Source: iab2Data[1].json.7.drString found in binary or memory: https://www.bidstack.com/privacy-policy/
    Source: de-ch[1].htm.7.drString found in binary or memory: https://www.ebay.ch/?mkcid=1&amp;mkrid=5222-53480-19255-0&amp;siteid=193&amp;campid=5338626668&amp;t
    Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch
    Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch/
    Source: ~DF89FF7A3EA7A6DAC1.TMP.5.drString found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
    Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&amp;item=deferred_page%3a1&amp;ignorejs=webcore%2fmodules%2fjsb
    Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch/homepage/api/modules/fetch&quot;
    Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata&quot;
    Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
    Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
    Source: de-ch[1].htm.7.drString found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
    Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
    Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
    Source: de-ch[1].htm.7.drString found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&amp;auth=1&amp;wdorigin=msn
    Source: de-ch[1].htm.7.drString found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_mestripe_logo_d
    Source: de-ch[1].htm.7.drString found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_shop_de&amp;utm
    Source: de-ch[1].htm.7.drString found in binary or memory: https://www.skype.com/
    Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://www.skype.com/de
    Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://www.skype.com/de/download-skype
    Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
    Source: de-ch[1].htm.7.drString found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&amp;vertical=custom&amp;pageType=
    Source: de-ch[1].htm.7.drString found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
    Source: iab2Data[1].json.7.drString found in binary or memory: https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json
    Source: iab2Data[1].json.7.drString found in binary or memory: https://www.stroeer.de/konvergenz-konzepte/daten-technologien/stroeer-ssp/datenschutz-ssp.html
    Source: 52-478955-68ddb2ab[1].js.7.drString found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49766
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49773
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49772
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49771
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49770
    Source: unknownNetwork traffic detected: HTTP traffic on port 49766 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49767 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49769 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49770 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49768 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49773 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49769
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49768
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49767
    Source: unknownNetwork traffic detected: HTTP traffic on port 49771 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49772 -> 443
    Source: unknownHTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.4:49752 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.4:49751 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49768 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49769 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49770 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.4:49767 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.4:49766 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49771 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49773 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49772 version: TLS 1.2

    Key, Mouse, Clipboard, Microphone and Screen Capturing:

    barindex
    Yara detected UrsnifShow sources
    Source: Yara matchFile source: 6ccd0000.bilper.dll, type: SAMPLE
    Source: Yara matchFile source: 3.2.regsvr32.exe.6ccd0000.1.unpack, type: UNPACKEDPE

    E-Banking Fraud:

    barindex
    Yara detected UrsnifShow sources
    Source: Yara matchFile source: 6ccd0000.bilper.dll, type: SAMPLE
    Source: Yara matchFile source: 3.2.regsvr32.exe.6ccd0000.1.unpack, type: UNPACKEDPE
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_6CCD2385 NtQueryVirtualMemory,3_2_6CCD2385
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_6CCD21643_2_6CCD2164
    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
    Source: 6ccd0000.bilper.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
    Source: 6ccd0000.bilper.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: classification engineClassification label: mal60.troj.winDLL@13/121@10/4
    Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{51398716-ACBC-11EB-90EB-ECF4BBEA1588}.datJump to behavior
    Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Temp\~DF541F43C609FFB7E2.TMPJump to behavior
    Source: 6ccd0000.bilper.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
    Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\6ccd0000.bilper.dll',#1
    Source: 6ccd0000.bilper.dllReversingLabs: Detection: 55%
    Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\6ccd0000.bilper.dll'
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\6ccd0000.bilper.dll',#1
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\6ccd0000.bilper.dll
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\6ccd0000.bilper.dll',#1
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6ccd0000.bilper.dll,DllRegisterServer
    Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5684 CREDAT:17410 /prefetch:2
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\6ccd0000.bilper.dll',#1Jump to behavior
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\6ccd0000.bilper.dllJump to behavior
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exeJump to behavior
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6ccd0000.bilper.dll,DllRegisterServerJump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\6ccd0000.bilper.dll',#1Jump to behavior
    Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5684 CREDAT:17410 /prefetch:2Jump to behavior
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: 6ccd0000.bilper.dllStatic PE information: Image base 0x6ccd0000 > 0x60000000
    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_6CCD1D0F LoadLibraryA,GetProcAddress,3_2_6CCD1D0F
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\6ccd0000.bilper.dll
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_6CCD2153 push ecx; ret 3_2_6CCD2163
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_6CCD2100 push ecx; ret 3_2_6CCD2109

    Hooking and other Techniques for Hiding and Protection:

    barindex
    Yara detected UrsnifShow sources
    Source: Yara matchFile source: 6ccd0000.bilper.dll, type: SAMPLE
    Source: Yara matchFile source: 3.2.regsvr32.exe.6ccd0000.1.unpack, type: UNPACKEDPE
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\loaddll32.exeThread delayed: delay time: 120000Jump to behavior
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_6CCD1D0F LoadLibraryA,GetProcAddress,3_2_6CCD1D0F
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\6ccd0000.bilper.dll',#1Jump to behavior
    Source: regsvr32.exe, 00000003.00000002.918491208.00000000031B0000.00000002.00000001.sdmpBinary or memory string: Program Manager
    Source: regsvr32.exe, 00000003.00000002.918491208.00000000031B0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
    Source: regsvr32.exe, 00000003.00000002.918491208.00000000031B0000.00000002.00000001.sdmpBinary or memory string: Progman
    Source: regsvr32.exe, 00000003.00000002.918491208.00000000031B0000.00000002.00000001.sdmpBinary or memory string: Progmanlock