Analysis Report O2U2nEYAZO.dll

Overview

General Information

Sample Name: O2U2nEYAZO.dll
Analysis ID: 404117
MD5: d0444db75cfd8076e5ee3fa9586e00cb
SHA1: 0c2f1c2a5e60393b2aa598f02e0693c6ab91af13
SHA256: bb5480c21a832b918bb504d84450129527c3e0c4c49924ecd874e880a6fb54c4
Tags: dll
Infos:

Most interesting Screenshot:

Detection

Ursnif
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Machine Learning detection for sample
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

barindex
Found malware configuration
Source: 0.3.loaddll32.exe.2f594a0.0.raw.unpack Malware Configuration Extractor: Ursnif {"RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA", "c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Multi AV Scanner detection for submitted file
Source: O2U2nEYAZO.dll Virustotal: Detection: 64% Perma Link
Machine Learning detection for sample
Source: O2U2nEYAZO.dll Joe Sandbox ML: detected

Compliance:

barindex
Uses 32bit PE files
Source: O2U2nEYAZO.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000004.00000002.305804273.0000000003000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.364375859.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.267745617.0000000000750000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.rundll32.exe.3000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.750000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.eb0000.1.raw.unpack, type: UNPACKEDPE

E-Banking Fraud:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000004.00000002.305804273.0000000003000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.364375859.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.267745617.0000000000750000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.rundll32.exe.3000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.750000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.eb0000.1.raw.unpack, type: UNPACKEDPE

System Summary:

barindex
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E95F16 0_2_00E95F16
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E913C5 0_2_00E913C5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E943D8 0_2_00E943D8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E91CD0 0_2_00E91CD0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E927D4 0_2_00E927D4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E93FAB 0_2_00E93FAB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E92FAF 0_2_00E92FAF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E988BA 0_2_00E988BA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E931B3 0_2_00E931B3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E992B2 0_2_00E992B2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E92A69 0_2_00E92A69
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E91967 0_2_00E91967
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E92566 0_2_00E92566
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E9150C 0_2_00E9150C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E9510C 0_2_00E9510C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E91B1E 0_2_00E91B1E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E93A14 0_2_00E93A14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02FE66BA 4_2_02FE66BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02FE27D4 4_2_02FE27D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02FE13C5 4_2_02FE13C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02FE88BA 4_2_02FE88BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02FE92B2 4_2_02FE92B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02FE45B2 4_2_02FE45B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02FE2FAF 4_2_02FE2FAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02FE2A69 4_2_02FE2A69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02FE2566 4_2_02FE2566
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02FE1967 4_2_02FE1967
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02FE1B1E 4_2_02FE1B1E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02FE5F16 4_2_02FE5F16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02FE3A14 4_2_02FE3A14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02FE150C 4_2_02FE150C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02FE510C 4_2_02FE510C
Uses 32bit PE files
Source: O2U2nEYAZO.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine Classification label: mal68.troj.winDLL@7/0@0/0
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\O2U2nEYAZO.dll,DllServer
Source: O2U2nEYAZO.dll Virustotal: Detection: 64%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\O2U2nEYAZO.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\O2U2nEYAZO.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\O2U2nEYAZO.dll,DllServer
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\O2U2nEYAZO.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\O2U2nEYAZO.dll',#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\O2U2nEYAZO.dll,DllServer Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\O2U2nEYAZO.dll',#1 Jump to behavior

Data Obfuscation:

barindex
PE file contains sections with non-standard names
Source: O2U2nEYAZO.dll Static PE information: section name: .code
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E9709D push edi; mov dword ptr [esp], FFFF0000h 0_2_00E9709E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E9709D push 00000000h; mov dword ptr [esp], ebp 0_2_00E970F5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E9709D push esp; mov dword ptr [esp], 00000040h 0_2_00E9711D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E9709D push 00000000h; mov dword ptr [esp], ecx 0_2_00E9716C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E95F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx 0_2_00E95F7B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E95F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 0_2_00E95F94
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E95F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 0_2_00E95FDD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E95F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 0_2_00E9604B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E95F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 0_2_00E96124
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E95F16 push 00000000h; mov dword ptr [esp], edi 0_2_00E9614F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E95F16 push 00000000h; mov dword ptr [esp], edx 0_2_00E9625E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E95F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 0_2_00E962B5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E95F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 0_2_00E96343
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E95F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 0_2_00E9635D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E95F16 push 00000000h; mov dword ptr [esp], ebp 0_2_00E96368
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E95F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 0_2_00E96385
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E95F16 push 00000000h; mov dword ptr [esp], edx 0_2_00E963B4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E95F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 0_2_00E96483
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E95F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 0_2_00E964F2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E95F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 0_2_00E964FE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E95F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 0_2_00E9650A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E95F16 push 00000000h; mov dword ptr [esp], edi 0_2_00E96567
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E95F16 push 00000000h; mov dword ptr [esp], edi 0_2_00E965A9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E95F16 push 00000000h; mov dword ptr [esp], eax 0_2_00E96610
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E95F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 0_2_00E96685
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E95F16 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx 0_2_00E966C2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E95F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 0_2_00E966E8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E95F16 push 00000000h; mov dword ptr [esp], edi 0_2_00E96781
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E95F16 push 00000000h; mov dword ptr [esp], edx 0_2_00E967B6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E95F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 0_2_00E9684C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E95F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 0_2_00E96858

Hooking and other Techniques for Hiding and Protection:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000004.00000002.305804273.0000000003000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.364375859.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.267745617.0000000000750000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.rundll32.exe.3000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.750000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.eb0000.1.raw.unpack, type: UNPACKEDPE
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000 Jump to behavior

Anti Debugging:

barindex
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00E92A69 xor edi, dword ptr fs:[00000030h] 0_2_00E92A69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02FE2A69 xor edi, dword ptr fs:[00000030h] 4_2_02FE2A69
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\O2U2nEYAZO.dll',#1 Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000004.00000002.305804273.0000000003000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.364375859.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.267745617.0000000000750000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.rundll32.exe.3000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.750000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.eb0000.1.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000004.00000002.305804273.0000000003000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.364375859.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.267745617.0000000000750000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.rundll32.exe.3000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.750000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.eb0000.1.raw.unpack, type: UNPACKEDPE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 404117 Sample: O2U2nEYAZO.dll Startdate: 04/05/2021 Architecture: WINDOWS Score: 68 15 Found malware configuration 2->15 17 Multi AV Scanner detection for submitted file 2->17 19 Yara detected  Ursnif 2->19 21 Machine Learning detection for sample 2->21 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 rundll32.exe 7->11         started        process5 13 rundll32.exe 9->13         started       
No contacted IP infos