
Analysis Report O2U2nEYAZO.dll

Overview

General Information

Sample Name: O2U2nEYAZO.dll
Analysis ID: 404117
MD5: d0444db75cfd8076e5ee3fa9586e00cb
SHA1: 0c2f1c2a5e60393b2aa598f02e0693c6ab91af13
SHA256: bb5480c21a832b918bb504d84450129527c3e0c4c49924ecd874e880a6fb54c4
Tags: dll

Detection

Ursnif
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Machine Learning detection for sample
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6004 cmdline: loaddll32.exe 'C:\Users\user\Desktop\O2U2nEYAZO.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 4952 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\O2U2nEYAZO.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 3336 cmdline: rundll32.exe 'C:\Users\user\Desktop\O2U2nEYAZO.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5492 cmdline: rundll32.exe C:\Users\user\Desktop\O2U2nEYAZO.dll,DllServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup
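
The Startup tree above shows the sandbox driving the DLL through loaddll32.exe, cmd.exe and two rundll32.exe invocations (ordinal export #1 and the DllServer export), and the Sigma section of this report has no match. The following is an added triage rule written for this page (it is not part of the Joe Sandbox report) that scores rundll32 process-creation events on three features visible in that tree: a DLL loaded from outside the trusted system directories, an ordinal export, and a cmd.exe parent. The event records are constructed from the tree and are not real telemetry; loaddll32.exe is the sandbox's own DLL loader, so in a real incident the parent of the first rundll32.exe would be the delivery vector instead.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed process-creation events modelled on the report's Startup tree.
# Not real telemetry: loaddll32.exe is the sandbox's DLL loader, so in a real
# incident the parent of the first rundll32.exe would be the delivery vector.
EVENTS = [
    {"pid": 6004, "ppid": 1, "image": r"C:\Windows\System32\loaddll32.exe",
     "cmdline": r"loaddll32.exe 'C:\Users\user\Desktop\O2U2nEYAZO.dll'"},
    {"pid": 4952, "ppid": 6004, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\O2U2nEYAZO.dll',#1"},
    {"pid": 3336, "ppid": 4952, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe 'C:\Users\user\Desktop\O2U2nEYAZO.dll',#1"},
    {"pid": 5492, "ppid": 6004, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\user\Desktop\O2U2nEYAZO.dll,DllServer"},
    # Benign control (constructed): a routine rundll32 use from System32.
    {"pid": 7000, "ppid": 800, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# Directories a DLL may legitimately be loaded from via rundll32 (tune per estate).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# rundll32[.exe] <dll>,<export>  with the DLL path optionally quoted
RUNDLL_RE = re.compile(
    r"""rundll32(?:\.exe)?\s+["']?(?P<dll>[^"',]+?)["']?\s*,\s*(?P<export>[^\s"']+)""",
    re.IGNORECASE,
)


def parse_rundll32(cmdline: str) -> Optional[Tuple[str, str]]:
    """Extract (dll_path, export) from a rundll32 command line, or None."""
    m = RUNDLL_RE.search(cmdline)
    return (m.group("dll"), m.group("export")) if m else None


def triage(events: List[Dict]) -> Dict[int, List[str]]:
    """Return {pid: [reasons]} for every rundll32 event that looks suspicious."""
    by_pid = {e["pid"]: e for e in events}
    findings: Dict[int, List[str]] = {}
    for e in events:
        if not e["image"].lower().endswith(r"\rundll32.exe"):
            continue
        parsed = parse_rundll32(e["cmdline"])
        if parsed is None:
            continue
        dll, export = parsed
        reasons = []
        if not dll.lower().startswith(TRUSTED_DIRS):
            reasons.append("dll_outside_trusted_dirs")   # user-writable path
        if export.startswith("#"):
            reasons.append("ordinal_export")             # ',#1' hides the export name
        parent = by_pid.get(e["ppid"])
        if parent and parent["image"].lower().endswith(r"\cmd.exe"):
            reasons.append("spawned_by_cmd")             # scripted invocation
        if reasons:
            findings[e["pid"]] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in triage(EVENTS).items():
        print(pid, ", ".join(reasons))
```

The benign control event (shell32.dll from System32) produces no finding. On its own, `dll_outside_trusted_dirs` is noisy on hosts where legitimate installers run rundll32 from temporary directories, so in production weight the ordinal-export and cmd.exe-parent features higher or require two of the three.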

Malware Configuration

Threatname: Ursnif

{
  "RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA",
  "c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"],
  "botnet": "5566",
  "server": "12",
  "serpent_key": "10301029JSJUYDWG",
  "sleep_time": "10",
  "SetWaitableTimer_value": "0",
  "DGA_count": "10"
}
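
Before the values above go into a blocklist, note that two of the four "c2_domain" entries are well-known legitimate hosts. Ursnif/Gozi configurations routinely carry such hosts next to the real C2 domains; the bot uses them for connectivity checks, so blocking or reporting them as attacker infrastructure would be wrong. The script below is an added example for this page (not Joe Sandbox's code) that turns the extracted configuration into a triage record: it separates the actionable C2 domains from the decoys, confirms the Serpent key is a 128-bit key, and shows that the "RSA Public Key" blob is not DER-encoded (its first byte is not a SEQUENCE tag), so it cannot be loaded by a standard crypto library as-is. The decoy suffix list is an assumption for the example; substitute your own allowlist.

```python
import base64
import json
from typing import Dict, List, Tuple

# The configuration exactly as the report's extractor printed it.
CONFIG_JSON = r'''{"RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA", "c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}'''

# Legitimate hosts that Ursnif configs use as connectivity checks rather than C2.
# This suffix list is an assumption for the example; replace it with your own allowlist.
DECOY_SUFFIXES = ("bing.com", "microsoft.com", "google.com")


def is_decoy(domain: str) -> bool:
    """True if the domain equals or is a subdomain of a known decoy suffix."""
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in DECOY_SUFFIXES)


def split_c2(domains: List[str]) -> Tuple[List[str], List[str]]:
    """Return (actionable_c2, decoys), preserving the config's order."""
    actionable = [d for d in domains if not is_decoy(d)]
    decoys = [d for d in domains if is_decoy(d)]
    return actionable, decoys


def decode_key_blob(b64: str) -> bytes:
    """Base64-decode the key blob, tolerating a missing '=' padding."""
    padded = b64 + "=" * (-len(b64) % 4)
    return base64.b64decode(padded, validate=True)


def looks_like_der(blob: bytes) -> bool:
    """A DER SubjectPublicKeyInfo or RSAPublicKey begins with a SEQUENCE tag (0x30)."""
    return blob[:1] == b"\x30"


def triage(config_json: str) -> Dict:
    """Produce an analyst-facing record from an extracted Ursnif configuration."""
    cfg = json.loads(config_json)
    actionable, decoys = split_c2(cfg["c2_domain"])
    blob = decode_key_blob(cfg["RSA Public Key"])
    key = cfg["serpent_key"].encode("ascii")
    return {
        "botnet": cfg["botnet"],
        "server": cfg["server"],
        "c2_actionable": actionable,   # what goes on the blocklist
        "c2_decoys": decoys,           # what must NOT go on the blocklist
        "rsa_blob_len": len(blob),
        "rsa_blob_is_der": looks_like_der(blob),
        "serpent_key_bits": len(key) * 8,
        "sleep_time": int(cfg["sleep_time"]),
        "dga_count": int(cfg["DGA_count"]),
    }


if __name__ == "__main__":
    print(json.dumps(triage(CONFIG_JSON), indent=2))
```

The 16-character "serpent_key" is the 128-bit key the bot uses for its Serpent-encrypted C2 traffic, so it is the value to pivot on when decrypting captured requests; the non-DER public-key blob has to be parsed according to the Ursnif format before it can be used to verify or decrypt server responses.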

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000004.00000002.305804273.0000000003000000.00000004.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
00000000.00000002.364375859.0000000000EB0000.00000004.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
00000003.00000002.267745617.0000000000750000.00000004.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security

Unpacked PEs

Source | Rule | Description | Author
4.2.rundll32.exe.3000000.2.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
3.2.rundll32.exe.750000.2.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
0.2.loaddll32.exe.eb0000.1.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
  Source: 0.3.loaddll32.exe.2f594a0.0.raw.unpack | Malware Configuration Extractor: Ursnif (the configuration is listed in full under Malware Configuration above)
Multi AV Scanner detection for submitted file
  Source: O2U2nEYAZO.dll | Virustotal: Detection: 64%
Machine Learning detection for sample
  Source: O2U2nEYAZO.dll | Joe Sandbox ML: detected

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
  Source: Yara match | File source: 00000004.00000002.305804273.0000000003000000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000000.00000002.364375859.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000003.00000002.267745617.0000000000750000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 4.2.rundll32.exe.3000000.2.raw.unpack, type: UNPACKEDPE
  Source: Yara match | File source: 3.2.rundll32.exe.750000.2.raw.unpack, type: UNPACKEDPE
  Source: Yara match | File source: 0.2.loaddll32.exe.eb0000.1.raw.unpack, type: UNPACKEDPE

E-Banking Fraud:

Yara detected Ursnif
  Source: Yara match | File source: 00000004.00000002.305804273.0000000003000000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000000.00000002.364375859.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000003.00000002.267745617.0000000000750000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 4.2.rundll32.exe.3000000.2.raw.unpack, type: UNPACKEDPE
  Source: Yara match | File source: 3.2.rundll32.exe.750000.2.raw.unpack, type: UNPACKEDPE
  Source: Yara match | File source: 0.2.loaddll32.exe.eb0000.1.raw.unpack, type: UNPACKEDPE
Detected potential crypto function
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E95F16
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E913C5
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E943D8
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E91CD0
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E927D4
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E93FAB
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E92FAF
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E988BA
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E931B3
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E992B2
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E92A69
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E91967
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E92566
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E9150C
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E9510C
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E91B1E
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E93A14
  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02FE66BA
  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02FE27D4
  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02FE13C5
  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02FE88BA
  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02FE92B2
  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02FE45B2
  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02FE2FAF
  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02FE2A69
  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02FE2566
  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02FE1967
  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02FE1B1E
  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02FE5F16
  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02FE3A14
  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02FE150C
  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02FE510C
Uses 32bit PE files
  Source: O2U2nEYAZO.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

  Source: classification engine | Classification label: mal68.troj.winDLL@7/0@0/0
  Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
  Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\O2U2nEYAZO.dll'
  Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\O2U2nEYAZO.dll',#1
  Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\O2U2nEYAZO.dll,DllServer
  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\O2U2nEYAZO.dll',#1

PE file contains sections with non-standard names
  Source: O2U2nEYAZO.dll | Static PE information: section name: .code
Uses code obfuscation techniques (call, push, ret)
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E9709D | push edi; mov dword ptr [esp], FFFF0000h | at 0_2_00E9709E
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E9709D | push 00000000h; mov dword ptr [esp], ebp | at 0_2_00E970F5
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E9709D | push esp; mov dword ptr [esp], 00000040h | at 0_2_00E9711D
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E9709D | push 00000000h; mov dword ptr [esp], ecx | at 0_2_00E9716C
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E95F16 | push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx | at 0_2_00E95F7B
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E95F16 | push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | at 0_2_00E95F94
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E95F16 | push dword ptr [ebp-08h]; mov dword ptr [esp], eax | at 0_2_00E95FDD
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E95F16 | push dword ptr [ebp-10h]; mov dword ptr [esp], eax | at 0_2_00E9604B
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E95F16 | push dword ptr [ebp-08h]; mov dword ptr [esp], eax | at 0_2_00E96124
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E95F16 | push 00000000h; mov dword ptr [esp], edi | at 0_2_00E9614F
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E95F16 | push 00000000h; mov dword ptr [esp], edx | at 0_2_00E9625E
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E95F16 | push dword ptr [ebp-10h]; mov dword ptr [esp], eax | at 0_2_00E962B5
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E95F16 | push dword ptr [ebp-10h]; mov dword ptr [esp], eax | at 0_2_00E96343
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E95F16 | push dword ptr [ebp-10h]; mov dword ptr [esp], eax | at 0_2_00E9635D
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E95F16 | push 00000000h; mov dword ptr [esp], ebp | at 0_2_00E96368
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E95F16 | push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | at 0_2_00E96385
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E95F16 | push 00000000h; mov dword ptr [esp], edx | at 0_2_00E963B4
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E95F16 | push dword ptr [ebp-08h]; mov dword ptr [esp], eax | at 0_2_00E96483
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E95F16 | push dword ptr [ebp-08h]; mov dword ptr [esp], eax | at 0_2_00E964F2
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E95F16 | push dword ptr [ebp-10h]; mov dword ptr [esp], eax | at 0_2_00E964FE
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E95F16 | push dword ptr [ebp-08h]; mov dword ptr [esp], eax | at 0_2_00E9650A
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E95F16 | push 00000000h; mov dword ptr [esp], edi | at 0_2_00E96567
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E95F16 | push 00000000h; mov dword ptr [esp], edi | at 0_2_00E965A9
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E95F16 | push 00000000h; mov dword ptr [esp], eax | at 0_2_00E96610
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E95F16 | push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | at 0_2_00E96685
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E95F16 | push dword ptr [ebp-08h]; mov dword ptr [esp], ecx | at 0_2_00E966C2
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E95F16 | push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | at 0_2_00E966E8
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E95F16 | push 00000000h; mov dword ptr [esp], edi | at 0_2_00E96781
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E95F16 | push 00000000h; mov dword ptr [esp], edx | at 0_2_00E967B6
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E95F16 | push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | at 0_2_00E9684C
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E95F16 | push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | at 0_2_00E96858

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
  Source: Yara match | File source: 00000004.00000002.305804273.0000000003000000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000000.00000002.364375859.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000003.00000002.267745617.0000000000750000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 4.2.rundll32.exe.3000000.2.raw.unpack, type: UNPACKEDPE
  Source: Yara match | File source: 3.2.rundll32.exe.750000.2.raw.unpack, type: UNPACKEDPE
  Source: Yara match | File source: 0.2.loaddll32.exe.eb0000.1.raw.unpack, type: UNPACKEDPE

  Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
  Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (6 occurrences)

Program does not show much activity (idle)
  Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

  Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000

Contains functionality to read the PEB
  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E92A69 | xor edi, dword ptr fs:[00000030h]
  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02FE2A69 | xor edi, dword ptr fs:[00000030h]

Creates a process in suspended mode (likely to inject code)
  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\O2U2nEYAZO.dll',#1
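
The "push X; mov dword ptr [esp], Y" pairs listed under the obfuscation signature earlier and the "xor edi, dword ptr fs:[30h]" under the PEB signature are byte-level patterns that can be found statically. The scanner below is an added example written for this page, not Joe Sandbox's code, built from hand-assembled x86 encodings: a push immediately followed by a write to [esp] has the same effect as pushing the second operand, so the scanner reports the effective instruction next to the obfuscated pair, and the PEB check matches an fs-prefixed read of dword [fs:0x30], the PEB pointer in the 32-bit TEB. The sample buffer is constructed from the instruction pairs the report lists and is not a dump of the sample. Because the signature evidence above was taken from process memory, run the scanner over the memory dumps and unpacked PEs as well as the DLL on disk.

```python
import re
import sys
from typing import Dict, List, Tuple

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# push imm32 | push imm8 | push r32 | push dword ptr [ebp+disp8]
PUSH = rb"(?:\x68.{4}|\x6a.|[\x50-\x57]|\xff\x75.)"
# mov dword ptr [esp], r32 (89 /r, modrm 04 + SIB 24) | mov dword ptr [esp], imm32 (C7 04 24 imm32)
MOV_ESP = rb"(?:\x89[\x04\x0c\x14\x1c\x24\x2c\x34\x3c]\x24|\xc7\x04\x24.{4})"
PUSH_MOV_RE = re.compile(PUSH + MOV_ESP, re.DOTALL)

# fs-prefixed read of dword [fs:0x30]:
#   64 A1 30 00 00 00                      mov eax, dword ptr fs:[30h]
#   64 <op> <modrm mod=00 rm=101> 30 00 00 00   e.g. 64 33 3D 30 00 00 00 = xor edi, dword ptr fs:[30h]
PEB_RE = re.compile(
    rb"\x64(?:\xa1|[\x8b\x33\x03\x2b\x3b][\x05\x0d\x15\x1d\x25\x2d\x35\x3d])\x30\x00\x00\x00",
    re.DOTALL,
)
OPNAME = {0x8B: "mov", 0x33: "xor", 0x03: "add", 0x2B: "sub", 0x3B: "cmp"}

# Constructed test buffer: the pairs the report lists, plus ordinary filler code.
SAMPLE = bytes.fromhex(
    "55 8b ec"                   # push ebp; mov ebp, esp   (normal prologue, no hit)
    "57 c7 04 24 00 00 ff ff"    # push edi; mov dword ptr [esp], 0FFFF0000h
    "33 c0"                      # xor eax, eax             (filler)
    "6a 00 89 2c 24"             # push 0; mov dword ptr [esp], ebp
    "54 c7 04 24 40 00 00 00"    # push esp; mov dword ptr [esp], 40h
    "ff 75 f4 89 14 24"          # push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx
    "64 33 3d 30 00 00 00"       # xor edi, dword ptr fs:[30h]   (PEB read)
    "64 a1 30 00 00 00"          # mov eax, dword ptr fs:[30h]   (PEB read)
    "5f 5d c3"                   # pop edi; pop ebp; ret
)


def _decode_push(buf: bytes, i: int) -> Tuple[str, int]:
    """Return (text, length) for the push instruction starting at buf[i]."""
    op = buf[i]
    if op == 0x68:
        return f"push 0x{int.from_bytes(buf[i+1:i+5], 'little'):08x}", 5
    if op == 0x6A:
        return f"push 0x{buf[i+1]:02x}", 2
    if 0x50 <= op <= 0x57:
        return f"push {REG32[op - 0x50]}", 1
    disp = int.from_bytes(buf[i+2:i+3], "little", signed=True)   # FF 75 disp8
    return f"push dword ptr [ebp{disp:+#x}]", 3


def _decode_mov_esp(buf: bytes, i: int) -> str:
    """Return the source operand of the 'mov dword ptr [esp], X' at buf[i]."""
    if buf[i] == 0x89:
        return REG32[(buf[i+1] >> 3) & 7]
    return f"0x{int.from_bytes(buf[i+3:i+7], 'little'):08x}"


def scan_push_mov(buf: bytes) -> List[Dict]:
    """Find push/mov-[esp] pairs and the single push each one is equivalent to."""
    hits = []
    for m in PUSH_MOV_RE.finditer(buf):
        push_text, plen = _decode_push(buf, m.start())
        src = _decode_mov_esp(buf, m.start() + plen)
        hits.append({"offset": m.start(),
                     "seen": f"{push_text}; mov dword ptr [esp], {src}",
                     "effective": f"push {src}"})
    return hits


def scan_peb_access(buf: bytes) -> List[Dict]:
    """Find instructions that read the PEB pointer from fs:[0x30]."""
    hits = []
    for m in PEB_RE.finditer(buf):
        b = m.group(0)
        if b[1] == 0xA1:
            insn = "mov eax, dword ptr fs:[30h]"
        else:
            insn = f"{OPNAME[b[1]]} {REG32[(b[2] >> 3) & 7]}, dword ptr fs:[30h]"
        hits.append({"offset": m.start(), "insn": insn})
    return hits


def summarize(buf: bytes) -> Dict[str, int]:
    return {"push_mov_pairs": len(scan_push_mov(buf)),
            "peb_reads": len(scan_peb_access(buf))}


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for h in scan_push_mov(data):
        print(f"{h['offset']:#08x}  {h['seen']:<50}  => {h['effective']}")
    for h in scan_peb_access(data):
        print(f"{h['offset']:#08x}  {h['insn']}")
    print(summarize(data))
```

A single 1-byte push followed by a 3-byte mov can occur by chance in data, so treat a handful of isolated hits as noise; the report's pattern, dozens of pairs clustered inside two functions, is what distinguishes deliberate obfuscation. The PEB read by itself is not malicious (compilers and loaders read fs:[0x30] legitimately), but combined with the push/mov clusters it is a useful pivot for locating the anti-analysis code.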

Stealing of Sensitive Information:

Yara detected Ursnif
  Source: Yara match | File source: 00000004.00000002.305804273.0000000003000000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000000.00000002.364375859.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000003.00000002.267745617.0000000000750000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 4.2.rundll32.exe.3000000.2.raw.unpack, type: UNPACKEDPE
  Source: Yara match | File source: 3.2.rundll32.exe.750000.2.raw.unpack, type: UNPACKEDPE
  Source: Yara match | File source: 0.2.loaddll32.exe.eb0000.1.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Ursnif
  Source: Yara match | File source: 00000004.00000002.305804273.0000000003000000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000000.00000002.364375859.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000003.00000002.267745617.0000000000750000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 4.2.rundll32.exe.3000000.2.raw.unpack, type: UNPACKEDPE
  Source: Yara match | File source: 3.2.rundll32.exe.750000.2.raw.unpack, type: UNPACKEDPE
  Source: Yara match | File source: 0.2.loaddll32.exe.eb0000.1.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Techniques flagged for this sample, with the count shown in the matrix:

Privilege Escalation: Process Injection 11
Defense Evasion: Rundll32 1; Virtualization/Sandbox Evasion 1; Process Injection 11; Obfuscated Files or Information 1
Discovery: Virtualization/Sandbox Evasion 1; System Information Discovery 1
Collection: Archive Collected Data 1
Command and Control: Encrypted Channel 1

              Behavior Graph

Behavior Graph ID: 404117 | Sample: O2U2nEYAZO.dll | Start date: 04/05/2021 | Architecture: WINDOWS | Score: 68
Signatures on the root node: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Ursnif; Machine Learning detection for sample
Process edges: loaddll32.exe started cmd.exe and rundll32.exe; cmd.exe started rundll32.exe
