Analysis Report O2U2nEYAZO.dll

Overview

General Information

Sample Name: O2U2nEYAZO.dll
Analysis ID: 404117
MD5: d0444db75cfd8076e5ee3fa9586e00cb
SHA1: 0c2f1c2a5e60393b2aa598f02e0693c6ab91af13
SHA256: bb5480c21a832b918bb504d84450129527c3e0c4c49924ecd874e880a6fb54c4
Tags: dll
Infos:

Most interesting Screenshot:

Detection

Ursnif
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Machine Learning detection for sample
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

barindex
Found malware configuration
Source: 5.3.rundll32.exe.51194a0.0.raw.unpack Malware Configuration Extractor: Ursnif {"RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA", "c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Multi AV Scanner detection for submitted file
Source: O2U2nEYAZO.dll Virustotal: Detection: 64% Perma Link
Source: O2U2nEYAZO.dll ReversingLabs: Detection: 78%
Machine Learning detection for sample
Source: O2U2nEYAZO.dll Joe Sandbox ML: detected

Compliance:

barindex
Uses 32bit PE files
Source: O2U2nEYAZO.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000004.00000002.380711956.0000000004D10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.692229212.0000000000850000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.491923897.0000000002BD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.rundll32.exe.2bd0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.850000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4d10000.2.raw.unpack, type: UNPACKEDPE

E-Banking Fraud:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000004.00000002.380711956.0000000004D10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.692229212.0000000000850000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.491923897.0000000002BD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.rundll32.exe.2bd0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.850000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4d10000.2.raw.unpack, type: UNPACKEDPE

System Summary:

barindex
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00815F16 1_2_00815F16
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00813FAB 1_2_00813FAB
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00812FAF 1_2_00812FAF
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_008131B3 1_2_008131B3
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_008192B2 1_2_008192B2
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_008188BA 1_2_008188BA
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_008113C5 1_2_008113C5
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00811CD0 1_2_00811CD0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_008127D4 1_2_008127D4
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_008143D8 1_2_008143D8
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0081150C 1_2_0081150C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00813A14 1_2_00813A14
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00811B1E 1_2_00811B1E
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00815A25 1_2_00815A25
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00815262 1_2_00815262
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00811967 1_2_00811967
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00812566 1_2_00812566
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00812A69 1_2_00812A69
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00815378 1_2_00815378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02AC5F16 5_2_02AC5F16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02AC2FAF 5_2_02AC2FAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02AC3FAB 5_2_02AC3FAB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02AC88BA 5_2_02AC88BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02AC92B2 5_2_02AC92B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02AC31B3 5_2_02AC31B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02AC13C5 5_2_02AC13C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02AC43D8 5_2_02AC43D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02AC27D4 5_2_02AC27D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02AC1CD0 5_2_02AC1CD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02AC5A25 5_2_02AC5A25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02AC150C 5_2_02AC150C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02AC1B1E 5_2_02AC1B1E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02AC3A14 5_2_02AC3A14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02AC2A69 5_2_02AC2A69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02AC2566 5_2_02AC2566
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02AC1967 5_2_02AC1967
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02AC5262 5_2_02AC5262
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02AC5378 5_2_02AC5378
Uses 32bit PE files
Source: O2U2nEYAZO.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine Classification label: mal68.troj.winDLL@7/0@0/0
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\O2U2nEYAZO.dll,DllServer
Source: O2U2nEYAZO.dll Virustotal: Detection: 64%
Source: O2U2nEYAZO.dll ReversingLabs: Detection: 78%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\O2U2nEYAZO.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\O2U2nEYAZO.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\O2U2nEYAZO.dll,DllServer
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\O2U2nEYAZO.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\O2U2nEYAZO.dll',#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\O2U2nEYAZO.dll,DllServer Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\O2U2nEYAZO.dll',#1 Jump to behavior

Data Obfuscation:

barindex
PE file contains sections with non-standard names
Source: O2U2nEYAZO.dll Static PE information: section name: .code
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0081709D push edi; mov dword ptr [esp], FFFF0000h 1_2_0081709E
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0081709D push 00000000h; mov dword ptr [esp], ebp 1_2_008170F5
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0081709D push esp; mov dword ptr [esp], 00000040h 1_2_0081711D
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_0081709D push 00000000h; mov dword ptr [esp], ecx 1_2_0081716C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00815F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx 1_2_00815F7B
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00815F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 1_2_00815F94
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00815F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 1_2_00815FDD
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00815F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 1_2_0081604B
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00815F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 1_2_00816124
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00815F16 push 00000000h; mov dword ptr [esp], edi 1_2_0081614F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00815F16 push 00000000h; mov dword ptr [esp], edx 1_2_0081625E
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00815F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 1_2_008162B5
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00815F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 1_2_00816343
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00815F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 1_2_0081635D
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00815F16 push 00000000h; mov dword ptr [esp], ebp 1_2_00816368
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00815F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 1_2_00816385
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00815F16 push 00000000h; mov dword ptr [esp], edx 1_2_008163B4
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00815F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 1_2_00816483
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00815F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 1_2_008164F2
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00815F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 1_2_008164FE
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00815F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 1_2_0081650A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00815F16 push 00000000h; mov dword ptr [esp], edi 1_2_00816567
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00815F16 push 00000000h; mov dword ptr [esp], edi 1_2_008165A9
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00815F16 push 00000000h; mov dword ptr [esp], eax 1_2_00816610
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00815F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 1_2_00816685
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00815F16 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx 1_2_008166C2
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00815F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 1_2_008166E8
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00815F16 push 00000000h; mov dword ptr [esp], edi 1_2_00816781
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00815F16 push 00000000h; mov dword ptr [esp], edx 1_2_008167B6
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00815F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 1_2_0081684C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00815F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 1_2_00816858

Hooking and other Techniques for Hiding and Protection:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000004.00000002.380711956.0000000004D10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.692229212.0000000000850000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.491923897.0000000002BD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.rundll32.exe.2bd0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.850000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4d10000.2.raw.unpack, type: UNPACKEDPE
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000 Jump to behavior

Anti Debugging:

barindex
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00812A69 xor edi, dword ptr fs:[00000030h] 1_2_00812A69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02AC2A69 xor edi, dword ptr fs:[00000030h] 5_2_02AC2A69
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\O2U2nEYAZO.dll',#1 Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000004.00000002.380711956.0000000004D10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.692229212.0000000000850000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.491923897.0000000002BD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.rundll32.exe.2bd0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.850000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4d10000.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000004.00000002.380711956.0000000004D10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.692229212.0000000000850000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.491923897.0000000002BD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.rundll32.exe.2bd0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.850000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4d10000.2.raw.unpack, type: UNPACKEDPE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 404117 Sample: O2U2nEYAZO.dll Startdate: 04/05/2021 Architecture: WINDOWS Score: 68 15 Found malware configuration 2->15 17 Multi AV Scanner detection for submitted file 2->17 19 Yara detected  Ursnif 2->19 21 Machine Learning detection for sample 2->21 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 rundll32.exe 7->11         started        process5 13 rundll32.exe 9->13         started       
No contacted IP infos