Analysis Report H78gXhk1NY.dll

Overview

General Information

Sample Name: H78gXhk1NY.dll
Analysis ID: 404151
MD5: 759e055bf47a9ce1a7fce3e3276120f3
SHA1: d6de742f6caf13d4a9aa75287d041596fbcea73a
SHA256: d8bcf8beebb5ab690b52094df6317f023f62f044e8107508d84d06d4700fe81a
Tags: dllGozi

Detection

Ursnif
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Machine Learning detection for sample
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 0.2.loaddll32.exe.8a0000.1.raw.unpack Malware Configuration Extractor: Ursnif {"RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA", "c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Multi AV Scanner detection for submitted file
Source: H78gXhk1NY.dll ReversingLabs: Detection: 74%
Machine Learning detection for sample
Source: H78gXhk1NY.dll Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: H78gXhk1NY.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000002.00000002.279071628.0000000000F00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.254943759.0000000003100000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.276028882.00000000008A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.loaddll32.exe.8a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3100000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.f00000.2.raw.unpack, type: UNPACKEDPE
Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000002.276071001.0000000000A9B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif

System Summary:

Detected potential crypto function
Uses 32bit PE files
Source: H78gXhk1NY.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine Classification label: mal68.troj.winDLL@7/0@0/0
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\H78gXhk1NY.dll,DllServer
Source: H78gXhk1NY.dll ReversingLabs: Detection: 74%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll',#1

Data Obfuscation:

PE file contains sections with non-standard names
Source: H78gXhk1NY.dll Static PE information: section name: .code
Uses code obfuscation techniques (call, push, ret)

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00EE2A69 xor edi, dword ptr fs:[00000030h] 2_2_00EE2A69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03092A69 xor edi, dword ptr fs:[00000030h] 3_2_03092A69
Program does not show much activity (idle)

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll',#1

Stealing of Sensitive Information:

Yara detected Ursnif

Remote Access Functionality:

Yara detected Ursnif
Behavior Graph (ID: 404151, Sample: H78gXhk1NY.dll, Startdate: 04/05/2021, Architecture: WINDOWS, Score: 68)
Root node signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Ursnif; Machine Learning detection for sample
Process tree: loaddll32.exe -> cmd.exe -> rundll32.exe; loaddll32.exe -> rundll32.exe
No contacted IP infos