Analysis Report H78gXhk1NY.dll

Overview

General Information

Sample Name: H78gXhk1NY.dll
Analysis ID: 404151
MD5: 759e055bf47a9ce1a7fce3e3276120f3
SHA1: d6de742f6caf13d4a9aa75287d041596fbcea73a
SHA256: d8bcf8beebb5ab690b52094df6317f023f62f044e8107508d84d06d4700fe81a
Tags: dll, Gozi

Detection

Ursnif
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Machine Learning detection for sample
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6272 cmdline: loaddll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 6284 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6304 cmdline: rundll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6292 cmdline: rundll32.exe C:\Users\user\Desktop\H78gXhk1NY.dll,DllServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA", "c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.279071628.0000000000F00000.00000004.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
00000003.00000002.254943759.0000000003100000.00000004.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
00000000.00000002.276028882.00000000008A0000.00000004.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.loaddll32.exe.8a0000.1.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
3.2.rundll32.exe.3100000.2.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
2.2.rundll32.exe.f00000.2.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.loaddll32.exe.8a0000.1.raw.unpack, Malware Configuration Extractor: Ursnif {"RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA", "c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Multi AV Scanner detection for submitted file
Source: H78gXhk1NY.dll, ReversingLabs: Detection: 74%
Machine Learning detection for sample
Source: H78gXhk1NY.dll, Joe Sandbox ML: detected
Source: H78gXhk1NY.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match, File source: 00000002.00000002.279071628.0000000000F00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.254943759.0000000003100000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.276028882.00000000008A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0.2.loaddll32.exe.8a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.3100000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.rundll32.exe.f00000.2.raw.unpack, type: UNPACKEDPE
Source: loaddll32.exe, 00000000.00000002.276071001.0000000000A9B000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match, File source: 00000002.00000002.279071628.0000000000F00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.254943759.0000000003100000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.276028882.00000000008A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0.2.loaddll32.exe.8a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.3100000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.rundll32.exe.f00000.2.raw.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE5F16
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE13C5
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE43D8
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE27D4
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE1CD0
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE2FAF
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE3FAB
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE88BA
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE92B2
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE31B3
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE2A69
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE2566
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE1967
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE5262
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE5378
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE5A25
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE150C
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE1B1E
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE3A14
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_03095F16
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_0309150C
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_03091B1E
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_03093A14
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_03095A25
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_03092A69
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_03095262
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_03091967
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_03092566
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_03095378
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_03093FAB
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_03092FAF
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_030988BA
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_030931B3
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_030992B2
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_030913C5
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_030943D8
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_03091CD0
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_030927D4
Source: H78gXhk1NY.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine, Classification label: mal68.troj.winDLL@7/0@0/0
Source: C:\Windows\System32\loaddll32.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\H78gXhk1NY.dll,DllServer
Source: H78gXhk1NY.dll, ReversingLabs: Detection: 74%
Source: unknown, Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll'
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll',#1
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\H78gXhk1NY.dll,DllServer
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll',#1
Source: H78gXhk1NY.dll, Static PE information: section name: .code
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE709D push edi; mov dword ptr [esp], FFFF0000h
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE709D push 00000000h; mov dword ptr [esp], ebp
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE709D push esp; mov dword ptr [esp], 00000040h
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE709D push 00000000h; mov dword ptr [esp], ecx
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE5F16 push 00000000h; mov dword ptr [esp], edi
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE5F16 push 00000000h; mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE5F16 push 00000000h; mov dword ptr [esp], ebp
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE5F16 push 00000000h; mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE5F16 push 00000000h; mov dword ptr [esp], edi
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE5F16 push 00000000h; mov dword ptr [esp], edi
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE5F16 push 00000000h; mov dword ptr [esp], eax
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE5F16 push 00000000h; mov dword ptr [esp], edi
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE5F16 push 00000000h; mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match, File source: 00000002.00000002.279071628.0000000000F00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.254943759.0000000003100000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.276028882.00000000008A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0.2.loaddll32.exe.8a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.3100000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.rundll32.exe.f00000.2.raw.unpack, type: UNPACKEDPE
Source: C:\Windows\System32\loaddll32.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe, Process information set: NOOPENFILEERRORBOX
Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe, Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_00EE2A69 xor edi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_03092A69 xor edi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll',#1

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match, File source: 00000002.00000002.279071628.0000000000F00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.254943759.0000000003100000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.276028882.00000000008A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0.2.loaddll32.exe.8a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.3100000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.rundll32.exe.f00000.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match, File source: 00000002.00000002.279071628.0000000000F00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.254943759.0000000003100000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.276028882.00000000008A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0.2.loaddll32.exe.8a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.3100000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.rundll32.exe.f00000.2.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection11 | Rundll321 | Input Capture1 | Virtualization/Sandbox Evasion1 | Remote Services | Input Capture1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion1 | LSASS Memory | System Information Discovery1 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection11 | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information1 | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud

Behavior Graph

Behavior Graph ID: 404151, Sample: H78gXhk1NY.dll, Startdate: 04/05/2021, Architecture: WINDOWS, Score: 68
Signature nodes: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Ursnif; Machine Learning detection for sample
Process nodes: loaddll32.exe started cmd.exe and rundll32.exe; cmd.exe started rundll32.exe

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
H78gXhk1NY.dll | 74% | ReversingLabs | Win32.Trojan.Phonzy |
H78gXhk1NY.dll | 100% | Joe Sandbox ML | |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 404151
Start date: 04.05.2021
Start time: 18:53:35
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 40s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: H78gXhk1NY.dll
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal68.troj.winDLL@7/0@0/0
EGA Information: Failed
HDC Information:
• Successful, ratio: 98.4% (good quality ratio 85.8%)
• Quality average: 64.1%
• Quality standard deviation: 33.3%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .dll
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/404151/sample/H78gXhk1NY.dll

Simulations

Behavior and APIs

Time | Type | Description
18:54:48 | API Interceptor | 2x Sleep call for process: loaddll32.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit): 5.631417538663652
TrID:
• Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
• Generic Win/DOS Executable (2004/3) 0.20%
• DOS Executable Generic (2002/1) 0.20%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: H78gXhk1NY.dll
File size: 133529
MD5: 759e055bf47a9ce1a7fce3e3276120f3
SHA1: d6de742f6caf13d4a9aa75287d041596fbcea73a
SHA256: d8bcf8beebb5ab690b52094df6317f023f62f044e8107508d84d06d4700fe81a
SHA512: 7bba491da19915bc7719063206b8718d061641d12d833979cc27136811b40ec1fa1ab913d3847c7068f90b2a90706bd288cb62342f62c294fc2d140f88fa1b7b
SSDEEP: 1536:tm15JsYYm3GCVS7ZicTJzRVd620ZmB9RMli0msUdqZEACW4jySTLW:eLsacThRVd6pmBPM07vYZEA4/W
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._W...6e..6e..6e..)v..6e...w..6e.Rich.6e.................PE..L.....f`...........!................ko.............................

File Icon

Icon Hash: 74f0e4ecccdce0e4

Static PE Info

General

Entrypoint: 0x10006f6b
Entrypoint Section: .code
Digitally signed: false
Imagebase: 0x10000000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:
Time Stamp: 0x6066E9D0 [Fri Apr 2 09:54:24 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 3f728412058b62c418b1091768b74d7b

Entrypoint Preview

Instruction
push ebx
push esi
and dword ptr [esp], 00000000h
or dword ptr [esp], ebp
mov ebp, esp
add esp, FFFFFFF8h
push esp
mov dword ptr [esp], FFFF0000h
call 00007FCF9C8D5211h
push eax
add dword ptr [esp], 00000247h
sub dword ptr [esp], eax
push esi
mov dword ptr [esp], 00001567h
call 00007FCF9C8D4187h
push eax
or dword ptr [esp], eax
pop eax
jne 00007FCF9C8D948Bh
pushad
push 00000000h
mov dword ptr [esp], esi
xor esi, esi
xor esi, dword ptr [ebx+0041C627h]
mov eax, esi
pop esi
push ebx
add dword ptr [esp], 40h
sub dword ptr [esp], ebx
push ebp
add dword ptr [esp], 00001000h
sub dword ptr [esp], ebp
mov dword ptr [ebp-04h], 00000000h
push dword ptr [ebp-04h]
xor dword ptr [esp], eax
push 00000000h
call dword ptr [ebx+0041F05Ch]
mov dword ptr [ebp-04h], ecx
xor ecx, dword ptr [ebp-04h]
or ecx, eax
and edi, 00000000h
xor edi, ecx
mov ecx, dword ptr [ebp-04h]
push edi
pop dword ptr [ebp-04h]
push dword ptr [ebp-04h]
pop dword ptr [ebx+0041CAEDh]
cmp ebx, 00000000h
jbe 00007FCF9C8D947Ch
push 00000000h
add dword ptr [esp], edx
push dword ptr [ebx+0041C166h]
pop edx
add edx, ebx
mov dword ptr [ebx+0041C166h], edx
pop edx
push 00000000h
add dword ptr [esp], edx
push dword ptr [ebx+0041CECAh]
pop edx
add edx, ebx
mov dword ptr [ebx+0041CECAh], edx
pop edx
push ebp
and ebp, 00000000h
or ebp, dword ptr [ebx+0041C166h]

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x1a000 | 0x64 | .data
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1f0fc | 0x118 | .data
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1f000 | 0xfc | .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.code | 0x1000 | 0x185f2 | 0x18600 | False | 0.670042067308 | data | 6.53345039933 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x1a000 | 0x64 | 0x200 | False | 0.16796875 | data | 1.0662581269 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1b000 | 0x1000 | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata | 0x1c000 | 0x20b3 | 0x2200 | False | 0.359834558824 | data | 2.96025706595 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.data | 0x1f000 | 0x7b2 | 0x800 | False | 0.45703125 | data | 4.70767794561 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Imports

DLL | Import
user32.dll | GetActiveWindow, SetWindowsHookExA, GetLayeredWindowAttributes
kernel32.dll | GetProcAddress, LoadLibraryA, VirtualProtect, VirtualAlloc, lstrlenA, lstrcatA, lstrcmpA, GetEnvironmentVariableW
ole32.dll | OleInitialize, OleQueryCreateFromData, IIDFromString, CLIPFORMAT_UserUnmarshal, OleCreateEmbeddingHelper, HDC_UserSize
msimg32.dll | AlphaBlend, TransparentBlt
comdlg32.dll | PageSetupDlgA, PrintDlgA
oledlg.dll | OleUICanConvertOrActivateAs, OleUIChangeSourceW, OleUIConvertA
comctl32.dll | CreateStatusWindow, LBItemFromPt, DPA_Create, FlatSB_ShowScrollBar, ImageList_GetFlags
oleacc.dll | IID_IAccessible, LresultFromObject
version.dll | VerFindFileW, VerInstallFileA, VerQueryValueA, VerQueryValueW
gdiplus.dll | GdipEnumerateMetafileDestPointI, GdipCreateBitmapFromHBITMAP, GdipSetPenUnit, GdipGetImageEncoders, GdipGetPathPointsI
winspool.drv | FindNextPrinterChangeNotification, ConnectToPrinterDlg, SetPrinterDataW, GetPrinterW, DeletePrinterDataExW
shell32.dll | SHGetSpecialFolderPathA
advapi32.dll | GetKernelObjectSecurity, CryptEnumProviderTypesA, RegQueryValueExW, RegisterIdleTask

Exports

Name | Ordinal | Address
DllServer | 1 | 0x1000447b

Network Behavior

No network behavior found

System Behavior

General

Start time: 18:54:27
Start date: 04/05/2021
Path: C:\Windows\System32\loaddll32.exe
Wow64 process (32bit): true
Commandline: loaddll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll'
Imagebase: 0x290000
File size: 116736 bytes
MD5 hash: 542795ADF7CC08EFCF675D65310596E8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.276028882.00000000008A0000.00000004.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 18:54:27
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll',#1
Imagebase: 0x150000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 18:54:28
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\H78gXhk1NY.dll,DllServer
Imagebase: 0xf40000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000002.279071628.0000000000F00000.00000004.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 18:54:28
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll',#1
Imagebase: 0xf40000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000002.254943759.0000000003100000.00000004.00000001.sdmp, Author: Joe Security
Reputation: high
