{"RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA", "c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Source: 0.2.loaddll32.exe.8a0000.1.raw.unpack | Malware Configuration Extractor: Ursnif {"RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA", "c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"} |
Source: H78gXhk1NY.dll | ReversingLabs: Detection: 74% |
Source: H78gXhk1NY.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: Yara match | File source: 00000002.00000002.279071628.0000000000F00000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.254943759.0000000003100000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.276028882.00000000008A0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 0.2.loaddll32.exe.8a0000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.rundll32.exe.3100000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.2.rundll32.exe.f00000.2.raw.unpack, type: UNPACKEDPE |
Source: loaddll32.exe, 00000000.00000002.276071001.0000000000A9B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
Source: Yara match | File source: 00000002.00000002.279071628.0000000000F00000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.254943759.0000000003100000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.276028882.00000000008A0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 0.2.loaddll32.exe.8a0000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.rundll32.exe.3100000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.2.rundll32.exe.f00000.2.raw.unpack, type: UNPACKEDPE |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE13C5 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE43D8 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE27D4 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE1CD0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE2FAF |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE3FAB |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE88BA |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE92B2 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE31B3 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE2A69 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE2566 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE1967 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5262 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5378 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5A25 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE150C |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE1B1E |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE3A14 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03095F16 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0309150C |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03091B1E |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03093A14 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03095A25 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03092A69 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03095262 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03091967 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03092566 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03095378 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03093FAB |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03092FAF |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_030988BA |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_030931B3 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_030992B2 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_030913C5 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_030943D8 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03091CD0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_030927D4 |
Source: H78gXhk1NY.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: classification engine | Classification label: mal68.troj.winDLL@7/0@0/0 |
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\H78gXhk1NY.dll,DllServer |
Source: H78gXhk1NY.dll | ReversingLabs: Detection: 74% |
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll' |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\H78gXhk1NY.dll,DllServer |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\H78gXhk1NY.dll,DllServer |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll',#1 |
Source: H78gXhk1NY.dll | Static PE information: section name: .code |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE709D push edi; mov dword ptr [esp], FFFF0000h |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE709D push 00000000h; mov dword ptr [esp], ebp |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE709D push esp; mov dword ptr [esp], 00000040h |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE709D push 00000000h; mov dword ptr [esp], ecx |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push 00000000h; mov dword ptr [esp], edi |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push 00000000h; mov dword ptr [esp], edx |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push 00000000h; mov dword ptr [esp], ebp |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push 00000000h; mov dword ptr [esp], edx |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push 00000000h; mov dword ptr [esp], edi |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push 00000000h; mov dword ptr [esp], edi |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push 00000000h; mov dword ptr [esp], eax |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push 00000000h; mov dword ptr [esp], edi |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push 00000000h; mov dword ptr [esp], edx |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
Source: Yara match | File source: 00000002.00000002.279071628.0000000000F00000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.254943759.0000000003100000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.276028882.00000000008A0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 0.2.loaddll32.exe.8a0000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.rundll32.exe.3100000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.2.rundll32.exe.f00000.2.raw.unpack, type: UNPACKEDPE |
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE2A69 xor edi, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03092A69 xor edi, dword ptr fs:[00000030h] |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll',#1 |
Source: Yara match | File source: 00000002.00000002.279071628.0000000000F00000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.254943759.0000000003100000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.276028882.00000000008A0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 0.2.loaddll32.exe.8a0000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.rundll32.exe.3100000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.2.rundll32.exe.f00000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000002.00000002.279071628.0000000000F00000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.254943759.0000000003100000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.276028882.00000000008A0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 0.2.loaddll32.exe.8a0000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.rundll32.exe.3100000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.2.rundll32.exe.f00000.2.raw.unpack, type: UNPACKEDPE |
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.