Analysis Report H78gXhk1NY.dll

Overview

General Information

Sample Name: H78gXhk1NY.dll
Analysis ID: 404151
MD5: 759e055bf47a9ce1a7fce3e3276120f3
SHA1: d6de742f6caf13d4a9aa75287d041596fbcea73a
SHA256: d8bcf8beebb5ab690b52094df6317f023f62f044e8107508d84d06d4700fe81a
Tags: dllGozi
Infos:

Most interesting Screenshot:

Detection

Ursnif
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Machine Learning detection for sample
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

barindex
Found malware configuration
Source: 0.3.loaddll32.exe.35c94a0.0.raw.unpack Malware Configuration Extractor: Ursnif {"RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA", "c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Multi AV Scanner detection for submitted file
Source: H78gXhk1NY.dll Virustotal: Detection: 63% Perma Link
Source: H78gXhk1NY.dll ReversingLabs: Detection: 74%
Machine Learning detection for sample
Source: H78gXhk1NY.dll Joe Sandbox ML: detected

Compliance:

barindex
Uses 32bit PE files
Source: H78gXhk1NY.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000002.00000002.248009414.0000000004E30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.rundll32.exe.4e30000.2.raw.unpack, type: UNPACKEDPE

E-Banking Fraud:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000002.00000002.248009414.0000000004E30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.rundll32.exe.4e30000.2.raw.unpack, type: UNPACKEDPE

System Summary:

barindex
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E15F16 2_2_04E15F16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E113C5 2_2_04E113C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E11CD0 2_2_04E11CD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E127D4 2_2_04E127D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E143D8 2_2_04E143D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E13FAB 2_2_04E13FAB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E12FAF 2_2_04E12FAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E131B3 2_2_04E131B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E192B2 2_2_04E192B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E188BA 2_2_04E188BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E15262 2_2_04E15262
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E11967 2_2_04E11967
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E12566 2_2_04E12566
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E12A69 2_2_04E12A69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E15378 2_2_04E15378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E15A25 2_2_04E15A25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E1150C 2_2_04E1150C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E13A14 2_2_04E13A14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E11B1E 2_2_04E11B1E
Uses 32bit PE files
Source: H78gXhk1NY.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine Classification label: mal68.troj.winDLL@7/0@0/0
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\H78gXhk1NY.dll,DllServer
Source: H78gXhk1NY.dll Virustotal: Detection: 63%
Source: H78gXhk1NY.dll ReversingLabs: Detection: 74%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\H78gXhk1NY.dll,DllServer
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll',#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\H78gXhk1NY.dll,DllServer Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll',#1 Jump to behavior

Data Obfuscation:

barindex
PE file contains sections with non-standard names
Source: H78gXhk1NY.dll Static PE information: section name: .code
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E1709D push edi; mov dword ptr [esp], FFFF0000h 2_2_04E1709E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E1709D push 00000000h; mov dword ptr [esp], ebp 2_2_04E170F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E1709D push esp; mov dword ptr [esp], 00000040h 2_2_04E1711D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E1709D push 00000000h; mov dword ptr [esp], ecx 2_2_04E1716C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E15F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx 2_2_04E15F7B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E15F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 2_2_04E15F94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E15F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 2_2_04E15FDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E15F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 2_2_04E1604B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E15F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 2_2_04E16124
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E15F16 push 00000000h; mov dword ptr [esp], edi 2_2_04E1614F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E15F16 push 00000000h; mov dword ptr [esp], edx 2_2_04E1625E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E15F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 2_2_04E162B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E15F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 2_2_04E16343
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E15F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 2_2_04E1635D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E15F16 push 00000000h; mov dword ptr [esp], ebp 2_2_04E16368
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E15F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 2_2_04E16385
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E15F16 push 00000000h; mov dword ptr [esp], edx 2_2_04E163B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E15F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 2_2_04E16483
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E15F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 2_2_04E164F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E15F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 2_2_04E164FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E15F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 2_2_04E1650A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E15F16 push 00000000h; mov dword ptr [esp], edi 2_2_04E16567
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E15F16 push 00000000h; mov dword ptr [esp], edi 2_2_04E165A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E15F16 push 00000000h; mov dword ptr [esp], eax 2_2_04E16610
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E15F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 2_2_04E16685
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E15F16 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx 2_2_04E166C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E15F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 2_2_04E166E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E15F16 push 00000000h; mov dword ptr [esp], edi 2_2_04E16781
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E15F16 push 00000000h; mov dword ptr [esp], edx 2_2_04E167B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E15F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 2_2_04E1684C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E15F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 2_2_04E16858

Hooking and other Techniques for Hiding and Protection:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000002.00000002.248009414.0000000004E30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.rundll32.exe.4e30000.2.raw.unpack, type: UNPACKEDPE
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 527 Jump to behavior
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000 Jump to behavior

Anti Debugging:

barindex
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04E12A69 xor edi, dword ptr fs:[00000030h] 2_2_04E12A69
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll',#1 Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000002.00000002.248009414.0000000004E30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.rundll32.exe.4e30000.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000002.00000002.248009414.0000000004E30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.rundll32.exe.4e30000.2.raw.unpack, type: UNPACKEDPE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 404151 Sample: H78gXhk1NY.dll Startdate: 04/05/2021 Architecture: WINDOWS Score: 68 15 Found malware configuration 2->15 17 Multi AV Scanner detection for submitted file 2->17 19 Yara detected  Ursnif 2->19 21 Machine Learning detection for sample 2->21 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 rundll32.exe 7->11         started        process5 13 rundll32.exe 9->13         started       
No contacted IP infos