{"RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA", "c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Source: 0.3.loaddll32.exe.35c94a0.0.raw.unpack | Malware Configuration Extractor: Ursnif {"RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA", "c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"} |
Source: H78gXhk1NY.dll | Virustotal: Detection: 63% | Perma Link |
Source: H78gXhk1NY.dll | ReversingLabs: Detection: 74% |
Source: H78gXhk1NY.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: Yara match | File source: 00000002.00000002.248009414.0000000004E30000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 2.2.rundll32.exe.4e30000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000002.00000002.248009414.0000000004E30000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 2.2.rundll32.exe.4e30000.2.raw.unpack, type: UNPACKEDPE |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E15F16 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E113C5 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E11CD0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E127D4 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E143D8 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E13FAB |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E12FAF |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E131B3 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E192B2 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E188BA |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E15262 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E11967 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E12566 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E12A69 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E15378 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E15A25 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E1150C |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E13A14 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E11B1E |
Source: H78gXhk1NY.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: classification engine | Classification label: mal68.troj.winDLL@7/0@0/0 |
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\H78gXhk1NY.dll,DllServer |
Source: H78gXhk1NY.dll | Virustotal: Detection: 63% |
Source: H78gXhk1NY.dll | ReversingLabs: Detection: 74% |
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll' |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\H78gXhk1NY.dll,DllServer |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\H78gXhk1NY.dll,DllServer |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll',#1 |
Source: H78gXhk1NY.dll | Static PE information: section name: .code |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E1709D push edi; mov dword ptr [esp], FFFF0000h |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E1709D push 00000000h; mov dword ptr [esp], ebp |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E1709D push esp; mov dword ptr [esp], 00000040h |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E1709D push 00000000h; mov dword ptr [esp], ecx |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E15F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E15F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E15F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E15F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E15F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E15F16 push 00000000h; mov dword ptr [esp], edi |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E15F16 push 00000000h; mov dword ptr [esp], edx |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E15F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E15F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E15F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E15F16 push 00000000h; mov dword ptr [esp], ebp |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E15F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E15F16 push 00000000h; mov dword ptr [esp], edx |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E15F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E15F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E15F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E15F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E15F16 push 00000000h; mov dword ptr [esp], edi |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E15F16 push 00000000h; mov dword ptr [esp], edi |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E15F16 push 00000000h; mov dword ptr [esp], eax |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E15F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E15F16 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E15F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E15F16 push 00000000h; mov dword ptr [esp], edi |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E15F16 push 00000000h; mov dword ptr [esp], edx |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E15F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E15F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
Source: Yara match | File source: 00000002.00000002.248009414.0000000004E30000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 2.2.rundll32.exe.4e30000.2.raw.unpack, type: UNPACKEDPE |
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 527 |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed |
Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04E12A69 xor edi, dword ptr fs:[00000030h] |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\H78gXhk1NY.dll',#1 |
Source: Yara match | File source: 00000002.00000002.248009414.0000000004E30000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 2.2.rundll32.exe.4e30000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000002.00000002.248009414.0000000004E30000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 2.2.rundll32.exe.4e30000.2.raw.unpack, type: UNPACKEDPE |
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.