Analysis Report 6a76e615_by_Libranalysis

Overview

General Information

Sample Name:	6a76e615_by_Libranalysis (renamed file extension from none to dll)
Analysis ID:	406107
MD5:	6a76e615a7997fc04e3003ce16c9bc3d
SHA1:	90d82c7e8a3f2d3c4ec8e4542605eafbcb07bf95
SHA256:	f9f77f992f0c7bf8ec0a39acdac1a343f6418e50510db1f92347d5270d0ab9ab
Tags:	Gozi
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected Ursnif

Writes or reads registry keys via WMI

Writes registry values via WMI

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

Queries the installation date of Windows

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 3.3.rundll32.exe.3fe8d29.0.raw.unpack

Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "0dnHb74sj6Vx8GWJZBcafw3TO76HRXTw2xAvtE4gwa2PPH4GC1bS9ornclyyR+kRMdKgigemv76+jMpuzK3GsVW4bUgIZu1wJsCbeT1jaF5kC+5Z1C6WwhCeQEfIn0dyGjO5mUnASq25O8pDwp1usOwI+ce4E6YjxyGNet+kZTTTWPAfmqhY/oVc/59pNJ4uEqRk+ADd1TNfgLrsg26xKI43EH4hpRNWFYgPpsuKC3cgm4UuNnw6ui0jM0gK2wq0zUZ26PkDxSML25mcd8d1kiSEwdUG+0E4a6rwpbhziJ3p5LrDu62+TdIp8Qd07baMfJt0/+VaossEzWbTvcs7R5oksEG/YD69/WtOVAIlyO4=", "c2_domain": ["green.salurober.com", "frm.mironeramp.com", "chat.billionady.com", "app3.maintorna.com"], "botnet": "5500", "server": "580", "serpent_key": "vTK10R2O25XUrTRW", "sleep_time": "10", "SetWaitableTimer_value": "10"}

Multi AV Scanner detection for domain / URL

Source: green.salurober.com

Virustotal: Detection: 8%

Perma Link

Multi AV Scanner detection for submitted file

Source: 6a76e615_by_Libranalysis.dll	Virustotal: Detection: 28%			Perma Link
Source: 6a76e615_by_Libranalysis.dll	ReversingLabs: Detection: 29%

Compliance:

Uses 32bit PE files

Source: 6a76e615_by_Libranalysis.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source: msapplication.xml0.17.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x7156829e,0x01d742e1</date><accdate>0x7156829e,0x01d742e1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.17.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x7156829e,0x01d742e1</date><accdate>0x7158e55c,0x01d742e1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.17.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x715da995,0x01d742e1</date><accdate>0x715da995,0x01d742e1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.17.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x715da995,0x01d742e1</date><accdate>0x715da995,0x01d742e1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.17.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x715da995,0x01d742e1</date><accdate>0x715da995,0x01d742e1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.17.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x715da995,0x01d742e1</date><accdate>0x71600bb4,0x01d742e1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: loaddll32.exe, 00000000.00000002.465196621.000000006E2B1000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.463603336.000000006E2B1000.00000002.00020000.sdmp, 6a76e615_by_Libranalysis.dll	String found in binary or memory: http://deeplow.ruB
Source: {9B20D491-AED4-11EB-90E4-ECF4BB862DED}.dat.17.dr	String found in binary or memory: http://green.salurober.com/egg0bSJn4ObK/ch_2F9lMPXs/fO3mZ53deXfDrA/fFpIrCwIBcA2fafEjJROE/_2FRp0luL60
Source: msapplication.xml.17.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.17.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.17.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.17.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.17.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.17.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.17.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.17.dr	String found in binary or memory: http://www.youtube.com/

Source: Yara match	File source: 00000000.00000003.333514865.0000000000520000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.329638923.0000000003FE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.329940794.00000000007C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.rundll32.exe.6e1d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.528d29.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.3fe8d29.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.7c8d29.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6e1d0000.2.unpack, type: UNPACKEDPE

Source: Yara match	File source: 00000000.00000003.389725229.0000000003358000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389658064.0000000003358000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389739083.0000000003358000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.464518953.0000000003358000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389632359.0000000003358000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389705894.0000000003358000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389749777.0000000003358000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389559499.0000000003358000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389608210.0000000003358000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5568, type: MEMORY

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1D1B89 NtMapViewOfSection,	0_2_6E1D1B89
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1D18D1 GetProcAddress,NtCreateSection,memset,	0_2_6E1D18D1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1D2485 NtQueryVirtualMemory,	0_2_6E1D2485
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1D2485 NtQueryVirtualMemory,	3_2_6E1D2485

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1D2264	0_2_6E1D2264
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E219FB0	0_2_6E219FB0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E204C10	0_2_6E204C10
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E2384F0	0_2_6E2384F0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E21AD90	0_2_6E21AD90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1D2264	3_2_6E1D2264
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E219FB0	3_2_6E219FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E204C10	3_2_6E204C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E2384F0	3_2_6E2384F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E21AD90	3_2_6E21AD90

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\6a76e615_by_Libranalysis.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\6a76e615_by_Libranalysis.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6a76e615_by_Libranalysis.dll,Surprisefun
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\6a76e615_by_Libranalysis.dll',#1
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5088 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\6a76e615_by_Libranalysis.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6a76e615_by_Libranalysis.dll,Surprisefun	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\6a76e615_by_Libranalysis.dll',#1	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5088 CREDAT:17410 /prefetch:2	Jump to behavior

Source: 6a76e615_by_Libranalysis.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 6a76e615_by_Libranalysis.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 6a76e615_by_Libranalysis.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 6a76e615_by_Libranalysis.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 6a76e615_by_Libranalysis.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 6a76e615_by_Libranalysis.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 6a76e615_by_Libranalysis.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 6a76e615_by_Libranalysis.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 6a76e615_by_Libranalysis.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 6a76e615_by_Libranalysis.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 6a76e615_by_Libranalysis.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1D2200 push ecx; ret	0_2_6E1D2209
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1D2253 push ecx; ret	0_2_6E1D2263
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E2A36DD pushad ; ret	0_2_6E2A36DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1D2200 push ecx; ret	3_2_6E1D2209
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1D2253 push ecx; ret	3_2_6E1D2263
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E2A36DD pushad ; ret	3_2_6E2A36DE

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E2A1A61 mov eax, dword ptr fs:[00000030h]	0_2_6E2A1A61
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E2A159E push dword ptr fs:[00000030h]	0_2_6E2A159E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E2A1997 mov eax, dword ptr fs:[00000030h]	0_2_6E2A1997
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E2A1A61 mov eax, dword ptr fs:[00000030h]	3_2_6E2A1A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E2A159E push dword ptr fs:[00000030h]	3_2_6E2A159E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E2A1997 mov eax, dword ptr fs:[00000030h]	3_2_6E2A1997

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E203B20 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6E203B20
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1FB460 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6E1FB460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E203B20 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_6E203B20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1FB460 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_6E1FB460

Source: loaddll32.exe, 00000000.00000002.461736596.0000000001100000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.462047615.0000000002BD0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.461736596.0000000001100000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.462047615.0000000002BD0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.461736596.0000000001100000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.462047615.0000000002BD0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.461736596.0000000001100000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.462047615.0000000002BD0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,	0_2_6E1D1566
Source: C:\Windows\System32\loaddll32.exe	Code function: ____lc_handle_func,GetLocaleInfoA,	0_2_6E1FB300
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoA,	0_2_6E225D90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,	3_2_6E1D1566
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	3_2_6E220AD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ____lc_handle_func,GetLocaleInfoA,	3_2_6E1FB300
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,GetACP,GetLocaleInfoA,	3_2_6E221380
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _GetLcidFromDefault,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,_GetLcidFromDefault,_ProcessCodePage,IsValidCodePage,IsValidLocale,_wcscpy_s,__invoke_watson_if_error,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	3_2_6E220790
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	3_2_6E220FD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	3_2_6E225D90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strlen,EnumSystemLocalesA,	3_2_6E2211F0

ID:	406107
Product:	CloudBasic
Start time:	18:34:02
Start date:	06.05.2021
Sample:	6a76e615_by_Libranalysis
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	6a76e615a7997fc04e3003ce16c9bc3d
SHA1:	90d82c7e8a3f2d3c4ec8e4542605eafbcb07bf95
SHA256:	f9f77f992f0c7bf8ec0a39acdac1a343f6418e50510db1f92347d5270d0ab9ab
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9B20D48F-AED4-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	329C5791845991B14F943D8704DAA0B1	A5036FCA30ED9F659CEE09B08AB123268F806DE3	A0D15FDADBB9DDE434EAC1B63B7CDE1DC482974FB00D2641A76A3F74A1418BFE
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9B20D491-AED4-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	EDF80852605AACD09AE783EC216CF711	C0446AE0C40114BC8D0D13C9AB142F9D808D2829	335681B5E564427F76562A6D6D7AD6D7348355151401E8C0FEB355CD26B9A95D
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	C2AF277C2F544EF628C6F67A4B869C83	2060CCA43174810BDA3D00D9AA1E63CE2F58CD56	F7F158C84B509E091B138DC60B568D42F5B04FD77778B0BD738847797AF14F46
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	717191D4BDF943CFCD5536E48BB5D16E	A839440C2B850E181D3FB8BB17109FE52019029B	B561A23907D0F5E5BE5FF28A2E3ABCA0477CBD90DFB6065D3302F233C323A4CE
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	1E89FB064F884C39AAD7F1B098D7DA03	16349438B04D04F924804DECDBDD0D89845F9326	8726F81D8F0417EEB7563403AC31193E335634F5DA20AE162AFA36910778B604
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	176B2977A5B85BCBF5B08EC3C07C49F8	FFA2FF0642C78A083049365601AF970E66B5667D	68D9B0A83E140BE782919E6085AFC57165108F68A7CC3DA1EA0F874ECFC2D00A
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	5C298F81FCAA04216F2530A930C37C4C	EFB52CE883A164586E257FAAF3A856BA5DDED7E9	D6328A3A011DC121B2DDEE6990E09E61AA0FB2843B49B434E7F98888FA446ECA
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	EDAB3B2A7ECCB41CCE5AAD1579CBF606	061A0A2FF59DDE6EA3BC1580B0C3FA75A280C5AC	DB7D20BFC9C332DA8CE7A739B9F7D1493653B79E58E9EA7FD175C0B3F435BFAF
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	85B9BA302AE9A93C54D180E68D8A552A	7025EB7E210B19C2E43923A36946A4848CEF1D00	1B9C786934EE484BB1507D312E47F432C14214BDDFDE8FDC71E97CF04DF06023
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	32E994F553E905D3DB22776733CD0503	48A028162646914C352E3F3128C1E7F6A817759A	A2CB11D8383E13C6A48AEBE325305DA8AF12AD2FEE3E53AAD88E987B34D91C3C
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	39781118704E21F48B01A11FAF1889BD	B82B63515994B9D8937D11C08305DF7B82F75991	319D945105F64E310DC748941AEB5353E5E03CE9B23874FA2183385FBD85BA97
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\ErrorPageTemplate[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	F4FE1CB77E758E1BA56B8A8EC20417C5	F4EDA06901EDB98633A686B11D02F4925F827BF0	8D018639281B33DA8EB3CE0B21D11E1D414E59024C3689F92BE8904EB5779B5F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\bullet[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	26F971D87CA00E23BD2D064524AEF838	7440BEFF2F4F8FABC9315608A13BF26CABAD27D9	1D8E5FD3C1FD384C0A7507E7283C7FE8F65015E521B84569132A7EABEDC9D41D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\info_48[1]	PNG image data, 47 x 48, 8-bit/color RGBA, non-interlaced	5565250FCC163AA3A79F0B746416CE69	B97CC66471FCDEE07D0EE36C7FB03F342C231F8F	51129C6C98A82EA491F89857C31146ECEC14C4AF184517450A7A20C699C84859
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\down[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	C4F558C4C8B56858F15C09037CD6625A	EE497CC061D6A7A59BB66DEFEA65F9A8145BA240	39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\errorPageStrings[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	D65EC06F21C379C87040B83CC1ABAC6B	208D0A0BB775661758394BE7E4AFB18357E46C8B	A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\background_gradient[1]	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1x800, frames 3	20F0110ED5E4E0D5384A496E4880139B	51F5FC61D8BF19100DF0F8AADAA57FCD9C086255	1471693BE91E53C2640FE7BAEECBC624530B088444222D93F2815DFCE1865D5B
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\httpErrorPagesScripts[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	9234071287E637F85D721463C488704C	CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152	65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\http_404[1]	HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	F65C729DC2D457B7A1093813F1253192	5006C9B50108CF582BE308411B157574E5A893FC	B82BFB6FA37FD5D56AC7C00536F150C0F244C81F1FC2D4FEFBBDC5E175C71B4F
C:\Users\user\AppData\Local\Temp\JavaDeployReg.log	ASCII text, with CRLF line terminators	BCD1C7004F306795816D1E05C4A0BCED	1876D5B051CB27B8F21A670CACA23F435E4D3233	A8AA6263291901BA6AA6AC989E76B1459E3E45F77BB92AEF4A67E340CF5E2851
C:\Users\user\AppData\Local\Temp\~DF71AFC16E996A3DCA.TMP	data	1361DBCE93EE04C042C4C4CCD1A532C4	7307943A6F9A92F97A11C8F2D1DAD9C776C2B80D	4EA598F7369159271B7CE55DBF1D9F7A1DE10AA99507A63376EB8C56C7BA50A8
C:\Users\user\AppData\Local\Temp\~DF8CF38F8205796A33.TMP	data	1BA428B1FFA2F54EA7D2A3395C21C13B	B8863FB1D9D8CC29226F4101FE8E12BCC41C9D33	694ECED7FACACEE4BD8D561B86275DA9D2BDCD97EF97E71E6C779ADE017C068F

Analysis Report 6a76e615_by_Libranalysis

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs