Analysis Report t6ygT2aU8p.dll

Overview

General Information

Sample Name: t6ygT2aU8p.dll
Analysis ID: 407674
MD5: beed23c8b32850c8f45228c22c8b036d
SHA1: 1b002110ca216433834fac4ddcbf5ec32e86f59c
SHA256: 9e28e8d663048328cf77a9c78fb97b5037510d07b737ca0ee10065bb8bab1fd8
Tags: dll, Gozi

Detection

Ursnif
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 0.3.loaddll32.exe.2c694a0.0.raw.unpack Malware Configuration Extractor: Ursnif
{
  "RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA",
  "c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"],
  "botnet": "5566",
  "server": "12",
  "serpent_key": "10301029JSJUYDWG",
  "sleep_time": "10",
  "SetWaitableTimer_value": "0",
  "DGA_count": "10"
}
Note: bing.com and update4.microsoft.com are legitimate domains that ISFB/Ursnif configurations routinely carry next to the real C2 entries; only under17.com and urs-world.com are actionable indicators. The serpent_key is 16 bytes, i.e. a 128-bit key for the Serpent cipher ISFB uses on its C2 traffic. A non-zero DGA_count means the build can also generate domains, so blocking the two listed C2 domains is not a complete control. No DNS query or network connection was recorded during this run (the sample idled; see Malware Analysis System Evasion), so these domains come from the static configuration, not from observed traffic.
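A triage step for the extracted configuration, as an added example (not Joe Sandbox or Ursnif code): it separates the legitimate domains from the actionable C2 entries, checks the base64 key blob and the Serpent key length, and notes DGA capability. EXTRACTED_CONFIG is the JSON printed above, copied verbatim; KNOWN_LEGITIMATE and the two-label registrable-domain heuristic are assumptions standing in for a real allowlist and public-suffix list.

```python
"""Triage of the Ursnif/ISFB configuration extracted by the sandbox.

Added example, not Joe Sandbox or Ursnif code. EXTRACTED_CONFIG is the JSON the
report printed; KNOWN_LEGITIMATE is an assumption standing in for a real allowlist.
"""
import base64
import json

# Constructed input: the configuration string from the report, verbatim.
EXTRACTED_CONFIG = (
    '{"RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA", '
    '"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], '
    '"botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", '
    '"sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}'
)

# Assumption: registrable domains that ISFB-family configs carry but that are not
# attacker infrastructure. Replace with your organisation's allowlist.
KNOWN_LEGITIMATE = {"bing.com", "microsoft.com"}


def registrable(domain):
    """Crude eTLD+1: last two labels (assumption: no multi-label public suffixes here)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def b64_lenient(text):
    """Decode base64 that extractors often print without '=' padding."""
    text = text.strip()
    return base64.b64decode(text + "=" * (-len(text) % 4))


def triage(config_json):
    """Split the config into actionable IOCs and context an analyst should not block on."""
    cfg = json.loads(config_json)
    actionable, legit = [], []
    for domain in cfg.get("c2_domain", []):
        (legit if registrable(domain) in KNOWN_LEGITIMATE else actionable).append(domain)
    rsa_blob = b64_lenient(cfg["RSA Public Key"])        # raw key blob, length in bytes
    serpent_key = cfg.get("serpent_key", "").encode()    # ISFB uses a 16-byte Serpent key
    return {
        "actionable_c2": actionable,
        "legitimate_domains": legit,
        "botnet": cfg.get("botnet"),
        "server": cfg.get("server"),
        "rsa_key_bytes": len(rsa_blob),
        "serpent_key_bits": len(serpent_key) * 8,
        "dga_capable": int(cfg.get("DGA_count", 0)) > 0,
    }


if __name__ == "__main__":
    print(json.dumps(triage(EXTRACTED_CONFIG), indent=2))
```

Only the entries in actionable_c2 belong in a blocklist; the legitimate_domains list is kept so the analyst can see what the config contained without acting on it.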
Multi AV Scanner detection for submitted file
Source: t6ygT2aU8p.dll Virustotal: Detection: 63%
Source: t6ygT2aU8p.dll Metadefender: Detection: 61%
Source: t6ygT2aU8p.dll ReversingLabs: Detection: 82%
Machine Learning detection for sample
Source: t6ygT2aU8p.dll Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.rundll32.exe.10000000.4.unpack Avira: Label: TR/Crypt.XPACK.Gen8

Compliance:

Uses 32bit PE files
Source: t6ygT2aU8p.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000002.00000002.253564107.0000000000710000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.472819252.0000000000A50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.454251759.0000000000840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.rundll32.exe.a50000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.840000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.710000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.10000000.4.unpack, type: UNPACKEDPE

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000002.00000002.253564107.0000000000710000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.472819252.0000000000A50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.454251759.0000000000840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.rundll32.exe.a50000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.840000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.710000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.10000000.4.unpack, type: UNPACKEDPE

System Summary:

Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10002375 NtQueryVirtualMemory, 3_2_10002375
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D5F16 0_2_007D5F16
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D5378 0_2_007D5378
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D2A69 0_2_007D2A69
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D1967 0_2_007D1967
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D2566 0_2_007D2566
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D5262 0_2_007D5262
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D5A25 0_2_007D5A25
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D1B1E 0_2_007D1B1E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D3A14 0_2_007D3A14
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D150C 0_2_007D150C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D43D8 0_2_007D43D8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D27D4 0_2_007D27D4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D1CD0 0_2_007D1CD0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D13C5 0_2_007D13C5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D88BA 0_2_007D88BA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D31B3 0_2_007D31B3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D92B2 0_2_007D92B2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D2FAF 0_2_007D2FAF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D3FAB 0_2_007D3FAB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_006F5F16 2_2_006F5F16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_006F2A69 2_2_006F2A69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_006F1967 2_2_006F1967
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_006F2566 2_2_006F2566
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_006F5262 2_2_006F5262
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_006F5378 2_2_006F5378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_006F5A25 2_2_006F5A25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_006F150C 2_2_006F150C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_006F1B1E 2_2_006F1B1E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_006F3A14 2_2_006F3A14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_006F13C5 2_2_006F13C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_006F43D8 2_2_006F43D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_006F27D4 2_2_006F27D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_006F1CD0 2_2_006F1CD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_006F2FAF 2_2_006F2FAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_006F3FAB 2_2_006F3FAB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_006F88BA 2_2_006F88BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_006F31B3 2_2_006F31B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_006F92B2 2_2_006F92B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00A35F16 3_2_00A35F16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00A33FAB 3_2_00A33FAB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00A32FAF 3_2_00A32FAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00A331B3 3_2_00A331B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00A392B2 3_2_00A392B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00A388BA 3_2_00A388BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00A313C5 3_2_00A313C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00A31CD0 3_2_00A31CD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00A327D4 3_2_00A327D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00A343D8 3_2_00A343D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00A35A25 3_2_00A35A25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00A3150C 3_2_00A3150C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00A33A14 3_2_00A33A14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00A31B1E 3_2_00A31B1E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00A35262 3_2_00A35262
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00A31967 3_2_00A31967
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00A32566 3_2_00A32566
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00A32A69 3_2_00A32A69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00A35378 3_2_00A35378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10002154 3_2_10002154
Uses 32bit PE files
Source: t6ygT2aU8p.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine Classification label: mal68.troj.winDLL@7/0@0/0
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\t6ygT2aU8p.dll,DllServer
Source: t6ygT2aU8p.dll Virustotal: Detection: 63%
Source: t6ygT2aU8p.dll Metadefender: Detection: 61%
Source: t6ygT2aU8p.dll ReversingLabs: Detection: 82%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\t6ygT2aU8p.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\t6ygT2aU8p.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\t6ygT2aU8p.dll,DllServer
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\t6ygT2aU8p.dll',#1
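The process-creation lines above are the sandbox's DLL harness at work: loaddll32.exe enumerates the sample's exports and calls each one through rundll32.exe, directly (DllServer) and via cmd.exe (ordinal #1). On a real host the observable worth hunting for is rundll32.exe loading a DLL from a user-writable path, by ordinal or by an unusual named export. The following is an added example, not Joe Sandbox code: a small Sysmon-style process-creation scorer that parses the command line the way rundll32 reads it (quoted or bare path, entry point after the comma) and runs over constructed events modelled on this report's process tree. USER_WRITABLE, TRUSTED_ROOTS and SCRIPT_HOSTS are assumptions to adapt to your environment.

```python
"""Hunting for rundll32.exe loading a DLL from a user-writable path by ordinal or export.

Added example, not Joe Sandbox code. EVENTS are constructed Sysmon-style
process-creation records; the path and parent lists are assumptions.
"""
import re

USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
TRUSTED_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                 "c:\\program files\\", "c:\\program files (x86)\\")
SCRIPT_HOSTS = ("\\cmd.exe", "\\powershell.exe", "\\wscript.exe", "\\cscript.exe", "\\mshta.exe")

_RUNDLL32_RE = re.compile(r'\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+(.*)', re.I)
_QUOTED_RE = re.compile(r"""(["'])(.*?)\1\s*,?\s*(\S*)""")


def parse_rundll32(cmdline):
    """Return (dll_path, entry_point) the way rundll32 reads its command line, or None."""
    m = _RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    rest = m.group(1).strip()
    q = _QUOTED_RE.match(rest)
    if q:                                  # 'C:\path\x.dll',#1  or  "C:\path\x.dll",Export
        return q.group(2), q.group(3)
    dll, _, tail = rest.partition(",")     # C:\path\x.dll,Export [further args]
    entry = tail.split()[0] if tail.split() else ""
    return dll.strip(), entry


def assess(event):
    """Score one process-creation event; None if it is not a rundll32 launch."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\rundll32.exe"):
        return None
    parsed = parse_rundll32(event.get("CommandLine", ""))
    if parsed is None:
        return None
    dll, entry = parsed
    dll_l = dll.lower()
    reasons = []
    if any(marker in dll_l for marker in USER_WRITABLE):
        reasons.append("dll in user-writable path")
    if "\\" in dll_l and not dll_l.startswith(TRUSTED_ROOTS):
        reasons.append("dll outside trusted roots")
    if re.fullmatch(r"#\d+", entry):
        reasons.append("export called by ordinal")
    parent = event.get("ParentImage", "").lower()
    if parent.endswith(SCRIPT_HOSTS):
        reasons.append("spawned by " + parent.rsplit("\\", 1)[-1])
    return {"dll": dll, "entry": entry, "reasons": reasons}


def hunt(events):
    """Return only rundll32 launches that triggered at least one reason."""
    return [hit for hit in map(assess, events) if hit and hit["reasons"]]


# Constructed sample events (Sysmon Event ID 1 fields), modelled on the report's process tree.
EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\rundll32.exe", "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"rundll32.exe 'C:\Users\user\Desktop\t6ygT2aU8p.dll',#1"},
    {"Image": r"C:\Windows\SysWOW64\rundll32.exe", "ParentImage": r"C:\Windows\System32\loaddll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\user\Desktop\t6ygT2aU8p.dll,DllServer"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\system32\rundll32.exe" C:\Windows\System32\shell32.dll,OpenAs_RunDLL C:\docs\notes.txt'},
    {"Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(hit)
```

The benign shell32.dll launch scores nothing because the DLL sits under a trusted root and is called by name; both launches of the sample score on the Desktop path, and the #1 launch additionally on the ordinal call and the cmd.exe parent.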

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10001745 LoadLibraryA,GetProcAddress, 3_2_10001745
PE file contains sections with non-standard names
Source: t6ygT2aU8p.dll Static PE information: section name: .code
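The static checks behind "Uses 32bit PE files" and "PE file contains sections with non-standard names" are cheap to reproduce without a sandbox. The following is an added example, not Joe Sandbox code: a stdlib-only parser for the DOS/COFF headers and section table that reports the IMAGE_FILE characteristics in the same names the report uses (EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL) and flags section names outside a toolchain allowlist, plus executable sections with no raw data, which is a common sign of a section filled at runtime. The PE it inspects is a minimal image built in-memory by build_sample_pe(), not the report's DLL; STANDARD_SECTIONS is an assumption to tune for your own toolchains.

```python
"""Static PE header checks: machine type, characteristics, section names.

Added example, not Joe Sandbox code. Stdlib only. The PE is constructed in
build_sample_pe(); STANDARD_SECTIONS is an assumption to extend for your estate.
"""
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
CHARACTERISTIC_NAMES = {          # IMAGE_FILE_* flags, named as the report prints them
    0x0002: "EXECUTABLE_IMAGE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000

# Section names mainstream Windows toolchains emit (assumption: extend for your estate).
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata", ".pdata",
                     ".rsrc", ".reloc", ".tls", ".CRT", ".textbss", ".debug"}


def pe_summary(data):
    """Parse DOS/COFF headers and the section table; raise ValueError if not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsections):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({
            "name": fields[0].rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": fields[1],
            "raw_size": fields[3],
            "flags": fields[9],
        })
    return {"machine": machine, "characteristics": chars, "sections": sections}


def characteristic_names(chars):
    """Names of the set IMAGE_FILE_* bits, in bit order."""
    return [name for bit, name in sorted(CHARACTERISTIC_NAMES.items()) if chars & bit]


def flag_sections(summary):
    """Findings in the same spirit as the report's static-PE signatures."""
    findings = []
    if summary["machine"] == IMAGE_FILE_MACHINE_I386:
        findings.append("32-bit (i386) image")
    for s in summary["sections"]:
        if s["name"] not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name: {s['name']}")
        if s["flags"] & IMAGE_SCN_MEM_EXECUTE and s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(f"executable section {s['name']} has no raw data (filled at runtime?)")
    return findings


def build_sample_pe(section_names, machine=IMAGE_FILE_MACHINE_I386):
    """Constructed minimal PE32 DLL header: enough for pe_summary(), not loadable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))            # e_lfanew
    opt_size = 224                                         # PE32 optional header size
    coff = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, opt_size,
                       0x0002 | 0x0100 | 0x2000)           # EXECUTABLE_IMAGE|32BIT_MACHINE|DLL
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    table = b""
    for i, name in enumerate(section_names):
        flags = (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ if i == 0
                 else IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i,
                             0, 0, 0, 0, flags)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    info = pe_summary(build_sample_pe([".code", ".data"]))
    print(characteristic_names(info["characteristics"]), flag_sections(info))
```

Run against a real file with pe_summary(open(path, "rb").read()); the section-name allowlist is the only part that needs tuning, since some legitimate packers and compilers also use names outside it.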
Uses code obfuscation techniques (call, push, ret). Each "push value; mov dword ptr [esp], reg" pair listed below is a disguised "push reg": the pushed value is overwritten immediately, so behaviour is unchanged while byte-pattern signatures and stack-tracking heuristics in disassemblers are defeated.
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx 0_2_007D5F7B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 0_2_007D5F94
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 0_2_007D5FDD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 0_2_007D604B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 0_2_007D6124
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D5F16 push 00000000h; mov dword ptr [esp], edi 0_2_007D614F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D5F16 push 00000000h; mov dword ptr [esp], edx 0_2_007D625E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 0_2_007D62B5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 0_2_007D6343
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 0_2_007D635D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D5F16 push 00000000h; mov dword ptr [esp], ebp 0_2_007D6368
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 0_2_007D6385
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D5F16 push 00000000h; mov dword ptr [esp], edx 0_2_007D63B4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 0_2_007D6483
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 0_2_007D64F2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 0_2_007D64FE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 0_2_007D650A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D5F16 push 00000000h; mov dword ptr [esp], edi 0_2_007D6567
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D5F16 push 00000000h; mov dword ptr [esp], edi 0_2_007D65A9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D5F16 push 00000000h; mov dword ptr [esp], eax 0_2_007D6610
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 0_2_007D6685
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx 0_2_007D66C2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 0_2_007D66E8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D5F16 push 00000000h; mov dword ptr [esp], edi 0_2_007D6781
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D5F16 push 00000000h; mov dword ptr [esp], edx 0_2_007D67B6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 0_2_007D684C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 0_2_007D6858
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], edx 0_2_007D6926
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 0_2_007D6945
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 0_2_007D6951
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx 0_2_007D69D6

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000002.00000002.253564107.0000000000710000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.472819252.0000000000A50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.454251759.0000000000840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.rundll32.exe.a50000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.840000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.710000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.10000000.4.unpack, type: UNPACKEDPE
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 700
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10001745 LoadLibraryA,GetProcAddress, 3_2_10001745
Contains functionality to read the PEB (fs:[30h] is the PEB pointer in the 32-bit TEB; reading it is the usual prelude to checking PEB.BeingDebugged or NtGlobalFlag, or to walking PEB.Ldr to resolve APIs without an import table, which fits the LoadLibraryA/GetProcAddress resolution above)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007D2A69 xor edi, dword ptr fs:[00000030h] 0_2_007D2A69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_006F2A69 xor edi, dword ptr fs:[00000030h] 2_2_006F2A69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00A32A69 xor edi, dword ptr fs:[00000030h] 3_2_00A32A69
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\t6ygT2aU8p.dll',#1
Note: the cmd.exe /C rundll32.exe wrapper is the sandbox's DLL-loading harness (loaddll32.exe) calling the sample's export #1, not behaviour of the sample itself. No thread injection, dropped files or DNS activity was recorded in this run (see Malware Analysis System Evasion), and every Yara hit is in the memory of a process that loaded the DLL directly, so this signature should not be read as observed injection.
Source: rundll32.exe, 00000003.00000002.475289401.00000000030B0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: rundll32.exe, 00000003.00000002.475289401.00000000030B0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000003.00000002.475289401.00000000030B0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: rundll32.exe, 00000003.00000002.475289401.00000000030B0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000163F SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 3_2_1000163F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10001850 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 3_2_10001850

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000002.00000002.253564107.0000000000710000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.472819252.0000000000A50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.454251759.0000000000840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.rundll32.exe.a50000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.840000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.710000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.10000000.4.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000002.00000002.253564107.0000000000710000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.472819252.0000000000A50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.454251759.0000000000840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.rundll32.exe.a50000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.840000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.710000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.10000000.4.unpack, type: UNPACKEDPE
Behavior Graph
ID: 407674
Sample: t6ygT2aU8p.dll
Startdate: 08/05/2021
Architecture: WINDOWS
Score: 68
Signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Ursnif; Machine Learning detection for sample
Process tree:
  loaddll32.exe
    cmd.exe
      rundll32.exe
    rundll32.exe
No contacted IP infos