Analysis Report t6ygT2aU8p.dll

Overview

General Information

Sample Name:	t6ygT2aU8p.dll
Analysis ID:	407674
MD5:	beed23c8b32850c8f45228c22c8b036d
SHA1:	1b002110ca216433834fac4ddcbf5ec32e86f59c
SHA256:	9e28e8d663048328cf77a9c78fb97b5037510d07b737ca0ee10065bb8bab1fd8
Tags:	dllGozi
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Ursnif

Machine Learning detection for sample

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

PE file contains sections with non-standard names

Program does not show much activity (idle)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 0.2.loaddll32.exe.2210000.1.raw.unpack

Malware Configuration Extractor: Ursnif {"RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA", "c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Multi AV Scanner detection for submitted file

Source: t6ygT2aU8p.dll	Virustotal: Detection: 63%	Perma Link
Source: t6ygT2aU8p.dll	Metadefender: Detection: 61%	Perma Link
Source: t6ygT2aU8p.dll	ReversingLabs: Detection: 82%

Machine Learning detection for sample

Source: t6ygT2aU8p.dll

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Source: t6ygT2aU8p.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Source: Yara match	File source: 00000000.00000002.530449797.0000000002210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.272048426.0000000003370000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.264250429.0000000002A40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.rundll32.exe.2a40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.2210000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.3370000.2.raw.unpack, type: UNPACKEDPE

E-Banking Fraud:

Yara detected Ursnif

Source: Yara match	File source: 00000000.00000002.530449797.0000000002210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.272048426.0000000003370000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.264250429.0000000002A40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.rundll32.exe.2a40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.2210000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.3370000.2.raw.unpack, type: UNPACKEDPE

System Summary:

Detected potential crypto function

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A25F16	3_2_02A25F16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A23FAB	3_2_02A23FAB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A22FAF	3_2_02A22FAF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A292B2	3_2_02A292B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A231B3	3_2_02A231B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A288BA	3_2_02A288BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A213C5	3_2_02A213C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A21CD0	3_2_02A21CD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A227D4	3_2_02A227D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A243D8	3_2_02A243D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A25A25	3_2_02A25A25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A2150C	3_2_02A2150C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A23A14	3_2_02A23A14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A21B1E	3_2_02A21B1E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A25262	3_2_02A25262
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A22566	3_2_02A22566
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A21967	3_2_02A21967
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A22A69	3_2_02A22A69
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A25378	3_2_02A25378

Uses 32bit PE files

Source: t6ygT2aU8p.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: classification engine

Classification label: mal68.troj.winDLL@7/0@0/0

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\t6ygT2aU8p.dll,DllServer

Source: t6ygT2aU8p.dll	Virustotal: Detection: 63%
Source: t6ygT2aU8p.dll	Metadefender: Detection: 61%
Source: t6ygT2aU8p.dll	ReversingLabs: Detection: 82%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\t6ygT2aU8p.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\t6ygT2aU8p.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\t6ygT2aU8p.dll,DllServer
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\t6ygT2aU8p.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\t6ygT2aU8p.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\t6ygT2aU8p.dll,DllServer	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\t6ygT2aU8p.dll',#1	Jump to behavior

Data Obfuscation:

PE file contains sections with non-standard names

Source: t6ygT2aU8p.dll

Static PE information: section name: .code

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A2709D push edi; mov dword ptr [esp], FFFF0000h	3_2_02A2709E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A2709D push 00000000h; mov dword ptr [esp], ebp	3_2_02A270F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A2709D push esp; mov dword ptr [esp], 00000040h	3_2_02A2711D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A2709D push 00000000h; mov dword ptr [esp], ecx	3_2_02A2716C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A25F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx	3_2_02A25F7B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A25F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax	3_2_02A25F94
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A25F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax	3_2_02A25FDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A25F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax	3_2_02A2604B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A25F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax	3_2_02A26124
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A25F16 push 00000000h; mov dword ptr [esp], edi	3_2_02A2614F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A25F16 push 00000000h; mov dword ptr [esp], edx	3_2_02A2625E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A25F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax	3_2_02A262B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A25F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax	3_2_02A26343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A25F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax	3_2_02A2635D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A25F16 push 00000000h; mov dword ptr [esp], ebp	3_2_02A26368
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A25F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax	3_2_02A26385
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A25F16 push 00000000h; mov dword ptr [esp], edx	3_2_02A263B4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A25F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax	3_2_02A26483
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A25F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax	3_2_02A264F2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A25F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax	3_2_02A264FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A25F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax	3_2_02A2650A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A25F16 push 00000000h; mov dword ptr [esp], edi	3_2_02A26567
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A25F16 push 00000000h; mov dword ptr [esp], edi	3_2_02A265A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A25F16 push 00000000h; mov dword ptr [esp], eax	3_2_02A26610
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A25F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax	3_2_02A26685
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A25F16 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx	3_2_02A266C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A25F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax	3_2_02A266E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A25F16 push 00000000h; mov dword ptr [esp], edi	3_2_02A26781
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A25F16 push 00000000h; mov dword ptr [esp], edx	3_2_02A267B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A25F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax	3_2_02A2684C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02A25F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax	3_2_02A26858

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Source: Yara match	File source: 00000000.00000002.530449797.0000000002210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.272048426.0000000003370000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.264250429.0000000002A40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.rundll32.exe.2a40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.2210000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.3370000.2.raw.unpack, type: UNPACKEDPE

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Anti Debugging:

Contains functionality to read the PEB

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_02A22A69 xor edi, dword ptr fs:[00000030h]

3_2_02A22A69

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\t6ygT2aU8p.dll',#1

Jump to behavior

Stealing of Sensitive Information:

Yara detected Ursnif

Source: Yara match	File source: 00000000.00000002.530449797.0000000002210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.272048426.0000000003370000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.264250429.0000000002A40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.rundll32.exe.2a40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.2210000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.3370000.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Ursnif

Source: Yara match	File source: 00000000.00000002.530449797.0000000002210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.272048426.0000000003370000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.264250429.0000000002A40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.rundll32.exe.2a40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.2210000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.3370000.2.raw.unpack, type: UNPACKEDPE

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No contacted IP infos

ID:	407674
Product:	CloudBasic
Start time:	04:02:11
Start date:	08.05.2021
Sample:	t6ygT2aU8p.dll
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	beed23c8b32850c8f45228c22c8b036d
SHA1:	1b002110ca216433834fac4ddcbf5ec32e86f59c
SHA256:	9e28e8d663048328cf77a9c78fb97b5037510d07b737ca0ee10065bb8bab1fd8
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60%

Analysis Report t6ygT2aU8p.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map