Windows Analysis Report c36.dll

Overview

General Information

Sample Name: c36.dll
Analysis ID: 446420
MD5: c36ab737db2b6d11fb1f443f8117a7fa
SHA1: e6fab2798dd6088aa3527a01ae1b3f2415cf40cf
SHA256: 181fe6714ebaff8c1855e8e1dbac545ffd160df0ec96ddf920c5155916b7111b
Tags: dllgozi
Infos:

Most interesting Screenshot:

Detection

Ursnif
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
Performs DNS queries to domains with low reputation
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000007.00000003.741101990.0000000002F40000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"RSA Public Key": "1mPXe+HluarwW4R5yJj7kX696atmf6B7a6Jg5mZJ5i3sbRT19R7vT9mKoTtyIRImiHldxTU8DG3omytA0iEqz9hnZgVFnIpVKjKYSqpF7qVSkNASqDhbMdx0CqPxwgtnM3yHiXHYSYrxlGineE5/W0Lx89hsKcfonC8W/kvncnBH4KqUVMOPQeg/25xF11Xm", "c2_domain": ["outlook.com", "mail.com", "taybhctdyehfhgthp2.xyz", "thyihjtkylhmhnypp2.xyz"], "botnet": "5456", "server": "12", "serpent_key": "10291029JSRABBIT", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Multi AV Scanner detection for submitted file
Source: c36.dll Virustotal: Detection: 7% Perma Link

Compliance:

barindex
Uses 32bit PE files
Source: c36.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
Source: unknown HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.4:49790 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49791 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49792 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.14:443 -> 192.168.2.4:49800 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.14:443 -> 192.168.2.4:49801 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49802 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49803 version: TLS 1.2
Source: unknown HTTPS traffic detected: 195.20.250.115:443 -> 192.168.2.4:49807 version: TLS 1.2
Source: unknown HTTPS traffic detected: 195.20.250.115:443 -> 192.168.2.4:49806 version: TLS 1.2
Source: Binary string: c:\Door\26\Enter\Mos\Hard \Stretch.pdb source: loaddll32.exe, 00000000.00000002.1018511227.000000006D4DB000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.1019307465.000000006D4DB000.00000002.00020000.sdmp, c36.dll

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49729 -> 40.97.128.194:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49729 -> 40.97.128.194:80
Performs DNS queries to domains with low reputation
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe DNS query: taybhctdyehfhgthp2.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe DNS query: taybhctdyehfhgthp2.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe DNS query: taybhctdyehfhgthp2.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe DNS query: thyihjtkylhmhnypp2.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe DNS query: thyihjtkylhmhnypp2.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe DNS query: thyihjtkylhmhnypp2.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe DNS query: taybhctdyehfhgthp2.xyz
Source: DNS query: taybhctdyehfhgthp2.xyz
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 40.97.128.194 40.97.128.194
Source: Joe Sandbox View IP Address: 52.97.186.114 52.97.186.114
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: global traffic HTTP traffic detected: GET /jdraw/OvXGpKzLxUlvc/5YmODYZ1/gEki0c5_2Bcj_2BJgBmclYf/4zl_2FiIGx/zg7_2FVzTFFpxQ0Zg/IVmTcFICtOu9/15kAqnW78YI/MXCY1lZONnEzVM/eyszldhHfL9FhdO1fFyz9/RRaqeJksBpKD0xlU/B2SSOZmmpvCp3sI/4IJYpEC_2BP8ptXo3E/E9fvTGTLb/WJ6m1MuHv/Uxoe1d.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: outlook.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /jdraw/2x8ENuMVJEai_2FVqcwg/KQQ50kpn0M3L73ENNBE/G1knvzad_2Fg_2BkyCoA3S/RcPZinl4BFdYu/NG5HWnb0/vfvVzx4Doj88hqHzLS5VCB0/IRrw6ObYiX/1_2Fr33YbqAT9Ry0m/a_2FLfkuNA_2/F_2Fy3jjalf/Eg8brnQokZm55h/jGcurV8IMufIt7jFcTF99/whDSjKuT/g9l8UU7_2/B.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: mail.comConnection: Keep-Alive
Source: msapplication.xml0.15.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x4f581423,0x01d774c7</date><accdate>0x4f581423,0x01d774c7</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.15.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x4f581423,0x01d774c7</date><accdate>0x4f581423,0x01d774c7</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.15.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x4f5f3b4c,0x01d774c7</date><accdate>0x4f5f3b4c,0x01d774c7</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.15.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x4f5f3b4c,0x01d774c7</date><accdate>0x4f5f3b4c,0x01d774c7</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.15.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x4f5f3b4c,0x01d774c7</date><accdate>0x4f5f3b4c,0x01d774c7</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.15.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x4f5f3b4c,0x01d774c7</date><accdate>0x4f5f3b4c,0x01d774c7</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: outlook.com
Source: head.min[1].js.32.dr String found in binary or memory: http://modernizr.com/download/?-csstransforms-csstransforms3d-csstransitions-flexbox-flexboxlegacy-f
Source: picturefill.min[1].js.32.dr String found in binary or memory: http://scottjehl.github.io/picturefill
Source: loaddll32.exe, 00000000.00000003.885385904.0000000001014000.00000004.00000001.sdmp, ~DF5F3CA953B42C7490.TMP.24.dr, {93B4E602-E0BA-11EB-90EB-ECF4BBEA1588}.dat.24.dr String found in binary or memory: http://taybhctdyehfhgthp2.xyz/jdraw/vPapbiz2Eh/ZPYySNPAkvOvIyVz2/tWl_2FHqiE2d/6ywtXMerrZg/ABJ_2FJE5Z
Source: {A226C240-E0BA-11EB-90EB-ECF4BBEA1588}.dat.29.dr String found in binary or memory: http://thyihjtkylhmhnypp2.xyz/jdraw/5aLAbJwTVae/qoEFd9apr89OcM/6ayYRQOOdtFpSwTDl2aq9/CqCbos6Cqnizb6H
Source: msapplication.xml.15.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.15.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.15.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.15.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.15.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.15.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.15.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.15.dr String found in binary or memory: http://www.youtube.com/
Source: lt[1].htm.32.dr String found in binary or memory: https://cdn.cookielaw.org/logos/b1d060cc-fa13-4e1e-8a5e-fd705963d55b/11da4229-abbc-4e04-a16b-72fa8f1
Source: lt[1].htm.32.dr String found in binary or memory: https://cdn.cookielaw.org/logos/b1d060cc-fa13-4e1e-8a5e-fd705963d55b/662e5c67-1d13-450e-90e2-8ba98fb
Source: lt[1].htm.32.dr String found in binary or memory: https://cdn.cookielaw.org/vendorlist/
Source: lt[1].htm.32.dr String found in binary or memory: https://dl.1und1.de/permission/oneTrust/
Source: lt[1].htm.32.dr String found in binary or memory: https://dl.gmx.at/permission/oneTrust/
Source: lt[1].htm.32.dr String found in binary or memory: https://dl.gmx.ch/permission/oneTrust/
Source: lt[1].htm.32.dr String found in binary or memory: https://dl.gmx.co.uk/permission/oneTrust/
Source: lt[1].htm.32.dr String found in binary or memory: https://dl.gmx.com/permission/oneTrust/
Source: lt[1].htm.32.dr String found in binary or memory: https://dl.gmx.es/permission/oneTrust/
Source: lt[1].htm.32.dr String found in binary or memory: https://dl.gmx.fr/permission/oneTrust/
Source: lt[1].htm.32.dr String found in binary or memory: https://dl.gmx.net/permission/oneTrust/
Source: consentpage[1].htm.32.dr String found in binary or memory: https://dl.mail.com/permission/live/v1/ppp/js/permission-client.js
Source: lt[1].htm.32.dr String found in binary or memory: https://dl.mail.com/permission/oneTrust/
Source: consentpage[1].htm.32.dr String found in binary or memory: https://dl.mail.com/tcf/live/v1/js/tcf-api.js
Source: lt[1].htm.32.dr String found in binary or memory: https://dl.web.de/permission/oneTrust/
Source: lt[1].htm.32.dr String found in binary or memory: https://fonts.googleapis.com/css2?family=Roboto:ital
Source: lt[1].htm.32.dr String found in binary or memory: https://fonts.googleapis.com/css?family=Droid
Source: css[1].css.32.dr String found in binary or memory: https://fonts.gstatic.com/s/droidsans/v12/SlGVmQWMvZQIdix7AFxXkHNSaw.woff)
Source: css[1].css.32.dr String found in binary or memory: https://fonts.gstatic.com/s/droidsans/v12/SlGWmQWMvZQIdix7AFxXmMh3eDs1YQ.woff)
Source: css[1].css.32.dr String found in binary or memory: https://fonts.gstatic.com/s/droidserif/v13/tDbK2oqRg1oM3QBjjcaDkOr4nAfcGA.woff)
Source: css[1].css.32.dr String found in binary or memory: https://fonts.gstatic.com/s/droidserif/v13/tDbX2oqRg1oM3QBjjcaDkOr4lLz5CwOnTg.woff)
Source: css[1].css.32.dr String found in binary or memory: https://fonts.gstatic.com/s/monda/v11/TK3gWkYFABsmjsLaGw8Enew.woff)
Source: css[1].css.32.dr String found in binary or memory: https://fonts.gstatic.com/s/opensans/v20/mem5YaGs126MiZpBA-UN_r8OUuhv.woff)
Source: css[1].css.32.dr String found in binary or memory: https://fonts.gstatic.com/s/shadowsintolight/v10/UqyNK9UOIntux_czAvDQx_ZcHqZXBNQzdcD_.woff)
Source: url-polyfill[1].js.32.dr String found in binary or memory: https://github.com/WebReflection/url-search-params/blob/master/src/url-search-params.js
Source: url-polyfill[1].js.32.dr String found in binary or memory: https://github.com/arv/DOM-URL-Polyfill/blob/master/src/url.js
Source: bundle.min[1].js.32.dr String found in binary or memory: https://github.com/getsentry/sentry-javascript
Source: permission-client[1].js.32.dr String found in binary or memory: https://github.com/js-cookie/js-cookie
Source: picturefill.min[1].js.32.dr String found in binary or memory: https://github.com/scottjehl/picturefill/blob/master/Authors.txt;
Source: core[1].htm.32.dr String found in binary or memory: https://img.ui-portal.de/pos-cdn/tracklib/4.3.0/polyfills.min.js
Source: core[1].htm.32.dr String found in binary or memory: https://img.ui-portal.de/pos-cdn/tracklib/4.3.0/tracklib.min.js
Source: B[1].htm.32.dr String found in binary or memory: https://mail.com/jdraw/2x8ENuMVJEai_2FVqcwg/KQQ50kpn0M3L73ENNBE/G1knvzad_2Fg_2BkyCoA3S/RcPZinl4BFdYu
Source: lt[1].htm.32.dr String found in binary or memory: https://mam-confluence.1and1.com/display/TDII/BRAIN-Tracking
Source: lt[1].htm.32.dr String found in binary or memory: https://my.onetrust.com/s/article/UUID-185d63b9-1094-a9d3-e684-bb1f155ae6ad
Source: lt[1].htm.32.dr String found in binary or memory: https://nct.ui-portal.de/mailcom/mailcom/s?
Source: {B0214097-E0BA-11EB-90EB-ECF4BBEA1588}.dat.34.dr String found in binary or memory: https://outlook.office365.com/jdraw/0SBJEaWj8uzaYO9/X2ZLyhcXhOBs13vUhk/uA0Mj7KPw/1hd_2FrDfFtdqWCbDdz
Source: ~DF8670946C9A228354.TMP.15.dr, {79338731-E0BA-11EB-90EB-ECF4BBEA1588}.dat.15.dr String found in binary or memory: https://outlook.office365.com/jdraw/OvXGpKzLxUlvc/5YmODYZ1/gEki0c5_2Bcj_2BJgBmclYf/4zl_2FiIGx/zg7_2F
Source: {9AD72DED-E0BA-11EB-90EB-ECF4BBEA1588}.dat.27.dr String found in binary or memory: https://outlook.office365.com/jdraw/xGbcxYlao6QybS/5qDDj85QhfUdCqg61IRxY/a3KKCFnPRTca1yiq/_2Fc_2FODy
Source: consentpage[1].htm.32.dr String found in binary or memory: https://s.uicdn.com/mailint/9.1725.0/assets/consent/consent-management.js
Source: consentpage[1].htm.32.dr String found in binary or memory: https://s.uicdn.com/mailint/9.1725.0/assets/consent/mailcom/spinner.gif
Source: consentpage[1].htm.32.dr String found in binary or memory: https://s.uicdn.com/mailint/9.1725.0/assets/consent/mailcom/styles.css
Source: consentpage[1].htm.32.dr String found in binary or memory: https://s.uicdn.com/mailint/9.1725.0/assets/consent/main.js
Source: consentpage[1].htm.32.dr String found in binary or memory: https://s.uicdn.com/mailint/9.1725.0/assets/favicon.ico
Source: imagestore.dat.31.dr String found in binary or memory: https://s.uicdn.com/mailint/9.1725.0/assets/favicon.ico~
Source: lt[1].htm.32.dr String found in binary or memory: https://s.uicdn.com/permission/live/
Source: core[1].htm.32.dr, lt[1].htm.32.dr String found in binary or memory: https://s.uicdn.com/shared/sentry/5.5.0/bundle.min.js
Source: lt[1].htm.32.dr String found in binary or memory: https://s.uicdn.com/tcf/live/
Source: core[1].htm.32.dr String found in binary or memory: https://s.uicdn.com/tcf/live/v1/js/tcf-api.js
Source: url-polyfill[1].js.32.dr String found in binary or memory: https://url.spec.whatwg.org/#urlencoded-serializing
Source: main[1].js.32.dr String found in binary or memory: https://wa.mail.com/1and1/mailcom/s?_c=0&name=
Source: consentpage[1].htm.32.dr String found in binary or memory: https://www.mail.com/
Source: {A90D6F79-E0BA-11EB-90EB-ECF4BBEA1588}.dat.31.dr String found in binary or memory: https://www.mail.com/cdraw/2x8ENuMVJEai_2FVqcwg/KQQ50kpn0M3L73ENNBE/G1knvzad_2Fg_2BkyCoA3S/RcPZinl4B
Source: ~DF3B2B4B210D4677DA.TMP.31.dr String found in binary or memory: https://www.mail.com/consentpage
Source: consentpage[1].htm.32.dr String found in binary or memory: https://www.mail.com/consentpage/event/error
Source: consentpage[1].htm.32.dr String found in binary or memory: https://www.mail.com/consentpage/event/visit
Source: ~DF3B2B4B210D4677DA.TMP.31.dr, {A90D6F79-E0BA-11EB-90EB-ECF4BBEA1588}.dat.31.dr String found in binary or memory: https://www.mail.com/consentpageVJEai_2FVqcwg/KQQ50kpn0M3L73ENNBE/G1knvzad_2Fg_2BkyCoA3S/RcPZinl4BFd
Source: ~DF3B2B4B210D4677DA.TMP.31.dr, {A90D6F79-E0BA-11EB-90EB-ECF4BBEA1588}.dat.31.dr, B[1].htm0.32.dr String found in binary or memory: https://www.mail.com/jdraw/2x8ENuMVJEai_2FVqcwg/KQQ50kpn0M3L73ENNBE/G1knvzad_2Fg_2BkyCoA3S/RcPZinl4B
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.4:49790 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49791 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49792 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.14:443 -> 192.168.2.4:49800 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.14:443 -> 192.168.2.4:49801 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49802 version: TLS 1.2
Source: unknown HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49803 version: TLS 1.2
Source: unknown HTTPS traffic detected: 195.20.250.115:443 -> 192.168.2.4:49807 version: TLS 1.2
Source: unknown HTTPS traffic detected: 195.20.250.115:443 -> 192.168.2.4:49806 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.910366216.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790900009.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790960793.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.910522567.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.910307395.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790850525.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790877212.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790821624.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.910457867.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1018360128.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.910423038.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790930892.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.910544336.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790783444.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.910564992.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.910494134.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790740831.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6856, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6932, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000002.1017606685.0000000000F9B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.910366216.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790900009.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790960793.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.910522567.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.910307395.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790850525.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790877212.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790821624.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.910457867.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1018360128.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.910423038.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790930892.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.910544336.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790783444.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.910564992.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.910494134.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790740831.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6856, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6932, type: MEMORY

System Summary:

barindex
Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D491A44 NtMapViewOfSection, 0_2_6D491A44
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D491996 GetProcAddress,NtCreateSection,memset, 0_2_6D491996
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4923A5 NtQueryVirtualMemory, 0_2_6D4923A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00815A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 4_2_00815A27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0081B1A5 NtQueryVirtualMemory, 4_2_0081B1A5
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D492184 0_2_6D492184
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4BD1F0 0_2_6D4BD1F0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4BA260 0_2_6D4BA260
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4D8559 0_2_6D4D8559
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4CEDC4 0_2_6D4CEDC4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4CC5EB 0_2_6D4CC5EB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4B99A0 0_2_6D4B99A0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4DA1BF 0_2_6D4DA1BF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4D8015 0_2_6D4D8015
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4C68E0 0_2_6D4C68E0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4BDA30 0_2_6D4BDA30
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4D7AD1 0_2_6D4D7AD1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0081888E 4_2_0081888E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00813EE1 4_2_00813EE1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0081AF80 4_2_0081AF80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D4BD1F0 4_2_6D4BD1F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D4BA260 4_2_6D4BA260
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D4D8559 4_2_6D4D8559
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D4CEDC4 4_2_6D4CEDC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D4CC5EB 4_2_6D4CC5EB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D4B99A0 4_2_6D4B99A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D4DA1BF 4_2_6D4DA1BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D4D8015 4_2_6D4D8015
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D4C68E0 4_2_6D4C68E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D4BDA30 4_2_6D4BDA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D4D7AD1 4_2_6D4D7AD1
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6D4C9D10 appears 49 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D4C9D10 appears 49 times
Uses 32bit PE files
Source: c36.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine Classification label: mal84.troj.winDLL@34/91@25/13
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0081A65C CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 4_2_0081A65C
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7933872F-E0BA-11EB-90EB-ECF4BBEA1588}.dat Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFA4B211933831C46D.TMP Jump to behavior
Source: c36.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Beautyresult
Source: c36.dll Virustotal: Detection: 7%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\c36.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\c36.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Beautyresult
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\c36.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Division
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Fastcolor
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Yetclose
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7064 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:244 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4780 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5592 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2016 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4624 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5432 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\c36.dll',#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Beautyresult Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Division Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Fastcolor Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Yetclose Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\c36.dll',#1 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7064 CREDAT:17410 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:244 CREDAT:17410 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4780 CREDAT:17410 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5592 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2016 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4624 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5432 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
Source: c36.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: c36.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: c36.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: c36.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: c36.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: c36.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: c36.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\Door\26\Enter\Mos\Hard \Stretch.pdb source: loaddll32.exe, 00000000.00000002.1018511227.000000006D4DB000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.1019307465.000000006D4DB000.00000002.00020000.sdmp, c36.dll
Source: c36.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: c36.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: c36.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: c36.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: c36.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

barindex
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D491BAC LoadLibraryA,GetProcAddress, 0_2_6D491BAC
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D492173 push ecx; ret 0_2_6D492183
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D492120 push ecx; ret 0_2_6D492129
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4C9D55 push ecx; ret 0_2_6D4C9D68
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4A1511 push es; ret 0_2_6D4A156F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4A1F3E push ds; ret 0_2_6D4A1F42
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4A27B2 push edi; retf 0_2_6D4A27B4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4C7255 push ecx; ret 0_2_6D4C7268
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4F3501 push eax; ret 0_2_6D4F3531
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4F678B push dword ptr [ebx+ecx+36B6D5EAh]; iretd 0_2_6D4F67A1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4F3580 push eax; ret 0_2_6D4F3531
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4F5803 push dword ptr [edi]; ret 0_2_6D4F5810
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4F58DE push ebx; retf 0_2_6D4F58E9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4F60AF push 5DC4E471h; iretd 0_2_6D4F60B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0081ABC0 push ecx; ret 4_2_0081ABC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0081AF6F push ecx; ret 4_2_0081AF7F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D4C9D55 push ecx; ret 4_2_6D4C9D68
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D4A1511 push es; ret 4_2_6D4A156F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D4A5779 push esp; iretd 4_2_6D4A577D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D4A670E pushad ; retf 4_2_6D4A6715
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D4A1F3E push ds; ret 4_2_6D4A1F42
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D4A27B2 push edi; retf 4_2_6D4A27B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D4A59A9 push esp; ret 4_2_6D4A59B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D4C7255 push ecx; ret 4_2_6D4C7268
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D4F3501 push eax; ret 4_2_6D4F3531
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D4F678B push dword ptr [ebx+ecx+36B6D5EAh]; iretd 4_2_6D4F67A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D4F3580 push eax; ret 4_2_6D4F3531
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D4F5803 push dword ptr [edi]; ret 4_2_6D4F5810
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D4F58DE push ebx; retf 4_2_6D4F58E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D4F60AF push 5DC4E471h; iretd 4_2_6D4F60B9

Hooking and other Techniques for Hiding and Protection:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.910366216.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790900009.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790960793.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.910522567.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.910307395.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790850525.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790877212.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790821624.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.910457867.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1018360128.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.910423038.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790930892.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.910544336.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790783444.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.910564992.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.910494134.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790740831.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6856, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6932, type: MEMORY
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\loaddll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed

Anti Debugging:

barindex
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4C4FB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6D4C4FB4
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D491BAC LoadLibraryA,GetProcAddress, 0_2_6D491BAC
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4F434D mov eax, dword ptr fs:[00000030h] 0_2_6D4F434D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4F427C mov eax, dword ptr fs:[00000030h] 0_2_6D4F427C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4F3E83 push dword ptr fs:[00000030h] 0_2_6D4F3E83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D4F434D mov eax, dword ptr fs:[00000030h] 4_2_6D4F434D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D4F427C mov eax, dword ptr fs:[00000030h] 4_2_6D4F427C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D4F3E83 push dword ptr fs:[00000030h] 4_2_6D4F3E83
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4C27C8 _abort,__NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6D4C27C8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4C4FB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6D4C4FB4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4C6ED0 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6D4C6ED0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4C6A1F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6D4C6A1F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D4C27C8 _abort,__NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6D4C27C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D4C4FB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_6D4C4FB4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D4C6ED0 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6D4C6ED0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D4C6A1F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_6D4C6A1F

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\c36.dll',#1 Jump to behavior
Source: loaddll32.exe, 00000000.00000002.1017746291.0000000001420000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.1018045127.0000000002E10000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.1017746291.0000000001420000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.1018045127.0000000002E10000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.1017746291.0000000001420000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.1018045127.0000000002E10000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.1017746291.0000000001420000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.1018045127.0000000002E10000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00819135 cpuid 4_2_00819135
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 0_2_6D4D3C75
Source: C:\Windows\System32\loaddll32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 0_2_6D4C8C74
Source: C:\Windows\System32\loaddll32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num, 0_2_6D4CD7F4
Source: C:\Windows\System32\loaddll32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 0_2_6D4CD186
Source: C:\Windows\System32\loaddll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_6D4D74C2
Source: C:\Windows\System32\loaddll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 0_2_6D4CE791
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 0_2_6D4CE67A
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA, 0_2_6D4D3E03
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 0_2_6D4CE829
Source: C:\Windows\System32\loaddll32.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 0_2_6D4D734F
Source: C:\Windows\System32\loaddll32.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_6D4CEB30
Source: C:\Windows\System32\loaddll32.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,_strcpy_s,__invoke_watson,__itoa_s, 0_2_6D4CEBD3
Source: C:\Windows\System32\loaddll32.exe Code function: GetLastError,_malloc,WideCharToMultiByte,__freea,GetLocaleInfoA, 0_2_6D4D7383
Source: C:\Windows\System32\loaddll32.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_6D4CEB97
Source: C:\Windows\System32\loaddll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 0_2_6D4CEA6F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 4_2_6D4D3C75
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 4_2_6D4C8C74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num, 4_2_6D4CD7F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 4_2_6D4CD186
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 4_2_6D4D74C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 4_2_6D4CE791
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 4_2_6D4CE67A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 4_2_6D4D3E03
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 4_2_6D4CE829
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 4_2_6D4D734F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 4_2_6D4CEB30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,_strcpy_s,__invoke_watson,__itoa_s, 4_2_6D4CEBD3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLastError,_malloc,WideCharToMultiByte,__freea,GetLocaleInfoA, 4_2_6D4D7383
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 4_2_6D4CEB97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 4_2_6D4CEA6F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D491ADA GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_6D491ADA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00819135 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 4_2_00819135
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4CB23D __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,__invoke_watson,__invoke_watson, 0_2_6D4CB23D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D491F0E CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_6D491F0E

Stealing of Sensitive Information:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.910366216.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790900009.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790960793.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.910522567.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.910307395.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790850525.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790877212.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790821624.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.910457867.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1018360128.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.910423038.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790930892.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.910544336.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790783444.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.910564992.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.910494134.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790740831.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6856, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6932, type: MEMORY

Remote Access Functionality:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.910366216.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790900009.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790960793.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.910522567.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.910307395.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790850525.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790877212.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790821624.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.910457867.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1018360128.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.910423038.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790930892.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.910544336.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790783444.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.910564992.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.910494134.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.790740831.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6856, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6932, type: MEMORY
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs