Loading ...

Play interactive tourEdit tour

Windows Analysis Report 6d60000.dll

Overview

General Information

Sample Name:6d60000.dll
Analysis ID:482228
MD5:0c1e422f4711eb432c947fd069bf342f
SHA1:323cb3a64cc15a294fd4960474b50dd8e1aacaa6
SHA256:a60364f1d501bc92914c23b3d5dff0251741ef8816fdd55151decc2234b932de
Tags:exeGozi
Infos:

Most interesting Screenshot:

Detection

Ursnif
Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
PE file does not import any functions
Tries to load missing DLLs
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)
Checks if the current process is being debugged

Classification

Process Tree

  • System is w10x64
  • loaddll64.exe (PID: 4896 cmdline: loaddll64.exe 'C:\Users\user\Desktop\6d60000.dll' MD5: A84133CCB118CF35D49A423CD836D0EF)
    • cmd.exe (PID: 5768 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\6d60000.dll',#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 5852 cmdline: rundll32.exe 'C:\Users\user\Desktop\6d60000.dll',#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 2988 cmdline: rundll32.exe C:\Users\user\Desktop\6d60000.dll,#1 MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "u9HXwops1KELSmyI9sVCp0RUDHHIjNP4aHGxjzGFry6/imJ45GT8y0VXlGFRc9zyXRVxEXnkK1Sx9S4ULBgKJJV4JjLFFv36DzeAlKEfZ03m1CZU43a/yrQhoFsVYZaqv6diOGxlvmOO3XjBkVrYs6wDfM2BINw64g9oUILCNBiqNe4/ERHY1XF5A1zPxADFkrQNqYSK/9DBLbHAEeI+op4pIv5Nbgcrd9pFPuimjdkwKDHdtdXGfZgsyeNwUzAgLINLN/AE0qhFNbUuqwS1gIyOLDj5QhU6LQJa91ylwbxVtNKXJoOMS3y4dl28It/qrBuUy0ockllB1P88Onqys/92faYbUYzik2bIla+bg2o=", "c2_domain": ["art.microsoftsofymicrosoftsoft.at", "r23cirt55ysvtdvl.onion", "fop.langoonik.com", "fog.taginoka.at", "pop.biopiof.at", "l46t3vgvmtx5wxe6.onion", "v10.avyanok.com", "apr.intoolkom.at", "mas.nagonoman.at"], "ip_check_url": ["curlmyip.net", "ident.me", "l2.io/ip", "whatismyip.akamai.com"], "serpent_key": "kTOVYpceZWWByuJ0", "server": "580", "sleep_time": "5", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "600", "time_value": "600", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "240", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "240", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "3500", "SetWaitableTimer_value": "60"}

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
6d60000.dllJoeSecurity_Ursnif_2Yara detected UrsnifJoe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Antivirus / Scanner detection for submitted sampleShow sources
    Source: 6d60000.dllAvira: detected
    Found malware configurationShow sources
    Source: 6d60000.dllMalware Configuration Extractor: Ursnif {"RSA Public Key": "u9HXwops1KELSmyI9sVCp0RUDHHIjNP4aHGxjzGFry6/imJ45GT8y0VXlGFRc9zyXRVxEXnkK1Sx9S4ULBgKJJV4JjLFFv36DzeAlKEfZ03m1CZU43a/yrQhoFsVYZaqv6diOGxlvmOO3XjBkVrYs6wDfM2BINw64g9oUILCNBiqNe4/ERHY1XF5A1zPxADFkrQNqYSK/9DBLbHAEeI+op4pIv5Nbgcrd9pFPuimjdkwKDHdtdXGfZgsyeNwUzAgLINLN/AE0qhFNbUuqwS1gIyOLDj5QhU6LQJa91ylwbxVtNKXJoOMS3y4dl28It/qrBuUy0ockllB1P88Onqys/92faYbUYzik2bIla+bg2o=", "c2_domain": ["art.microsoftsofymicrosoftsoft.at", "r23cirt55ysvtdvl.onion", "fop.langoonik.com", "fog.taginoka.at", "pop.biopiof.at", "l46t3vgvmtx5wxe6.onion", "v10.avyanok.com", "apr.intoolkom.at", "mas.nagonoman.at"], "ip_check_url": ["curlmyip.net", "ident.me", "l2.io/ip", "whatismyip.akamai.com"], "serpent_key": "kTOVYpceZWWByuJ0", "server": "580", "sleep_time": "5", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "600", "time_value": "600", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "240", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "240", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "3500", "SetWaitableTimer_value": "60"}
    Multi AV Scanner detection for submitted fileShow sources
    Source: 6d60000.dllReversingLabs: Detection: 46%

    Key, Mouse, Clipboard, Microphone and Screen Capturing:

    barindex
    Yara detected UrsnifShow sources
    Source: Yara matchFile source: 6d60000.dll, type: SAMPLE

    E-Banking Fraud:

    barindex
    Yara detected UrsnifShow sources
    Source: Yara matchFile source: 6d60000.dll, type: SAMPLE
    Source: 6d60000.dllStatic PE information: No import functions for PE file found
    Source: C:\Windows\System32\loaddll64.exeSection loaded: .dll
    Source: C:\Windows\System32\loaddll64.exeSection loaded: .dll
    Source: 6d60000.dllReversingLabs: Detection: 46%
    Source: 6d60000.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\System32\loaddll64.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: classification engineClassification label: mal72.troj.winDLL@7/0@0/0
    Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\6d60000.dll,#1
    Source: unknownProcess created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\6d60000.dll'
    Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\6d60000.dll',#1
    Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\6d60000.dll,#1
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\6d60000.dll',#1
    Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\6d60000.dll',#1
    Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\6d60000.dll,#1
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\6d60000.dll',#1
    Source: C:\Windows\System32\rundll32.exeAutomated click: OK
    Source: C:\Windows\System32\rundll32.exeAutomated click: OK
    Source: 6d60000.dllStatic PE information: Image base 0x180000000 > 0x60000000

    Hooking and other Techniques for Hiding and Protection:

    barindex
    Yara detected UrsnifShow sources
    Source: Yara matchFile source: 6d60000.dll, type: SAMPLE
    Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Windows\System32\loaddll64.exeProcess queried: DebugPort
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\6d60000.dll',#1

    Stealing of Sensitive Information:

    barindex
    Yara detected UrsnifShow sources
    Source: Yara matchFile source: 6d60000.dll, type: SAMPLE

    Remote Access Functionality:

    barindex
    Yara detected UrsnifShow sources
    Source: Yara matchFile source: 6d60000.dll, type: SAMPLE

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationDLL Side-Loading1Process Injection11Virtualization/Sandbox Evasion1OS Credential DumpingSecurity Software Discovery1Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsDLL Side-Loading1Rundll321LSASS MemoryVirtualization/Sandbox Evasion1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Process Injection11Security Account ManagerSystem Information Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)DLL Side-Loading1NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    behaviorgraph top1 signatures2 2 Behavior Graph ID: 482228 Sample: 6d60000.dll Startdate: 13/09/2021 Architecture: WINDOWS Score: 72 15 Found malware configuration 2->15 17 Antivirus / Scanner detection for submitted sample 2->17 19 Multi AV Scanner detection for submitted file 2->19 21 Yara detected  Ursnif 2->21 7 loaddll64.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 rundll32.exe 7->11         started        process5 13 rundll32.exe 9->13         started       

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.