Windows Analysis Report 50b0000.dll
Overview
General Information
Detection
| Field | Value |
|---|---|
| Score | 64 |
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 100% |
Signatures
Classification
Process Tree

Malware Configuration

Threatname: Ursnif
```json
{
  "RSA Public Key": "vM/iQI7/pNgGz6lvtI6TzQegGf2XOLfA1qF/UUWP33fhMhAMf4GRSOJmruKfOpClZgy8d4EH5nDffMSHLLCNtrR+dtN+DP25KSbfLihidE/SjbLI0hsotYZGCDBmkB8RgNy5kRipILXyv4cW0eYiLVm2e5VaCkdKBqotkaZ6t0ybzDTZn1t0o5nqHQOYtQRW",
  "c2_domain": ["api5.feen007.at/webstore"],
  "botnet": "3500",
  "server": "550",
  "serpent_key": "IpNvMMQa29KhBf3e",
  "sleep_time": "10",
  "CONF_TIMEOUT": "20",
  "SetWaitableTimer_value": "10",
  "dga_base_url": "constitution.org/usdeclar.txt",
  "dga_tld": "com ru org",
  "DGA_count": "10"
}
```
Yara Overview

Initial Sample

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview
AV Detection:
- Antivirus / Scanner detection for submitted sample
- Source: Avira
- Found malware configuration
- Source: Malware Configuration Extractor
- Source: Static PE information

Key, Mouse, Clipboard, Microphone and Screen Capturing:
- Yara detected Ursnif
- Source: File source

E-Banking Fraud:
- Yara detected Ursnif
- Source: File source
- Source: Static PE information (2 entries)
- Source: Section loaded (4 entries)
- Source: Static PE information
- Source: Key opened
- Source: Classification label
- Source: Process created (6 entries)

Hooking and other Techniques for Hiding and Protection:
- Yara detected Ursnif
- Source: File source
- Source: Process information set
- Source: Thread injection, dropped files, key value created, disk infection and DNS query (2 entries)
- Source: Process queried
- Source: Process created

Stealing of Sensitive Information:
- Yara detected Ursnif
- Source: File source

Remote Access Functionality:
- Yara detected Ursnif
- Source: File source
Mitre Att&ck Matrix

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation | DLL Side-Loading1 | Process Injection11 | Virtualization/Sandbox Evasion1 | OS Credential Dumping | Security Software Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading1 | Rundll321 | LSASS Memory | Virtualization/Sandbox Evasion1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection11 | Security Account Manager | System Information Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | DLL Side-Loading1 | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Behavior Graph

Screenshots
Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| | 100% | Avira | HEUR/AGEN.1108168 | |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs
General Information

| Field | Value |
|---|---|
| Joe Sandbox Version | 33.0.0 White Diamond |
| Analysis ID | 498827 |
| Start date | 07.10.2021 |
| Start time | 15:13:11 |
| Joe Sandbox Product | CloudBasic |
| Overall analysis duration | 0h 6m 35s |
| Hypervisor based Inspection enabled | false |
| Report type | full |
| Sample file name | 50b0000.dll |
| Cookbook file name | default.jbs |
| Analysis system description | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of new started processes analysed | 32 |
| Number of new started drivers analysed | 0 |
| Number of existing processes analysed | 0 |
| Number of existing drivers analysed | 0 |
| Number of injected processes analysed | 0 |
| Technologies | |
| Analysis Mode | default |
| Analysis stop reason | Timeout |
| Detection | MAL |
| Classification | mal64.troj.winDLL@5/0@0/0 |
| EGA Information | Failed |
| HDC Information | Failed |
| HCA Information | |
| Cookbook Comments | |
| Warnings | |
Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

Created / dropped Files

No created / dropped files found
Static File Info

General

| Field | Value |
|---|---|
| File type | |
| Entropy (8bit) | 6.562968589997569 |
| TrID | |
| File name | 50b0000.dll |
| File size | 54784 |
| MD5 | 58f21c7dda3babf8bb6eeabb0949c496 |
| SHA1 | e967834ee1b6ae315d43ca8f640db4dba76e5a0f |
| SHA256 | c88152c5a3a00f6bc9dbc4958659f7fb80b90c39a256fbc2e774a8c70affae1a |
| SHA512 | c7f00cb7e7aa74f45bb94e6ac821422c98d1dbccb13a0bfda63971d4db86133ed2abccff490c9096b2b34f312b10cfab3b0b3645fb56c562a2a74cead1ed4a35 |
| SSDEEP | 1536:WY/xJLCObwAbdZWdbkHbReQc1gMQBbyqlalXFPhLKW:WY/xHDbdWG8nX0byqlalVZL |
| File Content Preview | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........i.@...@...@...g^z.A...I...F...g^i.C...@.........Z.C.....X.A.......C...g^v.l...g^}.A...g^..A...Rich@...................PE..L.. |

File Icon

| Field | Value |
|---|---|
| Icon Hash | 74f0e4ecccdce0e4 |

Static PE Info

General

| Field | Value |
|---|---|
| Entrypoint | 0x1000423d |
| Entrypoint Section | .text |
| Digitally signed | false |
| Imagebase | 0x10000000 |
| Subsystem | windows gui |
| Image File Characteristics | 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
| DLL Characteristics | |
| Time Stamp | 0x5F6B29CC [Wed Sep 23 10:56:12 2020 UTC] |
| TLS Callbacks | |
| CLR (.Net) Version | |
| OS Version Major | 4 |
| OS Version Minor | 0 |
| File Version Major | 4 |
| File Version Minor | 0 |
| Subsystem Version Major | 4 |
| Subsystem Version Minor | 0 |
| Import Hash | |
Entrypoint Preview

```asm
mov eax, dword ptr [esp+08h]
push esi
xor esi, esi
inc esi
sub eax, 00000000h
je 00007F3FA4A2F035h
dec eax
jne 00007F3FA4A2F046h
push 1000D1F4h
call dword ptr [1000C00Ch]
cmp eax, esi
jne 00007F3FA4A2F037h
push dword ptr [esp+08h]
call 00007F3FA4A2D4CAh
test eax, eax
je 00007F3FA4A2F02Ah
xor esi, esi
jmp 00007F3FA4A2F026h
push 1000D1F4h
call dword ptr [1000C010h]
test eax, eax
jne 00007F3FA4A2F017h
call 00007F3FA4A2CF41h
mov eax, esi
pop esi
retn 000Ch
push ebp
mov ebp, esp
push ecx
push ebx
push esi
push edi
mov edi, dword ptr [ebp+08h]
push 00000020h
mov esi, ecx
xor ecx, ecx
pop ebx
sub ebx, dword ptr [ebp+0Ch]
mov dword ptr [ebp-04h], ecx
mov dword ptr [ebp+08h], eax
jne 00007F3FA4A2F016h
xor eax, eax
jmp 00007F3FA4A2F062h
cmp dword ptr [ebp+0Ch], ecx
je 00007F3FA4A2F044h
cmp eax, ecx
lea esi, dword ptr [esi+eax*4-04h]
lea edi, dword ptr [edi+eax*4-04h]
je 00007F3FA4A2F04Eh
mov edx, dword ptr [esi]
mov ecx, dword ptr [ebp+0Ch]
dec dword ptr [ebp+08h]
mov eax, edx
shr eax, cl
mov ecx, ebx
shl edx, cl
sub esi, 04h
or eax, dword ptr [ebp-04h]
mov dword ptr [edi], eax
sub edi, 04h
cmp dword ptr [ebp+08h], 00000000h
mov dword ptr [ebp-04h], edx
jne 00007F3FA4A2EFEEh
jmp 00007F3FA4A2F028h
cmp eax, ecx
je 00007F3FA4A2F024h
mov eax, dword ptr [esi]
dec dword ptr [ebp+08h]
mov dword ptr [edi], eax
add edi, 04h
add esi, 04h
cmp dword ptr [ebp+08h], ecx
jne 00007F3FA4A2F000h
mov eax, dword ptr [ebp-04h]
pop edi
pop esi
pop ebx
leave
retn 0008h
push ebp
mov ebp, esp
sub esp, 10h
```

Rich Headers

Programming Language:
Data Directories

| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0xcec0 | 0x34 | .rdata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc6e4 | 0x64 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf000 | 0x710 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0xc000 | 0x170 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xc2cc | 0xc0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

Sections
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xa327 | 0xa400 | False | 0.581602515244 | data | 6.54856176409 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0xc000 | 0xef4 | 0x1000 | False | 0.379150390625 | data | 3.60302468591 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xd000 | 0x2f4 | 0x200 | False | 0.453125 | ARJ archive data, v13, original name: , os: MS-DOS | 2.82911163227 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.bss | 0xe000 | 0xdf2 | 0xe00 | False | 0.977678571429 | data | 7.79892621903 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.reloc | 0xf000 | 0x1000 | 0xe00 | False | 0.553850446429 | data | 5.00821944937 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior
General

| Field | Value |
|---|---|
| Start time | 15:14:08 |
| Start date | 07/10/2021 |
| Path | C:\Windows\System32\loaddll32.exe |
| Wow64 process (32bit) | true |
| Commandline | |
| Imagebase | 0x200000 |
| File size | 893440 bytes |
| MD5 hash | 72FCD8FB0ADC38ED9050569AD673650E |
| Has elevated privileges | true |
| Has administrator privileges | true |
| Programmed in | C, C++ or other language |
| Reputation | moderate |

General

| Field | Value |
|---|---|
| Start time | 15:14:09 |
| Start date | 07/10/2021 |
| Path | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit) | true |
| Commandline | |
| Imagebase | 0x150000 |
| File size | 232960 bytes |
| MD5 hash | F3BDBE3BB6F734E357235F4D5898582D |
| Has elevated privileges | true |
| Has administrator privileges | true |
| Programmed in | C, C++ or other language |
| Reputation | high |

General

| Field | Value |
|---|---|
| Start time | 15:14:09 |
| Start date | 07/10/2021 |
| Path | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit) | true |
| Commandline | |
| Imagebase | 0x9f0000 |
| File size | 61952 bytes |
| MD5 hash | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
| Has elevated privileges | true |
| Has administrator privileges | true |
| Programmed in | C, C++ or other language |
| Reputation | high |
Disassembly

Code Analysis