Loading... Additional Content is being loaded
Windows Analysis Report 0f.dll
Overview
General Information
| Sample Name: | 0f.dll |
| Analysis ID: | 498857 |
| MD5: | 0f90b21a2cdc35511626509c67c8cbf5 |
| SHA1: | 1293aa454365b3679afd77b34749ce8e175c997a |
| SHA256: | 95dbbfc33223e8e670b4f25d086d65a41d67f0434d3fe37469a7bd23e134f1f6 |
| Tags: | dll |
| Infos: | |
|
Most interesting Screenshot:  |
|
Detection
Ursnif
| Score: | 96 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Classification
AV Detection: |
  |
|---|
| Antivirus / Scanner detection for submitted sample |
| Source: |
Avira: |
||
| Found malware configuration |
| Source: |
Malware Configuration Extractor: |
||
| Multi AV Scanner detection for submitted file |
| Source: |
Metadefender: |
Perma Link | ||
| Source: |
ReversingLabs: |
|||
| Machine Learning detection for sample |
| Source: |
Joe Sandbox ML: |
||
| Antivirus or Machine Learning detection for unpacked file |
| Source: |
Avira: |
||
| Source: |
Avira: |
||
Cryptography: |
|
|---|
| Uses Microsoft's Enhanced Cryptographic Provider |
| Source: |
Code function: |
1_2_00F935A1 | |
Compliance: |
|
|---|
| Uses 32bit PE files |
| Source: |
Static PE information: |
||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
Code function: |
1_2_00F94E9C | |
| Source: |
Code function: |
4_2_01374E9C | |
Networking: |
|
|---|
| Performs DNS queries to domains with low reputation |
| Source: |
DNS query: |
||
| Source: |
DNS query: |
||
| Source: |
DNS query: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
DNS traffic detected: |
||
Key, Mouse, Clipboard, Microphone and Screen Capturing: |
|
|---|
| Yara detected Ursnif |
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Creates a DirectInput object (often for capturing keystrokes) |
| Source: |
Binary or memory string: |
||
E-Banking Fraud: |
|
|---|
| Yara detected Ursnif |
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
Code function: |
1_2_00F935A1 | |
System Summary: |
|
|---|
| Writes or reads registry keys via WMI |
| Source: |
WMI Queries: |
||
| Source: |
WMI Queries: |
||
| Source: |
WMI Queries: |
||
| Source: |
WMI Queries: |
||
| Writes registry values via WMI |
| Source: |
WMI Registry write: |
||
| Source: |
WMI Registry write: |
||
| Source: |
WMI Registry write: |
||
| Uses 32bit PE files |
| Source: |
Static PE information: |
||
| Detected potential crypto function |
| Source: |
Code function: |
1_2_02E9810A | |
| Source: |
Code function: |
1_2_10002264 | |
| Source: |
Code function: |
1_2_00F96609 | |
| Source: |
Code function: |
1_2_00F97FA8 | |
| Source: |
Code function: |
4_2_0515810A | |
| Source: |
Code function: |
4_2_01377FA8 | |
| Source: |
Code function: |
4_2_01376609 | |
| Source: |
Code function: |
5_2_04AF9305 | |
| Source: |
Code function: |
5_2_04AF1000 | |
| Source: |
Code function: |
5_2_04AF3F1C | |
| Source: |
Code function: |
5_2_04AF3AAF | |
| Source: |
Code function: |
5_2_04AF33AA | |
| Source: |
Code function: |
5_2_04AFBDAA | |
| Source: |
Code function: |
5_2_04AFB4AA | |
| Source: |
Code function: |
5_2_04AFA6BB | |
| Source: |
Code function: |
5_2_04AF59E4 | |
| Source: |
Code function: |
5_2_04AFA4FC | |
| Source: |
Code function: |
5_2_04AF1BF7 | |
| Source: |
Code function: |
5_2_04AF7FF1 | |
| Source: |
Code function: |
5_2_04AF21C0 | |
| Source: |
Code function: |
5_2_04AFA3DD | |
| Source: |
Code function: |
5_2_04AF75DC | |
| Source: |
Code function: |
5_2_04AF2E21 | |
| Source: |
Code function: |
5_2_04AF810A | |
| Source: |
Code function: |
5_2_04AF2D03 | |
| Source: |
Code function: |
5_2_04AFC217 | |
| Source: |
Code function: |
5_2_04AF204B | |
| Source: |
Code function: |
5_2_04AF2F59 | |
| Source: |
Code function: |
5_2_04AF1458 | |
| Source: |
Code function: |
5_2_04AFA257 | |
| Source: |
Code function: |
5_2_04AF1556 | |
| Source: |
Code function: |
5_2_10002264 | |
| Contains functionality to call native functions |
| Source: |
Code function: |
1_2_10001B89 | |
| Source: |
Code function: |
1_2_100018D1 | |
| Source: |
Code function: |
1_2_10002485 | |
| Source: |
Code function: |
1_2_00F93CA1 | |
| Source: |
Code function: |
1_2_00F981CD | |
| Source: |
Code function: |
4_2_01373CA1 | |
| Source: |
Code function: |
4_2_013781CD | |
| Source: |
Code function: |
5_2_10002485 | |
| Source: |
Metadefender: |
||
| Source: |
ReversingLabs: |
||
| Source: |
Key opened: |
Jump to behavior | ||
| Source: |
Code function: |
1_2_00F919E7 | |
| Source: |
Process created: |
||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Key value queried: |
Jump to behavior | ||
| Source: |
File created: |
Jump to behavior | ||
| Source: |
File created: |
Jump to behavior | ||
| Source: |
Classification label: |
||
| Source: |
File read: |
Jump to behavior | ||
| Source: |
Window detected: |
||
| Source: |
File opened: |
Jump to behavior | ||
Data Obfuscation: |
|
|---|
| Uses code obfuscation techniques (call, push, ret) |
| Source: |
Code function: |
1_2_02E98113 | |
| Source: |
Code function: |
1_2_02E99137 | |
| Source: |
Code function: |
1_2_02E991AC | |
| Source: |
Code function: |
1_2_02E991E2 | |
| Source: |
Code function: |
1_2_02E99204 | |
| Source: |
Code function: |
1_2_02E99293 | |
| Source: |
Code function: |
1_2_02E95B45 | |
| Source: |
Code function: |
1_2_02E95B69 | |
| Source: |
Code function: |
1_2_02E95B72 | |
| Source: |
Code function: |
1_2_10002209 | |
| Source: |
Code function: |
1_2_10002263 | |
| Source: |
Code function: |
1_2_00F9A2D9 | |
| Source: |
Code function: |
1_2_00F9A2D9 | |
| Source: |
Code function: |
1_2_00F9A2D9 | |
| Source: |
Code function: |
1_2_00F9B690 | |
| Source: |
Code function: |
1_2_00F97C29 | |
| Source: |
Code function: |
1_2_00F97FA7 | |
| Source: |
Code function: |
1_2_00F9A2D9 | |
| Source: |
Code function: |
1_2_00F9B164 | |
| Source: |
Code function: |
4_2_05155B45 | |
| Source: |
Code function: |
4_2_05155B69 | |
| Source: |
Code function: |
4_2_05155B72 | |
| Source: |
Code function: |
4_2_05158113 | |
| Source: |
Code function: |
4_2_05159137 | |
| Source: |
Code function: |
4_2_051591AC | |
| Source: |
Code function: |
4_2_051591E2 | |
| Source: |
Code function: |
4_2_05159204 | |
| Source: |
Code function: |
4_2_05159293 | |
| Source: |
Code function: |
4_2_0137B164 | |
| Source: |
Code function: |
4_2_01377FA7 | |
| Source: |
Code function: |
4_2_01377C29 | |
| PE file contains sections with non-standard names |
| Source: |
Static PE information: |
||
| Contains functionality to dynamically determine API calls |
| Source: |
Code function: |
1_2_10001F31 | |
Hooking and other Techniques for Hiding and Protection: |
|
|---|
| Yara detected Ursnif |
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
Malware Analysis System Evasion: |
|
|---|
| Sample execution stops while process was sleeping (likely an evasion) |
| Source: |
Last function: |
||
| Source: |
Code function: |
1_2_00F94E9C | |
| Source: |
Code function: |
4_2_01374E9C | |
Anti Debugging: |
|
|---|
| Contains functionality to read the PEB |
| Source: |
Code function: |
5_2_04AF2D03 | |
| Contains functionality to dynamically determine API calls |
| Source: |
Code function: |
1_2_10001F31 | |
HIPS / PFW / Operating System Protection Evasion: |
|
|---|
| Creates a process in suspended mode (likely to inject code) |
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
Language, Device and Operating System Detection: |
|
|---|
| Contains functionality to query locales information (e.g. system language) |
| Source: |
Code function: |
1_2_10001566 | |
| Source: |
Code function: |
5_2_10001566 | |
| Queries the installation date of Windows |
| Source: |
Key value queried: |
Jump to behavior | ||
| Contains functionality to query CPU information (cpuid) |
| Source: |
Code function: |
1_2_00F93946 | |
| Source: |
Key value queried: |
Jump to behavior | ||
| Source: |
Code function: |
1_2_1000146C | |
| Source: |
Code function: |
1_2_100017A7 | |
| Source: |
Code function: |
1_2_00F93946 | |
Stealing of Sensitive Information: |
|
|---|
| Yara detected Ursnif |
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
Remote Access Functionality: |
|
|---|
| Yara detected Ursnif |
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet
| No contacted IP infos |
|---|
Contacted Domains
| Name | IP | Active |
|---|---|---|
| windowsupdate.s.llnwi.net | 178.79.242.128 | true |
| app5.folion.xyz | unknown | unknown |