Windows Analysis Report c3.dll

Overview

General Information

Sample Name: c3.dll
Analysis ID: 498859
MD5: c309ec3264c7bf7c771cca5703e841fe
SHA1: 2af04c50d324bc6f42fe9714ea89cf300471c169
SHA256: 616255c7f0697542e2a3e5e6b4834fffa5e56e7ede26612454674a9937d32a19
Tags: dll

Detection

Ursnif
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Uses 32bit PE files
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: c3.dll Avira: detected
Found malware configuration
Source: 00000002.00000003.527385053.0000000002960000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "iZ+yu73sQgHWIoKVZvTBVFftBRzgg84Wo8cRK1WKzlYIyRSwRES+5puIFDGj4t/PJdO/J+rFd8Puk9xQXkAk5gtRJ+EiBjQZEhIJII9S4j9MojvldfnQXG4MCZq2vijykYOVQ/oipgSqNw946zszs4wFVrWAoZclk2bk1tyqtgqxkkj0TTwIXY2VfInsWFxD/3rDCluhcm6BGxwpQenf9WcO9HcjXScxWCVoj1xEKoz2EWs5Yz+47bMOX0XSfQdNTrhQDAWX7nAEEA6/oHUm46QdJTg5UtCf5yxbjwIgAf3SZboeJUyNSK7Q1WQQUlETGFBqUZa4n/YRWCQVzi42QoGrPxpP3LrDhlEYnFm7fQM=", "c2_domain": ["app10.laptok.at", "apt.feel500.at", "init.in100k.at"], "botnet": "3500", "server": "580", "serpent_key": "GfG96RIHgUj8PvPF", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}
Multi AV Scanner detection for submitted file
Source: c3.dll Virustotal: Detection: 58%
Source: c3.dll ReversingLabs: Detection: 65%

Compliance:

Uses 32bit PE files
Source: c3.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: c3.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\surface\829\began-Glad\Law.pdb source: loaddll32.exe, 00000000.00000002.878842314.000000006F26E000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.880085108.000000006F26E000.00000002.00020000.sdmp, c3.dll

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 3.2.rundll32.exe.6f250000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.31194a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.4238d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.2968d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2dc8d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6f250000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.2c08d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.1088d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.31194a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000003.527385053.0000000002960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.556982674.0000000002DC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.545943062.0000000004230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.528290372.0000000002C00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.878420774.0000000003119000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.560938842.0000000001080000.00000040.00000001.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 3.2.rundll32.exe.6f250000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.31194a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.4238d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.2968d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2dc8d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6f250000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.2c08d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.1088d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.31194a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000003.527385053.0000000002960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.556982674.0000000002DC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.545943062.0000000004230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.528290372.0000000002C00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.878420774.0000000003119000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.560938842.0000000001080000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files
Source: c3.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F252264 0_2_6F252264
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F252264 3_2_6F252264
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F252485 NtQueryVirtualMemory, 0_2_6F252485
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F252485 NtQueryVirtualMemory, 3_2_6F252485
Source: c3.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: c3.dll Virustotal: Detection: 58%
Source: c3.dll ReversingLabs: Detection: 65%
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c3.dll,@Againkind@0
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\c3.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\c3.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\c3.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c3.dll,@Consonanttime@8
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c3.dll,@Nooncry@4
Source: classification engine Classification label: mal72.troj.winDLL@11/0@0/0
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: c3.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: c3.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: c3.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: c3.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: c3.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: c3.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: c3.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\surface\829\began-Glad\Law.pdb source: loaddll32.exe, 00000000.00000002.878842314.000000006F26E000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.880085108.000000006F26E000.00000002.00020000.sdmp, c3.dll
Source: c3.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: c3.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: c3.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: c3.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: c3.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F252200 push ecx; ret 0_2_6F252209
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F252253 push ecx; ret 0_2_6F252263
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F2635F6 push ebx; retf 0_2_6F263609
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F2639C2 push edi; retf 0_2_6F2639D0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F26482E push ebp; retf 0_2_6F264842
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F26046F push edx; retf 0_2_6F260470
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F262885 push ss; retf 001Eh 0_2_6F26297E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F261C9C push ebp; iretd 0_2_6F261D20
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F260CF4 pushfd ; retf 005Dh 0_2_6F260D0A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F28092C push ebp; retf 0_2_6F28092D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F28013B push EC30617Dh; retn 0000h 0_2_6F28014E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F252200 push ecx; ret 3_2_6F252209
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F252253 push ecx; ret 3_2_6F252263
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F2635F6 push ebx; retf 3_2_6F263609
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F2639C2 push edi; retf 3_2_6F2639D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F26482E push ebp; retf 3_2_6F264842
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F26046F push edx; retf 3_2_6F260470
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F262885 push ss; retf 001Eh 3_2_6F26297E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F261C9C push ebp; iretd 3_2_6F261D20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F260CF4 pushfd ; retf 005Dh 3_2_6F260D0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F28092C push ebp; retf 3_2_6F28092D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F28013B push EC30617Dh; retn 0000h 3_2_6F28014E
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F251F31 LoadLibraryA,GetProcAddress, 0_2_6F251F31
Source: initial sample Static PE information: section name: .text entropy: 6.80010328322

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 3.2.rundll32.exe.6f250000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.31194a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.4238d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.2968d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2dc8d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6f250000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.2c08d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.1088d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.31194a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000003.527385053.0000000002960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.556982674.0000000002DC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.545943062.0000000004230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.528290372.0000000002C00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.878420774.0000000003119000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.560938842.0000000001080000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F27E20C mov eax, dword ptr fs:[00000030h] 0_2_6F27E20C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F27E142 mov eax, dword ptr fs:[00000030h] 0_2_6F27E142
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F27DD49 push dword ptr fs:[00000030h] 0_2_6F27DD49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F27E20C mov eax, dword ptr fs:[00000030h] 3_2_6F27E20C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F27E142 mov eax, dword ptr fs:[00000030h] 3_2_6F27E142
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F27DD49 push dword ptr fs:[00000030h] 3_2_6F27DD49
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F251F31 LoadLibraryA,GetProcAddress, 0_2_6F251F31
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\c3.dll',#1
Source: loaddll32.exe, 00000000.00000002.878132985.00000000016E0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.879301407.0000000003140000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.878132985.00000000016E0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.879301407.0000000003140000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.878132985.00000000016E0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.879301407.0000000003140000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: loaddll32.exe, 00000000.00000002.878132985.00000000016E0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.879301407.0000000003140000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 0_2_6F251566
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 3_2_6F251566
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F25146C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_6F25146C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6F2517A7 SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_6F2517A7

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 3.2.rundll32.exe.6f250000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.31194a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.4238d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.2968d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2dc8d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6f250000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.2c08d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.1088d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.31194a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000003.527385053.0000000002960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.556982674.0000000002DC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.545943062.0000000004230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.528290372.0000000002C00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.878420774.0000000003119000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.560938842.0000000001080000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 3.2.rundll32.exe.6f250000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.31194a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.4238d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.2968d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2dc8d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6f250000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.2c08d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.1088d07.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.31194a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000003.527385053.0000000002960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.556982674.0000000002DC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.545943062.0000000004230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.528290372.0000000002C00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.878420774.0000000003119000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.560938842.0000000001080000.00000040.00000001.sdmp, type: MEMORY
No contacted IP infos