Loading ...

Play interactive tourEdit tour

Windows Analysis Report 870000.dll

Overview

General Information

Sample Name:870000.dll
Analysis ID:500332
MD5:8575bba1d976096af4d2ff153075eeeb
SHA1:0457b5be90bc81afa6fdf69dafc1914ece904e6f
SHA256:b4e9cf6ef8e62e042d2c7b090d987ae16017c927766e7f1de7b936e0eded1652
Tags:dllgozi
Infos:

Most interesting Screenshot:

Detection

Ursnif
Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Uses 32bit PE files
PE file does not import any functions
Tries to load missing DLLs
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)
Checks if the current process is being debugged

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 5032 cmdline: loaddll32.exe 'C:\Users\user\Desktop\870000.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 3492 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\870000.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 4664 cmdline: rundll32.exe 'C:\Users\user\Desktop\870000.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "cgKNT5f98bcVt4Ua6/spDh3agMYKS9U5XCEAUwqrd6WorohXmUWLK3DTr9KcxGc7XzO+BJHSpcUazVaBbWXWQQrq1DRAPoIVLucrptquDhSQNq7SpoJGVw8bSgl3X1tYlNhzq/3sAsc0T/eM1uD7kTJ+/VUmeTv84go7QrHmegQE7NNfyRvMbqeUIBu7C6gy", "c2_domain": ["1.microsoft.com", "horulenuke.us", "vorulenuke.us"], "botnet": "4460", "server": "12", "serpent_key": "10291029JSJUYNHG", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
870000.dllJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Antivirus / Scanner detection for submitted sampleShow sources
    Source: 870000.dllAvira: detected
    Found malware configurationShow sources
    Source: 870000.dllMalware Configuration Extractor: Ursnif {"RSA Public Key": "cgKNT5f98bcVt4Ua6/spDh3agMYKS9U5XCEAUwqrd6WorohXmUWLK3DTr9KcxGc7XzO+BJHSpcUazVaBbWXWQQrq1DRAPoIVLucrptquDhSQNq7SpoJGVw8bSgl3X1tYlNhzq/3sAsc0T/eM1uD7kTJ+/VUmeTv84go7QrHmegQE7NNfyRvMbqeUIBu7C6gy", "c2_domain": ["1.microsoft.com", "horulenuke.us", "vorulenuke.us"], "botnet": "4460", "server": "12", "serpent_key": "10291029JSJUYNHG", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}
    Multi AV Scanner detection for submitted fileShow sources
    Source: 870000.dllReversingLabs: Detection: 53%
    Source: 870000.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

    Key, Mouse, Clipboard, Microphone and Screen Capturing:

    barindex
    Yara detected UrsnifShow sources
    Source: Yara matchFile source: 870000.dll, type: SAMPLE

    E-Banking Fraud:

    barindex
    Yara detected UrsnifShow sources
    Source: Yara matchFile source: 870000.dll, type: SAMPLE
    Source: 870000.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
    Source: 870000.dllStatic PE information: No import functions for PE file found
    Source: C:\Windows\System32\loaddll32.exeSection loaded: .dll
    Source: C:\Windows\System32\loaddll32.exeSection loaded: .dll
    Source: C:\Windows\System32\loaddll32.exeSection loaded: .dll
    Source: 870000.dllReversingLabs: Detection: 53%
    Source: 870000.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: classification engineClassification label: mal72.troj.winDLL@5/0@0/0
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\870000.dll',#1
    Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\870000.dll'
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\870000.dll',#1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\870000.dll',#1
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\870000.dll',#1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\870000.dll',#1

    Hooking and other Techniques for Hiding and Protection:

    barindex
    Yara detected UrsnifShow sources
    Source: Yara matchFile source: 870000.dll, type: SAMPLE
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Windows\System32\loaddll32.exeProcess queried: DebugPort
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\870000.dll',#1

    Stealing of Sensitive Information:

    barindex
    Yara detected UrsnifShow sources
    Source: Yara matchFile source: 870000.dll, type: SAMPLE

    Remote Access Functionality:

    barindex
    Yara detected UrsnifShow sources
    Source: Yara matchFile source: 870000.dll, type: SAMPLE

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationDLL Side-Loading1Process Injection11Virtualization/Sandbox Evasion1OS Credential DumpingSecurity Software Discovery1Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsDLL Side-Loading1Rundll321LSASS MemoryVirtualization/Sandbox Evasion1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Process Injection11Security Account ManagerSystem Information Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)DLL Side-Loading1NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    behaviorgraph top1 signatures2 2 Behavior Graph ID: 500332 Sample: 870000.dll Startdate: 11/10/2021 Architecture: WINDOWS Score: 72 13 Found malware configuration 2->13 15 Antivirus / Scanner detection for submitted sample 2->15 17 Multi AV Scanner detection for submitted file 2->17 19 Yara detected  Ursnif 2->19 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        process5 11 rundll32.exe 9->11         started       

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.

    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    870000.dll54%ReversingLabsWin32.Trojan.AgentAGen
    870000.dll100%AviraHEUR/AGEN.1108168

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version:33.0.0 White Diamond
    Analysis ID:500332
    Start date:11.10.2021
    Start time:22:58:51
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 6m 47s
    Hypervisor based Inspection enabled:false
    Report type:light
    Sample file name:870000.dll
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of analysed new started processes analysed:32
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal72.troj.winDLL@5/0@0/0
    EGA Information:Failed
    HDC Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .dll
    • Override analysis time to 240s for rundll32
    Warnings:
    Show All
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
    • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 20.50.102.62, 95.100.218.79, 95.100.216.89, 20.199.120.151, 52.139.176.199, 20.199.120.85, 40.112.88.60, 2.20.178.24, 2.20.178.18, 20.54.110.249
    • Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, client.wns.windows.com, fs.microsoft.com, iris-de-prod-azsc-eas.eastasia.cloudapp.azure.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
    • Not all processes where analyzed, report is missing behavior information
    • VT rate limit hit for: /opt/package/joesandbox/database/analysis/500332/sample/870000.dll

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    No created / dropped files found

    Static File Info

    General

    File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Entropy (8bit):6.652177025625302
    TrID:
    • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
    • Generic Win/DOS Executable (2004/3) 0.20%
    • DOS Executable Generic (2002/1) 0.20%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:870000.dll
    File size:55808
    MD5:8575bba1d976096af4d2ff153075eeeb
    SHA1:0457b5be90bc81afa6fdf69dafc1914ece904e6f
    SHA256:b4e9cf6ef8e62e042d2c7b090d987ae16017c927766e7f1de7b936e0eded1652
    SHA512:0c944b257abf07871088b65055e498149f36856028dbee5eddd19218bdfe6000b0706c36d49970fb88bf5c901c93d6c3ad1758741b25a6805961d7c7f2ee08be
    SSDEEP:1536:KAg+HMQc1WyE5q2qlalXSyW/vqTpfRMB8W:99HMnWyE5q2qlaliqdfRM
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........a..a...a...a.......a.......a....a..a...a..ra...nR..a...nP..a...n...a.......a.......a.......a..Rich.a.........................

    File Icon

    Icon Hash:74f0e4ecccdce0e4

    Static PE Info

    General

    Entrypoint:0x1000a75c
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x10000000
    Subsystem:windows gui
    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
    DLL Characteristics:
    Time Stamp:0x6075EF24 [Tue Apr 13 19:21:08 2021 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:5
    OS Version Minor:0
    File Version Major:5
    File Version Minor:0
    Subsystem Version Major:5
    Subsystem Version Minor:0
    Import Hash:

    Entrypoint Preview

    Instruction
    mov eax, dword ptr [esp+08h]
    push esi
    xor esi, esi
    inc esi
    sub eax, 00000000h
    je 00007F9DD4D58FD5h
    dec eax
    jne 00007F9DD4D58FE6h
    push 1000D23Ch
    call dword ptr [1000C00Ch]
    cmp eax, esi
    jne 00007F9DD4D58FD7h
    push dword ptr [esp+08h]
    call 00007F9DD4D5264Ch
    test eax, eax
    je 00007F9DD4D58FCAh
    xor esi, esi
    jmp 00007F9DD4D58FC6h
    push 1000D23Ch
    call dword ptr [1000C010h]
    test eax, eax
    jne 00007F9DD4D58FB7h
    call 00007F9DD4D58E0Ch
    mov eax, esi
    pop esi
    retn 000Ch
    mov dword ptr [eax], F1671C89h
    ret
    int3
    jmp dword ptr [1000C13Ch]
    push ebx
    push esi
    mov esi, eax
    mov al, byte ptr [esi]
    xor ebx, ebx
    cmp al, byte ptr [edi+04h]
    jc 00007F9DD4D58FB8h
    push edi
    call 00007F9DD4D521B0h
    mov eax, dword ptr [1000D32Ch]
    add eax, 40h
    push eax
    call dword ptr [1000C084h]
    mov eax, dword ptr [1000D32Ch]
    xor ecx, ecx
    add eax, 58h
    inc ecx
    lock xadd dword ptr [eax], ecx
    mov eax, dword ptr [1000D32Ch]
    add eax, 40h
    push eax
    call dword ptr [1000C088h]
    mov al, byte ptr [esi]
    cmp al, byte ptr [edi+04h]
    jnc 00007F9DD4D58FC3h
    mov ecx, dword ptr [edi]
    movzx eax, al
    push dword ptr [ecx+eax*4]
    xor eax, eax
    call 00007F9DD4D577E4h
    mov ebx, eax
    mov eax, dword ptr [1000D32Ch]
    add eax, 58h
    or ecx, FFFFFFFFh
    lock xadd dword ptr [eax], ecx
    pop esi
    mov eax, ebx
    pop ebx
    ret
    push ebp
    mov ebp, esp

    Rich Headers

    Programming Language:
    • [ASM] VS2008 SP1 build 30729
    • [LNK] VS2008 SP1 build 30729
    • [C++] VS2005 build 50727
    • [IMP] VS2008 SP1 build 30729
    • [EXP] VS2008 SP1 build 30729

    Data Directories

    NameVirtual AddressVirtual Size Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT0xcf000x32.rdata
    IMAGE_DIRECTORY_ENTRY_IMPORT0xc84c0x50.rdata
    IMAGE_DIRECTORY_ENTRY_RESOURCE0x00x0
    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
    IMAGE_DIRECTORY_ENTRY_BASERELOC0xf0000x750.reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_IAT0xc0000x144.rdata
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0xc2c40xe0.rdata
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

    Sections

    NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
    .text0x10000xa5130xa600False0.581160579819data6.55174307964IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    .rdata0xc0000xf320x1000False0.457763671875data4.68281145507IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .data0xd0000x3480x200False0.53515625ARJ archive data, v17, original name: , os: MS-DOS3.39122202758IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
    .bss0xe0000xe5a0x1000False0.88427734375data7.45515503893IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
    .reloc0xf0000x10000xe00False0.585379464286data5.24391900313IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

    Network Behavior

    No network behavior found

    Code Manipulations

    Statistics

    Behavior

    Click to jump to process

    System Behavior

    General

    Start time:22:59:49
    Start date:11/10/2021
    Path:C:\Windows\System32\loaddll32.exe
    Wow64 process (32bit):true
    Commandline:loaddll32.exe 'C:\Users\user\Desktop\870000.dll'
    Imagebase:0x3e0000
    File size:893440 bytes
    MD5 hash:72FCD8FB0ADC38ED9050569AD673650E
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate

    General

    Start time:22:59:50
    Start date:11/10/2021
    Path:C:\Windows\SysWOW64\cmd.exe
    Wow64 process (32bit):true
    Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\870000.dll',#1
    Imagebase:0x150000
    File size:232960 bytes
    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    General

    Start time:22:59:50
    Start date:11/10/2021
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe 'C:\Users\user\Desktop\870000.dll',#1
    Imagebase:0xf90000
    File size:61952 bytes
    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    Disassembly

    Code Analysis

    Reset < >