Windows Analysis Report 870000.dll
Overview
General Information
Detection
| Field | Value |
|---|---|
| Score | 72 |
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 100% |
Signatures
Classification
Process Tree
Malware Configuration
Threatname: Ursnif
```json
{
  "RSA Public Key": "cgKNT5f98bcVt4Ua6/spDh3agMYKS9U5XCEAUwqrd6WorohXmUWLK3DTr9KcxGc7XzO+BJHSpcUazVaBbWXWQQrq1DRAPoIVLucrptquDhSQNq7SpoJGVw8bSgl3X1tYlNhzq/3sAsc0T/eM1uD7kTJ+/VUmeTv84go7QrHmegQE7NNfyRvMbqeUIBu7C6gy",
  "c2_domain": ["1.microsoft.com", "horulenuke.us", "vorulenuke.us"],
  "botnet": "4460",
  "server": "12",
  "serpent_key": "10291029JSJUYNHG",
  "sleep_time": "10",
  "CONF_TIMEOUT": "20",
  "SetWaitableTimer_value": "0",
  "dga_base_url": "constitution.org/usdeclar.txt",
  "dga_tld": "com ru org",
  "DGA_count": "10"
}
```
Yara Overview
Initial Sample
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 870000.dll | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
Sigma Overview
No Sigma rule has matched
Jbx Signature Overview
AV Detection:
- Antivirus / Scanner detection for submitted sample (Source: Avira)
- Found malware configuration (Source: Malware Configuration Extractor)
- Multi AV Scanner detection for submitted file (Source: ReversingLabs)
- Source: Static PE information

Key, Mouse, Clipboard, Microphone and Screen Capturing:
- Yara detected Ursnif (Source: File source)

E-Banking Fraud:
- Yara detected Ursnif (Source: File source)
- Source: Static PE information
- Source: Static PE information
- Source: Section loaded
- Source: Section loaded
- Source: Section loaded
- Source: ReversingLabs
- Source: Static PE information
- Source: Key opened
- Source: Classification label
- Source: Process created
- Source: Process created
- Source: Process created
- Source: Process created
- Source: Process created
- Source: Process created

Hooking and other Techniques for Hiding and Protection:
- Yara detected Ursnif (Source: File source)
- Source: Process information set
- Source: Thread injection, dropped files, key value created, disk infection and DNS query
- Source: Thread injection, dropped files, key value created, disk infection and DNS query
- Source: Process queried
- Source: Process created

Stealing of Sensitive Information:
- Yara detected Ursnif (Source: File source)

Remote Access Functionality:
- Yara detected Ursnif (Source: File source)
Mitre Att&ck Matrix
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation | DLL Side-Loading1 | Process Injection11 | Virtualization/Sandbox Evasion1 | OS Credential Dumping | Security Software Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading1 | Rundll321 | LSASS Memory | Virtualization/Sandbox Evasion1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection11 | Security Account Manager | System Information Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | DLL Side-Loading1 | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Behavior Graph
Screenshots
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 870000.dll | 54% | ReversingLabs | Win32.Trojan.AgentAGen | |
| 870000.dll | 100% | Avira | HEUR/AGEN.1108168 | |

Dropped Files
No Antivirus matches

Unpacked PE Files
No Antivirus matches

Domains
No Antivirus matches

URLs
No Antivirus matches
Domains and IPs
General Information
| Field | Value |
|---|---|
| Joe Sandbox Version | 33.0.0 White Diamond |
| Analysis ID | 500332 |
| Start date | 11.10.2021 |
| Start time | 22:58:51 |
| Joe Sandbox Product | CloudBasic |
| Overall analysis duration | 0h 6m 47s |
| Hypervisor based Inspection enabled | false |
| Report type | light |
| Sample file name | 870000.dll |
| Cookbook file name | default.jbs |
| Analysis system description | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of new started processes analysed | 32 |
| Number of new started drivers analysed | 0 |
| Number of existing processes analysed | 0 |
| Number of existing drivers analysed | 0 |
| Number of injected processes analysed | 0 |
| Technologies | |
| Analysis Mode | default |
| Analysis stop reason | Timeout |
| Detection | MAL |
| Classification | mal72.troj.winDLL@5/0@0/0 |
| EGA Information | Failed |
| HDC Information | Failed |
| HCA Information | |
| Cookbook Comments | |
| Warnings | |
Simulations
Behavior and APIs
No simulations

Joe Sandbox View / Context
Created / dropped Files
No created / dropped files found
Static File Info
General
| Field | Value |
|---|---|
| File type | |
| Entropy (8bit) | 6.652177025625302 |
| TrID | |
| File name | 870000.dll |
| File size | 55808 |
| MD5 | 8575bba1d976096af4d2ff153075eeeb |
| SHA1 | 0457b5be90bc81afa6fdf69dafc1914ece904e6f |
| SHA256 | b4e9cf6ef8e62e042d2c7b090d987ae16017c927766e7f1de7b936e0eded1652 |
| SHA512 | 0c944b257abf07871088b65055e498149f36856028dbee5eddd19218bdfe6000b0706c36d49970fb88bf5c901c93d6c3ad1758741b25a6805961d7c7f2ee08be |
| SSDEEP | 1536:KAg+HMQc1WyE5q2qlalXSyW/vqTpfRMB8W:99HMnWyE5q2qlaliqdfRM |
| File Content Preview | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........a..a...a...a.......a.......a....a..a...a..ra...nR..a...nP..a...n...a.......a.......a.......a..Rich.a......................... |

File Icon
| Field | Value |
|---|---|
| Icon Hash | 74f0e4ecccdce0e4 |
Static PE Info
General
| Field | Value |
|---|---|
| Entrypoint | 0x1000a75c |
| Entrypoint Section | .text |
| Digitally signed | false |
| Imagebase | 0x10000000 |
| Subsystem | windows gui |
| Image File Characteristics | 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
| DLL Characteristics | |
| Time Stamp | 0x6075EF24 [Tue Apr 13 19:21:08 2021 UTC] |
| TLS Callbacks | |
| CLR (.Net) Version | |
| OS Version Major | 5 |
| OS Version Minor | 0 |
| File Version Major | 5 |
| File Version Minor | 0 |
| Subsystem Version Major | 5 |
| Subsystem Version Minor | 0 |
| Import Hash | |
Entrypoint Preview
```asm
mov eax, dword ptr [esp+08h]
push esi
xor esi, esi
inc esi
sub eax, 00000000h
je 00007F9DD4D58FD5h
dec eax
jne 00007F9DD4D58FE6h
push 1000D23Ch
call dword ptr [1000C00Ch]
cmp eax, esi
jne 00007F9DD4D58FD7h
push dword ptr [esp+08h]
call 00007F9DD4D5264Ch
test eax, eax
je 00007F9DD4D58FCAh
xor esi, esi
jmp 00007F9DD4D58FC6h
push 1000D23Ch
call dword ptr [1000C010h]
test eax, eax
jne 00007F9DD4D58FB7h
call 00007F9DD4D58E0Ch
mov eax, esi
pop esi
retn 000Ch
mov dword ptr [eax], F1671C89h
ret
int3
jmp dword ptr [1000C13Ch]
push ebx
push esi
mov esi, eax
mov al, byte ptr [esi]
xor ebx, ebx
cmp al, byte ptr [edi+04h]
jc 00007F9DD4D58FB8h
push edi
call 00007F9DD4D521B0h
mov eax, dword ptr [1000D32Ch]
add eax, 40h
push eax
call dword ptr [1000C084h]
mov eax, dword ptr [1000D32Ch]
xor ecx, ecx
add eax, 58h
inc ecx
lock xadd dword ptr [eax], ecx
mov eax, dword ptr [1000D32Ch]
add eax, 40h
push eax
call dword ptr [1000C088h]
mov al, byte ptr [esi]
cmp al, byte ptr [edi+04h]
jnc 00007F9DD4D58FC3h
mov ecx, dword ptr [edi]
movzx eax, al
push dword ptr [ecx+eax*4]
xor eax, eax
call 00007F9DD4D577E4h
mov ebx, eax
mov eax, dword ptr [1000D32Ch]
add eax, 58h
or ecx, FFFFFFFFh
lock xadd dword ptr [eax], ecx
pop esi
mov eax, ebx
pop ebx
ret
push ebp
mov ebp, esp
```
Rich Headers
Programming Language:
Data Directories
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0xcf00 | 0x32 | .rdata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc84c | 0x50 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf000 | 0x750 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0xc000 | 0x144 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xc2c4 | 0xe0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Sections
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0xa513 | 0xa600 | False | 0.581160579819 | data | 6.55174307964 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .rdata | 0xc000 | 0xf32 | 0x1000 | False | 0.457763671875 | data | 4.68281145507 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xd000 | 0x348 | 0x200 | False | 0.53515625 | ARJ archive data, v17, original name: , os: MS-DOS | 3.39122202758 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .bss | 0xe000 | 0xe5a | 0x1000 | False | 0.88427734375 | data | 7.45515503893 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .reloc | 0xf000 | 0x1000 | 0xe00 | False | 0.585379464286 | data | 5.24391900313 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Network Behavior
No network behavior found

Code Manipulations
Statistics
Behavior
System Behavior
General
| Field | Value |
|---|---|
| Start time | 22:59:49 |
| Start date | 11/10/2021 |
| Path | C:\Windows\System32\loaddll32.exe |
| Wow64 process (32bit) | true |
| Commandline | |
| Imagebase | 0x3e0000 |
| File size | 893440 bytes |
| MD5 hash | 72FCD8FB0ADC38ED9050569AD673650E |
| Has elevated privileges | true |
| Has administrator privileges | true |
| Programmed in | C, C++ or other language |
| Reputation | moderate |

General
| Field | Value |
|---|---|
| Start time | 22:59:50 |
| Start date | 11/10/2021 |
| Path | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit) | true |
| Commandline | |
| Imagebase | 0x150000 |
| File size | 232960 bytes |
| MD5 hash | F3BDBE3BB6F734E357235F4D5898582D |
| Has elevated privileges | true |
| Has administrator privileges | true |
| Programmed in | C, C++ or other language |
| Reputation | high |

General
| Field | Value |
|---|---|
| Start time | 22:59:50 |
| Start date | 11/10/2021 |
| Path | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit) | true |
| Commandline | |
| Imagebase | 0xf90000 |
| File size | 61952 bytes |
| MD5 hash | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
| Has elevated privileges | true |
| Has administrator privileges | true |
| Programmed in | C, C++ or other language |
| Reputation | high |
Disassembly
Code Analysis