Windows Analysis Report d350000.dll

ID:	500562
Product:	CloudBasic
Start time:	03:49:02
Start date:	12.10.2021
Sample:	d350000.dll
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	92559c7d8999effd8059ce38691a5b08
SHA1:	18fd3c1517996d89d66032d41ac1130eefc396d4
SHA256:	18398ea1aceb888c7cf564088ece01ddf814fff8cdca421312328ef98d3388aa
Filetype:	Win64 Dynamic Link Library (generic) (102004/3) 84.88%

Name	Type	MD5	SHA1	SHA256

AV Detection:

Found malware configuration

Source: d350000.dll

Malware Configuration Extractor: Ursnif {"RSA Public Key": "zwBhS9EXG4wSzAPHZIrWB6YHrz9PLQzX8GBJoOHTrNVk5RNm35NJGHZOtL3P+FOPmytupVYlNLxqIsCPxVGg0S7BHBxVPc+c9XCYMN0GU4mStoXt11C2neZnN/s4N9D0KHruBdqEWlUxoG1xZu3/l3GA6g+z6sOyfECBKCmsR7vBQJoXYxCKYgil/TDhyyBMlmgdL+x5SnxnQC9fvRzaaqMl9gg0WC3n7bBorLCbZnrez2Ru1vgSTuycXovATnjqwPRfzz5ZhOhgTK35VFb6fXEvfMqtJdb27F2Zjdu3Us+MOfpJZa4I8yaUTnwgXADo1ukJmJpQ5nvljHcvz3E+qUS2SBIAqLUyME73bXxMiww=", "c2_domain": ["art.microsoftsofymicrosoftsoft.at", "r23cirt55ysvtdvl.onion", "fop.langoonik.com", "poi.redhatbabby.at", "pop.biopiof.at", "l46t3vgvmtx5wxe6.onion", "v10.avyanok.com", "apr.intoolkom.at", "fgx.dangerboy.at"], "ip_check_url": ["curlmyip.net", "ident.me", "l2.io/ip", "whatismyip.akamai.com"], "serpent_key": "kTOVYpceZWWByuJ0", "server": "580", "sleep_time": "5", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "600", "time_value": "600", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "240", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "240", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "3500", "SetWaitableTimer_value": "60"}

Multi AV Scanner detection for submitted file

Source: d350000.dll

ReversingLabs: Detection: 44%

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Source: Yara match

File source: d350000.dll, type: SAMPLE

E-Banking Fraud:

Yara detected Ursnif

Source: Yara match

File source: d350000.dll, type: SAMPLE

System Summary:

PE file does not import any functions

Source: d350000.dll

Static PE information: No import functions for PE file found

Tries to load missing DLLs

Source: C:\Windows\System32\loaddll64.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: .dll			Jump to behavior

Sample is known by Antivirus

Source: d350000.dll

ReversingLabs: Detection: 44%

PE file has an executable .text section and no other executable section

Source: d350000.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads software policies

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Classification label

Source: classification engine

Classification label: mal64.troj.winDLL@7/0@0/0

Runs a DLL by calling functions

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\d350000.dll,#1

Spawns processes

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\d350000.dll'
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\d350000.dll',#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\d350000.dll,#1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\d350000.dll',#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\d350000.dll',#1			Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\d350000.dll,#1			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\d350000.dll',#1			Jump to behavior

Found GUI installer (many successful clicks)

Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK

PE file has a high image base, often used for DLLs

Source: d350000.dll

Static PE information: Image base 0x180000000 > 0x60000000

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Source: Yara match

File source: d350000.dll, type: SAMPLE

Disables application error messsages (SetErrorMode)

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Checks if the current process is being debugged

Source: C:\Windows\System32\loaddll64.exe

Process queried: DebugPort

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\d350000.dll',#1

Jump to behavior

Stealing of Sensitive Information:

Yara detected Ursnif

Source: Yara match

File source: d350000.dll, type: SAMPLE

Remote Access Functionality:

Yara detected Ursnif

Source: Yara match

File source: d350000.dll, type: SAMPLE