Windows Analysis Report 61766fc85163a.dll

Overview

General Information

Sample Name: 61766fc85163a.dll
Analysis ID: 508544
MD5: 5ba43bc79bff74cc56919f7fd053a284
SHA1: 49256e2887cab7474a3231b289bd86773f971c16
SHA256: 876666a6f9230b86577eedc94fa30f808e8e4aecce1d054131b757cfd8270989
Tags: DHL, dll, Gozi, ISFB, ITA, ursnif

Detection

Ursnif
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Rundll32 performs DNS lookup (likely malicious behavior)
Writes registry values via WMI
Uses 32bit PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Queries the installation date of Windows
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Sample file name differs from the original file name in its version info
Contains functionality to read the PEB
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 0.2.loaddll32.exe.2c80000.0.unpack Malware Configuration Extractor: Ursnif {"RSA Public Key": "YO6EupUXQQEIZWr1HZwHqwbuf45UKlaaNAB4ZLiKsu7B39r6dBjtPHb2dqe22JgQrIOaO/7CSCpZ9VuPYSl5H6wuGZ1xyRSe7C3c6RxGbqnFBTgAkKFju2eS+hGTIKJvxmLB1vRcOADEbzlrK+7ALUr55Rs0VTXRrvCyjb4vTim8iSk+dIgIyxzBoPD6SBA5ACtVvAO15Nqcsl+9e+CRdtm0+oPrkvDGL2Dav9cErXo5SzqquGstuCbvnyTSPGNMjbKlPBN7/S4LoVfjxTeSJhWPjf1raeOb8pc9CSsiDTedsvpOOgXVq2c/tQr253W0mKWN0cwiXlVSxmTL1XYeHxONoXKrjIaIwjuFk+VK+lg=", "c2_domain": ["fx.rhinobuff.com", "fio.linosheart.com"], "botnet": "2500", "server": "580", "serpent_key": "GgxKJL0zm4HBTHpK", "sleep_time": "5", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "1"}

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02C83FAB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 0_2_02C83FAB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02683FAB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 3_2_02683FAB

Compliance:

Uses 32bit PE files
Source: 61766fc85163a.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: 61766fc85163a.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\939\Charge\Sense\Young\Self.pdb source: loaddll32.exe, 00000000.00000002.826085612.000000006EA6C000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.827483917.000000006EA6C000.00000002.00020000.sdmp, 61766fc85163a.dll

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: fio.linosheart.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: fx.rhinobuff.com
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown DNS traffic detected: query: fx.rhinobuff.com reply code: Name error (3)
Source: unknown DNS traffic detected: query: fio.linosheart.com reply code: Name error (3)
Source: loaddll32.exe, 00000000.00000003.803353466.00000000013F5000.00000004.00000001.sdmp String found in binary or memory: http://fx.rhinobuff.com/_2B_2FM0h60XP/tUM8FmL2/KIja2Ms5a3v6Lq_2Fudl59W/vfBorXE8AA/UUluHYFitiWcdJQtC/
Source: loaddll32.exe, 00000000.00000003.631196087.00000000013F5000.00000004.00000001.sdmp String found in binary or memory: http://fx.rhinobuff.com/x0ylueFuXgrpB3WJj/TF7mv4QreQVW/NyZwfSNmEuc/QVDm3PVK85XSch/TwihngzLYMfTath4pJ
Source: unknown DNS traffic detected: queries for: fx.rhinobuff.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.457883512.0000000003BF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.448559940.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.448597664.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.458003992.0000000003BF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.457844986.0000000003BF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.448496716.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.457961241.0000000003BF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.457926996.0000000003BF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.448462306.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.457986489.0000000003BF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.825811764.0000000003BF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.448582889.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.448524349.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.448420040.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.826711993.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.458017733.0000000003BF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.457907127.0000000003BF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.448613025.0000000004F68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5276, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5692, type: MEMORYSTR
Source: Yara match File source: 2.3.rundll32.exe.2c68c9b.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.3268c9b.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.45394a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2c80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.2658c9b.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.45394a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.31f94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.31f94a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.2c48c9b.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.5280000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.51694a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.4c88c9b.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e9f0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.2680000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6e9f0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.51694a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000003.401727363.0000000002C60000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.420035815.0000000002C40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.401325815.0000000002650000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.417864132.0000000004C80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.449697132.0000000005169000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.826309234.0000000004539000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.413516631.0000000003260000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.825738430.00000000031F9000.00000004.00000040.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Rundll32 performs DNS lookup (likely malicious behavior)
Source: C:\Windows\SysWOW64\rundll32.exe DNS query: name: fx.rhinobuff.com
Source: C:\Windows\SysWOW64\rundll32.exe DNS query: name: fio.linosheart.com
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9F2274 0_2_6E9F2274
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02C82654 0_2_02C82654
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02C87E30 0_2_02C87E30
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02C84FA7 0_2_02C84FA7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA41EE0 0_2_6EA41EE0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA48E07 0_2_6EA48E07
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA56E61 0_2_6EA56E61
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA34DC0 0_2_6EA34DC0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA31D72 0_2_6EA31D72
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA4E8BB 0_2_6EA4E8BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02682654 3_2_02682654
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02687E30 3_2_02687E30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02684FA7 3_2_02684FA7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA41EE0 3_2_6EA41EE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA56E61 3_2_6EA56E61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA34DC0 3_2_6EA34DC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA31D72 3_2_6EA31D72
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA4E8BB 3_2_6EA4E8BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_05284FA7 6_2_05284FA7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_05287E30 6_2_05287E30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_05282654 6_2_05282654
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6EA31211 appears 86 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6EA31211 appears 86 times
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9F121F NtMapViewOfSection, 0_2_6E9F121F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9F1A1C SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_6E9F1A1C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9F2013 GetProcAddress,NtCreateSection,memset, 0_2_6E9F2013
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9F2495 NtQueryVirtualMemory, 0_2_6E9F2495
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02C822EC NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_02C822EC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02C88055 NtQueryVirtualMemory, 0_2_02C88055
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_026822EC NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 3_2_026822EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02688055 NtQueryVirtualMemory, 3_2_02688055
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_052822EC NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 6_2_052822EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_05288055 NtQueryVirtualMemory, 6_2_05288055
Sample file name differs from the original file name in its version info
Source: 61766fc85163a.dll Binary or memory string: OriginalFilenameSelf.dllD vs 61766fc85163a.dll
Source: 61766fc85163a.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\61766fc85163a.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\61766fc85163a.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\61766fc85163a.dll,Cow
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\61766fc85163a.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\61766fc85163a.dll,Fishdark
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\61766fc85163a.dll,Multiplyboat
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: classification engine Classification label: mal84.troj.evad.winDLL@11/0@19/1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02C811B8 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_02C811B8
Source: 61766fc85163a.dll Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: loaddll32.exe String found in binary or memory: tHomePremium~31bf3856ad364e35~x86~~6.1.7601.17514" update="Server-Help-Package.ClientHomePremium-Update"/> <Stage pac
Source: loaddll32.exe String found in binary or memory: 6~~6.1.7601.17514" update="CoreClientHomePremium"/> <Stage package="Microsoft-Windows-Help-CoreClientUAHP-Package~31b
Source: loaddll32.exe String found in binary or memory: osoft-Windows-Help-CoreClientUAPS-Package~31bf3856ad364e35~x86~~6.1.7601.17514" update="CoreClientBusiness"/> <Stage
Source: loaddll32.exe String found in binary or memory: <Stage package="Server-Help-Package.ClientProfessional~31bf3856ad364e35~x86~~6.1.7601.17514" update="Server-Help-Pac
Source: loaddll32.exe String found in binary or memory: 601.17514" update="BHPC Namespace"/> <Stage package="Microsoft-Windows-Help-CoreClientUAHP-Package~31bf3856ad364e35~x
Source: loaddll32.exe String found in binary or memory: 3856ad364e35~x86~~6.1.7601.17514" update="CoreClientCollectionHomePremium"/> <Stage package="Server-Help-Package.Clie
Source: loaddll32.exe String found in binary or memory: ackage="Microsoft-Windows-Help-CoreClientUAPS-Package~31bf3856ad364e35~x86~~6.1.7601.17514" update="CoreClientCollectionBusiness"/
Source: rundll32.exe String found in binary or memory: tHomePremium~31bf3856ad364e35~x86~~6.1.7601.17514" update="Server-Help-Package.ClientHomePremium-Update"/> <Stage pac
Source: rundll32.exe String found in binary or memory: 6~~6.1.7601.17514" update="CoreClientHomePremium"/> <Stage package="Microsoft-Windows-Help-CoreClientUAHP-Package~31b
Source: rundll32.exe String found in binary or memory: osoft-Windows-Help-CoreClientUAPS-Package~31bf3856ad364e35~x86~~6.1.7601.17514" update="CoreClientBusiness"/> <Stage
Source: rundll32.exe String found in binary or memory: <Stage package="Server-Help-Package.ClientProfessional~31bf3856ad364e35~x86~~6.1.7601.17514" update="Server-Help-Pac
Source: rundll32.exe String found in binary or memory: 601.17514" update="BHPC Namespace"/> <Stage package="Microsoft-Windows-Help-CoreClientUAHP-Package~31bf3856ad364e35~x
Source: rundll32.exe String found in binary or memory: 3856ad364e35~x86~~6.1.7601.17514" update="CoreClientCollectionHomePremium"/> <Stage package="Server-Help-Package.Clie
Source: rundll32.exe String found in binary or memory: ackage="Microsoft-Windows-Help-CoreClientUAPS-Package~31bf3856ad364e35~x86~~6.1.7601.17514" update="CoreClientCollectionBusiness"/
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: 61766fc85163a.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 61766fc85163a.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 61766fc85163a.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 61766fc85163a.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 61766fc85163a.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 61766fc85163a.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 61766fc85163a.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 61766fc85163a.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 61766fc85163a.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 61766fc85163a.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 61766fc85163a.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9F2210 push ecx; ret 0_2_6E9F2219
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9F2263 push ecx; ret 0_2_6E9F2273
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02C87AB0 push ecx; ret 0_2_02C87AB9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02C87E1F push ecx; ret 0_2_02C87E2F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA317F6 push ecx; ret 0_2_6EA31809
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA311DA push ecx; ret 0_2_6EA311ED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02687E1F push ecx; ret 3_2_02687E2F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02687AB0 push ecx; ret 3_2_02687AB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA317F6 push ecx; ret 3_2_6EA31809
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA311DA push ecx; ret 3_2_6EA311ED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_05287E1F push ecx; ret 6_2_05287E2F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_05287AB0 push ecx; ret 6_2_05287AB9
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9F1552 LoadLibraryA,GetProcAddress, 0_2_6E9F1552

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA3C7F4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6EA3C7F4
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9F1552 LoadLibraryA,GetProcAddress, 0_2_6E9F1552
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA50329 mov eax, dword ptr fs:[00000030h] 0_2_6EA50329
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA950A2 mov eax, dword ptr fs:[00000030h] 0_2_6EA950A2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA94F72 mov eax, dword ptr fs:[00000030h] 0_2_6EA94F72
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA94C7D push dword ptr fs:[00000030h] 0_2_6EA94C7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA50329 mov eax, dword ptr fs:[00000030h] 3_2_6EA50329
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA950A2 mov eax, dword ptr fs:[00000030h] 3_2_6EA950A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA94C7D push dword ptr fs:[00000030h] 3_2_6EA94C7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA94F72 mov eax, dword ptr fs:[00000030h] 3_2_6EA94F72
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA3C7F4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6EA3C7F4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA3180B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6EA3180B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA3C7F4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6EA3C7F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA3180B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6EA3180B

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: fio.linosheart.com
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: fx.rhinobuff.com
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\61766fc85163a.dll',#1
Source: loaddll32.exe, 00000000.00000002.825439439.0000000001820000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.826048701.0000000002C50000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.825439439.0000000001820000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.826048701.0000000002C50000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.825439439.0000000001820000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.826048701.0000000002C50000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.825439439.0000000001820000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.826048701.0000000002C50000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 0_2_6E9F105E
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_6EA5FEF2
Source: C:\Windows\System32\loaddll32.exe Code function: ___crtGetLocaleInfoEx, 0_2_6EA2FF3A
Source: C:\Windows\System32\loaddll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_6EA5F770
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6EA55F52
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6EA55581
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6EA305D1
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6EA5FAEC
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6EA5FA51
Source: C:\Windows\System32\loaddll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_6EA600C6
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6EA5F9E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_6EA5FEF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoEx, 3_2_6EA2FF3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 3_2_6EA5F770
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6EA55F52
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6EA55581
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6EA305D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6EA5FAEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6EA5FA51
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_6EA600C6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6EA5F9E8
Queries the installation date of Windows
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02C82E33 cpuid 0_2_02C82E33
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9F109B GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_6E9F109B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6EA5B6BE _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_6EA5B6BE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9F1C6F CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_6E9F1C6F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02C82E33 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 0_2_02C82E33

Stealing of Sensitive Information:

Yara detected Ursnif

Remote Access Functionality:

Yara detected Ursnif