
Windows Analysis Report 28b452d0000.dll

Overview

General Information

Sample Name: 28b452d0000.dll
Analysis ID: 524446
MD5: 45d602c1878edac953ecfae4c1e059fe
SHA1: 2f9606697894ee86d605cd4abafb74b60fed676b
SHA256: c621297f4361a727f803ad31bfb7388f45af5a9e5c7b6237d1492c23e1f8991f
Tags: exegozi

Detection

Ursnif
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Ursnif
PE file does not import any functions
Tries to load missing DLLs
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)
Checks if the current process is being debugged

Classification

Process Tree

  • System is w10x64
  • loaddll64.exe (PID: 4068 cmdline: loaddll64.exe "C:\Users\user\Desktop\28b452d0000.dll" MD5: E0CC9D126C39A9D2FA1CAD5027EBBD18)
    • cmd.exe (PID: 5392 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\28b452d0000.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 5800 cmdline: rundll32.exe "C:\Users\user\Desktop\28b452d0000.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6360 cmdline: rundll32.exe C:\Users\user\Desktop\28b452d0000.dll,#1 MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "YOKfuXyqdgHv95/1BC89q+2AtY47vYuaG5OtZJ8d6O6ochD7W6siPV2JrKeda84QkxbQO+VVfipAiJGPSLyuH5PBTp1YXEqe08AR6gPZo6msmG0AdzSZu04lMBJ6s9dvrfX21tvvbQCrAm9rEoH2LTGMGxwb6GrRlYPojaXCgymjHF8+Wxs+ywNU1vDh20U5572KvOpHGtuDRZW9YnPHdsBHMITSJSbHFvMPwL6X4nog3m+qn/5iuA2C1SS5z5hMdEXbPPoNMy/yM43jrMrHJvwhw/1S/Bic2SpzCRK1QjeERTBPIZgKrE7S6grdequ0fzjD0bO1k1U5WZrLvAlUH/of13KSH7yIqc66k8zdL1k=", "c2_domain": ["art.microsoftsofymicrosoftsoft.at", "r23cirt55ysvtdvl.onion", "fop.langoonik.com", "poi.redhatbabby.at", "pop.biopiof.at", "l46t3vgvmtx5wxe6.onion", "v10.avyanok.com", "apr.intoolkom.at", "fgx.dangerboy.at"], "ip_check_url": ["curlmyip.net", "ident.me", "l2.io/ip", "whatismyip.akamai.com"], "serpent_key": "rQH4gusjF0tL2dQz", "server": "580", "sleep_time": "5", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "600", "time_value": "600", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "240", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "240", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "2500", "SetWaitableTimer_value": "60"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
28b452d0000.dll | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 28b452d0000.dll | Malware Configuration Extractor: Ursnif {"RSA Public Key": "YOKfuXyqdgHv95/1BC89q+2AtY47vYuaG5OtZJ8d6O6ochD7W6siPV2JrKeda84QkxbQO+VVfipAiJGPSLyuH5PBTp1YXEqe08AR6gPZo6msmG0AdzSZu04lMBJ6s9dvrfX21tvvbQCrAm9rEoH2LTGMGxwb6GrRlYPojaXCgymjHF8+Wxs+ywNU1vDh20U5572KvOpHGtuDRZW9YnPHdsBHMITSJSbHFvMPwL6X4nog3m+qn/5iuA2C1SS5z5hMdEXbPPoNMy/yM43jrMrHJvwhw/1S/Bic2SpzCRK1QjeERTBPIZgKrE7S6grdequ0fzjD0bO1k1U5WZrLvAlUH/of13KSH7yIqc66k8zdL1k=", "c2_domain": ["art.microsoftsofymicrosoftsoft.at", "r23cirt55ysvtdvl.onion", "fop.langoonik.com", "poi.redhatbabby.at", "pop.biopiof.at", "l46t3vgvmtx5wxe6.onion", "v10.avyanok.com", "apr.intoolkom.at", "fgx.dangerboy.at"], "ip_check_url": ["curlmyip.net", "ident.me", "l2.io/ip", "whatismyip.akamai.com"], "serpent_key": "rQH4gusjF0tL2dQz", "server": "580", "sleep_time": "5", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "600", "time_value": "600", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "240", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "240", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "2500", "SetWaitableTimer_value": "60"}

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 28b452d0000.dll, type: SAMPLE

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 28b452d0000.dll, type: SAMPLE
Source: 28b452d0000.dll | Static PE information: No import functions for PE file found
Source: C:\Windows\System32\loaddll64.exe | Section loaded: .dll
Source: 28b452d0000.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine | Classification label: mal56.troj.winDLL@7/0@0/0
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\28b452d0000.dll"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\28b452d0000.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\28b452d0000.dll,#1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\28b452d0000.dll",#1
Source: C:\Windows\System32\rundll32.exe | Automated click: OK
Source: C:\Windows\System32\rundll32.exe | Automated click: OK
Source: 28b452d0000.dll | Static PE information: Image base 0x180000000 > 0x60000000

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 28b452d0000.dll, type: SAMPLE
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll64.exe | Process queried: DebugPort
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\28b452d0000.dll",#1

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File source: 28b452d0000.dll, type: SAMPLE

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match | File source: 28b452d0000.dll, type: SAMPLE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | DLL Side-Loading 1 | Process Injection 11 | Virtualization/Sandbox Evasion 1 | OS Credential Dumping | Security Software Discovery 1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading 1 | Rundll32 1 | LSASS Memory | Virtualization/Sandbox Evasion 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 11 | Security Account Manager | System Information Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | DLL Side-Loading 1 | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud

Behavior Graph

[Behavior graph image not reproduced. Recoverable details: Behavior Graph ID: 524446; Sample: 28b452d0000.dll; Startdate: 18/11/2021; Architecture: WINDOWS; Score: 56. Signatures on the graph: Found malware configuration; Yara detected Ursnif. Process chain: loaddll64.exe started cmd.exe and rundll32.exe; cmd.exe started rundll32.exe.]
