Windows Analysis Report Rats4dIOmA.exe

Overview

General Information

Sample Name: Rats4dIOmA.exe
Analysis ID: 528071
MD5: 76a29095e02a151adc1f42ec844a65bd
SHA1: afd4593a0e709a11296556d5b1fb1833bb394c4d
SHA256: c26838865c476704101363c16c535dfae494dedadae972c0377c4f67669578b5
Tags: exe, Gozi

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected Ursnif
Detected unpacking (changes PE section rights)
Writes or reads registry keys via WMI
Machine Learning detection for sample
Writes registry values via WMI
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
PE file contains strange resources
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.517164137.0000000001FE0000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"RSA Public Key": "dm+RfNkITE5FceWriGPYkZaFfoP/k2XQ2jeLd8rNgFw6gJ6fNWsHd0U6akxsQHth/SBWm4/eMI9Y1qgwNJteasgQsUC7Ht20y96mIxH1hvPh9uvLSH5z2CNo+fcP8K+V0yoOOQzDln/qE7mMJHLu+rmogHE7S6lb7FVy/7xxrRe3zMDt5K9bDwOreWw0blGE", "c2_domain": ["yahoo.com", "soderunovos.website", "qoderunovos.website", "https://soderunovos.website", "https://qoderunovos.website"], "botnet": "4482", "server": "12", "serpent_key": "10291029JSJUYNHG", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}
Multi AV Scanner detection for submitted file
Source: Rats4dIOmA.exe Metadefender: Detection: 22%
Source: Rats4dIOmA.exe ReversingLabs: Detection: 45%
Machine Learning detection for sample
Source: Rats4dIOmA.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.Rats4dIOmA.exe.1fe0e50.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.Rats4dIOmA.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen7
Source: 0.3.Rats4dIOmA.exe.3bf0000.0.unpack Avira: Label: TR/Patched.Ren.Gen

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Unpacked PE file: 0.2.Rats4dIOmA.exe.400000.0.unpack
Uses 32bit PE files
Source: Rats4dIOmA.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\Rats4dIOmA.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 74.6.143.26:443 -> 192.168.2.5:49762 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.100.216:443 -> 192.168.2.5:49763 version: TLS 1.2
Source: Binary string: C:\sax\w.pdb source: Rats4dIOmA.exe
Source: Binary string: C:\sax\w.pdbP+C source: Rats4dIOmA.exe

Networking:

JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 74.6.143.26 74.6.143.26
Source: Joe Sandbox View IP Address: 87.248.100.216 87.248.100.216
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /jdraw/hz1bq3PmtqtDPcpAxd/_2FGYs9V_/2BcaIfj8lzbe6dwp1S50/qnf1CtPsO2EGsTOGBt0/TpQo4OHaLh1DZAzOHIElg2/LmJhngmT2kJ_2/FHuNwneH/Olki6SGkOhEdHnRV6_2B266/I71jLcWlaJ/WAM1n0wLbM0TzOock/J5o_2ByTSV9y/SAhEyWB5DMB/4lW4ok5N/nAsrN2WO_/2Fjc4.crw HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: yahoo.com
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /jdraw/hz1bq3PmtqtDPcpAxd/_2FGYs9V_/2BcaIfj8lzbe6dwp1S50/qnf1CtPsO2EGsTOGBt0/TpQo4OHaLh1DZAzOHIElg2/LmJhngmT2kJ_2/FHuNwneH/Olki6SGkOhEdHnRV6_2B266/I71jLcWlaJ/WAM1n0wLbM0TzOock/J5o_2ByTSV9y/SAhEyWB5DMB/4lW4ok5N/nAsrN2WO_/2Fjc4.crw HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Connection: Keep-Alive
  Cache-Control: no-cache
  Host: www.yahoo.com
  Cookie: B=b5jn619gpst97&b=3&s=c6
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
  date: Wed, 24 Nov 2021 17:23:51 GMT
  p3p: policyref="https://policies.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
  cache-control: private
  x-content-type-options: nosniff
  content-type: text/html; charset=UTF-8
  x-envoy-upstream-service-time: 9
  server: ATS
  Age: 0
  Transfer-Encoding: chunked
  Connection: close
  Strict-Transport-Security: max-age=31536000
  Content-Security-Policy: frame-ancestors 'self' https://*.builtbygirls.com https://*.rivals.com https://*.engadget.com https://*.intheknow.com https://*.autoblog.com https://*.techcrunch.com https://*.yahoo.com https://*.aol.com https://*.huffingtonpost.com https://*.oath.com https://*.search.yahoo.com https://*.search.aol.com https://*.search.huffpost.com https://*.verizonmedia.com https://*.publishing.oath.com https://*.autoblog.com; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-popups-to-escape-sandbox allow-presentation; report-uri https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lang=en-US&device=desktop&yrid=cc01o4tgpst97&partner=;
  X-Frame-Options: SAMEORIGIN
  X-XSS-Protection: 1; mode=block
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000003.309800668.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000003.309794637.00000000021A6000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000003.310611526.00000000021F3000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp String found in binary or memory: *.www.yahoo.com equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000003.309800668.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000003.309794637.00000000021A6000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp String found in binary or memory: *.www.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp String found in binary or memory: +www.yahoo.com=- equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp String found in binary or memory: +www.yahoo.comS- equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp String found in binary or memory: <noscript><META http-equiv="refresh" content="0;URL='https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fhz1bq3PmtqtDPcpAxd%2f_2FGYs9V_%2f2BcaIfj8lzbe6dwp1S50%2fqnf1CtPsO2EGsTOGBt0%2fTpQo4OHaLh1DZAzOHIElg2%2fLmJhngmT2kJ_2%2fFHuNwneH%2fOlki6SGkOhEdHnRV6_2B266%2fI71jLcWlaJ%2fWAM1n0wLbM0TzOock%2fJ5o_2ByTSV9y%2fSAhEyWB5DMB%2f4lW4ok5N%2fnAsrN2WO_%2f2Fjc4.crw'"></noscript> equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp String found in binary or memory: Host: www.yahoo.com equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.309800668.00000000021A9000.00000004.00000001.sdmp String found in binary or memory: Location: https://www.yahoo.com/jdraw/hz1bq3PmtqtDPcpAxd/_2FGYs9V_/2BcaIfj8lzbe6dwp1S50/qnf1CtPsO2EGsTOGBt0/TpQo4OHaLh1DZAzOHIElg2/LmJhngmT2kJ_2/FHuNwneH/Olki6SGkOhEdHnRV6_2B266/I71jLcWlaJ/WAM1n0wLbM0TzOock/J5o_2ByTSV9y/SAhEyWB5DMB/4lW4ok5N/nAsrN2WO_/2Fjc4.crw equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp String found in binary or memory: https://www.yahoo.com/ equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000003.310611526.00000000021F3000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp String found in binary or memory: https://www.yahoo.com/jdraw/hz1bq3PmtqtDPcpAxd/_2FGYs9V_/2BcaIfj8lzbe6dwp1S50/qnf1CtPsO2EGsTOGBt0/TpQo4OHaLh1DZAzOHIElg2/LmJhngmT2kJ_2/FHuNwneH/Olki6SGkOhEdHnRV6_2B266/I71jLcWlaJ/WAM1n0wLbM0TzOock/J5o_2ByTSV9y/SAhEyWB5DMB/4lW4ok5N/nAsrN2WO_/2Fjc4.crw equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp String found in binary or memory: https://www.yahoo.com/k=# equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp String found in binary or memory: var u='https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fhz1bq3PmtqtDPcpAxd%2f_2FGYs9V_%2f2BcaIfj8lzbe6dwp1S50%2fqnf1CtPsO2EGsTOGBt0%2fTpQo4OHaLh1DZAzOHIElg2%2fLmJhngmT2kJ_2%2fFHuNwneH%2fOlki6SGkOhEdHnRV6_2B266%2fI71jLcWlaJ%2fWAM1n0wLbM0TzOock%2fJ5o_2ByTSV9y%2fSAhEyWB5DMB%2f4lW4ok5N%2fnAsrN2WO_%2f2Fjc4.crw'; equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.518270171.000000000502A000.00000004.00000010.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp String found in binary or memory: www.yahoo.com equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp String found in binary or memory: www.yahoo.com' equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp String found in binary or memory: www.yahoo.com/jdraw/hz1bq3PmtqtDPcpAxd/_2FGYs9V_/2BcaIfj8lzbe6dwp1S50/qnf1CtPsO2EGsTOGBt0/TpQo4OHaLh1DZAzOHIElg2/LmJhngmT2kJ_2/FHuNwneH/Olki6SGkOhEdHnRV6_2B266/I71jLcWlaJ/WAM1n0wLbM0TzOock/J5o_2ByTSV9y/SAhEyWB5DMB/4lW4ok5N/nAsrN2WO_/2Fjc4.crw equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp String found in binary or memory: www.yahoo.com7 equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp String found in binary or memory: www.yahoo.comVB equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp String found in binary or memory: www.yahoo.combA equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000003.309800668.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000003.310772228.0000000004758000.00000004.00000040.sdmp, Rats4dIOmA.exe, 00000000.00000003.310833541.000000000475B000.00000004.00000040.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp String found in binary or memory: https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lang=en-US&device=desktop&yrid=cc0
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000003.310772228.0000000004758000.00000004.00000040.sdmp, Rats4dIOmA.exe, 00000000.00000003.310833541.000000000475B000.00000004.00000040.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp String found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
Source: Rats4dIOmA.exe, 00000000.00000003.310772228.0000000004758000.00000004.00000040.sdmp, Rats4dIOmA.exe, 00000000.00000002.518183803.0000000004758000.00000004.00000040.sdmp String found in binary or memory: https://qoderunovos.website
Source: Rats4dIOmA.exe, 00000000.00000003.310772228.0000000004758000.00000004.00000040.sdmp, Rats4dIOmA.exe, 00000000.00000002.518183803.0000000004758000.00000004.00000040.sdmp String found in binary or memory: https://soderunovos.website
Source: Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp String found in binary or memory: https://soderunovos.website/jdraw/ldez60nkcypupl/Y8k6P2TKljJ3iNZCDUKjs/bDzAl0Dd4aRnqW1G/ctGW3CyINNEj
Source: Rats4dIOmA.exe, 00000000.00000003.310772228.0000000004758000.00000004.00000040.sdmp, Rats4dIOmA.exe, 00000000.00000002.518183803.0000000004758000.00000004.00000040.sdmp String found in binary or memory: https://soderunovos.websitehttps://qoderunovos.websiten
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp String found in binary or memory: https://www.yahoo.com/
Source: Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp String found in binary or memory: https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fhz1bq3PmtqtDPcpAxd%2f_2
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000003.309800668.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000003.310611526.00000000021F3000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp String found in binary or memory: https://www.yahoo.com/jdraw/hz1bq3PmtqtDPcpAxd/_2FGYs9V_/2BcaIfj8lzbe6dwp1S50/qnf1CtPsO2EGsTOGBt0/Tp
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp String found in binary or memory: https://www.yahoo.com/k=#
Source: unknown DNS traffic detected: queries for: yahoo.com
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Code function: 0_2_03C45988 ResetEvent,ResetEvent,lstrcat,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError, 0_2_03C45988
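The GET requests above are the standard Ursnif/Gozi beacon shape, and the extracted configuration explains the rest of this section: the first c2_domain entry (yahoo.com) is a legitimate domain the bot contacts first, a connectivity check and decoy that is a common Ursnif trait, which is why the only DNS query and the only TLS sessions in this run go to Yahoo and end in a 404, while the two .website domains are the real C2 and show no traffic in this capture. The following is an added example, not part of the Joe Sandbox report, that normalises such a beacon path and triages a few constructed proxy log lines against it. It assumes, because the report does not state it, that the slashes after /jdraw/ carry no data, that _2F and _2B are escapes for the base64 characters / and +, and that the decoded bytes are block-cipher ciphertext keyed with the config's serpent_key; the scoring thresholds are likewise the example's own choice, and no decryption is attempted.

```python
"""Added example (not from the Joe Sandbox report): normalise an
Ursnif/Gozi-style beacon path and triage constructed proxy log lines."""
import base64
import re

# Request captured in the report (GET to Host: yahoo.com / www.yahoo.com).
SAMPLE_PATH = ("/jdraw/hz1bq3PmtqtDPcpAxd/_2FGYs9V_/2BcaIfj8lzbe6dwp1S50/"
               "qnf1CtPsO2EGsTOGBt0/TpQo4OHaLh1DZAzOHIElg2/LmJhngmT2kJ_2/"
               "FHuNwneH/Olki6SGkOhEdHnRV6_2B266/I71jLcWlaJ/WAM1n0wLbM0TzOock/"
               "J5o_2ByTSV9y/SAhEyWB5DMB/4lW4ok5N/nAsrN2WO_/2Fjc4.crw")
SAMPLE_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)"

# c2_domain list from the extracted configuration; schemes are stripped so
# both spellings of the .website hosts collapse to one entry each.
C2_DOMAINS = ["yahoo.com", "soderunovos.website", "qoderunovos.website",
              "https://soderunovos.website", "https://qoderunovos.website"]
KNOWN_C2 = {d.split("://")[-1] for d in C2_DOMAINS}

# Assumption (not stated by the report): "_2F"/"_2B" are escapes for the
# base64 characters "/" and "+", and the inserted slashes carry no data.
ESCAPES = (("_2F", "/"), ("_2B", "+"))
SEGMENT = re.compile(r"[A-Za-z0-9_]+\Z")


def normalise_path(path: str) -> str:
    """Drop the fixed directory, the inserted slashes and the extension, then
    undo the escapes. Slashes must go first: in the captured URL "_2B" is
    split across two segments ("..._" + "2Bca...")."""
    parts = [p for p in path.split("/") if p]
    body = "".join(parts[1:])        # parts[0] is the fixed directory ("jdraw")
    body = body.rsplit(".", 1)[0]    # drop the ".crw" extension
    for esc, ch in ESCAPES:
        body = body.replace(esc, ch)
    return body


def decode_payload(path: str) -> bytes:
    """Base64-decode the normalised body; raises ValueError if it is not clean
    base64. The result is opaque ciphertext (assumed Serpent, keyed with the
    config's serpent_key; this example does not decrypt it)."""
    b64 = normalise_path(path)
    b64 += "=" * (-len(b64) % 4)
    return base64.b64decode(b64, validate=True)


def looks_like_ursnif_beacon(path: str, min_segments: int = 6) -> bool:
    """Structural test: many alnum/_ segments, escape tokens present, and the
    whole body decodes as base64 once the slashes are removed."""
    parts = [p for p in path.split("/") if p]
    if len(parts) < min_segments:
        return False
    stem = parts[-1].rsplit(".", 1)[0]
    if not all(SEGMENT.match(p) for p in parts[:-1] + [stem]):
        return False
    body = "".join(parts[1:])
    if not any(esc in body for esc, _ in ESCAPES):
        return False
    try:
        decode_payload(path)
    except ValueError:
        return False
    return True


def is_c2_host(host: str) -> bool:
    """Exact or subdomain match against the configured C2 list."""
    return any(host == d or host.endswith("." + d) for d in KNOWN_C2)


def triage(log):
    """Score (client, host, path, user_agent) tuples; 2 or more is a hit.
    The weights are this example's choice: the URL structure alone suffices,
    the legacy MSIE 8.0 User-Agent or a configured C2 host only corroborate."""
    hits = []
    for client, host, path, ua in log:
        score = 2 * looks_like_ursnif_beacon(path) + (ua == SAMPLE_UA) + is_c2_host(host)
        if score >= 2:
            hits.append((client, host, score))
    return hits


# Constructed proxy log (not from the report): the sandbox beacon, a normal
# browser visit to the same decoy host, and a deep but benign static path.
SAMPLE_LOG = [
    ("192.168.2.5", "www.yahoo.com", SAMPLE_PATH, SAMPLE_UA),
    ("192.168.2.5", "www.yahoo.com", "/",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0"),
    ("192.168.2.7", "cdn.example.net", "/static/js/app/main/bundle/vendor/x.js",
     "Mozilla/5.0 (X11; Linux x86_64) Chrome/96.0"),
]
```

Run `triage(SAMPLE_LOG)` and only the beacon line is returned; a plain visit to www.yahoo.com scores 1 and is ignored, which is the point of combining the URL structure with the host list rather than alerting on the decoy domain alone. The captured path normalises to 192 base64 characters and decodes to 144 bytes, a multiple of the 16-byte block size one would expect if the Serpent assumption holds.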

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.310816150.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.310772228.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.310824742.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.518183803.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.310739841.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.310804717.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.310680440.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.310789542.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.310712356.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Rats4dIOmA.exe PID: 6456, type: MEMORYSTR
Source: Yara match File source: 0.2.Rats4dIOmA.exe.42b94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Rats4dIOmA.exe.3c40000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Rats4dIOmA.exe.42b94a0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.518140305.00000000042B9000.00000004.00000040.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: same 14 matches as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing above (memory dumps of PID 6456 and the unpacked PE images)

System Summary:

Writes or reads registry keys via WMI
Source: C:\Users\user\Desktop\Rats4dIOmA.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\Desktop\Rats4dIOmA.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\Rats4dIOmA.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\Rats4dIOmA.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\Desktop\Rats4dIOmA.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\Rats4dIOmA.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\Rats4dIOmA.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Uses 32bit PE files
Source: Rats4dIOmA.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Detected potential crypto function
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Code function: 0_2_03C4AFC0 0_2_03C4AFC0
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Code function: 0_2_03C47FBE 0_2_03C47FBE
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Code function: 0_2_03C4836E 0_2_03C4836E
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Code function: 0_2_00401703 NtMapViewOfSection, 0_2_00401703
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Code function: 0_2_00401C90 GetProcAddress,NtCreateSection,memset, 0_2_00401C90
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Code function: 0_2_004019A0 NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,GetLastError,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_004019A0
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Code function: 0_2_03C49A0F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_03C49A0F
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Code function: 0_2_03C4B1E5 NtQueryVirtualMemory, 0_2_03C4B1E5
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Code function: 0_2_01FE1BF0 NtQuerySystemInformation,Sleep,CreateThread,QueueUserAPC,TerminateThread,SetLastError,WaitForSingleObject,GetExitCodeThread, 0_2_01FE1BF0
PE file contains strange resources
Source: Rats4dIOmA.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Rats4dIOmA.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Rats4dIOmA.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@4/2
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Code function: 0_2_03C48F1B CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_03C48F1B
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Command line argument: pemahu 0_2_0042F0A0
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Command line argument: Regefiri 0_2_0042F0A0
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Command line argument: Hucet 0_2_0042F0A0
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Command line argument: Xegixaze 0_2_0042F0A0
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Command line argument: \H 0_2_0042F0A0
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Command line argument: zijiwe 0_2_0042F0A0
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Command line argument: 2Y? 0_2_0042F0A0
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Command line argument: mecevituxe 0_2_0042F0A0
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Command line argument: Petoco 0_2_0042F0A0
Source: C:\Users\user\Desktop\Rats4dIOmA.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Rats4dIOmA.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Rats4dIOmA.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Rats4dIOmA.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Rats4dIOmA.exe Static PE information: More than 200 imports for KERNEL32.dll
Source: Rats4dIOmA.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Rats4dIOmA.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Rats4dIOmA.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Rats4dIOmA.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Rats4dIOmA.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Rats4dIOmA.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Rats4dIOmA.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Unpacked PE file: 0.2.Rats4dIOmA.exe.400000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Unpacked PE file: 0.2.Rats4dIOmA.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Code function: 0_2_03C4E9AC push 0B565A71h; ret 0_2_03C4E9B1
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Code function: 0_2_03C4AFAF push ecx; ret 0_2_03C4AFBF
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Code function: 0_2_03C4AC00 push ecx; ret 0_2_03C4AC09
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Code function: 0_2_03C4E62F push edi; retf 0_2_03C4E630
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Code function: 0_2_0042E7D0 push ecx; mov dword ptr [esp], 00000000h 0_2_0042E7D1
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Code function: 0_2_00401264 LoadLibraryA,GetProcAddress, 0_2_00401264
Source: initial sample Static PE information: section name: .text entropy: 7.04444899707
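A .text entropy of 7.04 alongside the section-rights change is the static side of the unpacking the sandbox observed at runtime: compressed or encrypted code leaves almost no byte-frequency structure, so an executable section close to the 8-bit ceiling is itself a packing indicator before anything runs, and the dumped image growing new .rdata and .bss sections is what a rebuilt payload looks like next to its loader. The following is an added example, not part of the report, that computes per-section entropy and rights from a PE section table with only the Python standard library and diffs two section layouts written in the report's own compact notation. The PE it parses is constructed inline to exercise the code; the 7.0 threshold is a working assumption, not a value the report defines.

```python
"""Added example (not from the Joe Sandbox report): per-section entropy and
rights from a PE section table, plus a diff of two section layouts written in
the report's ".text:ER;.data:W;..." notation."""
import math
import random
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PACKED_THRESHOLD = 7.0  # assumption: a working cut-off, not defined by the report


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def iter_sections(image: bytes):
    """Yield (name, characteristics, raw_bytes) for each section header."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    for i in range(nsections):
        off = table + 40 * i
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        yield name.rstrip(b"\0").decode("ascii"), chars, image[raw_ptr:raw_ptr + raw_size]


def rights(chars: int) -> str:
    """Compact rights string in the report's style (E, R, W)."""
    return "".join(f for f, bit in (("E", IMAGE_SCN_MEM_EXECUTE), ("R", IMAGE_SCN_MEM_READ),
                                    ("W", IMAGE_SCN_MEM_WRITE)) if chars & bit)


def section_report(image: bytes):
    """[(name, rights, entropy, packed)]: executable and high entropy = packed."""
    out = []
    for name, chars, data in iter_sections(image):
        h = shannon_entropy(data)
        packed = bool(chars & IMAGE_SCN_MEM_EXECUTE) and h >= PACKED_THRESHOLD
        out.append((name, rights(chars), round(h, 2), packed))
    return out


def parse_layout(text: str) -> dict:
    """'.text:ER;.data:W;' -> {'.text': 'ER', '.data': 'W'}"""
    return dict(item.split(":") for item in text.strip(";").split(";") if item)


def layout_diff(on_disk: str, in_memory: str):
    """Sections that exist only in the dumped image, and rights that changed."""
    a, b = parse_layout(on_disk), parse_layout(in_memory)
    added = [s for s in b if s not in a]
    changed = [s for s in a if s in b and a[s] != b[s]]
    return added, changed


def build_test_image(sections) -> bytes:
    """Constructed minimal PE32; only the fields the parser reads are meaningful."""
    opt_size, align = 224, 0x200
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = -(-hdr_len // align) * align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    table, body, va = b"", b"", 0x1000
    for name, chars, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data), va,
                             len(data), raw_ptr + len(body), 0, 0, 0, 0, chars)
        body += data + b"\0" * (-len(data) % align)
        va += -(-len(data) // 0x1000) * 0x1000
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return image + b"\0" * (raw_ptr - len(image)) + body


# Constructed sample: a high-entropy executable section (standing in for
# encrypted code) next to a low-entropy writable data section.
_rng = random.Random(0x5EED)
SAMPLE_IMAGE = build_test_image([
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ,
     bytes(_rng.getrandbits(8) for _ in range(4096))),
    (".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, b"\0" * 3000 + b"Hello, sandbox! " * 64),
])

# Section layouts quoted from the report's "changes PE section rights" finding.
DISK_LAYOUT = ".text:ER;.data:W;.rsrc:R;.reloc:R;"
DUMP_LAYOUT = ".text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;"
```

`section_report(SAMPLE_IMAGE)` flags the constructed .text section and not .data, and `layout_diff(DISK_LAYOUT, DUMP_LAYOUT)` returns the two sections (.rdata and .bss) that exist only in the dump. Pass any real file's bytes to `section_report` to reproduce the report's entropy figure; the four-byte e_lfanew read and the 40-byte section stride are the only PE details the parser depends on.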

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: same 14 matches as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing above (memory dumps of PID 6456 and the unpacked PE images)
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Rats4dIOmA.exe TID: 6852 Thread sleep count: 33 > 30

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Code function: 0_2_00401264 LoadLibraryA,GetProcAddress, 0_2_00401264
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Code function: 0_2_01FE0D90 mov eax, dword ptr fs:[00000030h] 0_2_01FE0D90
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Code function: 0_2_01FE092B mov eax, dword ptr fs:[00000030h] 0_2_01FE092B
Source: Rats4dIOmA.exe, 00000000.00000002.517827409.00000000027E0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Rats4dIOmA.exe, 00000000.00000002.517827409.00000000027E0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Rats4dIOmA.exe, 00000000.00000002.517827409.00000000027E0000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: Rats4dIOmA.exe, 00000000.00000002.517827409.00000000027E0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: Rats4dIOmA.exe, 00000000.00000002.517827409.00000000027E0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Code function: 0_2_03C47A2E cpuid 0_2_03C47A2E
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Code function: 0_2_00401E22 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_00401E22
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Code function: 0_2_00401752 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_00401752
Source: C:\Users\user\Desktop\Rats4dIOmA.exe Code function: 0_2_03C47A2E RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 0_2_03C47A2E

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: same 14 matches as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing above (memory dumps of PID 6456 and the unpacked PE images)

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: same 14 matches as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing above (memory dumps of PID 6456 and the unpacked PE images)