Windows Analysis Report R0xLHA2mT5.exe

Overview

General Information

Sample Name: R0xLHA2mT5.exe
Analysis ID: 528072
MD5: 9f3b8462c508884f6966f3ad4a275799
SHA1: 6288e611de585a6dc56c6399ef03012698d60392
SHA256: a548ac73d6acb5a260cb2e1760946c37ce94d89f3cd2a5b126e266e007dfc543
Tags: exe, Gozi
Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected Ursnif
Detected unpacking (changes PE section rights)
Writes or reads registry keys via WMI
Machine Learning detection for sample
Writes registry values via WMI
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
PE file contains strange resources
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.558633327.0000000002130000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"RSA Public Key": "dm+RfNkITE5FceWriGPYkZaFfoP/k2XQ2jeLd8rNgFw6gJ6fNWsHd0U6akxsQHth/SBWm4/eMI9Y1qgwNJteasgQsUC7Ht20y96mIxH1hvPh9uvLSH5z2CNo+fcP8K+V0yoOOQzDln/qE7mMJHLu+rmogHE7S6lb7FVy/7xxrRe3zMDt5K9bDwOreWw0blGE", "c2_domain": ["yahoo.com", "soderunovos.website", "qoderunovos.website", "https://soderunovos.website", "https://qoderunovos.website"], "botnet": "4482", "server": "12", "serpent_key": "10291029JSJUYNHG", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}
Multi AV Scanner detection for submitted file
Source: R0xLHA2mT5.exe Metadefender: Detection: 22%
Source: R0xLHA2mT5.exe ReversingLabs: Detection: 45%
Machine Learning detection for sample
Source: R0xLHA2mT5.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.R0xLHA2mT5.exe.2130e50.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.R0xLHA2mT5.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen7
Source: 0.3.R0xLHA2mT5.exe.2140000.0.unpack Avira: Label: TR/Patched.Ren.Gen

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe Unpacked PE file: 0.2.R0xLHA2mT5.exe.400000.0.unpack
Uses 32bit PE files
Source: R0xLHA2mT5.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 74.6.231.21:443 -> 192.168.2.3:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.100.216:443 -> 192.168.2.3:49721 version: TLS 1.2
Source: Binary string: C:\julokapinuf\da.pdb source: R0xLHA2mT5.exe
Source: Binary string: C:\julokapinuf\da.pdbP+C source: R0xLHA2mT5.exe

Networking:

JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 74.6.231.21 74.6.231.21
Source: Joe Sandbox View IP Address: 87.248.100.216 87.248.100.216
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /jdraw/bxL1xwjyIDF/WhnrXJWmz2Twl8/gY8V0mj8FFAgQDgBa_2Fr/ju3YDzGHJQvJy7Ul/WNFipJkcZdncwpj/ywnxu6MUxONK0Xvi9f/ucETuIFdm/wokZPT9eFRDqyFNdNZik/FUVXSPqAP_2FwjH1nuX/3xMD5fDEH8K9cekhYWTKgU/lNhM0C6AYaGMU/wTNgbH70ZfWGyVix/60.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: yahoo.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /jdraw/bxL1xwjyIDF/WhnrXJWmz2Twl8/gY8V0mj8FFAgQDgBa_2Fr/ju3YDzGHJQvJy7Ul/WNFipJkcZdncwpj/ywnxu6MUxONK0Xvi9f/ucETuIFdm/wokZPT9eFRDqyFNdNZik/FUVXSPqAP_2FwjH1nuX/3xMD5fDEH8K9cekhYWTKgU/lNhM0C6AYaGMU/wTNgbH70ZfWGyVix/60.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Connection: Keep-AliveCache-Control: no-cacheHost: www.yahoo.comCookie: B=0kqfhp5gpsta9&b=3&s=ki
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Founddate: Wed, 24 Nov 2021 17:24:25 GMTp3p: policyref="https://policies.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"cache-control: privatex-content-type-options: nosniffcontent-type: text/html; charset=UTF-8x-envoy-upstream-service-time: 12server: ATSContent-Length: 1048Age: 2Connection: closeStrict-Transport-Security: max-age=31536000Content-Security-Policy: frame-ancestors 'self' https://*.builtbygirls.com https://*.rivals.com https://*.engadget.com https://*.intheknow.com https://*.autoblog.com https://*.techcrunch.com https://*.yahoo.com https://*.aol.com https://*.huffingtonpost.com https://*.oath.com https://*.search.yahoo.com https://*.search.aol.com https://*.search.huffpost.com https://*.verizonmedia.com https://*.publishing.oath.com https://*.autoblog.com; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-popups-to-escape-sandbox allow-presentation; report-uri https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lang=en-US&device=desktop&yrid=0p10fa5gpsta9&partner=;X-Frame-Options: SAMEORIGINX-XSS-Protection: 1; mode=block
Source: R0xLHA2mT5.exe, 00000000.00000003.448860394.000000000242A000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559628202.000000000242D000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354035535.00000000023E6000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.448832665.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354962867.000000000242B000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354031046.00000000023E2000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559183663.000000000236A000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354046152.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp String found in binary or memory: *.www.yahoo.com equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000003.448860394.000000000242A000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559628202.000000000242D000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354035535.00000000023E6000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559383521.00000000023C6000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354962867.000000000242B000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354031046.00000000023E2000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354046152.00000000023FB000.00000004.00000001.sdmp String found in binary or memory: *.www.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000002.559183663.000000000236A000.00000004.00000001.sdmp String found in binary or memory: +www.yahoo.com; equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000003.355137973.000000000477B000.00000004.00000040.sdmp String found in binary or memory: <noscript><META http-equiv="refresh" content="0;URL='https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fbxL1xwjyIDF%2fWhnrXJWmz2Twl8%2fgY8V0mj8FFAgQDgBa_2Fr%2fju3YDzGHJQvJy7Ul%2fWNFipJkcZdncwpj%2fywnxu6MUxONK0Xvi9f%2fucETuIFdm%2fwokZPT9eFRDqyFNdNZik%2fFUVXSPqAP_2FwjH1nuX%2f3xMD5fDEH8K9cekhYWTKgU%2flNhM0C6AYaGMU%2fwTNgbH70ZfWGyVix%2f60.crw'"></noscript> equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000003.354046152.00000000023FB000.00000004.00000001.sdmp String found in binary or memory: Location: https://www.yahoo.com/jdraw/bxL1xwjyIDF/WhnrXJWmz2Twl8/gY8V0mj8FFAgQDgBa_2Fr/ju3YDzGHJQvJy7Ul/WNFipJkcZdncwpj/ywnxu6MUxONK0Xvi9f/ucETuIFdm/wokZPT9eFRDqyFNdNZik/FUVXSPqAP_2FwjH1nuX/3xMD5fDEH8K9cekhYWTKgU/lNhM0C6AYaGMU/wTNgbH70ZfWGyVix/60.crw equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000003.354919579.00000000023E0000.00000004.00000001.sdmp String found in binary or memory: MUxOnew-fp-shed.wg1.b.yahoo.comwww.yahoo.comVXSPqAP_2FwjH1nuX/3xMD5fDEH8K9cekhYWTK equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000003.448832665.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp String found in binary or memory: com.yahoo.www. equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000003.448832665.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp String found in binary or memory: https://www.yahoo.com/ equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000003.448832665.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp String found in binary or memory: https://www.yahoo.com/6 equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000003.448832665.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp String found in binary or memory: https://www.yahoo.com/? equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp String found in binary or memory: https://www.yahoo.com/\en-US\CRYPT32.dll.muiq equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000002.559418267.00000000023E0000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.448819097.00000000023DD000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559183663.000000000236A000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354919579.00000000023E0000.00000004.00000001.sdmp String found in binary or memory: https://www.yahoo.com/jdraw/bxL1xwjyIDF/WhnrXJWmz2Twl8/gY8V0mj8FFAgQDgBa_2Fr/ju3YDzGHJQvJy7Ul/WNFipJkcZdncwpj/ywnxu6MUxONK0Xvi9f/ucETuIFdm/wokZPT9eFRDqyFNdNZik/FUVXSPqAP_2FwjH1nuX/3xMD5fDEH8K9cekhYWTKgU/lNhM0C6AYaGMU/wTNgbH70ZfWGyVix/60.crw equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000003.354919579.00000000023E0000.00000004.00000001.sdmp String found in binary or memory: s://www.yahoo.com/jdraw/bxL1xwjyIDF/WhnrXJWmz2Twl8/gY8V0mj8FFAgQDgBa_2Fr/ju3YDzGHJQvJy7Ul/WNFipJkcZdncwpj/ywnxu6MUxONK0Xvi9f/ucETuIFdm/wokZPT9eFRDqyFNdNZik/FUVXSPqAP_2FwjH1nuX/3xMD5fDEH8K9cekhYWTKgU/lNhM0C6AYaGMU/wTNgbH70ZfWGyVix/60.crw equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp String found in binary or memory: var u='https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fbxL1xwjyIDF%2fWhnrXJWmz2Twl8%2fgY8V0mj8FFAgQDgBa_2Fr%2fju3YDzGHJQvJy7Ul%2fWNFipJkcZdncwpj%2fywnxu6MUxONK0Xvi9f%2fucETuIFdm%2fwokZPT9eFRDqyFNdNZik%2fFUVXSPqAP_2FwjH1nuX%2f3xMD5fDEH8K9cekhYWTKgU%2flNhM0C6AYaGMU%2fwTNgbH70ZfWGyVix%2f60.crw'; equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp String found in binary or memory: www.yahoo.com equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000002.559418267.00000000023E0000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559383521.00000000023C6000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.448819097.00000000023DD000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.448832665.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559183663.000000000236A000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.560060461.0000000004FDA000.00000004.00000010.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354919579.00000000023E0000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp String found in binary or memory: www.yahoo.com equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000003.448832665.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp String found in binary or memory: www.yahoo.com- equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000003.448832665.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp String found in binary or memory: www.yahoo.com/jdraw/bxL1xwjyIDF/WhnrXJWmz2Twl8/gY8V0mj8FFAgQDgBa_2Fr/ju3YDzGHJQvJy7Ul/WNFipJkcZd equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000003.354919579.00000000023E0000.00000004.00000001.sdmp String found in binary or memory: www.yahoo.com/jdraw/bxL1xwjyIDF/WhnrXJWmz2Twl8/gY8V0mj8FFAgQDgBa_2Fr/ju3YDzGHJQvJy7Ul/WNFipJkcZdncwpj/ywnxu6MUxONK0Xvi9f/ucETuIFdm/wokZPT9eFRDqyFNdNZik/FUVXSPqAP_2FwjH1nuX/3xMD5fDEH8K9cekhYWTKgU/lNhM0C6AYaGMU/wTNgbH70ZfWGyVix/60.crw equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000002.559418267.00000000023E0000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.448819097.00000000023DD000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354919579.00000000023E0000.00000004.00000001.sdmp String found in binary or memory: www.yahoo.com5 equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000002.559383521.00000000023C6000.00000004.00000001.sdmp String found in binary or memory: www.yahoo.com>Y equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000003.448832665.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp String found in binary or memory: www.yahoo.comG equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp String found in binary or memory: www.yahoo.comows\system32\jsproxy.dll equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000002.559418267.00000000023E0000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354035535.00000000023E6000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.448819097.00000000023DD000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354919579.00000000023E0000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: R0xLHA2mT5.exe, 00000000.00000003.355102011.0000000004778000.00000004.00000040.sdmp, R0xLHA2mT5.exe, 00000000.00000003.355137973.000000000477B000.00000004.00000040.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559183663.000000000236A000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp String found in binary or memory: https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lang=en-US&device=desktop&yrid=0p1
Source: R0xLHA2mT5.exe, 00000000.00000003.355102011.0000000004778000.00000004.00000040.sdmp, R0xLHA2mT5.exe, 00000000.00000003.355137973.000000000477B000.00000004.00000040.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559183663.000000000236A000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354919579.00000000023E0000.00000004.00000001.sdmp String found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
Source: R0xLHA2mT5.exe, 00000000.00000003.355102011.0000000004778000.00000004.00000040.sdmp, R0xLHA2mT5.exe, 00000000.00000002.560013904.0000000004778000.00000004.00000040.sdmp String found in binary or memory: https://qoderunovos.website
Source: R0xLHA2mT5.exe, 00000000.00000003.355102011.0000000004778000.00000004.00000040.sdmp, R0xLHA2mT5.exe, 00000000.00000002.560013904.0000000004778000.00000004.00000040.sdmp String found in binary or memory: https://soderunovos.website
Source: R0xLHA2mT5.exe, 00000000.00000003.448832665.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp String found in binary or memory: https://soderunovos.website/
Source: R0xLHA2mT5.exe, 00000000.00000003.448832665.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp String found in binary or memory: https://soderunovos.website/0
Source: R0xLHA2mT5.exe, 00000000.00000003.448832665.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp String found in binary or memory: https://soderunovos.website/T
Source: R0xLHA2mT5.exe, 00000000.00000003.448832665.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp String found in binary or memory: https://soderunovos.website/_
Source: R0xLHA2mT5.exe, 00000000.00000002.559418267.00000000023E0000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.448819097.00000000023DD000.00000004.00000001.sdmp String found in binary or memory: https://soderunovos.website/jdraw/Few7Dvcu/4Rmd9fKY9IL2UtEgJUD5q9n/BajREx_2Bc/Peb7n8IHTpfTu9y6I/faIv
Source: R0xLHA2mT5.exe, 00000000.00000003.448832665.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp String found in binary or memory: https://soderunovos.website/s
Source: R0xLHA2mT5.exe, 00000000.00000003.355102011.0000000004778000.00000004.00000040.sdmp, R0xLHA2mT5.exe, 00000000.00000002.560013904.0000000004778000.00000004.00000040.sdmp String found in binary or memory: https://soderunovos.websitehttps://qoderunovos.website
Source: R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp String found in binary or memory: https://www.yahoo.com/
Source: R0xLHA2mT5.exe, 00000000.00000003.448832665.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp String found in binary or memory: https://www.yahoo.com/6
Source: R0xLHA2mT5.exe, 00000000.00000003.448832665.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp String found in binary or memory: https://www.yahoo.com/?
Source: R0xLHA2mT5.exe, 00000000.00000003.355137973.000000000477B000.00000004.00000040.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp String found in binary or memory: https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fbxL1xwjyIDF%2fWhnrXJWmz
Source: R0xLHA2mT5.exe, 00000000.00000002.559418267.00000000023E0000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.448819097.00000000023DD000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559183663.000000000236A000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354046152.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354919579.00000000023E0000.00000004.00000001.sdmp String found in binary or memory: https://www.yahoo.com/jdraw/bxL1xwjyIDF/WhnrXJWmz2Twl8/gY8V0mj8FFAgQDgBa_2Fr/ju3YDzGHJQvJy7Ul/WNFipJ
Source: R0xLHA2mT5.exe, 00000000.00000002.559183663.000000000236A000.00000004.00000001.sdmp String found in binary or memory: https://yahoo.com/b
Source: R0xLHA2mT5.exe, 00000000.00000002.559183663.000000000236A000.00000004.00000001.sdmp String found in binary or memory: https://yahoo.com/d
Source: R0xLHA2mT5.exe, 00000000.00000002.559183663.000000000236A000.00000004.00000001.sdmp String found in binary or memory: https://yahoo.com/jdraw/bxL1xwjyIDF/WhnrXJWmz2Twl8/gY8V0mj8FFAgQDgBa_2Fr/ju3YDzGHJQvJy7Ul/WNFipJkcZd
Source: unknown DNS traffic detected: queries for: yahoo.com
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe Code function: 0_2_022B5988 ResetEvent,ResetEvent,lstrcat,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError, 0_2_022B5988
Source: global traffic HTTP traffic detected: GET /jdraw/bxL1xwjyIDF/WhnrXJWmz2Twl8/gY8V0mj8FFAgQDgBa_2Fr/ju3YDzGHJQvJy7Ul/WNFipJkcZdncwpj/ywnxu6MUxONK0Xvi9f/ucETuIFdm/wokZPT9eFRDqyFNdNZik/FUVXSPqAP_2FwjH1nuX/3xMD5fDEH8K9cekhYWTKgU/lNhM0C6AYaGMU/wTNgbH70ZfWGyVix/60.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: yahoo.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /jdraw/bxL1xwjyIDF/WhnrXJWmz2Twl8/gY8V0mj8FFAgQDgBa_2Fr/ju3YDzGHJQvJy7Ul/WNFipJkcZdncwpj/ywnxu6MUxONK0Xvi9f/ucETuIFdm/wokZPT9eFRDqyFNdNZik/FUVXSPqAP_2FwjH1nuX/3xMD5fDEH8K9cekhYWTKgU/lNhM0C6AYaGMU/wTNgbH70ZfWGyVix/60.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Connection: Keep-AliveCache-Control: no-cacheHost: www.yahoo.comCookie: B=0kqfhp5gpsta9&b=3&s=ki
Source: unknown HTTPS traffic detected: 74.6.231.21:443 -> 192.168.2.3:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.100.216:443 -> 192.168.2.3:49721 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.354992227.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355061879.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355102011.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.560013904.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355079733.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355113871.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355042494.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355017568.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355125356.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: R0xLHA2mT5.exe PID: 3608, type: MEMORYSTR
Source: Yara match File source: 0.2.R0xLHA2mT5.exe.42a94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.R0xLHA2mT5.exe.22b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.R0xLHA2mT5.exe.42a94a0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.559974818.00000000042A9000.00000004.00000040.sdmp, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: R0xLHA2mT5.exe, 00000000.00000002.559091455.000000000234A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.354992227.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355061879.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355102011.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.560013904.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355079733.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355113871.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355042494.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355017568.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355125356.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: R0xLHA2mT5.exe PID: 3608, type: MEMORYSTR
Source: Yara match File source: 0.2.R0xLHA2mT5.exe.42a94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.R0xLHA2mT5.exe.22b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.R0xLHA2mT5.exe.42a94a0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.559974818.00000000042A9000.00000004.00000040.sdmp, type: MEMORY

System Summary:

Writes or reads registry keys via WMI
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Uses 32bit PE files
Source: R0xLHA2mT5.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Detected potential crypto function
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe Code function: 0_2_022B836E 0_2_022B836E
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe Code function: 0_2_022B7FBE 0_2_022B7FBE
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe Code function: 0_2_022BAFC0 0_2_022BAFC0
Contains functionality to call native functions
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe Code function: 0_2_00401703 NtMapViewOfSection, 0_2_00401703
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe Code function: 0_2_00401C90 GetProcAddress,NtCreateSection,memset, 0_2_00401C90
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe Code function: 0_2_004019A0 NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,GetLastError,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_004019A0
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe Code function: 0_2_022B9A0F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_022B9A0F
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe Code function: 0_2_022BB1E5 NtQueryVirtualMemory, 0_2_022BB1E5
PE file contains strange resources
Source: R0xLHA2mT5.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: R0xLHA2mT5.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: R0xLHA2mT5.exe Metadefender: Detection: 22%
Source: R0xLHA2mT5.exe ReversingLabs: Detection: 45%
Source: R0xLHA2mT5.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@4/2
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe Code function: 0_2_022B8F1B CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_022B8F1B
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: R0xLHA2mT5.exe Static PE information: More than 200 imports for KERNEL32.dll
Source: R0xLHA2mT5.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: R0xLHA2mT5.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: R0xLHA2mT5.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: R0xLHA2mT5.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: R0xLHA2mT5.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: R0xLHA2mT5.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: R0xLHA2mT5.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\julokapinuf\da.pdb source: R0xLHA2mT5.exe
Source: Binary string: C:\julokapinuf\da.pdbP+C source: R0xLHA2mT5.exe

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe Unpacked PE file: 0.2.R0xLHA2mT5.exe.400000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe Unpacked PE file: 0.2.R0xLHA2mT5.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe Code function: 0_2_022BE62F push edi; retf 0_2_022BE630
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe Code function: 0_2_022BAC00 push ecx; ret 0_2_022BAC09
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe Code function: 0_2_022BAFAF push ecx; ret 0_2_022BAFBF
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe Code function: 0_2_022BE9AC push 0B565A71h; ret 0_2_022BE9B1
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe Code function: 0_2_0042E630 push ecx; mov dword ptr [esp], 00000000h 0_2_0042E631
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe Code function: 0_2_023600A6 push esp; iretd 0_2_023600B7
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe Code function: 0_2_02363EAD push 12BFE4EFh; ret 0_2_02363EB2
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe Code function: 0_2_0235EE91 push edx; iretd 0_2_0235EEC8
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe Code function: 0_2_0235E89D push esi; iretd 0_2_0235E89E
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe Code function: 0_2_02362CF3 push es; iretd 0_2_02362CF6
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe Code function: 0_2_0235F184 push ebx; retf 0_2_0235F196
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe Code function: 0_2_02365B88 push ds; ret 0_2_02365B89
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe Code function: 0_2_00401264 LoadLibraryA,GetProcAddress, 0_2_00401264
Source: initial sample Static PE information: section name: .text entropy: 7.03993935197

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.354992227.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355061879.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355102011.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.560013904.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355079733.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355113871.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355042494.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355017568.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355125356.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: R0xLHA2mT5.exe PID: 3608, type: MEMORYSTR
Source: Yara match File source: 0.2.R0xLHA2mT5.exe.42a94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.R0xLHA2mT5.exe.22b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.R0xLHA2mT5.exe.42a94a0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.559974818.00000000042A9000.00000004.00000040.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe Process information set: NOOPENFILEERRORBOX
Source: R0xLHA2mT5.exe, 00000000.00000002.559383521.00000000023C6000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559183663.000000000236A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe Code function: 0_2_00401264 LoadLibraryA,GetProcAddress, 0_2_00401264
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe Code function: 0_2_0235C2F6 push dword ptr fs:[00000030h] 0_2_0235C2F6
Source: R0xLHA2mT5.exe, 00000000.00000002.559717345.00000000028D0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: R0xLHA2mT5.exe, 00000000.00000002.559717345.00000000028D0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: R0xLHA2mT5.exe, 00000000.00000002.559717345.00000000028D0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: R0xLHA2mT5.exe, 00000000.00000002.559717345.00000000028D0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe Code function: 0_2_022B7A2E cpuid 0_2_022B7A2E
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe Code function: 0_2_00401E22 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_00401E22
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe Code function: 0_2_00401752 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_00401752
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe Code function: 0_2_022B7A2E RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 0_2_022B7A2E

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.354992227.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355061879.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355102011.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.560013904.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355079733.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355113871.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355042494.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355017568.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355125356.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: R0xLHA2mT5.exe PID: 3608, type: MEMORYSTR
Source: Yara match File source: 0.2.R0xLHA2mT5.exe.42a94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.R0xLHA2mT5.exe.22b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.R0xLHA2mT5.exe.42a94a0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.559974818.00000000042A9000.00000004.00000040.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.354992227.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355061879.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355102011.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.560013904.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355079733.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355113871.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355042494.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355017568.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355125356.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: R0xLHA2mT5.exe PID: 3608, type: MEMORYSTR
Source: Yara match File source: 0.2.R0xLHA2mT5.exe.42a94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.R0xLHA2mT5.exe.22b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.R0xLHA2mT5.exe.42a94a0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.559974818.00000000042A9000.00000004.00000040.sdmp, type: MEMORY