Play interactive tour
Edit tourWindows Analysis Report 202c6770000.dll
Overview
General Information
| Sample Name: | 202c6770000.dll |
| Analysis ID: | 547692 |
| MD5: | 4b76083e201810b0a6430846ca94250a |
| SHA1: | 963f018eb2d3a6ae81c40486a63795cdf137be52 |
| SHA256: | 8cba0769d25a6cc0cd53961a53b1a13568446ea01f0d72724e15eaef087f314a |
| Tags: | exegozi |
| Infos: | |
Most interesting Screenshot:  | |
Detection
Ursnif
| Score: | 60 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Yara detected Ursnif
Sigma detected: Suspicious Call by Ordinal
PE file does not import any functions
Tries to load missing DLLs
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)
Checks if the current process is being debugged
Classification
Process Tree |
|---|
|
Malware Configuration |
|---|
Threatname: Ursnif |
|---|
{"RSA Public Key": "R+UxqbV/y+ZU1c0seFgwYm43sz1DSmatV8GC7d9ajlQ+vaAx2oxbmrXwev8mSqGGA/bUt2ZkpqSt/nxO6+/Ak7RHUIzazuikwj2CwtI2KIDL8nZsOoWBzTyOzo34t4SghKOmz0ogisuhvhvEfnzRtTwTwtCrGujd4Sa3+qw1BPxaNAN0DFEVfIrq201z4jAs", "c2_domain": ["lycos.com", "mail.yahoo.com", "193.56.255.251", "193.56.255.250", "193.56.255.249", "numolerunosell.online", "gumolerunosell.online", "rumolerunosell.online"], "dga_tld": "com ru org", "DGA_count": "10", "server": "12", "serpent_key": "10291029JSJUYNHG", "sleep_time": "60", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "600", "time_value": "1000", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "122", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "1000", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "122", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "4474", "SetWaitableTimer_value": "200"}Yara Overview |
|---|
Initial Sample |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
Sigma Overview |
|---|
System Summary: |   |
|---|
| Sigma detected: Suspicious Call by Ordinal | Show sources | ||
| Source: | Author: Florian Roth: | ||
Jbx Signature Overview |
|---|
Click to jump to signature section
Show All Signature Results
AV Detection: | |
|---|
| Found malware configuration | Show sources | ||
| Source: | Malware Configuration Extractor: | ||
Key, Mouse, Clipboard, Microphone and Screen Capturing: | |
|---|
| Yara detected Ursnif | Show sources | ||
| Source: | File source: | ||
E-Banking Fraud: | |
|---|
| Yara detected Ursnif | Show sources | ||
| Source: | File source: | ||
System Summary: | |
|---|
| Source: | Static PE information: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | ||
| Source: | Classification label: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Static PE information: | ||
Hooking and other Techniques for Hiding and Protection: | |
|---|
| Yara detected Ursnif | Show sources | ||
| Source: | File source: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Process queried: | ||
| Source: | Process created: | ||
Stealing of Sensitive Information: | |
|---|
| Yara detected Ursnif | Show sources | ||
| Source: | File source: | ||
Remote Access Functionality: | |
|---|
| Yara detected Ursnif | Show sources | ||
| Source: | File source: | ||
Mitre Att&ck Matrix |
|---|
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation | DLL Side-Loading1 | Process Injection11 | Virtualization/Sandbox Evasion1 | OS Credential Dumping | Security Software Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading1 | Rundll321 | LSASS Memory | Virtualization/Sandbox Evasion1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection11 | Security Account Manager | System Information Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | DLL Side-Loading1 | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
Behavior Graph |
|---|
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetScreenshots |
|---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
