Windows Analysis Report 1e60aca0000.dll

Overview

General Information

Sample Name: 1e60aca0000.dll
Analysis ID: 547693
MD5: f09f51fb30891aa93446c01018e92d49
SHA1: 28e62b9495bf58b7ff183c327a6eaa3ac7461b5b
SHA256: 68f2f77b88e5575b360d05f84ff11a026a62fa42f48aeec2cd44523692e40a6a
Tags: exegozi
Infos:

Most interesting Screenshot:

Detection

Ursnif
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Sigma detected: Suspicious Call by Ordinal
PE file does not import any functions
Tries to load missing DLLs
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)
Checks if the current process is being debugged

Classification

AV Detection:

barindex
Antivirus / Scanner detection for submitted sample
Source: 1e60aca0000.dll Avira: detected
Found malware configuration
Source: 1e60aca0000.dll Malware Configuration Extractor: Ursnif {"RSA Public Key": "1ez6ZX9GBMHuzrxYcEvmkX0k1/y/WRE5hgthXVQ4P44VmZDRyl+qzgB3X8mQxx9hX87voxwb+7CbnJcCZ4hp/XwNIs0rUcJj4wwNctiIvZb8gIPsgWrAjjXLGMBCWjpmhIdWmYD7oSqxAb7ciAuhtWabiveV3OFwUuMRDbNtONTWpz/J4JVtQJ3XBbp99SutX5vbOPhgKBI3aszrv+0c1EkjrakCFHlOqMs8bjEjNDxrhaBWjOM1EU17zvHVkK7hxDkKQ5buzWmjrzDZEEWnvM3aa5uVRR1v44XnbolU0ltUakCZT4sH963oonk1uijxExj7eWoI4x+donYvsc/nFxNyfe6c/mfSKb7U2RhPG4g=", "c2_domain": ["art.microsoftsofymicrosoftsoft.at", "r23cirt55ysvtdvl.onion", "poi.redhatbabby.at", "fgx.dangerboy.at", "pop.biopiof.at", "l46t3vgvmtx5wxe6.onion", "apr.intoolkom.at"], "ip_check_url": ["curlmyip.net"], "serpent_key": "KCVH9K5GZjoxwKSf", "server": "580", "sleep_time": "10", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "600", "time_value": "600", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "300", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "300", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "505050", "SetWaitableTimer_value": "60"}
Multi AV Scanner detection for submitted file
Source: 1e60aca0000.dll ReversingLabs: Detection: 34%

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Yara detected Ursnif
Source: Yara match File source: 1e60aca0000.dll, type: SAMPLE

E-Banking Fraud:

barindex
Yara detected Ursnif
Source: Yara match File source: 1e60aca0000.dll, type: SAMPLE

System Summary:

barindex
PE file does not import any functions
Source: 1e60aca0000.dll Static PE information: No import functions for PE file found
Tries to load missing DLLs
Source: C:\Windows\System32\loaddll64.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: .dll Jump to behavior
Source: 1e60aca0000.dll ReversingLabs: Detection: 34%
Source: 1e60aca0000.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: classification engine Classification label: mal76.troj.winDLL@7/0@0/0
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\1e60aca0000.dll,#1
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\1e60aca0000.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1e60aca0000.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\1e60aca0000.dll,#1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1e60aca0000.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1e60aca0000.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\1e60aca0000.dll,#1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1e60aca0000.dll",#1 Jump to behavior
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: 1e60aca0000.dll Static PE information: Image base 0x180000000 > 0x60000000

Hooking and other Techniques for Hiding and Protection:

barindex
Yara detected Ursnif
Source: Yara match File source: 1e60aca0000.dll, type: SAMPLE
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

barindex
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll64.exe Process queried: DebugPort Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1e60aca0000.dll",#1 Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected Ursnif
Source: Yara match File source: 1e60aca0000.dll, type: SAMPLE

Remote Access Functionality:

barindex
Yara detected Ursnif
Source: Yara match File source: 1e60aca0000.dll, type: SAMPLE