Windows Analysis Report 9091.dll

Overview

General Information

Sample Name: 9091.dll
Analysis ID: 548724
MD5: 8cef4bb6ea32fc461e3a954500413512
SHA1: d0612a06f724ebdb72db009010207c929aac9007
SHA256: 6a455667f74c818d5e20a83af8ba5eb8022b1714ceb9302c2b7f7f4ea1a141c9
Tags: dll, exe, Zloader

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Found API chain indicative of debugger detection
Machine Learning detection for sample
Found evasive API chain (may stop execution after checking system information)
Sigma detected: Suspicious Call by Ordinal
Writes registry values via WMI
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
PE file contains an invalid checksum
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Registers a DLL
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.795901018.0000000000990000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"RSA Public Key": "aScpE7CilQ9VtygBXbwXm3cD296yz+RssVO+4h8dSJN8SwshLOZQ8SH7VEx70uuWiFjdqr+uklWJF/baQZUtCK4Bm7884qZ6qhDkBdiQK8V2zH0dHiFpHhB//0WN950qgmnuJAQbYHO78/vC+UGIVbVNILi+zFGHaDdiP/Ka/IdBmgobFFhN6+VD656EnLLJ", "c2_domain": ["google.mail.com", "firsone1.online", "kdsjdsadas.online"], "botnet": "9091", "server": "12", "serpent_key": "01026655AALLKENM", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Multi AV Scanner detection for submitted file
Source: 9091.dll Virustotal: Detection: 22%
Source: 9091.dll ReversingLabs: Detection: 30%
Machine Learning detection for sample
Source: 9091.dll Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.regsvr32.exe.10000000.3.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 5.2.rundll32.exe.10000000.3.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 4.2.rundll32.exe.10000000.3.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.2.loaddll32.exe.10000000.3.unpack Avira: Label: TR/Crypt.XPACK.Gen8

Compliance:

Uses 32bit PE files
Source: 9091.dll Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 134.0.117.195:443 -> 192.168.2.3:49803 version: TLS 1.2
Source: unknown HTTPS traffic detected: 134.0.117.195:443 -> 192.168.2.3:49811 version: TLS 1.2
Source: unknown HTTPS traffic detected: 134.0.117.195:443 -> 192.168.2.3:49812 version: TLS 1.2
Source: unknown HTTPS traffic detected: 134.0.117.195:443 -> 192.168.2.3:49813 version: TLS 1.2

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 134.0.117.195 187
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: google.mail.com
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: firsone1.online
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: kdsjdsadas.online
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-REGRU AS-REGRU
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /jkloll/gfrPkOjYD/LcWirUQZbFxpai_2Bx8v/N7vD_2B_2FH5uEzDoVv/7dpgwOBiuXHqM667wEqs_2/BsKhITLbECD_2/BrsCuZOH/9inDS3N_2BAw6xzSFVI4I3r/K9MZrdcrj9/apJueAkO6z3aFPMvl/1u8BPeULfl0I/HXQ5umECQED/KqvCLcJ4CKU902/Ue_2BCWirDHmDgB_2FqvO/givATx4gqqgglwS7/v4BEhQLSTM_2B/_2Fe_2Bu.mki HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: firsone1.onlineConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /jkloll/5uYUQ_2FQN86iHNY49L/DPZD3ITzlDFx_2FKNcjDOh/yQZWvL_2BsZuR/HjaAog4G/r_2B0Neng3bSSbmoFIlXYWw/KZfLo5Aq9a/AVLYw7N9qXQVRr8XS/UyotZ_2BKl95/LDReSgxNZCB/ot3ANBI_2Bmf2Z/wTO_2FRZveJAMYt1OAKW1/qd_2B_2BejnLQISw/xnKbO7DZ_2BFAtS/sbOL_2FiP79J/M.mki HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: firsone1.onlineConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /jkloll/hyS7uNj0vVvG2CRrLbZZ4/bEGaiUTSXLmYtAhM/9KrJzj3TRaRiQeM/Wjbl2GC0W3yiu55m7X/keTVHZUts/0VdexVHBIDjPgfNBu0uT/PguFQeLj5VBY4GnMnUK/UA0cB1h_2F_2BMAAiPyhOY/5Iw7z41oIrnZb/4nW_2Ff2/TobIBfFnKF4Ggs861byzcAY/C9cxP76_2B/WGhxpkLq_2Fup2HWB/_2BU22RdSz/9MAm9.mki HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: firsone1.onlineConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /jkloll/M6Ph7XVMuIVnQJ918dgP/iGy5ZNMffw4qd2BD6Nw/xbvKMlzJtC6XNowbd_2FKm/UnXnZNKrDT7Gw/3YWrqGQ_/2BiRpEYdm3L3qPwkGvjzy_2/FMNOIyI3KK/TIH3Ipp58a4osBqNi/vURpkVVskEDy/A_2BcLgra2r/_2BirjcwqYwgZh/tXOQJ7uW2wVdt9rR3elhH/xJqL8can/GFbQ.mki HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: firsone1.onlineConnection: Keep-AliveCache-Control: no-cache
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49811
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 06 Jan 2022 10:52:39 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 Content-Length: 460 Connection: close Content-Type: text/html; charset=iso-8859-1
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 06 Jan 2022 10:52:41 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 Content-Length: 437 Connection: close Content-Type: text/html; charset=iso-8859-1
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 06 Jan 2022 10:52:42 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 Content-Length: 449 Connection: close Content-Type: text/html; charset=iso-8859-1
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 06 Jan 2022 10:52:46 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 Content-Length: 424 Connection: close Content-Type: text/html; charset=iso-8859-1
Source: loaddll32.exe, 00000000.00000003.484041107.0000000000AC5000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000002.796286171.0000000000AC5000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 9091.dll String found in binary or memory: http://www.symantec.com
Source: loaddll32.exe, 00000000.00000003.484055973.0000000000ADA000.00000004.00000001.sdmp String found in binary or memory: https://firsone1.online/jkloll/hyS7uNj0vVvG2CRrLbZZ4/bEGaiUTSXLmYtAhM/9KrJzj3TRaRiQeM/Wjbl2GC0W3yiu5
Source: loaddll32.exe, 00000000.00000002.796286171.0000000000AC5000.00000004.00000020.sdmp String found in binary or memory: https://google.mail.com/jkloll/SrOhqn0MT2IAkG_2B4u/QUT97q1sQV0r5x6X8tk4tl/QK7oXiqO2sMkr/Uet1eMX4/DBd
Source: loaddll32.exe, 00000000.00000002.796286171.0000000000AC5000.00000004.00000020.sdmp String found in binary or memory: https://kdsjdsadas.online/
Source: loaddll32.exe, 00000000.00000002.796286171.0000000000AC5000.00000004.00000020.sdmp String found in binary or memory: https://kdsjdsadas.online/jkloll/n1yCX1bWO/IyJVfm7yH8jH38Bki7vn/f4C45hYEgppc8I7zVra/TaacUzdsuPU7_2Bk
Source: unknown DNS traffic detected: queries for: google.mail.com
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D45988 ResetEvent,ResetEvent,lstrcat,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError, 0_2_00D45988

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

E-Banking Fraud:

Yara detected Ursnif

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Uses 32bit PE files
Source: 9091.dll Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Detected potential crypto function
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000129A NtMapViewOfSection, 0_2_1000129A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000119D GetProcAddress,NtCreateSection,memset, 0_2_1000119D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001540 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_10001540
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100023D5 NtQueryVirtualMemory, 0_2_100023D5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D49A0F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_00D49A0F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D4B1E5 NtQueryVirtualMemory, 0_2_00D4B1E5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00910541 NtAllocateVirtualMemory, 0_2_00910541
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00910779 NtProtectVirtualMemory, 0_2_00910779
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_02BD9A0F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 3_2_02BD9A0F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_02BDB1E5 NtQueryVirtualMemory, 3_2_02BDB1E5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00A40779 NtProtectVirtualMemory, 3_2_00A40779
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00A40541 NtAllocateVirtualMemory, 3_2_00A40541
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04A49A0F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 4_2_04A49A0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04A4B1E5 NtQueryVirtualMemory, 4_2_04A4B1E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00BD0779 NtProtectVirtualMemory, 4_2_00BD0779
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00BD0541 NtAllocateVirtualMemory, 4_2_00BD0541
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04289A0F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 5_2_04289A0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0428B1E5 NtQueryVirtualMemory, 5_2_0428B1E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B70779 NtProtectVirtualMemory, 5_2_00B70779
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B70541 NtAllocateVirtualMemory, 5_2_00B70541
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
PE / OLE file has an invalid certificate
Source: 9091.dll Static PE information: invalid certificate
Source: 9091.dll Virustotal: Detection: 22%
Source: 9091.dll ReversingLabs: Detection: 30%
Source: 9091.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\9091.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\9091.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\9091.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\9091.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\9091.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\9091.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\9091.dll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\9091.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\9091.dll",#1
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: classification engine Classification label: mal100.troj.evad.winDLL@9/0@16/1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D48F1B CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_00D48F1B
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\9091.dll",#1
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100021A3 push ecx; ret 0_2_100021B3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10002150 push ecx; ret 0_2_10002159
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D4AC00 push ecx; ret 0_2_00D4AC09
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D4D00C push 00000076h; iretd 0_2_00D4D01A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D4E62F push edi; retf 0_2_00D4E630
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D4E9AC push 0B565A71h; ret 0_2_00D4E9B1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D4AFAF push ecx; ret 0_2_00D4AFBF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00910384 push dword ptr [ebp-00000284h]; ret 0_2_00910540
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009108B2 push dword ptr [esp+0Ch]; ret 0_2_009108C6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009108B2 push dword ptr [esp+10h]; ret 0_2_0091090C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009103B6 push dword ptr [ebp-00000284h]; ret 0_2_00910425
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00910725 push edx; ret 0_2_009107C7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00910725 push dword ptr [esp+10h]; ret 0_2_009108B1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00910541 push dword ptr [ebp-00000284h]; ret 0_2_00910577
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00910779 push edx; ret 0_2_009107C7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_02BDE62F push edi; retf 3_2_02BDE630
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_02BDD00C push 00000076h; iretd 3_2_02BDD01A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_02BDAC00 push ecx; ret 3_2_02BDAC09
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_02BDE9AC push 0B565A71h; ret 3_2_02BDE9B1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_02BDAFAF push ecx; ret 3_2_02BDAFBF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00A408B2 push dword ptr [esp+0Ch]; ret 3_2_00A408C6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00A408B2 push dword ptr [esp+10h]; ret 3_2_00A4090C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00A403B6 push dword ptr [ebp-00000284h]; ret 3_2_00A40425
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00A40384 push dword ptr [ebp-00000284h]; ret 3_2_00A40540
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00A40725 push edx; ret 3_2_00A407C7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00A40725 push dword ptr [esp+10h]; ret 3_2_00A408B1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00A40779 push edx; ret 3_2_00A407C7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00A40541 push dword ptr [ebp-00000284h]; ret 3_2_00A40577
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04A4E62F push edi; retf 4_2_04A4E630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04A4AC00 push ecx; ret 4_2_04A4AC09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04A4D00C push 00000076h; iretd 4_2_04A4D01A
PE file contains sections with non-standard names
Source: 9091.dll Static PE information: section name: .arthros
Source: 9091.dll Static PE information: section name: .preter
Source: 9091.dll Static PE information: section name: .witched
Source: 9091.dll Static PE information: section name: .restitu
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001753 LoadLibraryA,GetProcAddress, 0_2_10001753
PE file contains an invalid checksum
Source: 9091.dll Static PE information: real checksum: 0xc73e4 should be: 0xd0994
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\9091.dll

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000002.798277282.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.448462123.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.433214839.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.438242726.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.439767410.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.438346366.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.433186637.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.448445867.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.433125624.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.448406927.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.438314861.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.439730823.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.433150946.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.433232382.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.798374776.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.448351506.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.439792017.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.439887560.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.438169523.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.438331806.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.448474964.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.433256669.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.433093104.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.439905362.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.433269351.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.448483384.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.438296466.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.439867059.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.797510932.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.439827039.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.439848821.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.798106316.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.438266295.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.448428236.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.438216608.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.448381234.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 4908, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 2332, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6008, type: MEMORYSTR
Source: Yara match File source: 0.2.loaddll32.exe.990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.ba0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.a80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2b694a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.2bd0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.46d94a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.4a994a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4280000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.46d94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2b694a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4a40000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.47e94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.4a994a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.d40000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.47e94a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.797837616.00000000047E9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.797650137.0000000010000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.795901018.0000000000990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.797295026.0000000002B69000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.798529500.0000000010000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.795928637.0000000000A80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.796340255.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.798181911.00000000046D9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.797710008.0000000004400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.798351348.0000000010000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.798497438.0000000010000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.798052757.0000000004A99000.00000004.00000040.sdmp, type: MEMORY
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking system information)
Source: C:\Windows\System32\loaddll32.exe Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4532 Thread sleep time: -1773297476s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4532 Thread sleep count: 53 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4532 Thread sleep count: 37 > 30
Found evasive API chain checking for process token information
Source: C:\Windows\SysWOW64\rundll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\SysWOW64\regsvr32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\loaddll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes

Anti Debugging:

Found API chain indicative of debugger detection
Source: C:\Windows\System32\loaddll32.exe Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001753 LoadLibraryA,GetProcAddress, 0_2_10001753
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0091099E mov eax, dword ptr fs:[00000030h] 0_2_0091099E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009108B2 mov eax, dword ptr fs:[00000030h] 0_2_009108B2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009107C9 mov eax, dword ptr fs:[00000030h] 0_2_009107C9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0091090D mov eax, dword ptr fs:[00000030h] 0_2_0091090D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00910725 mov eax, dword ptr fs:[00000030h] 0_2_00910725
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00A408B2 mov eax, dword ptr fs:[00000030h] 3_2_00A408B2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00A4099E mov eax, dword ptr fs:[00000030h] 3_2_00A4099E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00A407C9 mov eax, dword ptr fs:[00000030h] 3_2_00A407C9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00A40725 mov eax, dword ptr fs:[00000030h] 3_2_00A40725
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00A4090D mov eax, dword ptr fs:[00000030h] 3_2_00A4090D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00BD08B2 mov eax, dword ptr fs:[00000030h] 4_2_00BD08B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00BD099E mov eax, dword ptr fs:[00000030h] 4_2_00BD099E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00BD07C9 mov eax, dword ptr fs:[00000030h] 4_2_00BD07C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00BD0725 mov eax, dword ptr fs:[00000030h] 4_2_00BD0725
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00BD090D mov eax, dword ptr fs:[00000030h] 4_2_00BD090D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B708B2 mov eax, dword ptr fs:[00000030h] 5_2_00B708B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B7099E mov eax, dword ptr fs:[00000030h] 5_2_00B7099E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B707C9 mov eax, dword ptr fs:[00000030h] 5_2_00B707C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B70725 mov eax, dword ptr fs:[00000030h] 5_2_00B70725
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00B7090D mov eax, dword ptr fs:[00000030h] 5_2_00B7090D

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 134.0.117.195 187
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: google.mail.com
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: firsone1.online
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: kdsjdsadas.online
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\9091.dll",#1
Source: loaddll32.exe, 00000000.00000002.796932415.0000000001280000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.797914818.0000000003260000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.797442073.0000000002F90000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.797503474.0000000002D90000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.796932415.0000000001280000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.797914818.0000000003260000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.797442073.0000000002F90000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.797503474.0000000002D90000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.796932415.0000000001280000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.797914818.0000000003260000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.797442073.0000000002F90000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.797503474.0000000002D90000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.796932415.0000000001280000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.797914818.0000000003260000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.797442073.0000000002F90000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.797503474.0000000002D90000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D47A2E cpuid 0_2_00D47A2E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001E13 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_10001E13
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001EE5 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_10001EE5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D49267 wsprintfA,GetUserNameW,GetComputerNameW,GetUserNameW,GetComputerNameW,WideCharToMultiByte, 0_2_00D49267

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000002.798277282.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.448462123.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.433214839.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.438242726.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.439767410.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.438346366.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.433186637.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.448445867.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.433125624.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.448406927.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.438314861.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.439730823.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.433150946.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.433232382.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.798374776.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.448351506.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.439792017.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.439887560.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.438169523.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.438331806.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.448474964.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.433256669.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.433093104.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.439905362.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.433269351.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.448483384.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.438296466.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.439867059.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.797510932.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.439827039.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.439848821.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.798106316.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.438266295.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.448428236.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.438216608.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.448381234.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 4908, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 2332, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6008, type: MEMORYSTR
Source: Yara match File source: 0.2.loaddll32.exe.990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.ba0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.a80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2b694a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.2bd0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.46d94a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.4a994a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4280000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.46d94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2b694a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4a40000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.47e94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.4a994a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.d40000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.47e94a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.797837616.00000000047E9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.797650137.0000000010000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.795901018.0000000000990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.797295026.0000000002B69000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.798529500.0000000010000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.795928637.0000000000A80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.796340255.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.798181911.00000000046D9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.797710008.0000000004400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.798351348.0000000010000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.798497438.0000000010000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.798052757.0000000004A99000.00000004.00000040.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000002.798277282.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.448462123.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.433214839.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.438242726.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.439767410.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.438346366.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.433186637.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.448445867.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.433125624.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.448406927.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.438314861.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.439730823.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.433150946.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.433232382.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.798374776.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.448351506.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.439792017.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.439887560.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.438169523.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.438331806.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.448474964.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.433256669.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.433093104.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.439905362.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.433269351.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.448483384.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.438296466.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.439867059.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.797510932.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.439827039.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.439848821.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.798106316.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.438266295.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.448428236.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.438216608.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.448381234.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 4908, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 2332, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6008, type: MEMORYSTR
Source: Yara match File source: 0.2.loaddll32.exe.990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.ba0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.a80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2b694a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.2bd0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.46d94a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.4a994a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.4280000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.46d94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2b694a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4a40000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.47e94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.4a994a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.d40000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.47e94a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.797837616.00000000047E9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.797650137.0000000010000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.795901018.0000000000990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.797295026.0000000002B69000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.798529500.0000000010000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.795928637.0000000000A80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.796340255.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.798181911.00000000046D9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.797710008.0000000004400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.798351348.0000000010000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.798497438.0000000010000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.798052757.0000000004A99000.00000004.00000040.sdmp, type: MEMORY
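The dump identifiers in the listing above encode where each Yara hit was found. The following Python, added here as a worked example and not part of the Joe Sandbox report, parses lines of this form and groups the hits per sandbox process so the recurring executable base is visible at a glance. The field layout (<proc>.<stage>.<dumpid>.<base>.<protection>.<memtype>.sdmp and <proc>.<stage>.<image>.<base>.<index>[.raw].unpack) and the reading of the protection field as Windows PAGE_* constants are assumptions inferred from the naming visible in this report; the embedded sample is a subset of lines copied from the list above.

```python
"""Parse Joe Sandbox 'Yara match' evidence lines and summarise them per process.

Added example, not part of the sandbox report. Field meanings are assumptions
inferred from the naming convention visible in the report:
  <proc>.<stage>.<dumpid>.<base>.<protection>.<memtype>.sdmp
  <proc>.<stage>.<image>.<base>.<index>[.raw].unpack
The protection field is interpreted as Windows PAGE_* constants.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the evidence lines copied from the report above.
REPORT_LINES = """\
Source: Yara match File source: 00000004.00000003.438266295.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.797650137.0000000010000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.798351348.0000000010000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.798497438.0000000010000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.798529500.0000000010000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 4908, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 2332, type: MEMORYSTR
Source: Yara match File source: 0.2.loaddll32.exe.990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
"""

# Windows memory protection constants from winnt.h (not assumptions).
PAGE_NAMES = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80

LINE_RE = re.compile(r"^Source: Yara match File source: (?P<src>.+?), type: (?P<type>\w+)$")
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<mtype>[0-9A-Fa-f]{8})\.sdmp$")
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>[^\s]+?\.(?:exe|dll))\."
    r"(?P<base>[0-9A-Fa-f]+)\.(?P<idx>\d+)\.(?P<raw>raw\.)?unpack$")
MEMSTR_RE = re.compile(r"^Process Memory Space: (?P<image>\S+) PID: (?P<pid>\d+)$")


def parse_line(line):
    """Turn one report line into a dict; return None for lines that are not Yara evidence."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, kind = m.group("src"), m.group("type")
    rec = {"type": kind, "proc": None, "stage": None, "image": None, "base": None,
           "prot": None, "executable": None, "pid": None, "raw": None}
    if kind == "MEMORY" and (d := SDMP_RE.match(src)):
        prot = int(d["prot"], 16)
        rec.update(proc=int(d["proc"], 16), stage=int(d["stage"], 16),
                   base=int(d["base"], 16), prot=prot,
                   executable=bool(prot & EXEC_MASK))
    elif kind == "UNPACKEDPE" and (d := UNPACK_RE.match(src)):
        # A PE image dumped from memory is code by construction; count its base as executable.
        rec.update(proc=int(d["proc"]), stage=int(d["stage"]), image=d["image"],
                   base=int(d["base"], 16), executable=True, raw=bool(d["raw"]))
    elif kind == "MEMORYSTR" and (d := MEMSTR_RE.match(src)):
        rec.update(image=d["image"], pid=int(d["pid"]))
    else:
        raise ValueError(f"unrecognised source format: {src}")
    return rec


def summarize(text):
    """Group evidence by sandbox process index: image names, executable/RW bases, dump stages."""
    per_proc = defaultdict(lambda: {"images": set(), "exec_bases": set(),
                                    "rw_bases": set(), "stages": set()})
    pids = {}  # PID -> image name, from the MEMORYSTR (whole process space) hits
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["pid"] is not None:
            pids[rec["pid"]] = rec["image"]
            continue
        p = per_proc[rec["proc"]]
        p["stages"].add(rec["stage"])
        if rec["image"]:
            p["images"].add(rec["image"])
        (p["exec_bases"] if rec["executable"] else p["rw_bases"]).add(rec["base"])
    return dict(per_proc), pids


def shared_executable_bases(per_proc, min_procs=2):
    """Executable bases that recur across processes: the same module present in several hosts."""
    seen = defaultdict(set)
    for proc, info in per_proc.items():
        for base in info["exec_bases"]:
            seen[base].add(proc)
    return {base: procs for base, procs in seen.items() if len(procs) >= min_procs}


def report(text):
    """Human-readable triage summary of the evidence lines."""
    per_proc, pids = summarize(text)
    out = [f"PID {pid}: {img}" for pid, img in sorted(pids.items())]
    for proc in sorted(per_proc):
        info = per_proc[proc]
        img = ",".join(sorted(info["images"])) or "?"
        out.append(f"proc {proc} ({img}): exec@{[hex(b) for b in sorted(info['exec_bases'])]} "
                   f"rw@{[hex(b) for b in sorted(info['rw_bases'])]} stages={sorted(info['stages'])}")
    for base, procs in shared_executable_bases(per_proc).items():
        out.append(f"base {hex(base)} executable in processes {sorted(procs)}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(REPORT_LINES))
```

Run on the embedded sample, the summary shows base 0x10000000 holding executable memory (0x40, PAGE_EXECUTE_READWRITE, or an unpacked PE) in processes 0, 3, 4 and 5 (loaddll32.exe, regsvr32.exe and two rundll32.exe instances), while the 0x04 (PAGE_READWRITE) dump at 0x4E58000 is a writable data region. The same module base recurring in four host processes is the pattern a triage analyst should extract from the raw listing; the parser raises on an identifier it does not recognise rather than silently skipping it, so a changed naming scheme is noticed.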