Windows Analysis Report
4f20000.dll

Overview

General Information

Sample Name: 4f20000.dll
Analysis ID: 561399
MD5: 50ec25e826f1e5401fd1f0af760ca2b0
SHA1: 593dda97ae3c106e61137693d206a893bbd81a45
SHA256: fbe7cb98973b46d24031d2b592acf21dba0918af11149fd55a6e04095d9e25cf
Tags: dllgozi

Detection

Ursnif
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Sigma detected: Suspicious Call by Ordinal
Uses 32bit PE files
PE file does not import any functions
Tries to load missing DLLs
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)
Checks if the current process is being debugged

Classification

AV Detection

Source: 4f20000.dll Avira: detected
Source: 4f20000.dll Malware Configuration Extractor: Ursnif {"RSA Public Key": "WkHRFovJwpCCR5K5Nh8VR2q4c9stfUFZS1MHkr0NbHvphiXoTaUlD1/ctLAfC4eNiBry7yNi2pi8XJCO6p3vaVMYHl+Gh8P9CIYtaQY/U+yigzsKNQvo6kcbuYeKw6BstCnvrjwK9kKQY/DLPMQbKCeqq946niDdT4Jo7uaX2Km1i6F5OSZa3LsG21EhcL0odRRu4qIQmj94n5ytXGrD0tBoZlp6o3WFCqV0cRPm/cA75C444IV3sssDjOF/QFpx65JggE4ZkgosS8eInutrg2THDmvWNgzLntcT1UjrHUSzbVYMusnRJJCgoePG+Ilfqw1xUNrgob24M7woWIrC6vhPn01XLrMc+7iDKY4kBpE=", "c2_domain": ["giporedtrip.at", "habpfans.at"], "botnet": "20000", "server": "50", "serpent_key": "gs0W1Y167ccgpQOG", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
Source: 4f20000.dll ReversingLabs: Detection: 44%

Compliance

Source: 4f20000.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 4f20000.dll, type: SAMPLE

E-Banking Fraud

Source: Yara match File source: 4f20000.dll, type: SAMPLE

System Summary

Source: 4f20000.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: 4f20000.dll Static PE information: No import functions for PE file found
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll
Source: 4f20000.dll ReversingLabs: Detection: 44%
Source: 4f20000.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine Classification label: mal76.troj.winDLL@5/0@0/0
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\4f20000.dll",#1
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\4f20000.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\4f20000.dll",#1

Hooking and other Techniques for Hiding and Protection

Source: Yara match File source: 4f20000.dll, type: SAMPLE
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging

Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\4f20000.dll",#1

Stealing of Sensitive Information

Source: Yara match File source: 4f20000.dll, type: SAMPLE

Remote Access Functionality

Source: Yara match File source: 4f20000.dll, type: SAMPLE
No contacted IP infos