
Windows Analysis Report
62835e34e60c1.dll

Overview

General Information

Sample Name: 62835e34e60c1.dll
Analysis ID: 628111
MD5: 5572213d17be7de71f36fa68eb6808a8
SHA1: 5e8b27d57f6c9dc02cf2e30d47f8ed439f0fa20e
SHA256: f58f9c8e6a62223efa263da10850e188004471cb2be65264b7f91f27ebab0766
Tags: DHL, dll, gozi, isfb, italy, ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Found API chain indicative of debugger detection
Machine Learning detection for sample
Found evasive API chain (may stop execution after checking system information)
Writes registry values via WMI
Uses 32bit PE files
One or more processes crash
Uses code obfuscation techniques (call, push, ret)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 7012 cmdline: loaddll32.exe "C:\Users\user\Desktop\62835e34e60c1.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 7064 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\62835e34e60c1.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 7120 cmdline: rundll32.exe "C:\Users\user\Desktop\62835e34e60c1.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • WerFault.exe (PID: 1448 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7012 -s 400 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 6480 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7012 -s 408 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 3272 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7012 -s 436 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
{
  "RSA Public Key": "uFHdIp1dwWhvkEA2yTiBbeuMW6YDB1lsKD5xr+wbKQpSTgCxKW/AXnU7L/HiYIBOAaOvelJb2/pY2jRw/FTeNeGEktAn4DWXMKOPXXT0NA64cjWTlmZ01c3ZQu3caOM/Vp3zMRoE3uvOCFkw5pB9m5AVXCHf7c66rMBTCpzNlB06TLav0Zslv7QoNXagpBRObC3w6aRV9zoEMPsKo8dDtjcXrpjT3cmo/nK2BeLeCRHw4m+Z1wNt/QFKG0JSvLN7KWGp2TqLTGCk8sWmJopJGBcCeH8dEEcUduFFgdi8Cilu/K4cd0diqylW1QdRW2VJSAgt/TyNLQ8XGjESLVVFp5dI5rtAU8yovXe+vZ9IsF8=",
  "c2_domain": ["config.edge.skype.com", "185.189.151.28", "185.189.151.70"],
  "botnet": "3000",
  "server": "50",
  "serpent_key": "noA8W2qeaw7z6wk9",
  "sleep_time": "1",
  "CONF_TIMEOUT": "20",
  "SetWaitableTimer_value": "0"
}
Source | Rule | Description | Author | Strings
00000003.00000003.409022533.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.408311834.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.409143246.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.408868417.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.408399417.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
Source | Rule | Description | Author | Strings
3.2.rundll32.exe.cb0000.1.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
3.2.rundll32.exe.49e94a0.2.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
3.2.rundll32.exe.400000.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
3.2.rundll32.exe.49e94a0.2.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |

No Sigma rule has matched
Timestamp: 05/17/22-10:46:47.467879
Source IP: 192.168.2.5
Destination IP: 13.107.43.16
SID: 2033203
Source Port: 49772
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected


                    AV Detection

Source: 3.2.rundll32.exe.400000.0.unpack Malware Configuration Extractor: Ursnif {"RSA Public Key": "uFHdIp1dwWhvkEA2yTiBbeuMW6YDB1lsKD5xr+wbKQpSTgCxKW/AXnU7L/HiYIBOAaOvelJb2/pY2jRw/FTeNeGEktAn4DWXMKOPXXT0NA64cjWTlmZ01c3ZQu3caOM/Vp3zMRoE3uvOCFkw5pB9m5AVXCHf7c66rMBTCpzNlB06TLav0Zslv7QoNXagpBRObC3w6aRV9zoEMPsKo8dDtjcXrpjT3cmo/nK2BeLeCRHw4m+Z1wNt/QFKG0JSvLN7KWGp2TqLTGCk8sWmJopJGBcCeH8dEEcUduFFgdi8Cilu/K4cd0diqylW1QdRW2VJSAgt/TyNLQ8XGjESLVVFp5dI5rtAU8yovXe+vZ9IsF8=", "c2_domain": ["config.edge.skype.com", "185.189.151.28", "185.189.151.70"], "botnet": "3000", "server": "50", "serpent_key": "noA8W2qeaw7z6wk9", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
Source: 62835e34e60c1.dll Virustotal: Detection: 28%
Source: 62835e34e60c1.dll ReversingLabs: Detection: 29%
Source: http://185.189.151.70/drew/aaJEUlLh_/2FLHWWSII4z5Zv8IHOi1/CMWvnEAIAbago4IEJQ4/RXWAE Avira URL Cloud: Label: malware
Source: 62835e34e60c1.dll Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00CB5FBB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 3_2_00CB5FBB
Source: 62835e34e60c1.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: uwGXyM.pdb source: loaddll32.exe, 00000001.00000000.379008516.00000000006BD000.00000002.00000001.01000000.00000003.sdmp, 62835e34e60c1.dll

                    Networking

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.189.151.28 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.189.151.70 80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49772 -> 13.107.43.16:80
Source: global traffic TCP traffic: 192.168.2.6:49764 -> 185.189.151.28:80
Source: global traffic TCP traffic: 192.168.2.6:49808 -> 185.189.151.70:80
Source: Joe Sandbox View ASN Name: AS-SOFTPLUSCH
Source: Joe Sandbox View IP Address: 185.189.151.28
                    Source