
Windows Analysis Report
BJp3aUvrt9

Overview

General Information

Sample Name: BJp3aUvrt9 (renamed file extension from none to dll)
Analysis ID: 628121
MD5: 9046f78804227bd742d558325fa8f4c0
SHA1: 37ddabb88b909290e1da368f275448a880887482
SHA256: e34af6effb596517e32ddf82fb283e8b844ec34d373f4e04e93e9916d26c287d
Tags: dll

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Found API chain indicative of debugger detection
Machine Learning detection for sample
Found evasive API chain (may stop execution after checking system information)
Writes registry values via WMI
Uses 32bit PE files
One or more processes crash
Uses code obfuscation techniques (call, push, ret)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 6424 cmdline: loaddll32.exe "C:\Users\user\Desktop\BJp3aUvrt9.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 6452 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\BJp3aUvrt9.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6472 cmdline: rundll32.exe "C:\Users\user\Desktop\BJp3aUvrt9.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • WerFault.exe (PID: 6532 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6424 -s 388 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 6604 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6424 -s 396 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 6800 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6424 -s 424 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
{"RSA Public Key": "uFHdIp1dwWhvkEA2yTiBbeuMW6YDB1lsKD5xr+wbKQpSTgCxKW/AXnU7L/HiYIBOAaOvelJb2/pY2jRw/FTeNeGEktAn4DWXMKOPXXT0NA64cjWTlmZ01c3ZQu3caOM/Vp3zMRoE3uvOCFkw5pB9m5AVXCHf7c66rMBTCpzNlB06TLav0Zslv7QoNXagpBRObC3w6aRV9zoEMPsKo8dDtjcXrpjT3cmo/nK2BeLeCRHw4m+Z1wNt/QFKG0JSvLN7KWGp2TqLTGCk8sWmJopJGBcCeH8dEEcUduFFgdi8Cilu/K4cd0diqylW1QdRW2VJSAgt/TyNLQ8XGjESLVVFp5dI5rtAU8yovXe+vZ9IsF8=", "c2_domain": ["config.edge.skype.com", "185.189.151.28", "185.189.151.70"], "botnet": "3000", "server": "50", "serpent_key": "noA8W2qeaw7z6wk9", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
Source | Rule | Description | Author | Strings
00000002.00000003.364421717.00000000051A8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000002.00000003.364070986.00000000051A8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000002.00000003.364312063.00000000051A8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000002.00000003.364235828.00000000051A8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000002.00000003.364148388.00000000051A8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(6 further entries not shown)
Source | Rule | Description | Author | Strings
2.2.rundll32.exe.8f0000.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
2.2.rundll32.exe.10f0000.1.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
2.2.rundll32.exe.49c94a0.2.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
2.2.rundll32.exe.49c94a0.2.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |

No Sigma rule has matched

Snort IDS alert:
Timestamp: 05/17/22-11:01:06.002753
Source IP: 192.168.2.3
Destination IP: 13.107.42.16
Source Port: 49754
Destination Port: 80
Protocol: TCP
SID: 2033203
Classtype: A Network Trojan was detected

                    AV Detection

Source: 2.2.rundll32.exe.8f0000.0.unpack | Malware Configuration Extractor: Ursnif {"RSA Public Key": "uFHdIp1dwWhvkEA2yTiBbeuMW6YDB1lsKD5xr+wbKQpSTgCxKW/AXnU7L/HiYIBOAaOvelJb2/pY2jRw/FTeNeGEktAn4DWXMKOPXXT0NA64cjWTlmZ01c3ZQu3caOM/Vp3zMRoE3uvOCFkw5pB9m5AVXCHf7c66rMBTCpzNlB06TLav0Zslv7QoNXagpBRObC3w6aRV9zoEMPsKo8dDtjcXrpjT3cmo/nK2BeLeCRHw4m+Z1wNt/QFKG0JSvLN7KWGp2TqLTGCk8sWmJopJGBcCeH8dEEcUduFFgdi8Cilu/K4cd0diqylW1QdRW2VJSAgt/TyNLQ8XGjESLVVFp5dI5rtAU8yovXe+vZ9IsF8=", "c2_domain": ["config.edge.skype.com", "185.189.151.28", "185.189.151.70"], "botnet": "3000", "server": "50", "serpent_key": "noA8W2qeaw7z6wk9", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
Source: BJp3aUvrt9.dll | ReversingLabs: Detection: 31%
Source: http://185.189.151.28/ | Avira URL Cloud: Label: malware
Source: http://185.189.151.28/drew/Gno4E_2Fz/JYCqWA_2FqMmY1RZwoiB/wugIArNn94bFR0HD9u1/3DvnzuRELDO66MgbIMgnTX | Avira URL Cloud: Label: malware
Source: http://185.189.151.70/? | Avira URL Cloud: Label: malware
Source: http://185.189.151.70/ | Avira URL Cloud: Label: malware
Source: BJp3aUvrt9.dll | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_010F5FBB CryptAcquireContextW, memcpy, CryptImportKey, CryptSetKeyParam, memcpy, CryptEncrypt, GetLastError, GetLastError, CryptDestroyKey, GetLastError, CryptReleaseContext, GetLastError | 2_2_010F5FBB
Source: BJp3aUvrt9.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: uwGXyM.pdb | source: loaddll32.exe, 00000000.00000000.262732571.000000000085D000.00000002.00000001.01000000.00000003.sdmp, BJp3aUvrt9.dll

Networking

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 185.189.151.28 80
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 185.189.151.70 80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49754 -> 13.107.42.16:80
Source: global traffic | TCP traffic: 192.168.2.3:49755 -> 185.189.151.28:80
Source: global traffic | TCP traffic: 192.168.2.3:49825 -> 185.189.151.70:80
Source: Joe Sandbox View | ASN Name: AS-SOFTPLUSCH AS-SOFTPLUSCH
Source: Joe Sandbox View | IP Address: 185.189.151.28 185.189.151.28
Source: unknown | TCP traffic detected without corresponding DNS query: 185.189.151.28
Source: unknown | TCP traffic detected without corresponding DNS query: 185.189.151.28
Source: unknown | TCP traffic detected without corresponding DNS query: 185.189.151.28
Source: unknown | TCP traffic detected without corresponding DNS query: 185.189.151.70
Source: unknown | TCP traffic detected without corresponding DNS query: 185.189.151.70
Source: unknown | TCP traffic detected without corresponding DNS query: 185.189.151.70
Source: rundll32.exe, 00000002.00000002.784882231.00000000010DC000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://185.18
Source: rundll32.exe, 00000002.00000002.784730150.0000000000A76000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.189.151.28/
Source: rundll32.exe, 00000002.00000002.784730150.0000000000A76000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.189.151.28/drew/Gno4E_2Fz/JYCqWA_2FqMmY1RZwoiB/wugIArNn94bFR0HD9u1/3DvnzuRELDO66MgbIMgnTX
Source: rundll32.exe, 00000002.00000002.784646579.0000000000A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.784730150.0000000000A76000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.189.151.70/
Source: rundll32.exe, 00000002.00000002.784730150.0000000000A76000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.189.151.70/?
Source: rundll32.exe, 00000002.00000002.784646579.0000000000A49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.189.151.70/drew/1TloxXPDggvUU7SO132dXHA/UogwcX8C6t/D9_2FjX0SVQAwUvNJ/ygMnY8n2kRf7/6ETlzT9
Source: rundll32.exe, 00000002.00000002.784646579.0000000000A49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://config.edge.skype.com/drew/qzdAP1F4C_/2FVSRXifD6LesfvXQ/eiTPfMcJsPzH/EhN9_2BOs9N/TNtCRj3BFJm7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_010F1CA5 ResetEvent, ResetEvent, InternetReadFile, GetLastError, ResetEvent, InternetReadFile, GetLastError | 2_2_010F1CA5

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 00000002.00000003.364421717.00000000051A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.364070986.00000000051A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.364312063.00000000051A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.364235828.00000000051A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.364148388.00000000051A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.364394991.00000000051A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.364278031.00000000051A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.364350159.00000000051A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.785582568.00000000051A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6472, type: MEMORYSTR
Source: Yara match | File source: 2.2.rundll32.exe.8f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.10f0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.49c94a0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.49c94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.785174567.00000000049C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

E-Banking Fraud

Source: Yara match | File source: 00000002.00000003.364421717.00000000051A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.364070986.00000000051A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.364312063.00000000051A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.364235828.00000000051A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.364148388.00000000051A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.364394991.00000000051A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.364278031.00000000051A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.364350159.00000000051A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.785582568.00000000051A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6472, type: MEMORYSTR
Source: Yara match | File source: 2.2.rundll32.exe.8f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.10f0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.49c94a0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.49c94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.785174567.00000000049C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_010F5FBB CryptAcquireContextW, memcpy, CryptImportKey, CryptSetKeyParam, memcpy, CryptEncrypt, GetLastError, GetLastError, CryptDestroyKey, GetLastError, CryptReleaseContext, GetLastError | 2_2_010F5FBB

System Summary