Windows Analysis Report
400000.dll

Overview

General Information

Sample Name:	400000.dll
Analysis ID:	632394
MD5:	3b242348cab0068aa4ed98a0c4c8cf95
SHA1:	ed28762dcfbd9e1892e56d261a3facf7248817c4
SHA256:	c0f637c3bc32ba773e2a3ef78b086eb680521482bc5e46cb99f231237c9b9265
Tags:	dll
Infos:

Detection

Ursnif

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Ursnif

Machine Learning detection for sample

Registers a DLL

Uses 32bit PE files

Tries to load missing DLLs

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 400000.dll

Avira: detected

Found malware configuration

Source: 400000.dll

Malware Configuration Extractor: Ursnif {"RSA Public Key": "aVn5cc4yxmeeaLO1GhSDa9E9i9AhiobBqld00ioGlWOx7yX95FcGN3HicG7Ma8K4OSypooZMeS/Q9RHBbebiZB0htVqQfpLIdb7MhjDHDEBHCtTQeeoA8LfDaJAEQ2IdhSWjXZZqcMncDfNRXuwiAWQdEo+PTa9HSuW2G4AqVIhs9hBL2BAZZa8Egh74wCmZjW5gvEmkB+aIKoafUXWf9rJ70sGHrX3U1JPn9tSGnbML+e9g5HE/xe2QT/jXivxkLmTVQv5cQZbQWCQmVvKyQzH4ZmE8FDdAahhD8LLQyis0qatiz93QdIa9WeAg8/W3ijW7qgygdKBu/PDPFWkBFjL9Ourt+q4fqApYM+hMcvc=", "c2_domain": ["agenziaent.top", "agenziaentr.top", "statusline.ru", "statuslines.ru"], "botnet": "7631", "server": "50", "serpent_key": "xlmWrvhFyvbUdepr", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}

Multi AV Scanner detection for submitted file

Source: 400000.dll

ReversingLabs: Detection: 63%

Machine Learning detection for sample

Source: 400000.dll

Joe Sandbox ML: detected

Uses 32bit PE files

Source: 400000.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: unknown

DNS traffic detected: queries for: fp-afd.azureedge.us

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected Ursnif

Source: Yara match

File source: 400000.dll, type: SAMPLE

E-Banking Fraud

Yara detected Ursnif

Source: Yara match

File source: 400000.dll, type: SAMPLE

Uses 32bit PE files

Source: 400000.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Tries to load missing DLLs

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Jump to behavior

Source: 400000.dll

ReversingLabs: Detection: 63%

Source: 400000.dll

Static PE information: Section: .text IMAGE_SCN_LNK_REMOVE, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_LNK_INFO, IMAGE_SCN_LNK_OVER, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: classification engine

Classification label: mal76.troj.winDLL@9/0@1/0

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\400000.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\400000.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\400000.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\400000.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\400000.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\400000.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\400000.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\400000.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\400000.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\400000.dll",#1	Jump to behavior

Registers a DLL

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\400000.dll

Hooking and other Techniques for Hiding and Protection

Yara detected Ursnif

Source: Yara match

File source: 400000.dll, type: SAMPLE

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\400000.dll",#1

Jump to behavior

Stealing of Sensitive Information

Yara detected Ursnif

Source: Yara match

File source: 400000.dll, type: SAMPLE

Remote Access Functionality

Yara detected Ursnif

Source: Yara match

File source: 400000.dll, type: SAMPLE

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Contacted Domains

Name	IP	Active
eafd-ffgov-phx01.elasticafd.msedge.azure.us	20.141.10.208	true
b-9999.b-msedge.net	13.107.6.254	true
fp-afd.azureedge.us	unknown	unknown

ID:	632394
Product:	CloudBasic
Start time:	16:36:26
Start date:	23.05.2022
Sample:	400000.dll
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	3b242348cab0068aa4ed98a0c4c8cf95
SHA1:	ed28762dcfbd9e1892e56d261a3facf7248817c4
SHA256:	c0f637c3bc32ba773e2a3ef78b086eb680521482bc5e46cb99f231237c9b9265
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60%

Windows Analysis Report
400000.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Domains

Windows Analysis Report 400000.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Domains

Windows Analysis Report
400000.dll