Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
400000.dll

Overview

General Information

Sample Name:400000.dll
Analysis ID:632394
MD5:3b242348cab0068aa4ed98a0c4c8cf95
SHA1:ed28762dcfbd9e1892e56d261a3facf7248817c4
SHA256:c0f637c3bc32ba773e2a3ef78b086eb680521482bc5e46cb99f231237c9b9265
Tags:dll
Infos:

Detection

Ursnif
Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Machine Learning detection for sample
Registers a DLL
Uses 32bit PE files
Tries to load missing DLLs
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 1260 cmdline: loaddll32.exe "C:\Users\user\Desktop\400000.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 6444 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\400000.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6424 cmdline: rundll32.exe "C:\Users\user\Desktop\400000.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 6440 cmdline: regsvr32.exe /s C:\Users\user\Desktop\400000.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
    • rundll32.exe (PID: 4116 cmdline: rundll32.exe C:\Users\user\Desktop\400000.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup
{"RSA Public Key": "aVn5cc4yxmeeaLO1GhSDa9E9i9AhiobBqld00ioGlWOx7yX95FcGN3HicG7Ma8K4OSypooZMeS/Q9RHBbebiZB0htVqQfpLIdb7MhjDHDEBHCtTQeeoA8LfDaJAEQ2IdhSWjXZZqcMncDfNRXuwiAWQdEo+PTa9HSuW2G4AqVIhs9hBL2BAZZa8Egh74wCmZjW5gvEmkB+aIKoafUXWf9rJ70sGHrX3U1JPn9tSGnbML+e9g5HE/xe2QT/jXivxkLmTVQv5cQZbQWCQmVvKyQzH4ZmE8FDdAahhD8LLQyis0qatiz93QdIa9WeAg8/W3ijW7qgygdKBu/PDPFWkBFjL9Ourt+q4fqApYM+hMcvc=", "c2_domain": ["agenziaent.top", "agenziaentr.top", "statusline.ru", "statuslines.ru"], "botnet": "7631", "server": "50", "serpent_key": "xlmWrvhFyvbUdepr", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
SourceRuleDescriptionAuthorStrings
400000.dllJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
    No Sigma rule has matched
    No Snort rule has matched

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Source: 400000.dllAvira: detected
    Source: 400000.dllMalware Configuration Extractor: Ursnif {"RSA Public Key": "aVn5cc4yxmeeaLO1GhSDa9E9i9AhiobBqld00ioGlWOx7yX95FcGN3HicG7Ma8K4OSypooZMeS/Q9RHBbebiZB0htVqQfpLIdb7MhjDHDEBHCtTQeeoA8LfDaJAEQ2IdhSWjXZZqcMncDfNRXuwiAWQdEo+PTa9HSuW2G4AqVIhs9hBL2BAZZa8Egh74wCmZjW5gvEmkB+aIKoafUXWf9rJ70sGHrX3U1JPn9tSGnbML+e9g5HE/xe2QT/jXivxkLmTVQv5cQZbQWCQmVvKyQzH4ZmE8FDdAahhD8LLQyis0qatiz93QdIa9WeAg8/W3ijW7qgygdKBu/PDPFWkBFjL9Ourt+q4fqApYM+hMcvc=", "c2_domain": ["agenziaent.top", "agenziaentr.top", "statusline.ru", "statuslines.ru"], "botnet": "7631", "server": "50", "serpent_key": "xlmWrvhFyvbUdepr", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
    Source: 400000.dllReversingLabs: Detection: 63%
    Source: 400000.dllJoe Sandbox ML: detected
    Source: 400000.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
    Source: unknownDNS traffic detected: queries for: fp-afd.azureedge.us

    Key, Mouse, Clipboard, Microphone and Screen Capturing

    barindex
    Source: Yara matchFile source: 400000.dll, type: SAMPLE

    E-Banking Fraud

    barindex
    Source: Yara matchFile source: 400000.dll, type: SAMPLE
    Source: 400000.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
    Source: 400000.dllReversingLabs: Detection: 63%
    Source: 400000.dllStatic PE information: Section: .text IMAGE_SCN_LNK_REMOVE, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_LNK_INFO, IMAGE_SCN_LNK_OVER, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: classification engineClassification label: mal76.troj.winDLL@9/0@1/0
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\400000.dll",#1
    Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\400000.dll"
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\400000.dll",#1
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\400000.dll
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\400000.dll",#1
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\400000.dll,DllRegisterServer
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\400000.dll",#1Jump to behavior
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\400000.dllJump to behavior
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\400000.dll,DllRegisterServerJump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\400000.dll",#1Jump to behavior
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\400000.dll

    Hooking and other Techniques for Hiding and Protection

    barindex
    Source: Yara matchFile source: 400000.dll, type: SAMPLE
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\loaddll32.exeThread delayed: delay time: 120000Jump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\400000.dll",#1Jump to behavior

    Stealing of Sensitive Information

    barindex
    Source: Yara matchFile source: 400000.dll, type: SAMPLE

    Remote Access Functionality

    barindex
    Source: Yara matchFile source: 400000.dll, type: SAMPLE
    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management Instrumentation1
    DLL Side-Loading
    11
    Process Injection
    1
    Regsvr32
    OS Credential Dumping1
    Virtualization/Sandbox Evasion
    Remote ServicesData from Local SystemExfiltration Over Other Network Medium1
    Non-Application Layer Protocol
    Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
    DLL Side-Loading
    1
    Rundll32
    LSASS Memory1
    System Information Discovery
    Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth1
    Application Layer Protocol
    Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)1
    Virtualization/Sandbox Evasion
    Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)11
    Process Injection
    NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
    Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
    DLL Side-Loading
    LSA SecretsRemote System DiscoverySSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 632394 Sample: 400000.dll Startdate: 23/05/2022 Architecture: WINDOWS Score: 76 18 t-0001.msedge.azure.us 2->18 20 fp-afd.azureedge.us 2->20 22 4 other IPs or domains 2->22 24 Found malware configuration 2->24 26 Antivirus / Scanner detection for submitted sample 2->26 28 Multi AV Scanner detection for submitted file 2->28 30 2 other signatures 2->30 8 loaddll32.exe 1 2->8         started        signatures3 process4 process5 10 cmd.exe 1 8->10         started        12 regsvr32.exe 8->12         started        14 rundll32.exe 8->14         started        process6 16 rundll32.exe 10->16         started       

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.