Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
5300000.dll

Overview

General Information

Sample Name:5300000.dll
Analysis ID:632396
MD5:67f12b772561c13041ada1de17bff6c1
SHA1:39a3c933a2fe4e0d373da3bbf556c4a58d051732
SHA256:9af5351d4a0384db5af18c90007cc7aacd856b701c6a8d8da49bdaa4e9c2a3a7
Tags:dll
Infos:

Detection

Ursnif
Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Uses 32bit PE files
PE file does not import any functions
Tries to load missing DLLs
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)
Checks if the current process is being debugged

Classification

  • System is w10x64
  • loaddll32.exe (PID: 6412 cmdline: loaddll32.exe "C:\Users\user\Desktop\5300000.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 6420 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5300000.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6448 cmdline: rundll32.exe "C:\Users\user\Desktop\5300000.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup
{"RSA Public Key": "aVn5cc4yxmeeaLO1GhSDa9E9i9AhiobBqld00ioGlWOx7yX95FcGN3HicG7Ma8K4OSypooZMeS/Q9RHBbebiZB0htVqQfpLIdb7MhjDHDEBHCtTQeeoA8LfDaJAEQ2IdhSWjXZZqcMncDfNRXuwiAWQdEo+PTa9HSuW2G4AqVIhs9hBL2BAZZa8Egh74wCmZjW5gvEmkB+aIKoafUXWf9rJ70sGHrX3U1JPn9tSGnbML+e9g5HE/xe2QT/jXivxkLmTVQv5cQZbQWCQmVvKyQzH4ZmE8FDdAahhD8LLQyis0qatiz93QdIa9WeAg8/W3ijW7qgygdKBu/PDPFWkBFjL9Ourt+q4fqApYM+hMcvc=", "c2_domain": ["agenziaent.top", "agenziaentr.top", "statusline.ru", "statuslines.ru"], "botnet": "7631", "server": "50", "serpent_key": "xlmWrvhFyvbUdepr", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
SourceRuleDescriptionAuthorStrings
5300000.dllJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
    No Sigma rule has matched
    No Snort rule has matched

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Source: 5300000.dllAvira: detected
    Source: 5300000.dllMalware Configuration Extractor: Ursnif {"RSA Public Key": "aVn5cc4yxmeeaLO1GhSDa9E9i9AhiobBqld00ioGlWOx7yX95FcGN3HicG7Ma8K4OSypooZMeS/Q9RHBbebiZB0htVqQfpLIdb7MhjDHDEBHCtTQeeoA8LfDaJAEQ2IdhSWjXZZqcMncDfNRXuwiAWQdEo+PTa9HSuW2G4AqVIhs9hBL2BAZZa8Egh74wCmZjW5gvEmkB+aIKoafUXWf9rJ70sGHrX3U1JPn9tSGnbML+e9g5HE/xe2QT/jXivxkLmTVQv5cQZbQWCQmVvKyQzH4ZmE8FDdAahhD8LLQyis0qatiz93QdIa9WeAg8/W3ijW7qgygdKBu/PDPFWkBFjL9Ourt+q4fqApYM+hMcvc=", "c2_domain": ["agenziaent.top", "agenziaentr.top", "statusline.ru", "statuslines.ru"], "botnet": "7631", "server": "50", "serpent_key": "xlmWrvhFyvbUdepr", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
    Source: 5300000.dllReversingLabs: Detection: 51%
    Source: 5300000.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

    Key, Mouse, Clipboard, Microphone and Screen Capturing

    barindex
    Source: Yara matchFile source: 5300000.dll, type: SAMPLE

    E-Banking Fraud

    barindex
    Source: Yara matchFile source: 5300000.dll, type: SAMPLE
    Source: 5300000.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
    Source: 5300000.dllStatic PE information: No import functions for PE file found
    Source: C:\Windows\System32\loaddll32.exeSection loaded: .dll
    Source: C:\Windows\System32\loaddll32.exeSection loaded: .dll
    Source: C:\Windows\System32\loaddll32.exeSection loaded: .dll
    Source: 5300000.dllReversingLabs: Detection: 51%
    Source: 5300000.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: classification engineClassification label: mal72.troj.winDLL@5/0@0/0
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5300000.dll",#1
    Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\5300000.dll"
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5300000.dll",#1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5300000.dll",#1
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5300000.dll",#1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5300000.dll",#1

    Hooking and other Techniques for Hiding and Protection

    barindex
    Source: Yara matchFile source: 5300000.dll, type: SAMPLE
    Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Windows\System32\loaddll32.exeProcess queried: DebugPort
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5300000.dll",#1

    Stealing of Sensitive Information

    barindex
    Source: Yara matchFile source: 5300000.dll, type: SAMPLE

    Remote Access Functionality

    barindex
    Source: Yara matchFile source: 5300000.dll, type: SAMPLE
    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management Instrumentation1
    DLL Side-Loading
    11
    Process Injection
    1
    Virtualization/Sandbox Evasion
    OS Credential Dumping1
    Security Software Discovery
    Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
    DLL Side-Loading
    1
    Rundll32
    LSASS Memory1
    Virtualization/Sandbox Evasion
    Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)11
    Process Injection
    Security Account Manager1
    System Information Discovery
    SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
    DLL Side-Loading
    NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    behaviorgraph top1 signatures2 2 Behavior Graph ID: 632396 Sample: 5300000.dll Startdate: 23/05/2022 Architecture: WINDOWS Score: 72 13 Found malware configuration 2->13 15 Antivirus / Scanner detection for submitted sample 2->15 17 Multi AV Scanner detection for submitted file 2->17 19 Yara detected  Ursnif 2->19 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        process5 11 rundll32.exe 9->11         started       

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand
    SourceDetectionScannerLabelLink
    5300000.dll51%ReversingLabsWin32.Trojan.Razy
    5300000.dll100%AviraHEUR/AGEN.1245293
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
    No contacted domains info
    No contacted IP infos
    Joe Sandbox Version:34.0.0 Boulder Opal
    Analysis ID:632396
    Start date and time: 23/05/202216:40:382022-05-23 16:40:38 +02:00
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 6m 31s
    Hypervisor based Inspection enabled:false
    Report type:light
    Sample file name:5300000.dll
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of analysed new started processes analysed:28
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal72.troj.winDLL@5/0@0/0
    EGA Information:Failed
    HDC Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Found application associated with file extension: .dll
    • Adjust boot time
    • Enable AMSI
    • Override analysis time to 240s for rundll32
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
    • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
    • Not all processes where analyzed, report is missing behavior information
    • VT rate limit hit for: 5300000.dll
    No simulations
    No context
    No context
    No context
    No context
    No context
    No created / dropped files found
    File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Entropy (8bit):6.648453671897272
    TrID:
    • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
    • Generic Win/DOS Executable (2004/3) 0.20%
    • DOS Executable Generic (2002/1) 0.20%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:5300000.dll
    File size:44544
    MD5:67f12b772561c13041ada1de17bff6c1
    SHA1:39a3c933a2fe4e0d373da3bbf556c4a58d051732
    SHA256:9af5351d4a0384db5af18c90007cc7aacd856b701c6a8d8da49bdaa4e9c2a3a7
    SHA512:75dd963ff30de23e581a2eb6fecf90d69111d613960e48c9508c756dfca2374280145cbb6f9f1ea840e433b39ecd5bd538dcf3e36489037ec59a349841b037a8
    SSDEEP:768:65pad4LOyeTJRRtpg6DBpLuS7rmWucAh1gRhOEOQJMkhe0gspoEs/P:Mpapy6JRRY6D3LPrM0RhOEJJMk1VjaP
    TLSH:38138D02F6F90CF2D3A39E746610FBF867FA863112786094E72399CA59A4953E53D307
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........p...............i.......i..................H...:.......:.......:........i.......i.......i......Rich............PE..L......b...
    Icon Hash:74f0e4ecccdce0e4
    Entrypoint:0x1000586c
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x10000000
    Subsystem:windows gui
    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
    DLL Characteristics:
    Time Stamp:0x6213BE96 [Mon Feb 21 16:32:22 2022 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:5
    OS Version Minor:0
    File Version Major:5
    File Version Minor:0
    Subsystem Version Major:5
    Subsystem Version Minor:0
    Import Hash:
    Instruction
    mov eax, dword ptr [esp+08h]
    push esi
    xor esi, esi
    inc esi
    sub eax, 00000000h
    je 00007F80909BEA45h
    dec eax
    jne 00007F80909BEA56h
    push 1000A2DCh
    call dword ptr [1000900Ch]
    cmp eax, esi
    jne 00007F80909BEA47h
    push dword ptr [esp+08h]
    call 00007F80909BE9A4h
    test eax, eax
    je 00007F80909BEA3Ah
    xor esi, esi
    jmp 00007F80909BEA36h
    push 1000A2DCh
    call dword ptr [10009010h]
    test eax, eax
    jne 00007F80909BEA27h
    call 00007F80909BB267h
    mov eax, esi
    pop esi
    retn 000Ch
    push ebp
    mov ebp, esp
    push ecx
    xor eax, eax
    inc eax
    cmp dword ptr [ebp+08h], 00000000h
    mov dword ptr [ebp-04h], eax
    je 00007F80909BEA35h
    push eax
    push dword ptr [ebp+10h]
    push dword ptr [ebp+0Ch]
    push dword ptr [ebp+08h]
    call 00007F80909BDD23h
    test eax, eax
    je 00007F80909BEA3Ah
    push 00000004h
    lea eax, dword ptr [ebp-04h]
    push eax
    push dword ptr [ebp+10h]
    push dword ptr [ebp+0Ch]
    push 00000004h
    push 80000001h
    call 00007F80909BE18Bh
    leave
    retn 000Ch
    push ebp
    mov ebp, esp
    sub esp, 58h
    push ebx
    push esi
    push edi
    mov esi, eax
    xor eax, eax
    mov word ptr [ebp-44h], ax
    lea edi, dword ptr [ebp-42h]
    stosd
    stosd
    stosd
    stosw
    xor eax, eax
    mov word ptr [ebp-34h], ax
    lea edi, dword ptr [ebp-32h]
    stosd
    stosd
    stosd
    stosw
    xor eax, eax
    mov word ptr [ebp-24h], ax
    lea edi, dword ptr [ebp-22h]
    stosd
    stosd
    push 00000008h
    pop ebx
    push dword ptr [ebp+08h]
    stosd
    stosw
    call dword ptr [000090D0h]
    Programming Language:
    • [ASM] VS2008 SP1 build 30729
    • [LNK] VS2008 SP1 build 30729
    • [C++] VS2005 build 50727
    • [IMP] VS2008 SP1 build 30729
    • [EXP] VS2008 SP1 build 30729
    NameVirtual AddressVirtual Size Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT0x9f100x32.rdata
    IMAGE_DIRECTORY_ENTRY_IMPORT0x98d40x50.rdata
    IMAGE_DIRECTORY_ENTRY_RESOURCE0x00x0
    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
    IMAGE_DIRECTORY_ENTRY_BASERELOC0xc0000x744.reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_IAT0x90000x12c.rdata
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x92a40xe0.rdata
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
    NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
    .text0x10000x76630x7800False0.621875data6.52907311562IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    .rdata0x90000xf420x1000False0.4609375data4.70307546866IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .data0xa0000x3e80x200False0.572265625ARJ archive data, v29, original name: , os: MS-DOS3.67785998014IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
    .bss0xb0000xeae0x1000False0.901123046875data7.52389912782IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
    .reloc0xc0000x10000x1000False0.610107421875data5.4947263917IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    No network behavior found

    Click to jump to process

    Target ID:0
    Start time:16:41:49
    Start date:23/05/2022
    Path:C:\Windows\System32\loaddll32.exe
    Wow64 process (32bit):true
    Commandline:loaddll32.exe "C:\Users\user\Desktop\5300000.dll"
    Imagebase:0x840000
    File size:116736 bytes
    MD5 hash:7DEB5DB86C0AC789123DEC286286B938
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    Target ID:1
    Start time:16:41:50
    Start date:23/05/2022
    Path:C:\Windows\SysWOW64\cmd.exe
    Wow64 process (32bit):true
    Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5300000.dll",#1
    Imagebase:0xc20000
    File size:232960 bytes
    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    Target ID:2
    Start time:16:41:50
    Start date:23/05/2022
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\5300000.dll",#1
    Imagebase:0x100000
    File size:61952 bytes
    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    No disassembly