Windows Analysis Report
d610000.dll.exe
Overview
General Information
Detection
Ursnif
- Score: 56
- Range: 0 - 100
- Whitelisted: false
- Confidence: 100%
Signatures
- Antivirus / Scanner detection for submitted sample
- Yara detected Ursnif
- Sample execution stops while process was sleeping (likely an evasion)
- PE file does not import any functions
- Tries to load missing DLLs
- Program does not show much activity (idle)
- Creates a process in suspended mode (likely to inject code)
- Checks if the current process is being debugged
Classification
- System is w10x64
- loaddll64.exe (PID: 5052 cmdline: loaddll64.exe "C:\Users\user\Desktop\d610000.dll.dll" MD5: C676FC0263EDD17D4CE7D644B8F3FCD6)
- conhost.exe (PID: 4952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 5932 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\d610000.dll.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- rundll32.exe (PID: 5944 cmdline: rundll32.exe "C:\Users\user\Desktop\d610000.dll.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
- rundll32.exe (PID: 5784 cmdline: rundll32.exe C:\Users\user\Desktop\d610000.dll.dll,#1 MD5: 73C519F050C20580F8A62C849D49215A)
- cleanup
Malware Configuration

```json
{
  "RSA Public Key": "GE4Kf3pbrel1zpiOoLCHqOkVEoQCjXZcwDJgnKKashzu0ThAOIAJ/NQb3zKPQODOcEFRZfugbCviR+t+viu5jwjNVxTXEO+9Oq9MXvnhL3atJQPuJlCCvGC4jxqOl1+k9/pwik62mMuWd8AoXgZ/WmjcnNaQRQszlbtuRbQoHZr3ItTrVv9BHP0eOyDB8QSDHjb8UnRBZMZZaqAL2uRE2sPmEgdRIm6Wuju2n1FVZtl1kxpF/++L23MifEqV2vCG4veI+iRsyoDo+5dNzy/SoNvG0JmlelPoFeRD0XGBrM85vXLHSpsv4AWDYzOs7NLBs/ynxrCVGuIVfCRpyyhS7Zc5Z5ky0QHC4pY+36zr4yQ=",
  "c2_domain": [
    "trackingg-protectioon.cdn1.mozilla.net",
    "siwdmfkshsgw.com",
    "trackingg-protectioon.cdn1.mozilla.net",
    "188.127.224.114",
    "weiqeqwns.com",
    "weiqeqwens.com",
    "weiqewqwns.com",
    "iujdhsndjfks.com",
    "ijduwhsbvk.com"
  ],
  "ip_check_url": [
    "http://ipinfo.io/ip",
    "http://curlmyip.net"
  ],
  "serpent_key": "YFVenkBsAbUmuHYi",
  "tor32_dll": "file://c:\\test\\test32.dll",
  "tor64_dll": "file://c:\\test\\tor64.dll",
  "movie_capture": "30, 8, *terminal* *wallet* *bank* *banco*",
  "server": "50",
  "sleep_time": "1",
  "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60",
  "time_value": "60",
  "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60",
  "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300",
  "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60",
  "not_use(CRC_BCTIMEOUT)": "10",
  "botnet": "10103",
  "SetWaitableTimer_value": "1"
}
```
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
No Sigma rule has matched
No Snort rule has matched
AV Detection
- Source: Avira
- Source: Malware Configuration Extractor

Key, Mouse, Clipboard, Microphone and Screen Capturing
- Source: File source

E-Banking Fraud
- Source: File source

- Source: Static PE information
- Source: Section loaded
- Source: Section loaded
- Source: Static PE information
- Source: Key opened
- Source: Classification label
- Source: Process created
- Source: Process created
- Source: Process created
- Source: Process created
- Source: Process created
- Source: Process created
- Source: Process created
- Source: Process created
- Source: Process created
- Source: Mutant created
- Source: Automated click
- Source: Automated click
- Source: Window detected
- Source: Static PE information

Hooking and other Techniques for Hiding and Protection
- Source: File source
- Source: Process information set
- Source: Process information set
- Source: Last function
- Source: Thread injection, dropped files, key value created, disk infection and DNS query
- Source: Thread injection, dropped files, key value created, disk infection and DNS query
- Source: Process queried
- Source: Process created

Stealing of Sensitive Information
- Source: File source

Remote Access Functionality
- Source: File source
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Rundll32 | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 1 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 DLL Side-Loading | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |