Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
d610000.dll.exe

Overview

General Information

Sample Name:d610000.dll.exe (renamed file extension from exe to dll)
Analysis ID:725156
MD5:c5280e5552a8fb5066f56616df777bcc
SHA1:8ea200f303f42df4e6a18286bd92c18c1c61a92e
SHA256:f9641b26c887ef0abd66f0e0b614b6599b339b424c671bd83dddb2e59d91bbb1
Tags:exegozi
Infos:

Detection

Ursnif
Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected Ursnif
Sample execution stops while process was sleeping (likely an evasion)
PE file does not import any functions
Tries to load missing DLLs
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)
Checks if the current process is being debugged

Classification

  • System is w10x64
  • loaddll64.exe (PID: 5052 cmdline: loaddll64.exe "C:\Users\user\Desktop\d610000.dll.dll" MD5: C676FC0263EDD17D4CE7D644B8F3FCD6)
    • conhost.exe (PID: 4952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 5932 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\d610000.dll.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 5944 cmdline: rundll32.exe "C:\Users\user\Desktop\d610000.dll.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 5784 cmdline: rundll32.exe C:\Users\user\Desktop\d610000.dll.dll,#1 MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup
{"RSA Public Key": "GE4Kf3pbrel1zpiOoLCHqOkVEoQCjXZcwDJgnKKashzu0ThAOIAJ/NQb3zKPQODOcEFRZfugbCviR+t+viu5jwjNVxTXEO+9Oq9MXvnhL3atJQPuJlCCvGC4jxqOl1+k9/pwik62mMuWd8AoXgZ/WmjcnNaQRQszlbtuRbQoHZr3ItTrVv9BHP0eOyDB8QSDHjb8UnRBZMZZaqAL2uRE2sPmEgdRIm6Wuju2n1FVZtl1kxpF/++L23MifEqV2vCG4veI+iRsyoDo+5dNzy/SoNvG0JmlelPoFeRD0XGBrM85vXLHSpsv4AWDYzOs7NLBs/ynxrCVGuIVfCRpyyhS7Zc5Z5ky0QHC4pY+36zr4yQ=", "c2_domain": ["trackingg-protectioon.cdn1.mozilla.net", "siwdmfkshsgw.com", "trackingg-protectioon.cdn1.mozilla.net", "188.127.224.114", "weiqeqwns.com", "weiqeqwens.com", "weiqewqwns.com", "iujdhsndjfks.com", "ijduwhsbvk.com"], "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], "serpent_key": "YFVenkBsAbUmuHYi", "tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll", "movie_capture": "30, 8, *terminal* *wallet* *bank* *banco*", "server": "50", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "10103", "SetWaitableTimer_value": "1"}
SourceRuleDescriptionAuthorStrings
d610000.dll.dllJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
    No Sigma rule has matched
    No Snort rule has matched

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Source: d610000.dll.dllAvira: detected
    Source: d610000.dll.dllMalware Configuration Extractor: Ursnif {"RSA Public Key": "GE4Kf3pbrel1zpiOoLCHqOkVEoQCjXZcwDJgnKKashzu0ThAOIAJ/NQb3zKPQODOcEFRZfugbCviR+t+viu5jwjNVxTXEO+9Oq9MXvnhL3atJQPuJlCCvGC4jxqOl1+k9/pwik62mMuWd8AoXgZ/WmjcnNaQRQszlbtuRbQoHZr3ItTrVv9BHP0eOyDB8QSDHjb8UnRBZMZZaqAL2uRE2sPmEgdRIm6Wuju2n1FVZtl1kxpF/++L23MifEqV2vCG4veI+iRsyoDo+5dNzy/SoNvG0JmlelPoFeRD0XGBrM85vXLHSpsv4AWDYzOs7NLBs/ynxrCVGuIVfCRpyyhS7Zc5Z5ky0QHC4pY+36zr4yQ=", "c2_domain": ["trackingg-protectioon.cdn1.mozilla.net", "siwdmfkshsgw.com", "trackingg-protectioon.cdn1.mozilla.net", "188.127.224.114", "weiqeqwns.com", "weiqeqwens.com", "weiqewqwns.com", "iujdhsndjfks.com", "ijduwhsbvk.com"], "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], "serpent_key": "YFVenkBsAbUmuHYi", "tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll", "movie_capture": "30, 8, *terminal* *wallet* *bank* *banco*", "server": "50", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "10103", "SetWaitableTimer_value": "1"}

    Key, Mouse, Clipboard, Microphone and Screen Capturing

    barindex
    Source: Yara matchFile source: d610000.dll.dll, type: SAMPLE

    E-Banking Fraud

    barindex
    Source: Yara matchFile source: d610000.dll.dll, type: SAMPLE
    Source: d610000.dll.dllStatic PE information: No import functions for PE file found
    Source: C:\Windows\System32\loaddll64.exeSection loaded: .dllJump to behavior
    Source: C:\Windows\System32\loaddll64.exeSection loaded: .dllJump to behavior
    Source: d610000.dll.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\System32\loaddll64.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: classification engineClassification label: mal56.troj.winDLL@8/0@0/0
    Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\d610000.dll.dll,#1
    Source: unknownProcess created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\d610000.dll.dll"
    Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\d610000.dll.dll",#1
    Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\d610000.dll.dll,#1
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d610000.dll.dll",#1
    Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\d610000.dll.dll",#1Jump to behavior
    Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\d610000.dll.dll,#1Jump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d610000.dll.dll",#1Jump to behavior
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4952:120:WilError_01
    Source: C:\Windows\System32\rundll32.exeAutomated click: OK
    Source: C:\Windows\System32\rundll32.exeAutomated click: OK
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: d610000.dll.dllStatic PE information: Image base 0x180000000 > 0x60000000

    Hooking and other Techniques for Hiding and Protection

    barindex
    Source: Yara matchFile source: d610000.dll.dll, type: SAMPLE
    Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Windows\System32\loaddll64.exeProcess queried: DebugPortJump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d610000.dll.dll",#1Jump to behavior

    Stealing of Sensitive Information

    barindex
    Source: Yara matchFile source: d610000.dll.dll, type: SAMPLE

    Remote Access Functionality

    barindex
    Source: Yara matchFile source: d610000.dll.dll, type: SAMPLE
    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management Instrumentation1
    DLL Side-Loading
    11
    Process Injection
    1
    Virtualization/Sandbox Evasion
    OS Credential Dumping1
    Security Software Discovery
    Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
    DLL Side-Loading
    1
    Rundll32
    LSASS Memory1
    Virtualization/Sandbox Evasion
    Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)11
    Process Injection
    Security Account Manager1
    System Information Discovery
    SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
    DLL Side-Loading
    NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    behaviorgraph top1 signatures2 2 Behavior Graph ID: 725156 Sample: d610000.dll.exe Startdate: 18/10/2022 Architecture: WINDOWS Score: 56 17 Antivirus / Scanner detection for submitted sample 2->17 19 Yara detected  Ursnif 2->19 7 loaddll64.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 conhost.exe 7->11         started        13 rundll32.exe 7->13         started        process5 15 rundll32.exe 9->15         started       

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.