Windows Analysis Report
ursnif_IAT_corrected.exe.dll

Overview

General Information

Sample Name: ursnif_IAT_corrected.exe.dll
Analysis ID: 727158
MD5: 8b52c277c63c5877c0e4ca32d1458957
SHA1: 1d64f4610c6e0af8a3e3a9d8e8b794fc1bebeef5
SHA256: 8d2f90927603c33947463dc9846dc1b7a220ea1f13dc1a0ccfe538d5f83bbfe2
Tags: dll, ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Ursnif
Antivirus / Scanner detection for submitted sample
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Writes or reads registry keys via WMI
Found API chain indicative of debugger detection
Machine Learning detection for sample
Found evasive API chain (may stop execution after checking system information)
Writes registry values via WMI
Uses 32bit PE files
Yara signature match
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Registers a DLL
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 4124 cmdline: loaddll32.exe "C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll" MD5: 1F562FBF37040EC6C43C8D5EF619EA39)
    • conhost.exe (PID: 5520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 5080 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5020 cmdline: rundll32.exe "C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 5216 cmdline: regsvr32.exe /s C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
    • rundll32.exe (PID: 780 cmdline: rundll32.exe C:\Users\user\Desktop\ursnif_IAT_corrected.exe.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup
{"RSA Public Key": "oZWPUqrPbA1nh5KeblvW58CGuN1e4qDR3J71aATar5O00raqKE8xUkhFQUaw8R0BlZUnpL1tyzW+efqFkhCLYWrMw9nZJeYEd473/0tPEq2VGwv1oB9Pv2/fdgDd6u50PW0dH+R3uMkcvvSQWa4B8bKoi7inCm10C8UL7vaPiLpNIvtqiX4DmnU8XJVFUqOUDuOPHQVcBCPrZcWDAnVXnLWrHhRfXLI5WYFsVRJSde33pVRkM7XdYHtOhkTQlmghQJYxytxJ0sf95vDL6iv7epWQHBvzkG4uQNqLKhs25dvCXYJYNvjJXuqOqa9OkYezI8hW7hiiyxvLszulw2SxcIP0Ki+iShbrMtTsnnUoNQ4=", "c2_domain": ["config.edge.skype.com", "onlinetwork.top", "linetwork.top"], "botnet": "5000", "server": "50", "serpent_key": "7Lmoq8QMk7P7gY63", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
Source | Rule | Description | Author | Strings
ursnif_IAT_corrected.exe.dll | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |

Source | Rule | Description | Author | Strings
00000004.00000003.347389084.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000003.347389084.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown |
      • 0xff0:$a1: /C ping localhost -n %u && del "%s"
      • 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
      • 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
      • 0xca8:$a5: filename="%.4u.%lu"
      • 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
      • 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X
      • 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X
      • 0xe72:$a9: &whoami=%s
      • 0xe5a:$a10: %u.%u_%u_%u_x%u
      • 0xc22:$a11: size=%u&hash=0x%08x
      • 0xc13:$a12: &uptime=%u
      • 0xda7:$a13: %systemroot%\system32\c_1252.nls
      • 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000004.00000003.347389084.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown |
      • 0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
      • 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
      • 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
      • 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
      • 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\
      • 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000003.00000003.354187401.0000000004F88000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.354187401.0000000004F88000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown |
        • 0xff0:$a1: /C ping localhost -n %u && del "%s"
        • 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
        • 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
        • 0xca8:$a5: filename="%.4u.%lu"
        • 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
        • 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X
        • 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X
        • 0xe72:$a9: &whoami=%s
        • 0xe5a:$a10: %u.%u_%u_%u_x%u
        • 0xc22:$a11: size=%u&hash=0x%08x
        • 0xc13:$a12: &uptime=%u
        • 0xda7:$a13: %systemroot%\system32\c_1252.nls
        • 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP