Windows Analysis Report
71e0000.dll.exe

Overview

General Information

Sample Name: 71e0000.dll.exe (renamed file extension from exe to dll)
Analysis ID: 745704
MD5: 4a97461216c8a905f374ebb4f9d5423c
SHA1: 972bcb9401faa74c1b66a1929b6cfa20ce26aa70
SHA256: 1c127c223ece190ab8982cb8b55cb2d78754b1e8e51775aa276e85587a1311e4
Tags: exegozi
Infos:

Detection

Ursnif
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected Ursnif
Sample execution stops while process was sleeping (likely an evasion)
PE file does not import any functions
Tries to load missing DLLs
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)
Checks if the current process is being debugged

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: 71e0000.dll.dll Avira: detected
Source: 71e0000.dll.dll Malware Configuration Extractor: Ursnif {"RSA Public Key": "jl3OiSb2v7y37ljQ6Wyz+Y0CvgAX1wFCqMlzAxRsCG3qD38OzQczLWVjurYCsuEoUrl862ftBKgvFoKN2O0DO0LqpRtmlsgOuzLD56JaGSas/UPLMKPbURKpIJgaL7ETLvP66TG2+zWMzBRZ7A24/MXB1WNzVNE0si2igwojjBo9fwDkFL3VT9TnNAgv+mBjGnq6Z5YtDYf3juf/MEplSZ/w+pUV8pXx6VwaPRCHkcRQFkWTkyqTFCyG0ijsCptq9SoAusD8YObw3vaWSG6mwDIl5khfkR7ehBXnjLRF7OGKhsvOMK6pennTL4SO4NkROI5bkIr4DQio9UB4D6qLyZm5Af/z5Lcc2vflZnbtV04=", "c2_domain": ["telemetry.skype.com", "pushkin-kotero.ru", "ballya99.ru", "tympedyrra66kos2.ru", "svoona8vdia88.ru", "okpoker009291.ru", "sandinsd7x6e.ru", "p4elauus.ru", "kraskinaayd7imus.ru", "dukatto03lo.ru", "leikocitoosih9racker.ru", "simenshina88a8.ru"], "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], "serpent_key": "2Egw4N9I7z6IN0of", "tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll", "movie_capture": "30, 8, calc no*ad", "server": "50", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "15072022", "SetWaitableTimer_value": "1"}

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Yara detected Ursnif
Source: Yara match File source: 71e0000.dll.dll, type: SAMPLE

E-Banking Fraud
barindex
Yara detected Ursnif
Source: Yara match File source: 71e0000.dll.dll, type: SAMPLE
PE file does not import any functions
Source: 71e0000.dll.dll Static PE information: No import functions for PE file found
Tries to load missing DLLs
Source: C:\Windows\System32\loaddll64.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: .dll Jump to behavior
Source: 71e0000.dll.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: classification engine Classification label: mal56.troj.winDLL@8/0@0/0
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\71e0000.dll.dll,#1
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\71e0000.dll.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\71e0000.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\71e0000.dll.dll,#1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\71e0000.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\71e0000.dll.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\71e0000.dll.dll,#1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\71e0000.dll.dll",#1 Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5968:120:WilError_01
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 71e0000.dll.dll Static PE information: Image base 0x180000000 > 0x60000000

Hooking and other Techniques for Hiding and Protection
barindex
Yara detected Ursnif
Source: Yara match File source: 71e0000.dll.dll, type: SAMPLE
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll64.exe Process queried: DebugPort Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\71e0000.dll.dll",#1 Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Ursnif
Source: Yara match File source: 71e0000.dll.dll, type: SAMPLE

Remote Access Functionality
barindex
Yara detected Ursnif
Source: Yara match File source: 71e0000.dll.dll, type: SAMPLE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 745704 Sample: 71e0000.dll.exe Startdate: 14/11/2022 Architecture: WINDOWS Score: 56 17 Antivirus / Scanner detection for submitted sample 2->17 19 Yara detected  Ursnif 2->19 7 loaddll64.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 conhost.exe 7->11         started        13 rundll32.exe 7->13         started        process5 15 rundll32.exe 9->15         started       
No contacted IP infos