Source: 71e0000.dll.dll
Malware Configuration Extractor: Ursnif {"RSA Public Key": "jl3OiSb2v7y37ljQ6Wyz+Y0CvgAX1wFCqMlzAxRsCG3qD38OzQczLWVjurYCsuEoUrl862ftBKgvFoKN2O0DO0LqpRtmlsgOuzLD56JaGSas/UPLMKPbURKpIJgaL7ETLvP66TG2+zWMzBRZ7A24/MXB1WNzVNE0si2igwojjBo9fwDkFL3VT9TnNAgv+mBjGnq6Z5YtDYf3juf/MEplSZ/w+pUV8pXx6VwaPRCHkcRQFkWTkyqTFCyG0ijsCptq9SoAusD8YObw3vaWSG6mwDIl5khfkR7ehBXnjLRF7OGKhsvOMK6pennTL4SO4NkROI5bkIr4DQio9UB4D6qLyZm5Af/z5Lcc2vflZnbtV04=", "c2_domain": ["telemetry.skype.com", "pushkin-kotero.ru", "ballya99.ru", "tympedyrra66kos2.ru", "svoona8vdia88.ru", "okpoker009291.ru", "sandinsd7x6e.ru", "p4elauus.ru", "kraskinaayd7imus.ru", "dukatto03lo.ru", "leikocitoosih9racker.ru", "simenshina88a8.ru"], "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], "serpent_key": "2Egw4N9I7z6IN0of", "tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll", "movie_capture": "30, 8, calc no*ad", "server": "50", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "15072022", "SetWaitableTimer_value": "1"}
Source: Yara match
File source: 71e0000.dll.dll, type: SAMPLE
Source: 71e0000.dll.dll
Static PE information: No import functions for PE file found
Source: C:\Windows\System32\loaddll64.exe
Section loaded: .dll
Source: 71e0000.dll.dll
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine
Classification label: mal56.troj.winDLL@8/0@0/0
Source: C:\Windows\System32\loaddll64.exe
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\71e0000.dll.dll,#1
Source: unknown
Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\71e0000.dll.dll"
|
Source: C:\Windows\System32\loaddll64.exe
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
Source: C:\Windows\System32\loaddll64.exe
Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\71e0000.dll.dll",#1
|
Source: C:\Windows\System32\cmd.exe
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\71e0000.dll.dll",#1
|
Source: C:\Windows\System32\conhost.exe
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5968:120:WilError_01
Source: C:\Windows\System32\rundll32.exe
Automated click: OK
Source: Window Recorder
Window detected: More than 3 window changes detected
Source: 71e0000.dll.dll
Static PE information: Image base 0x180000000 > 0x60000000
Source: C:\Windows\System32\rundll32.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe
Last function: Thread delayed
Source: all processes
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll64.exe
Process queried: DebugPort