Source: 5c70000.dll.dll
Malware Configuration Extractor: Ursnif {"RSA Public Key": "1YS+8ex35zN9kFMQs4RcfOKUmfCAaU0Lcfu1iseYX9IxbcqZK9hJdYV/74jBVBA6JO68Ru8JOWn/RmNg8d7T0+FQZIVpBXNiOk2xNMZZPtpnl3X1bPr1Vmre1/DxbKiLhLcvtMBKAXIg1zNit7KxigirEJG/ku6tJcMh0TLbcCu27YHnXWDhg7HjmZxuWjFyfjMhYMTdOKUvGknIQO77/hV077QsjSjpitxZiJFZ2RVJ8MV0nWjmf00JtMDWZ9Ffvj1GykmqnUcZtFk07J7EXj5AiBSs4p0dt1xv2gd2WYreN72DbYoSzwMVrVBp3GYiZ7mt8kqkIn5qxL2O4prebho8DzyufEssS9cpwTVwdYo=", "c2_domain": ["lentaphoto.at", "iujdhsndjfks.ru", "gameindikdowd.ru", "jhgfdlkjhaoiu.su"], "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], "serpent_key": "N5VIZHuGoTvq3iY8", "tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll", "movie_capture": "30, 8, *terminal* *wallet* *bank* *banco*", "server": "50", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "5", "SetWaitableTimer_value": "1"}
Source: Yara match
File source: 5c70000.dll.dll, type: SAMPLE
Source: 5c70000.dll.dll
Static PE information: No import functions for PE file found
Source: C:\Windows\System32\loaddll64.exe
Section loaded: .dll
Source: 5c70000.dll.dll
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine
Classification label: mal56.troj.winDLL@8/0@0/0
Source: C:\Windows\System32\loaddll64.exe
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\5c70000.dll.dll,#1
Source: unknown
Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\5c70000.dll.dll"
|
Source: C:\Windows\System32\loaddll64.exe
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
Source: C:\Windows\System32\loaddll64.exe
Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5c70000.dll.dll",#1
|
Source: C:\Windows\System32\cmd.exe
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5c70000.dll.dll",#1
|
Source: C:\Windows\System32\conhost.exe
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1444:120:WilError_01
Source: C:\Windows\System32\rundll32.exe
Automated click: OK
Source: Window Recorder
Window detected: More than 3 window changes detected
Source: 5c70000.dll.dll
Static PE information: Image base 0x180000000 > 0x60000000
Source: C:\Windows\System32\rundll32.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe
Last function: Thread delayed
Source: all processes
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll64.exe
Process queried: DebugPort