Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
pzG0rkIchr.dll

Overview

General Information

Sample Name:pzG0rkIchr.dll
Analysis ID:752975
MD5:d6ef4778f7dc9c31a0a2a989ef42d2fd
SHA1:5dad8394ef37d5a006674589754f7a3187d303b1
SHA256:54de1f2c26a63a8f6b7f8d5de99f8ebd4093959ab07f027db1985d0652258736
Tags:exeLDR4
Infos:

Detection

Ursnif
Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected Ursnif
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Performs DNS queries to domains with low reputation
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Tries to load missing DLLs
Checks if the current process is being debugged
Registers a DLL
Launches processes in debugging mode, may be used to hinder debugging
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll64.exe (PID: 1556 cmdline: loaddll64.exe "C:\Users\user\Desktop\pzG0rkIchr.dll" MD5: C676FC0263EDD17D4CE7D644B8F3FCD6)
    • conhost.exe (PID: 4696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 1076 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pzG0rkIchr.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 5268 cmdline: rundll32.exe "C:\Users\user\Desktop\pzG0rkIchr.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • regsvr32.exe (PID: 2356 cmdline: regsvr32.exe /s C:\Users\user\Desktop\pzG0rkIchr.dll MD5: D78B75FC68247E8A63ACBA846182740E)
    • rundll32.exe (PID: 5264 cmdline: rundll32.exe C:\Users\user\Desktop\pzG0rkIchr.dll,DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6044 cmdline: rundll32.exe C:\Users\user\Desktop\pzG0rkIchr.dll,ItsnPq5v MD5: 73C519F050C20580F8A62C849D49215A)
      • WerFault.exe (PID: 5572 cmdline: C:\Windows\system32\WerFault.exe -u -p 6044 -s 276 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
    • rundll32.exe (PID: 6136 cmdline: rundll32.exe C:\Users\user\Desktop\pzG0rkIchr.dll,QlqYo259k MD5: 73C519F050C20580F8A62C849D49215A)
      • WerFault.exe (PID: 5404 cmdline: C:\Windows\system32\WerFault.exe -u -p 6136 -s 304 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
      • WerFault.exe (PID: 680 cmdline: C:\Windows\system32\WerFault.exe -u -p 6136 -s 304 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"c2_domain": ["https://gigimas.xyz", "https://reaso.xyz"], "botnet": "202206061", "aes key": "eq2opFFpGzpd2p9t", "sleep time": "20", "request time": "30", "host keep time": "120", "host shift time": "120"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
Process Memory Space: loaddll64.exe PID: 1556JoeSecurity_Ursnifv4Yara detected UrsnifJoe Security
    Process Memory Space: regsvr32.exe PID: 2356JoeSecurity_Ursnifv4Yara detected UrsnifJoe Security
      Process Memory Space: rundll32.exe PID: 5268JoeSecurity_Ursnifv4Yara detected UrsnifJoe Security
        Process Memory Space: rundll32.exe PID: 5264JoeSecurity_Ursnifv4Yara detected UrsnifJoe Security

          Sigma Signatures

          No Sigma rule has matched

          Snort Signatures

          Timestamp:192.168.2.48.8.8.864906532039645 11/24/22-05:22:35.810533
          SID:2039645
          Source Port:64906
          Destination Port:53
          Protocol:UDP
          Classtype:A Network Trojan was detected
          Timestamp:192.168.2.48.8.8.861007532039645 11/24/22-05:20:02.978332
          SID:2039645
          Source Port:61007
          Destination Port:53
          Protocol:UDP
          Classtype:A Network Trojan was detected
          Timestamp:192.168.2.48.8.8.861124532039645 11/24/22-05:21:04.451832
          SID:2039645
          Source Port:61124
          Destination Port:53
          Protocol:UDP
          Classtype:A Network Trojan was detected
          Timestamp:192.168.2.48.8.8.859444532039645 11/24/22-05:21:34.871041
          SID:2039645
          Source Port:59444
          Destination Port:53
          Protocol:UDP
          Classtype:A Network Trojan was detected
          Timestamp:192.168.2.48.8.8.855570532039645 11/24/22-05:22:05.359167
          SID:2039645
          Source Port:55570
          Destination Port:53
          Protocol:UDP
          Classtype:A Network Trojan was detected
          Timestamp:192.168.2.48.8.8.860686532039645 11/24/22-05:20:33.386749
          SID:2039645
          Source Port:60686
          Destination Port:53
          Protocol:UDP
          Classtype:A Network Trojan was detected
          Timestamp:192.168.2.48.8.8.859446532039645 11/24/22-05:23:06.390786
          SID:2039645
          Source Port:59446
          Destination Port:53
          Protocol:UDP
          Classtype:A Network Trojan was detected

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Multi AV Scanner detection for submitted file
          Source: pzG0rkIchr.dllVirustotal: Detection: 57%Perma Link
          Source: pzG0rkIchr.dllReversingLabs: Detection: 73%
          Antivirus detection for URL or domain
          Source: https://reaso.xyzAvira URL Cloud: Label: malware
          Multi AV Scanner detection for domain / URL
          Source: gigimas.xyzVirustotal: Detection: 14%Perma Link
          Source: https://gigimas.xyzVirustotal: Detection: 11%Perma Link
          Source: 4.3.rundll32.exe.17b359400d0.0.raw.unpackMalware Configuration Extractor: Ursnif {"c2_domain": ["https://gigimas.xyz", "https://reaso.xyz"], "botnet": "202206061", "aes key": "eq2opFFpGzpd2p9t", "sleep time": "20", "request time": "30", "host keep time": "120", "host shift time": "120"}
          Source: pzG0rkIchr.dllStatic PE information: certificate valid
          Source: pzG0rkIchr.dllStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: UxTheme.pdb source: WerFault.exe, 0000000D.00000003.375045922.000001EA8FE97000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.375091188.000001EA8FE97000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: gdi32.pdb source: WerFault.exe, 0000000D.00000003.375083510.000001EA8FE94000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: kernelbase.pdb0 source: WerFault.exe, 0000000D.00000003.359316080.000001EA8F2F7000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.370137520.000001EA8F2F7000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: bcryptprimitives.pdb8 source: WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: oleaut32.pdb"V source: WerFault.exe, 0000000D.00000003.375045922.000001EA8FE97000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.375091188.000001EA8FE97000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: sechost.pdb source: WerFault.exe, 0000000D.00000003.375045922.000001EA8FE97000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.375091188.000001EA8FE97000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: rpcrt4.pdb source: WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: kernelbase.pdb8 source: WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: ucrtbase.pdb8 source: WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: shcore.pdb8 source: WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: combase.pdb8 source: WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: elbase.pdb source: WerFault.exe, 0000000D.00000002.379074933.000001EA8D552000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.370270156.000001EA8D563000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: win32u.pdb8 source: WerFault.exe, 0000000D.00000003.375083510.000001EA8FE94000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: shcore.pdb source: WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: msctf.pdb source: WerFault.exe, 0000000D.00000003.375045922.000001EA8FE97000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.375091188.000001EA8FE97000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: gdi32full.pdb8 source: WerFault.exe, 0000000D.00000003.375083510.000001EA8FE94000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: gdi32.pdb8 source: WerFault.exe, 0000000D.00000003.375083510.000001EA8FE94000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: user32.pdb source: WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.375077557.000001EA8FE90000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: rundll32.pdb8 source: WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: rpcrt4.pdb8 source: WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: imagehlp.pdb8 source: WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: ntdll.pdb source: WerFault.exe, 0000000D.00000003.370270156.000001EA8D563000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.373102112.000001EA8F2EA000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.359276516.000001EA8F2EA000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: combase.pdb source: WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: kernel32.pdb source: WerFault.exe, 0000000D.00000003.371722395.000001EA8F2F1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.370270156.000001EA8D563000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.359287144.000001EA8F2F1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: dwmapi.pdb6V source: WerFault.exe, 0000000D.00000003.375045922.000001EA8FE97000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.375091188.000001EA8FE97000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: rundll32.pdb source: WerFault.exe, 0000000D.00000003.359149665.000001EA8F2E4000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.370270156.000001EA8D563000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000D.00000003.375037408.000001EA8FE91000.00000004