Edit tour
Windows
Analysis Report
c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll
Overview
General Information
| Sample Name: | c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll |
| Analysis ID: | 753126 |
| MD5: | 590d96a7be55240ad868ebec78ce38f2 |
| SHA1: | 2aaf8acb010dfe83b808d7cc77f6821aaf44f3d2 |
| SHA256: | 846a8058cda54207aebb885f99dab0eab57529eb8dd94a3d57bbde2e93c4aad4 |
| Tags: | exe |
| Infos: |  |
 | |
Detection
Ursnif
| Score: | 88 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Queries the volume information (name, serial number etc) of a device
Tries to load missing DLLs
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
loaddll64.exe (PID: 5252 cmdline: loaddll64. exe "C:\Us ers\user\D esktop\c2b 80b8cbd660 c3208162ed 596e0443ea 8f786b6fd1 f809f2d2a1 e07fe6475c d.dll" MD5: C676FC0263EDD17D4CE7D644B8F3FCD6) 
conhost.exe (PID: 1332 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - cmd.exe (PID: 916 cmdline:
cmd.exe /C rundll32. exe "C:\Us ers\user\D esktop\c2b 80b8cbd660 c3208162ed 596e0443ea 8f786b6fd1 f809f2d2a1 e07fe6475c d.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F) 
rundll32.exe (PID: 4540 cmdline: rundll32.e xe "C:\Use rs\user\De sktop\c2b8 0b8cbd660c 3208162ed5 96e0443ea8 f786b6fd1f 809f2d2a1e 07fe6475cd .dll",#1 MD5: 73C519F050C20580F8A62C849D49215A) - regsvr32.exe (PID: 4848 cmdline:
regsvr32.e xe /s C:\U sers\user\ Desktop\c2 b80b8cbd66 0c3208162e d596e0443e a8f786b6fd 1f809f2d2a 1e07fe6475 cd.dll MD5: D78B75FC68247E8A63ACBA846182740E) - cmd.exe (PID: 5680 cmdline:
cmd /c "ec ho Command s" >> C:\U sers\user\ AppData\Lo cal\Temp\2 F60.tmp MD5: 4E2ACF4F8A396486AB4268C94A6A245F) - conhost.exe (PID: 2356 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - cmd.exe (PID: 1380 cmdline:
cmd /c "di r" >> C:\U sers\user\ AppData\Lo cal\Temp\2 F60.tmp MD5: 4E2ACF4F8A396486AB4268C94A6A245F) - conhost.exe (PID: 1364 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - rundll32.exe (PID: 864 cmdline:
rundll32.e xe C:\User s\user\Des ktop\c2b80 b8cbd660c3 208162ed59 6e0443ea8f 786b6fd1f8 09f2d2a1e0 7fe6475cd. dll,DllReg isterServe r MD5: 73C519F050C20580F8A62C849D49215A) - rundll32.exe (PID: 5052 cmdline:
rundll32.e xe C:\User s\user\Des ktop\c2b80 b8cbd660c3 208162ed59 6e0443ea8f 786b6fd1f8 09f2d2a1e0 7fe6475cd. dll,FgnfMv SNFULXZx MD5: 73C519F050C20580F8A62C849D49215A) - rundll32.exe (PID: 5904 cmdline:
rundll32.e xe C:\User s\user\Des ktop\c2b80 b8cbd660c3 208162ed59 6e0443ea8f 786b6fd1f8 09f2d2a1e0 7fe6475cd. dll,KVpawd rrKTUjeZuk MD5: 73C519F050C20580F8A62C849D49215A)
- cleanup
{"c2_domain": ["https://higmon.cyou", "https://prises.cyou"], "botnet": "202208151", "aes key": "VHpr3Unea0fVqBYc", "sleep time": "1", "request time": "10", "host keep time": "2", "host shift time": "1"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Ursnifv4 | Yara detected Ursnif | Joe Security | ||
| JoeSecurity_Ursnifv4 | Yara detected Ursnif | Joe Security | ||
| JoeSecurity_Ursnifv4 | Yara detected Ursnif | Joe Security | ||
| JoeSecurity_Ursnifv4 | Yara detected Ursnif | Joe Security |
⊘No Sigma rule has matched
| Timestamp: | 192.168.2.78.8.8.860326532039637 11/24/22-10:49:03.324067 |
| SID: | 2039637 |
| Source Port: | 60326 |
| Destination Port: | 53 |
| Protocol: | UDP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Static PE information: | ||
Networking | |
|---|
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Domain query: | |||
| Source: | Snort IDS: | ||
| Source: | ASN Name: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | DNS traffic detected: | ||
Key, Mouse, Clipboard, Microphone and Screen Capturing | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
E-Banking Fraud | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Code function: | 0_2_000000018000508C | |
| Source: | Code function: | 0_2_0000000180004A14 | |
| Source: | Code function: | 0_2_0000000180003A24 | |
| Source: | Code function: | 0_2_0000000180001844 | |
| Source: | Code function: | 0_2_0000000180009C54 | |
| Source: | Code function: | 0_2_0000000180006344 | |
| Source: | Code function: | 0_2_0000000180005748 | |
| Source: | Code function: | 0_2_0000000180002B60 | |
| Source: | Code function: | 0_2_0000000180008D78 | |
| Source: | Code function: | 0_2_00000001800027D4 | |
| Source: | Code function: | 3_2_0000000180004A14 | |
| Source: | Code function: | 3_2_0000000180001844 | |
| Source: | Code function: | 3_2_000000018000508C | |
| Source: | Code function: | 3_2_0000000180006344 | |
| Source: | Code function: | 3_2_00000001800027D4 | |
| Source: | Code function: | 3_2_0000000180003A24 | |
| Source: | Code function: | 3_2_0000000180009C54 | |
| Source: | Code function: | 3_2_0000000180005748 | |
| Source: | Code function: | 3_2_0000000180002B60 | |
| Source: | Code function: | 3_2_0000000180008D78 | |
| Source: | Code function: | 4_2_000000018000508C | |
| Source: | Code function: | 4_2_0000000180004A14 | |
| Source: | Code function: | 4_2_0000000180003A24 | |
| Source: | Code function: | 4_2_0000000180001844 | |
| Source: | Code function: | 4_2_0000000180009C54 | |
| Source: | Code function: | 4_2_0000000180006344 | |
| Source: | Code function: | 4_2_0000000180005748 | |
| Source: | Code function: | 4_2_0000000180002B60 | |
| Source: | Code function: | 4_2_0000000180008D78 | |
| Source: | Code function: | 4_2_00000001800027D4 | |
| Source: | Code function: | 5_2_000000018000508C | |
| Source: | Code function: | 5_2_0000000180004A14 | |
| Source: | Code function: | 5_2_0000000180003A24 | |
| Source: | Code function: | 5_2_0000000180001844 | |
| Source: | Code function: | 5_2_0000000180009C54 | |
| Source: | Code function: | 5_2_0000000180006344 | |
| Source: | Code function: | 5_2_0000000180005748 | |
| Source: | Code function: | 5_2_0000000180002B60 | |
| Source: | |||