Windows Analysis Report
c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll

Overview

General Information

Sample Name:c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll
Analysis ID:753126
MD5:590d96a7be55240ad868ebec78ce38f2
SHA1:2aaf8acb010dfe83b808d7cc77f6821aaf44f3d2
SHA256:846a8058cda54207aebb885f99dab0eab57529eb8dd94a3d57bbde2e93c4aad4
Tags:exe

Detection

Ursnif
Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Queries the volume information (name, serial number etc) of a device
Tries to load missing DLLs
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll64.exe (PID: 5252 cmdline: loaddll64.exe "C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll" MD5: C676FC0263EDD17D4CE7D644B8F3FCD6)
    • conhost.exe (PID: 1332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 916 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 4540 cmdline: rundll32.exe "C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • regsvr32.exe (PID: 4848 cmdline: regsvr32.exe /s C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll MD5: D78B75FC68247E8A63ACBA846182740E)
      • cmd.exe (PID: 5680 cmdline: cmd /c "echo Commands" >> C:\Users\user\AppData\Local\Temp\2F60.tmp MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 2356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 1380 cmdline: cmd /c "dir" >> C:\Users\user\AppData\Local\Temp\2F60.tmp MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 1364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rundll32.exe (PID: 864 cmdline: rundll32.exe C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll,DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 5052 cmdline: rundll32.exe C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll,FgnfMvSNFULXZx MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 5904 cmdline: rundll32.exe C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll,KVpawdrrKTUjeZuk MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup
Malware Configuration

Ursnif: {"c2_domain": ["https://higmon.cyou", "https://prises.cyou"], "botnet": "202208151", "aes key": "VHpr3Unea0fVqBYc", "sleep time": "1", "request time": "10", "host keep time": "2", "host shift time": "1"}

Yara Overview

Source | Rule | Description | Author
Process Memory Space: loaddll64.exe PID: 5252 | JoeSecurity_Ursnifv4 | Yara detected Ursnif | Joe Security
Process Memory Space: regsvr32.exe PID: 4848 | JoeSecurity_Ursnifv4 | Yara detected Ursnif | Joe Security
Process Memory Space: rundll32.exe PID: 4540 | JoeSecurity_Ursnifv4 | Yara detected Ursnif | Joe Security
Process Memory Space: rundll32.exe PID: 864 | JoeSecurity_Ursnifv4 | Yara detected Ursnif | Joe Security

Sigma Overview

No Sigma rule has matched

Snort IDS Alert

Timestamp: 11/24/22-10:49:03.324067
Source IP: 192.168.2.7
Destination IP: 8.8.8.8
Source Port: 60326
Destination Port: 53
SID: 2039637
Protocol: UDP
Classtype: A Network Trojan was detected

          AV Detection

Source: c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll | Virustotal: Detection: 33%
Source: c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll | ReversingLabs: Detection: 21%
Source: https://higmon.cyou/index.htmlce | Avira URL Cloud: Label: malware
Source: https://higmon.cyou/index.html | Avira URL Cloud: Label: malware
Source: https://higmon.cyou/ | Avira URL Cloud: Label: malware
Source: https://prises.cyou | Avira URL Cloud: Label: malware
Source: https://higmon.cyou | Avira URL Cloud: Label: malware
Source: higmon.cyou | Virustotal: Detection: 20%
Source: https://prises.cyou | Virustotal: Detection: 18%
Source: https://higmon.cyou/index.html | Virustotal: Detection: 10%
Source: 3.2.regsvr32.exe.ac1e00.0.raw.unpack | Malware Configuration Extractor: Ursnif {"c2_domain": ["https://higmon.cyou", "https://prises.cyou"], "botnet": "202208151", "aes key": "VHpr3Unea0fVqBYc", "sleep time": "1", "request time": "10", "host keep time": "2", "host shift time": "1"}
Source: c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

          Networking

Source: C:\Windows\System32\regsvr32.exe | Network Connect: 45.8.147.179 443
Source: C:\Windows\System32\regsvr32.exe | Domain query: higmon.cyou
Source: Traffic | Snort IDS: 2039637 ET TROJAN Observed DNS Query to Ursnif Domain (higmon .cyou) 192.168.2.7:60326 -> 8.8.8.8:53
Source: Joe Sandbox View | ASN Name: VMAGE-ASRU VMAGE-ASRU
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49697 -> 443
Source: loaddll64.exe, 00000000.00000002.587434823.0000023124120000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.701616295.00000000027E0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.701604821.000000000266E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.311124854.000002233FD80000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.311225044.0000020DA3AA0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://higmon.cyou
Source: regsvr32.exe, 00000003.00000002.701457779.0000000000AE7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://higmon.cyou/
Source: regsvr32.exe, 00000003.00000002.701416611.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.701474761.0000000000B06000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://higmon.cyou/index.html
Source: regsvr32.exe, 00000003.00000002.701416611.0000000000A98000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://higmon.cyou/index.htmlce
Source: regsvr32.exe, 00000003.00000002.701604821.000000000266E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://higmon.cyouhttps://prises.cyou
Source: loaddll64.exe, 00000000.00000002.587439990.0000023124122000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.701620342.00000000027E2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.311135038.000002233FD82000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.311230320.0000020DA3AA2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://http://Mozilla/5.0
Source: regsvr32.exe, regsvr32.exe, 00000003.00000002.701786113.00007FFA0AE63000.00000008.00000001.01000000.00000003.sdmp, c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll | String found in binary or memory: https://my.tealiumiq.com/urest/legacy/tagcompanion/getProfile?utid=
Source: loaddll64.exe, 00000000.00000002.587434823.0000023124120000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.701616295.00000000027E0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.701604821.000000000266E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.311124854.000002233FD80000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.311225044.0000020DA3AA0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://prises.cyou
Source: unknown | DNS traffic detected: queries for: higmon.cyou

          Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: Process Memory Space: loaddll64.exe PID: 5252, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 4848, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4540, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 864, type: MEMORYSTR

          E-Banking Fraud

Source: Yara match | File source: Process Memory Space: loaddll64.exe PID: 5252, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 4848, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4540, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 864, type: MEMORYSTR
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll