Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
unpacked (1).dll

Overview

General Information

Sample Name:unpacked (1).dll
Original Sample Name:unpacked (1).bin
Analysis ID:828171
MD5:895004ddaa3758ac453d73e3d8c1f45f
SHA1:0fb1a2c06513134ff699f4f286a71f1671918180
SHA256:74ef237a5145c0d85ee7575c283493a2bd0ae116590c06749cf1ed72f655b997
Infos:

Detection

Ursnif
Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Machine Learning detection for sample
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 5984 cmdline: loaddll32.exe "C:\Users\user\Desktop\unpacked (1).dll" MD5: 1F562FBF37040EC6C43C8D5EF619EA39)
    • conhost.exe (PID: 5980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6032 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\unpacked (1).dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6092 cmdline: rundll32.exe "C:\Users\user\Desktop\unpacked (1).dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • WerFault.exe (PID: 1236 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6092 -s 636 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
NameDescriptionAttributionBlogpost URLsLink
Gozi, Ursnif2000 Ursnif aka Snifula2006 Gozi v1.0, Gozi CRM, CRM, Papras2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)-> 2010 Gozi Prinimalka -> Vawtrak/NeverquestIn 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed.It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula.In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.gozi
No configs have been found
SourceRuleDescriptionAuthorStrings
unpacked (1).dllJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
    SourceRuleDescriptionAuthorStrings
    0.2.loaddll32.exe.10000000.0.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
      3.2.rundll32.exe.10000000.0.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
        No Sigma rule has matched
        No Snort rule has matched

        Click to jump to signature section

        Show All Signature Results

        AV Detection

        barindex
        Source: unpacked (1).dllAvira: detected
        Source: unpacked (1).dllReversingLabs: Detection: 43%
        Source: unpacked (1).dllJoe Sandbox ML: detected
        Source: 0.2.loaddll32.exe.10000000.0.unpackAvira: Label: TR/Patched.Ren.Gen2
        Source: 3.2.rundll32.exe.10000000.0.unpackAvira: Label: TR/Patched.Ren.Gen2
        Source: unpacked (1).dllStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
        Source: Amcache.hve.6.drString found in binary or memory: http://upx.sf.net

        Key, Mouse, Clipboard, Microphone and Screen Capturing

        barindex
        Source: Yara matchFile source: unpacked (1).dll, type: SAMPLE
        Source: Yara matchFile source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
        Source: loaddll32.exe, 00000000.00000002.308072090.0000000000DFB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

        E-Banking Fraud

        barindex
        Source: Yara matchFile source: unpacked (1).dll, type: SAMPLE
        Source: Yara matchFile source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
        Source: unpacked (1).dllStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
        Source: unpacked (1).dllStatic PE information: No import functions for PE file found
        Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6092 -s 636
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_02F41096
        Source: unpacked (1).dllReversingLabs: Detection: 43%
        Source: unpacked (1).dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_LNK_OVER, IMAGE_SCN_LNK_REMOVE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_128BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\unpacked (1).dll",#1
        Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\unpacked (1).dll"
        Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\unpacked (1).dll",#1
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\unpacked (1).dll",#1
        Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6092 -s 636
        Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\unpacked (1).dll",#1
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\unpacked (1).dll",#1
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5980:120:WilError_01
        Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6092
        Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER962D.tmpJump to behavior
        Source: classification engineClassification label: mal68.troj.winDLL@7/6@0/0
        Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_02F490F8 push 00000078h; ret
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_02F490C0 pushad ; ret
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_02F46646 push ds; iretd
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_02F3B826 push ds; retf
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_02F3B816 push ds; ret
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_02F3B80E push ds; iretd

        Hooking and other Techniques for Hiding and Protection

        barindex
        Source: Yara matchFile source: unpacked (1).dll, type: SAMPLE
        Source: Yara matchFile source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: Amcache.hve.6.drBinary or memory string: VMware
        Source: Amcache.hve.6.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
        Source: Amcache.hve.6.drBinary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
        Source: Amcache.hve.6.drBinary or memory string: VMware Virtual USB Mouse
        Source: Amcache.hve.6.drBinary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
        Source: Amcache.hve.6.drBinary or memory string: VMware, Inc.
        Source: Amcache.hve.6.drBinary or memory string: VMware Virtual disk SCSI Disk Devicehbin
        Source: Amcache.hve.6.drBinary or memory string: Microsoft Hyper-V Generation Counter
        Source: Amcache.hve.6.drBinary or memory string: VMware7,1
        Source: Amcache.hve.6.drBinary or memory string: NECVMWar VMware SATA CD00
        Source: Amcache.hve.6.drBinary or memory string: VMware Virtual disk SCSI Disk Device
        Source: Amcache.hve.6.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
        Source: Amcache.hve.6.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
        Source: Amcache.hve.6.drBinary or memory string: VMware, Inc.me
        Source: Amcache.hve.6.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
        Source: Amcache.hve.6.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
        Source: Amcache.hve.6.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
        Source: C:\Windows\System32\loaddll32.exeProcess queried: DebugPort
        Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
        Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\unpacked (1).dll",#1
        Source: Amcache.hve.6.drBinary or memory string: c:\program files\windows defender\msmpeng.exe

        Stealing of Sensitive Information

        barindex
        Source: Yara matchFile source: unpacked (1).dll, type: SAMPLE
        Source: Yara matchFile source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE

        Remote Access Functionality

        barindex
        Source: Yara matchFile source: unpacked (1).dll, type: SAMPLE
        Source: Yara matchFile source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
        Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
        Valid AccountsWindows Management InstrumentationPath Interception11
        Process Injection
        1
        Virtualization/Sandbox Evasion
        1
        Input Capture
        21
        Security Software Discovery
        Remote Services1
        Input Capture
        Exfiltration Over Other Network Medium1
        Encrypted Channel
        Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
        Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
        Rundll32
        LSASS Memory1
        Virtualization/Sandbox Evasion
        Remote Desktop Protocol1
        Archive Collected Data
        Exfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
        Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)1
        Software Packing
        Security Account Manager1
        System Information Discovery
        SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
        Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)11
        Process Injection
        NTDS1
        Remote System Discovery
        Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
        Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
        Obfuscated Files or Information
        LSA SecretsRemote System DiscoverySSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet