
Windows Analysis Report
test2.dll

Overview

General Information

Sample Name: test2.dll
(renamed file extension from bin to dll, renamed because original name is a hash value)
Original Sample Name: test2.bin
Analysis ID: 828211
MD5: 69a88f93c1ec9c8ecc66b7d19fb4a9aa
SHA1: 74dca80be03ab4dcc6bac81e794b6a02b56c4574
SHA256: c825d867fb0bf1ba55b89f4bb1c6db13020792ceb175e84fac5f72cfa161726f

Detection

Ursnif
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Machine Learning detection for sample
Uses 32bit PE files
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Sample execution stops while process was sleeping (likely an evasion)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 2952 cmdline: loaddll32.exe "C:\Users\user\Desktop\test2.dll" MD5: 1F562FBF37040EC6C43C8D5EF619EA39)
    • conhost.exe (PID: 488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 1292 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\test2.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5092 cmdline: rundll32.exe "C:\Users\user\Desktop\test2.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • WerFault.exe (PID: 4136 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 636 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
Malware family (Name / Description / Attribution / Blogpost URLs / Link):

Name: Gozi, Ursnif
Description:
  2000  Ursnif aka Snifula
  2006  Gozi v1.0, Gozi CRM, CRM, Papras
  2010  Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)
        -> 2010 Gozi Prinimalka -> Vawtrak/Neverquest
  In 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed. It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula. In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi
No configs have been found
Yara matches (Source / Rule / Description / Author / Strings):
Source: test2.dll; Rule: JoeSecurity_Ursnif_1; Description: Yara detected Ursnif; Author: Joe Security
Source: 0.2.loaddll32.exe.10000000.0.unpack; Rule: JoeSecurity_Ursnif_1; Description: Yara detected Ursnif; Author: Joe Security
Source: 3.2.rundll32.exe.10000000.0.unpack; Rule: JoeSecurity_Ursnif_1; Description: Yara detected Ursnif; Author: Joe Security
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: test2.dll; Avira: detected
Source: test2.dll; Virustotal: Detection: 39%
Source: test2.dll; Joe Sandbox ML: detected
Source: 0.2.loaddll32.exe.10000000.0.unpack; Avira: Label: TR/Patched.Ren.Gen2
Source: 3.2.rundll32.exe.10000000.0.unpack; Avira: Label: TR/Patched.Ren.Gen2
Source: test2.dll; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: Amcache.hve.6.dr; String found in binary or memory: http://upx.sf.net

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match; File source: test2.dll, type: SAMPLE
Source: Yara match; File source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE

E-Banking Fraud

Source: Yara match; File source: test2.dll, type: SAMPLE
Source: Yara match; File source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: test2.dll; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: test2.dll; Static PE information: No import functions for PE file found
Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 636
Source: test2.dll; Virustotal: Detection: 39%
Source: test2.dll; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_LNK_OVER, IMAGE_SCN_LNK_REMOVE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_128BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\test2.dll",#1
Source: unknown; Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\test2.dll"
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\test2.dll",#1
Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5092
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:488:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe; File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF153.tmp
Source: classification engine; Classification label: mal68.troj.winDLL@7/6@0/0
Source: C:\Windows\SysWOW64\WerFault.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_0075C079 push ebx; ret 3_2_0075C093
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_0076AC78 push eax; iretd 3_2_0076AC79
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_0076A050 pushad ; ret 3_2_0076A12D
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_0076D25D pushfd ; ret 3_2_0076D283
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_0076BE4D pushad ; ret 3_2_0076BE59
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_0076A832 push esp; ret 3_2_0076A833
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_00769022 push ebp; ret 3_2_0076902B
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_007662E9 push ds; ret 3_2_00766363
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_00768ED0 pushad ; ret 3_2_00768ED1
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_0075EAAD push edx; retf 3_2_0075EB39
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_0075EAA8 pushad ; retf 3_2_0075EAA9
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_0076CE9D push cs; ret 3_2_0076CF13
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_0075E975 push edi; ret 3_2_0075E98B
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_0075CF72 push esi; ret 3_2_0075D023
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_00766364 push es; ret 3_2_007663A3
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_0075A952 push esp; ret 3_2_0075A953
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_0075E95D push esp; ret 3_2_0075E973
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_0075E95A push ecx; ret 3_2_0075E95B
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_0075C735 push es; ret 3_2_0075C75B
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_00769725 pushad ; ret 3_2_0076998B
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_0075EB22 push edx; retf 3_2_0075EB39
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_0075AB10 push edi; ret 3_2_0075AB11
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_0075A912 push eax; ret 3_2_0075A933
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_0075D91C push 800075D8h; iretd 3_2_0075D921
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_0075C700 push 200075C7h; retn 0075h 3_2_0075C70D
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_0075EB0F push ecx; retf 3_2_0075EB21
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_007663E2 push cs; ret 3_2_007663E3
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_0076CFDD push esi; ret 3_2_0076D053
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_0075E7C0 push ds; ret 3_2_0075E7C3
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_0076B1BE pushfd ; ret 3_2_0076B27B
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_00760BA5 push ecx; ret 3_2_00760BBB

Hooking and other Techniques for Hiding and Protection

Source: Yara match; File source: test2.dll, type: SAMPLE
Source: Yara match; File source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: Amcache.hve.6.dr; Binary or memory string: VMware
Source: Amcache.hve.6.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.6.dr; Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.6.dr; Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr; Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
Source: Amcache.hve.6.dr; Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr; Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.6.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr; Binary or memory string: VMware7,1
Source: Amcache.hve.6.dr; Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr; Binary or memory string: VMware, Inc.me
Source: Amcache.hve.6.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.6.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: C:\Windows\System32\loaddll32.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\test2.dll",#1
Source: Amcache.hve.6.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe

Stealing of Sensitive Information

Source: Yara match; File source: test2.dll, type: SAMPLE
Source: Yara match; File source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE

Remote Access Functionality

Source: Yara match; File source: test2.dll, type: SAMPLE
Source: Yara match; File source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE

MITRE ATT&CK Matrix (techniques matched by this analysis carry the report's match count in parentheses; the remaining entries are the unmatched matrix cells):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Privilege Escalation: Process Injection (11); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Defense Evasion: Virtualization/Sandbox Evasion (1); Rundll32 (1); Software Packing (1); Process Injection (11); Obfuscated Files or Information (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery (21); Virtualization/Sandbox Evasion (1); System Information Discovery (1); Remote System Discovery (1); Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation; Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings
Impact: Modify System Partition; Device Lockout; Delete Device Data