Source: d610000.dll.dll
Malware Configuration Extractor: Ursnif {"RSA Public Key": "GE4Kf3pbrel1zpiOoLCHqOkVEoQCjXZcwDJgnKKashzu0ThAOIAJ/NQb3zKPQODOcEFRZfugbCviR+t+viu5jwjNVxTXEO+9Oq9MXvnhL3atJQPuJlCCvGC4jxqOl1+k9/pwik62mMuWd8AoXgZ/WmjcnNaQRQszlbtuRbQoHZr3ItTrVv9BHP0eOyDB8QSDHjb8UnRBZMZZaqAL2uRE2sPmEgdRIm6Wuju2n1FVZtl1kxpF/++L23MifEqV2vCG4veI+iRsyoDo+5dNzy/SoNvG0JmlelPoFeRD0XGBrM85vXLHSpsv4AWDYzOs7NLBs/ynxrCVGuIVfCRpyyhS7Zc5Z5ky0QHC4pY+36zr4yQ=", "c2_domain": ["trackingg-protectioon.cdn1.mozilla.net", "siwdmfkshsgw.com", "trackingg-protectioon.cdn1.mozilla.net", "188.127.224.114", "weiqeqwns.com", "weiqeqwens.com", "weiqewqwns.com", "iujdhsndjfks.com", "ijduwhsbvk.com"], "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], "serpent_key": "YFVenkBsAbUmuHYi", "tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll", "movie_capture": "30, 8, *terminal* *wallet* *bank* *banco*", "server": "50", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "10103", "SetWaitableTimer_value": "1"}
Source: Yara match
File source: d610000.dll.dll, type: SAMPLE
Source: d610000.dll.dll
Static PE information: No import functions for PE file found
Source: C:\Windows\System32\loaddll64.exe
Section loaded: .dll
Source: d610000.dll.dll
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine
Classification label: mal56.troj.winDLL@8/0@0/0
Source: C:\Windows\System32\loaddll64.exe
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\d610000.dll.dll,#1
Source: unknown
Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\d610000.dll.dll"
Source: C:\Windows\System32\loaddll64.exe
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe
Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\d610000.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\d610000.dll.dll,#1
Source: C:\Windows\System32\cmd.exe
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d610000.dll.dll",#1
Source: C:\Windows\System32\conhost.exe
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4952:120:WilError_01
Source: C:\Windows\System32\rundll32.exe
Automated click: OK
Source: Window Recorder
Window detected: More than 3 window changes detected
Source: d610000.dll.dll
Static PE information: Image base 0x180000000 > 0x60000000
Source: Yara match
File source: d610000.dll.dll, type: SAMPLE
Source: C:\Windows\System32\rundll32.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe
Last function: Thread delayed
Source: all processes
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll64.exe
Process queried: DebugPort
Source: C:\Windows\System32\cmd.exe
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d610000.dll.dll",#1