Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
AV Detection: |
---|
Found malware configuration |
Source: |
Malware Configuration Extractor: |
Machine Learning detection for sample |
Source: |
Joe Sandbox ML: |
Antivirus or Machine Learning detection for unpacked file |
Source: |
Avira: |
||
Source: |
Avira: |
Compliance: |
---|
Uses 32bit PE files |
Source: |
Static PE information: |
Uses new MSVCR Dlls |
Source: |
File opened: |
Jump to behavior |
Binary contains paths to debug symbols |
Source: |
Binary string: |
||
Source: |
Binary string: |
||
Source: |
Binary string: |
||
Source: |
Binary string: |
||
Source: |
Binary string: |
Source: |
Code function: |
0_2_00D83771 |
Source: |
HTTP traffic detected: |
||
Source: |
HTTP traffic detected: |
||
Source: |
HTTP traffic detected: |
||
Source: |
HTTP traffic detected: |
Source: |
String found in binary or memory: |
||
Source: |
String found in binary or memory: |
||
Source: |
String found in binary or memory: |
||
Source: |
String found in binary or memory: |
||
Source: |
String found in binary or memory: |
||
Source: |
String found in binary or memory: |
Source: |
DNS traffic detected: |
Source: |
String found in binary or memory: |
||
Source: |
String found in binary or memory: |
||
Source: |
String found in binary or memory: |
||
Source: |
String found in binary or memory: |
||
Source: |
String found in binary or memory: |
||
Source: |
String found in binary or memory: |
||
Source: |
String found in binary or memory: |
||
Source: |
String found in binary or memory: |
||
Source: |
String found in binary or memory: |
||
Source: |
String found in binary or memory: |
||
Source: |
String found in binary or memory: |
||
Source: |
String found in binary or memory: |
||
Source: |
String found in binary or memory: |
||
Source: |
String found in binary or memory: |
||
Source: |
String found in binary or memory: |
||
Source: |
String found in binary or memory: |
||
Source: |
String found in binary or memory: |
||
Source: |
String found in binary or memory: |
||
Source: |
String found in binary or memory: |
||
Source: |
String found in binary or memory: |
||
Source: |
String found in binary or memory: |
||
Source: |
String found in binary or memory: |
||
Source: |
String found in binary or memory: |
||
Source: |
String found in binary or memory: |
||
Source: |
String found in binary or memory: |
||
Source: |
String found in binary or memory: |
||
Source: |
String found in binary or memory: |
||
Source: |
String found in binary or memory: |
||
Source: |
String found in binary or memory: |
||
Source: |
String found in binary or memory: |
Key, Mouse, Clipboard, Microphone and Screen Capturing: |
---|
Yara detected Ursnif |
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
Creates a DirectInput object (often for capturing keystrokes) |
Source: |
Binary or memory string: |
E-Banking Fraud: |
---|
Yara detected Ursnif |
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
System Summary: |
---|
Writes or reads registry keys via WMI |
Source: |
WMI Queries: |
||
Source: |
WMI Queries: |
||
Source: |
WMI Queries: |
||
Source: |
WMI Queries: |
||
Source: |
WMI Queries: |
||
Source: |
WMI Queries: |
||
Source: |
WMI Queries: |
||
Source: |
WMI Queries: |
||
Source: |
WMI Queries: |
||
Source: |
WMI Queries: |
||
Source: |
WMI Queries: |
Writes registry values via WMI |
Source: |
WMI Registry write: |
||
Source: |
WMI Registry write: |
||
Source: |
WMI Registry write: |
||
Source: |
WMI Registry write: |
||
Source: |
WMI Registry write: |
||
Source: |
WMI Registry write: |
||
Source: |
WMI Registry write: |
||
Source: |
WMI Registry write: |
Contains functionality to call native functions |
Source: |
Code function: |
0_2_10001B88 | |
Source: |
Code function: |
0_2_100018B2 | |
Source: |
Code function: |
0_2_100019C8 | |
Source: |
Code function: |
0_2_100022E5 | |
Source: |
Code function: |
0_2_00D81FAC | |
Source: |
Code function: |
0_2_00D8B321 |
Detected potential crypto function |
Source: |
Code function: |
0_2_100020C4 | |
Source: |
Code function: |
0_2_00D8B0FC | |
Source: |
Code function: |
0_2_00D85270 | |
Source: |
Code function: |
0_2_00D8832D |
PE / OLE file has an invalid certificate |
Source: |
Static PE information: |
PE file does not import any functions |
Source: |
Static PE information: |
||
Source: |
Static PE information: |
Searches for the Microsoft Outlook file path |
Source: |
Key opened: |
Jump to behavior |
Uses 32bit PE files |
Source: |
Static PE information: |
Source: |
Classification label: |
Source: |
Code function: |
0_2_00D814FE |
Source: |
File created: |
Jump to behavior |
Source: |
Mutant created: |
||
Source: |
Mutant created: |
Source: |
File created: |
Jump to behavior |
Source: |
Static PE information: |
Source: |
Section loaded: |
||
Source: |
Section loaded: |
||
Source: |
Section loaded: |
||
Source: |
Section loaded: |
||
Source: |
Section loaded: |
||
Source: |
Section loaded: |
||
Source: |
Section loaded: |
Source: |
File read: |
Jump to behavior |
Source: |
Key opened: |
Jump to behavior |
Source: |
Process created: |
|||
Source: |
Process created: |
|||
Source: |
Process created: |
|||
Source: |
Process created: |
|||
Source: |
Process created: |
|||
Source: |
Process created: |
|||
Source: |
Process created: |
|||
Source: |
Process created: |
|||
Source: |
Process created: |
|||
Source: |
Process created: |
|||
Source: |
Process created: |
|||
Source: |
Process created: |
|||
Source: |
Process created: |
|||
Source: |
Process created: |
|||
Source: |
Process created: |
|||
Source: |
Process created: |
Jump to behavior | ||
Source: |
Process created: |
Jump to behavior | ||
Source: |
Process created: |
Jump to behavior | ||
Source: |
Process created: |
Jump to behavior | ||
Source: |
Process created: |
Jump to behavior | ||
Source: |
Process created: |
Jump to behavior | ||
Source: |
Process created: |
|||
Source: |
Process created: |
|||
Source: |
Process created: |
|||
Source: |
Process created: |
Source: |
Key value queried: |
Jump to behavior |
Source: |
Key opened: |
Jump to behavior |
Source: |
Window detected: |
Source: |
File opened: |
Source: |
File opened: |
Jump to behavior |
Source: |
Binary string: |
||
Source: |
Binary string: |
||
Source: |
Binary string: |
||
Source: |
Binary string: |
||
Source: |
Binary string: |
Data Obfuscation: |
---|
Suspicious powershell command line found |
Source: |
Process created: |
|||
Source: |
Process created: |
Jump to behavior |
Compiles C# or VB.Net code |
Source: |
Process created: |
||
Source: |
Process created: |
||
Source: |
Process created: |
||
Source: |
Process created: |
PE file contains an invalid checksum |
Source: |
Static PE information: |
||
Source: |
Static PE information: |
||
Source: |
Static PE information: |
PE file contains sections with non-standard names |
Source: |
Static PE information: |
||
Source: |
Static PE information: |
||
Source: |
Static PE information: |
Uses code obfuscation techniques (call, push, ret) |
Source: |
Code function: |
0_2_100020C3 | |
Source: |
Code function: |
0_2_10002069 | |
Source: |
Code function: |
0_2_00D8B0FB | |
Source: |
Code function: |
0_2_00D8AD39 | |
Source: |
Code function: |
0_2_007EB804 | |
Source: |
Code function: |
0_2_007E2440 | |
Source: |
Code function: |
0_2_007E3D80 | |
Source: |
Code function: |
0_2_007E11CE | |
Source: |
Code function: |
0_2_007E2E4E | |
Source: |
Code function: |
0_2_007E1607 | |
Source: |
Code function: |
0_2_007E27F5 | |
Source: |
Code function: |
0_2_007E27F5 |
Persistence and Installation Behavior: |
---|
Drops PE files |
Source: |
File created: |
Jump to dropped file | ||
Source: |
File created: |
Jump to dropped file |
Hooking and other Techniques for Hiding and Protection: |
---|
Yara detected Ursnif |
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
Hooks registry keys query functions (used to hide registry keys) |
Source: |
IAT, EAT, inline or SSDT hook detected: |
Modifies the export address table of user mode modules (user mode EAT hooks) |
Source: |
IAT of a user mode module has changed: |
Modifies the import address table of user mode modules (user mode IAT hooks) |
Source: |
EAT of a user mode module has changed: |
Modifies the prolog of user mode functions (user mode inline hooks) |
Source: |
User mode code has changed: |
Monitors certain registry keys / values for changes (often done to protect autostart functionality) |
Source: |
Registry key monitored for changes: |
Jump to behavior |
Source: |
Process information set: |
Jump to behavior | ||
Source: |
Process information set: |
Jump to behavior | ||
Source: |
Process information set: |
Jump to behavior | ||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
|||
Source: |
Process information set: |
Malware Analysis System Evasion: |
---|
Contains capabilities to detect virtual machines |
Source: |
File opened / queried: |
Jump to behavior |
Contains long sleeps (>= 3 min) |
Source: |
Thread delayed: |
Found a high number of Window / User specific system calls (may be a loop to detect user behavior) |
Source: |
Window / User API: |
||
Source: |
Window / User API: |
Found dropped PE file which has not been started or loaded |
Source: |
Dropped PE file which has not been started: |
Jump to dropped file | ||
Source: |
Dropped PE file which has not been started: |
Jump to dropped file |
May sleep (evasive loops) to hinder dynamic analysis |
Source: |
Thread sleep time: |
Source: |
Code function: |
0_2_00D83771 |
Source: |
Process information queried: |
Jump to behavior |
Anti Debugging: |
---|
Enables debug privileges |
Source: |
Process token adjusted: |
Source: |
Memory protected: |
Jump to behavior |
HIPS / PFW / Operating System Protection Evasion: |
---|
Compiles code for process injection (via .Net compiler) |
Source: |
File written: |
Jump to dropped file |
Creates a thread in another existing process (thread injection) |
Source: |
Thread created: |
Maps a DLL or memory area into another process |
Source: |
Section loaded: |
Modifies the context of a thread in another process (thread injection) |
Source: |
Thread register set: |
Creates a process in suspended mode (likely to inject code) |
Source: |
Process created: |
Jump to behavior | ||
Source: |
Process created: |
|||
Source: |
Process created: |
|||
Source: |
Process created: |
|||
Source: |
Process created: |
Very long cmdline option found, this is very uncommon (may be encrypted or packed) |
Source: |
Process created: |
Language, Device and Operating System Detection: |
---|
Contains functionality to query CPU information (cpuid) |
Source: |
Code function: |
0_2_00D83F50 |
Queries the volume information (name, serial number etc) of a device |
Source: |
Queries volume information: |
||
Source: |
Queries volume information: |
||
Source: |
Queries volume information: |
||
Source: |
Queries volume information: |
||
Source: |
Queries volume information: |
||
Source: |
Queries volume information: |
||
Source: |
Queries volume information: |
||
Source: |
Queries volume information: |
||
Source: |
Queries volume information: |
||
Source: |
Queries volume information: |
Source: |
Code function: |
0_2_10001CBE |
Source: |
Code function: |
0_2_00D83F50 |
Source: |
Code function: |
0_2_10001F35 |
Source: |
Key value queried: |
Stealing of Sensitive Information: |
---|
Yara detected Ursnif |
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
Remote Access Functionality: |
---|
Yara detected Ursnif |
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
||
Source: |
File source: |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
185.186.244.49 | unknown | Netherlands | 35415 | WEBZILLANL | false |
Private |
---|
IP |
---|
192.168.2.1 |
Name | IP | Active |
---|---|---|
resolver1.opendns.com | 208.67.222.222 | true |
lopppooole.xyz | 185.186.244.49 | true |
1.0.0.127.in-addr.arpa | unknown | unknown |
8.8.8.8.in-addr.arpa | unknown | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
false |
|
unknown | |
false |
|
unknown | |
false |
|
unknown |