Play interactive tour
Edit tourAnalysis Report xls.xls
Overview
General Information
| Sample Name: | xls.xls |
| Analysis ID: | 350432 |
| MD5: | 0e6d3ca70f81e25baf88e5a2bb5cde7e |
| SHA1: | 830932f1ec44148a6327f08d95b2ebaa4694d2ad |
| SHA256: | b2701be6d7b593433a48955c5613953470e2c807a87fa18eb33334da66dd41b0 |
Most interesting Screenshot:  | |
Detection
Hidden Macro 4.0 Gozi Ursnif
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Detected Gozi e-Banking trojan
Document exploit detected (drops PE files)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Dot net compiler compiles file from suspicious location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
Compiles code for process injection (via .Net compiler)
Contains functionality to detect sleep reduction / modifications
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Downloads files with wrong headers with respect to MIME Content-Type
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Hijacks the control flow in another process
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Office process drops PE file
Overwrites Mozilla Firefox settings
Searches for Windows Mail specific files
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Microsoft Office Product Spawning Windows Shell
Suspicious powershell command line found
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses ipconfig to lookup or modify the Windows network settings
Uses nslookup.exe to query domains
Writes registry values via WMI
Writes to foreign memory regions
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Compiles C# or VB.Net code
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to get notified if a device is plugged in / out
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Document contains embedded VBA macros
Downloads executable code via HTTP
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Suspicious Rundll32 Activity
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
Startup |
|---|
|
Malware Configuration |
|---|
Threatname: Ursnif |
|---|
{"server": "12", "whoami": "user@134349$]", "dns": "134349", "version": "250177", "uptime": "1079", "crc": "2", "id": "3131", "user": "7035163551f465eb3c6bced5387f24a3", "soft": "3"}Yara Overview |
|---|
Initial Sample |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| SUSP_Excel4Macro_AutoOpen | Detects Excel4 macro use with auto open / close | John Lambert @JohnLaTwC |
|
Memory Dumps |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
| Click to see the 5 entries | ||||
Sigma Overview |
|---|
System Summary: |   |
|---|
| Sigma detected: Dot net compiler compiles file from suspicious location | Show sources | ||
| Source: | Author: Joe Security: | ||
| Sigma detected: MSHTA Spawning Windows Shell | Show sources | ||
| Source: | Author: Michael Haag: | ||
| Sigma detected: Microsoft Office Product Spawning Windows Shell | Show sources | ||
| Source: | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: | ||
| Sigma detected: Suspicious Rundll32 Activity | Show sources | ||
| Source: | Author: juju4: | ||
Signature Overview |
|---|
Click to jump to signature section
Show All Signature Results
AV Detection: | |
|---|
| Antivirus detection for URL or domain | Show sources | ||
| Source: | Avira URL Cloud: | ||
| Found malware configuration | Show sources | ||
| Source: | Malware Configuration Extractor: | ||
| Multi AV Scanner detection for dropped file | Show sources | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Multi AV Scanner detection for submitted file | Show sources | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Machine Learning detection for dropped file | Show sources | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
Compliance: | |
|---|
| Uses new MSVCR Dlls | Show sources | ||
| Source: | File opened: | Jump to behavior | ||
| Uses secure TLS version for HTTPS connections | Show sources | ||
| Source: | HTTPS traffic detected: | ||
| Binary contains paths to debug symbols | Show sources | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 28_2_02919064 | |
| Source: | Code function: | 4_2_003851E8 | |
| Source: | Code function: | 4_2_00477AA8 | |
| Source: | Code function: | 4_2_02359B00 | |
| Source: | Code function: | 4_2_0234E8CE | |
| Source: | Code function: | 4_2_02349945 | |
| Source: | Code function: | 4_2_02349F54 | |
| Source: | Code function: | 28_2_0291EEAC | |
| Source: | Code function: | 28_2_0291537C | |
| Source: | Code function: | 4_2_0234BB01 | |
| Source: | File opened: | ||
| Source: | File opened: | ||
| Source: | File opened: | ||
| Source: | File opened: | ||
| Source: | File opened: | ||
| Source: | File opened: | ||
Software Vulnerabilities: | |
|---|
| Document exploit detected (drops PE files) | Show sources | ||
| Source: | File created: | Jump to dropped file | ||
| Document exploit detected (UrlDownloadToFile) | Show sources | ||
| Source: | Section loaded: | Jump to behavior | ||
| Document exploit detected (process start blacklist hit) | Show sources | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Memory has grown: | ||
Networking: | |
|---|
| Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) | Show sources | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Downloads files with wrong headers with respect to MIME Content-Type | Show sources | ||
| Source: | Image file has PE prefix: | ||