Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
AV Detection:
Found malware configuration
  Source: Malware Configuration Extractor
Multi AV Scanner detection for submitted file
  Source: Virustotal
  Source: ReversingLabs
Machine Learning detection for sample
  Source: Joe Sandbox ML
Antivirus or Machine Learning detection for unpacked file
  Source: Avira (2 entries)
Compliance:
Uses 32bit PE files
  Source: Static PE information
Uses new MSVCR Dlls
  Source: File opened
Uses secure TLS version for HTTPS connections
  Source: HTTPS traffic detected
Binary contains paths to debug symbols
  Source: Binary string (75 entries)
Spreading:
Contains functionality to get notified if a device is plugged in / out
  Source: Code function: 37_2_04DB9064
Source: Code function (6 entries): 0_2_004051E8, 0_2_02F37AA8, 1_2_004051E8, 37_2_04DBA0C4, 37_2_04DBEEAC, 37_2_04DB537C
Networking:
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  Source: Snort IDS
Internet Provider seen in connection with other malware
  Source: ASN Name
JA3 SSL client fingerprint seen in connection with other malware
  Source: JA3 fingerprint
Source: Code function: 37_2_04DB2690
Source: HTTP traffic detected (4 entries)
Source: DNS traffic detected
Source: String found in binary or memory (14 entries)
Source: Network traffic detected (5 entries)
Source: HTTPS traffic detected
Key, Mouse, Clipboard, Microphone and Screen Capturing:
Yara detected Ursnif
  Source: File source (19 entries)
Contains functionality to record screenshots
  Source: Code function: 1_2_004225C8
Contains functionality to retrieve information about pressed keystrokes
  Source: Code function: 0_2_00449950
E-Banking Fraud:
Yara detected Ursnif
  Source: File source (19 entries)
Disables SPDY (HTTP compression, likely to perform web injects)
  Source: Registry key value created / modified
System Summary:
Writes or reads registry keys via WMI
  Source: WMI Queries (11 entries)
Writes registry values via WMI
  Source: WMI Registry write (8 entries)
Contains functionality to call native functions
  Source: Code function (44 entries):
    0_2_0044C8CC, 0_2_0042863C, 0_2_0044281C, 0_2_00439348, 0_2_00439AF0, 0_2_00439BA0, 0_2_02C914E8, 0_2_02C9183B, 0_2_02C922C5, 0_2_02F372D8, 0_2_02F31371, 0_2_02F37507, 0_2_02F3B2F1,
    1_2_0044C8CC, 1_2_0042863C, 1_2_0044281C, 1_2_00439348, 1_2_00439AF0, 1_2_00439BA0, 1_2_045422C5,
    37_2_04DA14D0, 37_2_04DC20B4, 37_2_04DC4064, 37_2_04DA7008, 37_2_04DA5DF4, 37_2_04DC7278, 37_2_04DA527C, 37_2_04DB6A74, 37_2_04DB2FD0, 37_2_04DBFF54, 37_2_04DAEF1C, 37_2_04DB4B24, 37_2_04DDA002,
    38_2_00117008, 38_2_00134064, 38_2_001320B4, 38_2_001114D0, 38_2_00115DF4, 38_2_00137278, 38_2_0011527C, 38_2_0011EF1C, 38_2_00124B24, 38_2_0012FF54, 38_2_0014A002
Detected potential crypto function
  Source: Code function (80 entries):
    0_2_0044281C, 0_2_00433840, 0_2_02C920A4, 0_2_02F323FC, 0_2_02F3936B,
    1_2_0044281C, 1_2_00433840, 1_2_045420A4, 1_2_04521618,
    37_2_04DC0CDC, 37_2_04DBA0C4, 37_2_04DA58FC, 37_2_04DB2080, 37_2_04DAA8B8, 37_2_04DB059C, 37_2_04DBE178, 37_2_04DB3520, 37_2_04DC36F4, 37_2_04DBAE94, 37_2_04DA16B4, 37_2_04DA7A0C, 37_2_04DB537C, 37_2_04DAEF1C, 37_2_04DC40F8, 37_2_04DA3088, 37_2_04DBE87C, 37_2_04DC5010, 37_2_04DA4828, 37_2_04DC2994, 37_2_04DAD590, 37_2_04DB154C, 37_2_04DAB170, 37_2_04DA6168, 37_2_04DADD18, 37_2_04DAAD03, 37_2_04DB8504, 37_2_04DB0134, 37_2_04DA66D0, 37_2_04DA1AD0, 37_2_04DB6E88, 37_2_04DC1A30, 37_2_04DABF6C, 37_2_04DAB730, 37_2_04DB3F2C, 37_2_04DACF24,
    38_2_00130CDC, 38_2_0012059C, 38_2_0011EF1C, 38_2_00135010, 38_2_00114828, 38_2_0012E87C, 38_2_00122080, 38_2_00113088, 38_2_0011A8B8, 38_2_0012A0C4, 38_2_001340F8, 38_2_001158FC, 38_2_0011DD18, 38_2_0011AD03, 38_2_00128504, 38_2_00120134, 38_2_00123520, 38_2_0012154C, 38_2_0011B170, 38_2_0012E178, 38_2_00116168, 38_2_0011D590, 38_2_00132994, 38_2_00117A0C, 38_2_00131A30, 38_2_0012AE94, 38_2_00126E88, 38_2_001116B4, 38_2_00111AD0, 38_2_001166D0, 38_2_001336F4, 38_2_0011B730, 38_2_0011CF24, 38_2_00123F2C, 38_2_0012537C
Found potential string decryption / allocating functions
One or more processes crash
  Source: Process created
PE file contains strange resources
  Source: Static PE information
PE file does not import any functions
  Source: Static PE information (2 entries)
Searches for the Microsoft Outlook file path
  Source: Key opened
Uses 32bit PE files
  Source: Static PE information
Source: Classification label
Source: Code function: 0_2_00420AE8
Source: Code function: 0_2_004085C6
Source: Code function: 0_2_02F382EB
Source: Code function: 0_2_00416AE4
Source: File created
Source: Mutant created (5 entries)
Source: File created
Source: Key opened (2 entries)
Source: Section loaded (7 entries)
Source: File read
Source: Key opened
Source: File read (2 entries)
Source: Process created
Source: Virustotal
Source: ReversingLabs
Source: String found in binary or memory
Source: Process created (47 entries)
Source: Key value queried
Source: Key opened
Source: File opened
Source: Window detected
Source: File opened
Source: Key opened
Source: File opened
Source: Binary string (75 entries)
Data Obfuscation:
Suspicious powershell command line found
  Source: Process created (2 entries)
Compiles C# or VB.Net code
  Source: Process created (4 entries)
Contains functionality to dynamically determine API calls
  Source: Code function: 0_2_0042743C
Uses code obfuscation techniques (call, push, ret)
  Source: Code function (31 entries):
    0_2_00453EE5, 0_2_00406064, 0_2_004160F5, 0_2_00418179, 0_2_00414149, 0_2_00416139, 0_2_004144A0, 0_2_004144A0, 0_2_00428455, 0_2_0041C53E, 0_2_00458637, 0_2_00428AB7, 0_2_00428B18, 0_2_00406ABD, 0_2_0043CB74, 0_2_00458B88, 0_2_0040CB69, 0_2_00428B5C, 0_2_00428BE4, 0_2_00458BF8, 0_2_00458BC0, 0_2_00458C2A, 0_2_0042EC30, 0_2_00428D14, 0_2_00426D2A, 0_2_00428CBB, 0_2_00406CC4, 0_2_00428D7B, 0_2_00426DA4, 0_2_00402D3C, 0_2_00454D85
Persistence and Installation Behavior:
Drops PE files
  Source: File created (2 entries)
Hooking and other Techniques for Hiding and Protection:
Yara detected Ursnif
  Source: File source (19 entries)
Hooks registry keys query functions (used to hide registry keys)
  Source: IAT, EAT, inline or SSDT hook detected
Modifies the export address table of user mode modules (user mode EAT hooks)
  Source: IAT of a user mode module has changed
Modifies the import address table of user mode modules (user mode IAT hooks)
  Source: EAT of a user mode module has changed
Modifies the prolog of user mode functions (user mode inline hooks)
  Source: User mode code has changed
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
  Source: Code function (16 entries):
    0_2_004363F8, 0_2_0044E8A4, 0_2_0044F1C8, 0_2_004393D0, 0_2_00425390, 0_2_00439AF0, 0_2_00439BA0, 0_2_0044DFF0,
    1_2_004363F8, 1_2_0044E8A4, 1_2_0044F1C8, 1_2_004393D0, 1_2_00425390, 1_2_00439AF0, 1_2_00439BA0, 1_2_0044DFF0
Extensive use of GetProcAddress (often used to hide API calls)
  Source: Code function: 0_2_0042743C
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
  Source: Registry key monitored for changes
Source: Process information set (143 entries)
Malware Analysis System Evasion:
Contains functionality to detect sleep reduction / modifications
  Source: Code function: 0_2_0042DDB8, 1_2_0042DDB8
Contains capabilities to detect virtual machines
  Source: File opened / queried
Contains functionality to detect sandboxes (mouse cursor move detection)
  Source: Code function: 0_2_00438940, 1_2_00438940
Contains long sleeps (>= 3 min)
  Source: Thread delayed
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
  Source: Window / User API (2 entries)
Found dropped PE file which has not been started or loaded
  Source: Dropped PE file which has not been started (2 entries)
May check if the current machine is a sandbox (GetTickCount - Sleep)
  Source: Code function: 0_2_0042DDB8, 1_2_0042DDB8
May sleep (evasive loops) to hinder dynamic analysis
  Source: Thread sleep time (2 entries)
Source: Code function (6 entries): 0_2_004051E8, 0_2_02F37AA8, 1_2_004051E8, 37_2_04DBA0C4, 37_2_04DBEEAC, 37_2_04DB537C
Source: Code function: 0_2_00421078
Source: Binary or memory string (7 entries)
Source: Process information queried
Anti Debugging:
Checks if the current process is being debugged
  Source: Process queried (2 entries)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
  Source: Code function: 1_2_00447EB0
Contains functionality to dynamically determine API calls
  Source: Code function: 0_2_0042743C
Enables debug privileges
  Source: Process token adjusted
Source: Memory protected
HIPS / PFW / Operating System Protection Evasion: |
---|
Allocates memory in foreign processes |
Source: |
Memory allocated: |
Jump to behavior | ||
Source: |
Memory allocated: |
Changes memory attributes in foreign processes to executable or writable |
Source: |
Memory protected: |
||
Source: |
Memory protected: |
||
Source: |
Memory protected: |
||
Source: |
Memory protected: |
||
Source: |
Memory protected: |
||
Source: |
Memory protected: |
||
Source: |
Memory protected: |
||
Source: |
Memory protected: |
||
Source: |
Memory protected: |
||
Source: |
Memory protected: |
||
Source: |
Memory protected: |
||
Source: |
Memory protected: |
||
Source: |
Memory protected: |
||
Source: |
Memory protected: |
||
Source: |
Memory protected: |
||
Source: |
Memory protected: |
||
Source: |
Memory protected: |
||
Source: |
Memory protected: |
Compiles code for process injection (via .Net compiler) |
Source: |
File written: |
Jump to dropped file |
Creates a thread in another existing process (thread injection) |
Source: | Thread created: |
Injects code into the Windows Explorer (explorer.exe) |
Source: | Memory written: |
Maps a DLL or memory area into another process |
Source: | Section loaded: |
Modifies the context of a thread in another process (thread injection) |
Source: | Thread register set: |
Writes to foreign memory regions |
Source: | Memory written: |
Creates a process in suspended mode (likely to inject code) |
Source: | Process created: |
Very long cmdline option found, this is very uncommon (may be encrypted or packed) |
Source: | Process created: |
Language, Device and Operating System Detection: |
---|
Contains functionality to query CPU information (cpuid) |
Source: | Code function: 0_2_02F3A446
Contains functionality to query locales information (e.g. system language) |
Source: | Code function: 0_2_004053A0
Source: | Code function: 0_2_0040C3B0
Source: | Code function: 0_2_0040ADFC
Source: | Code function: 0_2_0040AE48
Source: | Code function: 0_2_004054AC
Source: | Code function: 0_2_00405C96
Source: | Code function: 0_2_00405C98
Source: | Code function: 1_2_004053A0
Source: | Code function: 1_2_0040C3B0
Source: | Code function: 1_2_0040ADFC
Source: | Code function: 1_2_0040AE48
Source: | Code function: 1_2_004054AC
Source: | Code function: 1_2_00405C96
Source: | Code function: 1_2_00405C98
Queries the volume information (name, serial number etc) of a device |
Source: | Queries volume information: |
Source: | Code function: 0_2_004098C8
Source: | Code function: 0_2_02F3A446
Source: | Code function: 0_2_00453E60
Source: | Key value queried: |
Stealing of Sensitive Information: |
---|
Yara detected Ursnif |
Source: | File source: |
Tries to harvest and steal browser information (history, passwords, etc) |
Source: | File opened: |
Tries to steal Mail credentials (via file access) |
Source: | Key opened: |
Remote Access Functionality: |
---|
Yara detected Ursnif |
Source: | File source: |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
104.16.249.249 | unknown | United States | 13335 | CLOUDFLARENETUS | false |
80.208.230.180 | unknown | Lithuania | 62282 | RACKRAYUABRakrejusLT | false |
45.67.231.135 | unknown | Moldova Republic of | 50673 | SERVERIUS-ASNL | true |
Name | IP | Active |
---|---|---|
pronpepsipirpyamvioerd.com | 80.208.230.180 | true |
mozilla.cloudflare-dns.com | 104.16.249.249 | true |
eorctconthoelrrpentshfex.com | 45.67.231.135 | true |
resolver1.opendns.com | 208.67.222.222 | true |
1.0.0.127.in-addr.arpa | unknown | unknown |
assets.onestore.ms | unknown | unknown |
8.8.8.8.in-addr.arpa | unknown | unknown |
ajax.aspnetcdn.com | unknown | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| false | | unknown |
| false | | unknown |
| false | | unknown |
| false | | unknown |