
setup.exe

Status: finished
Submission Time: 2020-06-29 13:19:02 +02:00
Malicious
E-Banking Trojan
Trojan
Evader
Ursnif

Details

  • Analysis ID:
    241985
  • API (Web) ID:
    379690
  • Analysis Started:
    2020-06-29 13:19:02 +02:00
  • Analysis Finished:
    2020-06-29 13:25:37 +02:00
  • MD5:
    eb320243d41500647b767f567a285401
  • SHA1:
    ffe46db953bc5227f323baf29008a8eb79ed8dc9
  • SHA256:
    3fe5fdbdc141727dc6b70a7c8e2c7700a0eef1ee6236d7a5cb62b15c75ab9f26
  • Technologies:

Joe Sandbox

Engine Download Report Detection Info
Detection: malicious
Score: 100
System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

malicious, Score: 16/72
malicious, Score: 11/48

IPs

IP Country Detection

Domains

Name IP Detection

URLs

Name Detection

Dropped files

Name File Type Hashes Detection