Score | Range | Whitelisted | Confidence
---|---|---|---
100 | 0 - 100 | false | 100%
AV Detection:
Signature | Evidence
---|---
Found malware configuration | Malware Configuration Extractor
Multi AV Scanner detection for submitted file | Virustotal, Metadefender, ReversingLabs
Machine Learning detection for dropped file | Joe Sandbox ML ×2
(unnamed signature) | File opened
(unnamed signature) | HTTPS traffic detected ×5
Software Vulnerabilities:
Signature | Evidence
---|---
Document exploit detected (drops PE files) | File created
Document exploit detected (UrlDownloadToFile) | Section loaded
Document exploit detected (process start blacklist hit) | Process created
Potential document exploit detected (performs DNS queries) | DNS query
Potential document exploit detected (performs HTTP gets) | TCP traffic
Potential document exploit detected (unknown TCP traffic) | TCP traffic
Networking:
Signature | Evidence
---|---
IP address seen in connection with other malware | IP Address ×2
JA3 SSL client fingerprint seen in connection with other malware | JA3 fingerprint
(unnamed signature) | File created
(unnamed signature) | String found in binary or memory
(unnamed signature) | DNS traffic detected
(unnamed signature) | String found in binary or memory ×10
(unnamed signature) | Network traffic detected ×14
(unnamed signature) | HTTPS traffic detected ×5
Key, Mouse, Clipboard, Microphone and Screen Capturing:
Signature | Evidence
---|---
Yara detected Ursnif | File source ×2
E-Banking Fraud:
Signature | Evidence
---|---
Yara detected Ursnif | File source ×2
System Summary:
Signature | Evidence
---|---
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) | Screenshot OCR ×10
Found Excel 4.0 Macro with suspicious formulas | Initial sample ×2
Found abnormal large hidden Excel 4.0 Macro sheet | Initial sample ×2
Found obfuscated Excel 4.0 Macro | Initial sample
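The hidden Excel 4.0 macro sheet signatures above rest on one structural fact of the legacy .xls format: every sheet is declared by a BOUNDSHEET record in the Workbook stream, and that record carries both the sheet type (0x01 = macro sheet) and its visibility state (0 visible, 1 hidden, 2 very hidden). The following scanner is an added example written for this report, not Joe Sandbox's own signature code, and it reproduces only the "hidden macro sheet" check; the report does not state the size threshold behind "abnormal large", so that part is not modelled. It assumes the Workbook stream has already been pulled out of the OLE2 container (for example with olefile) and works on a stream constructed inline for the example; the record-builder `boundsheet()` and the sample stream are fixtures, not real data.

```python
"""Scan a BIFF8 Workbook stream for hidden Excel 4.0 (XLM) macro sheets.

Added example; not code from the Joe Sandbox report. Only BOUNDSHEET
(0x0085) records are parsed, which is what the hidden-macro-sheet check
needs. SAMPLE_STREAM below is constructed by hand for the example.
"""
import struct
from dataclasses import dataclass

BOUNDSHEET = 0x0085
HS_STATE = {0: "visible", 1: "hidden", 2: "very hidden"}
SHEET_TYPE = {0x00: "worksheet", 0x01: "macro sheet", 0x02: "chart", 0x06: "VBA module"}


@dataclass
class Sheet:
    name: str
    state: str
    kind: str


def iter_records(stream: bytes):
    """Yield (record_id, payload) for each BIFF record; stop on a truncated record."""
    off = 0
    while off + 4 <= len(stream):
        rec_id, length = struct.unpack_from("<HH", stream, off)
        off += 4
        if off + length > len(stream):
            break
        yield rec_id, stream[off:off + length]
        off += length


def parse_boundsheet(payload: bytes) -> Sheet:
    # lbPlyPos(4) | grbit(2): bits 0-1 = hsState, high byte = dt | cch(1) | fHighByte(1) | name
    _pos, grbit, cch, flags = struct.unpack_from("<IHBB", payload, 0)
    state = HS_STATE.get(grbit & 0x3, "reserved")
    kind = SHEET_TYPE.get(grbit >> 8, "unknown(0x%02x)" % (grbit >> 8))
    raw = payload[8:]
    if flags & 0x01:                       # fHighByte set: UTF-16LE name
        name = raw[:2 * cch].decode("utf-16-le", "replace")
    else:                                  # compressed 8-bit name
        name = raw[:cch].decode("latin-1")
    return Sheet(name, state, kind)


def find_hidden_macro_sheets(stream: bytes) -> list:
    """Return macro sheets whose hsState is hidden or very hidden."""
    sheets = [parse_boundsheet(p) for rid, p in iter_records(stream) if rid == BOUNDSHEET]
    return [s for s in sheets if s.kind == "macro sheet" and s.state != "visible"]


def boundsheet(name: str, state: int, kind: int) -> bytes:
    """Build one BOUNDSHEET record (test fixture only; ASCII names)."""
    payload = struct.pack("<IHBB", 0, (kind << 8) | state, len(name), 0) + name.encode("latin-1")
    return struct.pack("<HH", BOUNDSHEET, len(payload)) + payload


# Constructed Workbook stream: BOF, one visible worksheet, one very hidden macro sheet, EOF.
SAMPLE_STREAM = (
    struct.pack("<HH", 0x0809, 16) + b"\x00" * 16   # BOF; contents irrelevant to this check
    + boundsheet("Sheet1", 0, 0x00)
    + boundsheet("Macro1", 2, 0x01)
    + struct.pack("<HH", 0x000A, 0)                 # EOF
)

if __name__ == "__main__":
    for s in find_hidden_macro_sheets(SAMPLE_STREAM):
        print(f"suspicious: sheet {s.name!r} is a {s.kind} and is {s.state}")
```

A "very hidden" state (2) cannot be undone from the Excel UI, which is why it is the common choice in XLM droppers and why it is worth reporting separately from a merely hidden sheet.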
Signature | Evidence
---|---
Office process drops PE file | File created ×2
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc) | Memory allocated ×2
Detected potential crypto function | Code function: 6_2_00125F16, 6_2_00123A14, 6_2_00121B1E, 6_2_0012150C, 6_2_00125A25, 6_2_00125378, 6_2_00125262, 6_2_00122566, 6_2_00121967, 6_2_00122A69, 6_2_001292B2, 6_2_001231B3, 6_2_001288BA, 6_2_00123FAB, 6_2_00122FAF, 6_2_00121CD0, 6_2_001227D4, 6_2_001243D8, 6_2_001213C5
Document contains embedded VBA macros | OLE indicator, VBA macros
Yara signature match | Matched rule ×2
(unnamed signature) | Binary or memory string
(unnamed signature) | Classification label
(unnamed signature) | File created ×2
(unnamed signature) | OLE indicator, Workbook stream
(unnamed signature) | File read
(unnamed signature) | Key opened
(unnamed signature) | Process created
(unnamed signature) | Virustotal, Metadefender, ReversingLabs
(unnamed signature) | Process created ×13
(unnamed signature) | Automated click ×4
(unnamed signature) | Window detected
(unnamed signature) | Key opened
(unnamed signature) | File opened
Data Obfuscation:
Signature | Evidence
---|---
Uses code obfuscation techniques (call, push, ret) | Code function: 6_2_00125F7B, 6_2_00125F94, 6_2_00125FDD, 6_2_0012604B, 6_2_00126124, 6_2_0012614F, 6_2_0012625E, 6_2_001262B5, 6_2_00126343, 6_2_0012635D, 6_2_00126368, 6_2_00126385, 6_2_001263B4, 6_2_00126483, 6_2_001264F2, 6_2_001264FE, 6_2_0012650A, 6_2_00126567, 6_2_001265A9, 6_2_00126610, 6_2_00126685, 6_2_001266C2, 6_2_001266E8, 6_2_00126781, 6_2_001267B6, 6_2_0012684C, 6_2_00126858, 6_2_00126926, 6_2_00126945, 6_2_00126951, 6_2_001269D6
Persistence and Installation Behavior:
Signature | Evidence
---|---
Drops PE files | File created ×2
Drops PE files to the user directory | File created
Drops files with a non-matching file extension (content does not match file extension) | File created ×2
Boot Survival:
Signature | Evidence
---|---
Drops PE files to the user root directory | File created
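The four "Drops PE files ..." signatures in the Persistence and Boot Survival sections above all derive from the same two facts about a dropped file: whether its bytes are a PE image, and where on disk it landed. The classifier below is an added example written for this report, not Joe Sandbox's signature code. It checks the DOS header, follows e_lfanew to the "PE\0\0" signature, and compares that verdict against the file extension and a C:\Users\<name> path layout; the PE bytes and paths are constructed inline, and the extension list and path convention are this example's assumptions.

```python
"""Classify a dropped file against the 'Drops PE files' signature family.

Added example; not code from the Joe Sandbox report. The PE test reads the
DOS header and the PE signature at e_lfanew; the path tests assume the
Windows profile layout C:\\Users\\<name>\\... . fake_pe() is a fixture.
"""
import struct
from pathlib import PureWindowsPath

# Extensions under which a PE image is not a mismatch (assumption of this example).
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv"}


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_drop(path: str, data: bytes) -> list:
    """Return the signature names from the report that this dropped file would trigger."""
    hits = []
    if not is_pe(data):
        return hits
    hits.append("Drops PE files")
    p = PureWindowsPath(path)
    if p.suffix.lower() not in PE_EXTENSIONS:
        hits.append("Drops files with a non-matching file extension")
    parts = p.parts                        # ('C:\\', 'Users', '<name>', ...)
    if len(parts) >= 4 and parts[1].lower() == "users":
        hits.append("Drops PE files to the user directory")
        if len(parts) == 4:                # directly inside C:\Users\<name>\
            hits.append("Drops PE files to the user root directory")
    return hits


def fake_pe() -> bytes:
    """Minimal constructed PE header: 'MZ' stub, e_lfanew = 0x40, then the PE signature."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    for path in (r"C:\Users\victim\AppData\Local\Temp\update.txt",
                 r"C:\Users\victim\sample.exe",
                 r"C:\Windows\Temp\lib.dll"):
        print(path, "->", classify_drop(path, fake_pe()))
```

The content check, not the extension, is what makes the signature useful: a loader that writes its payload as .txt or .dat and later hands it to regsvr32 or rundll32 shows up here even though nothing about the filename looks executable.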
Hooking and other Techniques for Hiding and Protection:
Signature | Evidence
---|---
Yara detected Ursnif | File source ×2
(unnamed signature) | Process information set ×37
Malware Analysis System Evasion:
Signature | Evidence
---|---
Found a high number of Window / User specific system calls (may be a loop to detect user behavior) | Window / User API
Found dropped PE file which has not been started or loaded | Dropped PE file which has not been started
Anti Debugging:
Signature | Evidence
---|---
Contains functionality to read the PEB | Code function: 6_2_00122A69
HIPS / PFW / Operating System Protection Evasion:
Signature | Evidence
---|---
Yara detected hidden Macro 4.0 in Excel | File source
Creates a process in suspended mode (likely to inject code) | Process created
Yara detected Xls With Macro 4.0 | File source
Stealing of Sensitive Information:
Signature | Evidence
---|---
Yara detected Ursnif | File source ×2
Remote Access Functionality:
Signature | Evidence
---|---
Yara detected Ursnif | File source ×2
IP | Domain | Country | ASN | ASN Name | Malicious
---|---|---|---|---|---
207.174.213.126 | vts.us.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
198.50.218.68 | comosairdoburaco.com.br | Canada | 16276 | OVHFR | false
162.241.62.4 | mundotecnologiasolar.com | United States | 46606 | UNIFIEDLAYER-AS-1US | false
5.100.155.169 | ponchokhana.com | United Kingdom | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
192.185.129.4 | accesslinksgroup.com | United States | 46606 | UNIFIEDLAYER-AS-1US | false
Domain | IP | Active
---|---|---
mundotecnologiasolar.com | 162.241.62.4 | true |
accesslinksgroup.com | 192.185.129.4 | true |
ponchokhana.com | 5.100.155.169 | true |
vts.us.com | 207.174.213.126 | true |
comosairdoburaco.com.br | 198.50.218.68 | true |