Analysis Report Attachment_32954.vbs
Overview
General Information
Detection
Ursnif
| Field | Value |
|---|---|
| Score | 92 |
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 100% |
Signatures
Benign windows process drops PE files
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Deletes itself after installation
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found potential string decryption / allocating functions
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)
Classification
Startup

Malware Configuration

Threatname: Ursnif

| Field | Value |
|---|---|
| RSA Public Key | Xbs4Yk4n2aUcz4nAfmYBHRwWIvRHnuvNCkzGzFhWDffWAD6kAaz2nCrF+u1fBJy8EZGc5Sx4iFpGkK2Uml3/gsvcGmjbZA/KVSRirY7ISIz8qSDXCl7R7DH3QGwTH7G685n2r1rm1yDtD6HT1if24i3j6DsMpQyEccHcvxhbfoMgObXp5CGN5OHsQ+ytis2D |
| c2_domain | api10.laptok.at/api1, golang.feel500.at/api1, go.in100k.at/api1 |
| botnet | 2200 |
| server | 730 |
| serpent_key | hPdaZZCB2qcI31br |
| sleep_time | 10 |
| SetWaitableTimer_value | 1 |
Yara Overview

Memory Dumps

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |

Unpacked PEs

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
Sigma Overview

No Sigma rule has matched

Signature Overview
AV Detection

| Signature | Source | Detail |
|---|---|---|
| Found malware configuration | Malware Configuration Extractor | |
| Multi AV Scanner detection for dropped file | Virustotal | |
| | Metadefender | |
| | ReversingLabs | |
| Multi AV Scanner detection for submitted file | Virustotal | |
| | Metadefender | |
| | ReversingLabs | |
| | Binary string | |
| | Code function | 20_2_00DC3512 |
| | Code function | 20_2_702A088D |
| | File opened | |
| | File opened | |
| | File opened | |
| | File opened | |
| | File opened | |
| | File opened | |
Key, Mouse, Clipboard, Microphone and Screen Capturing

| Signature | Source | Detail |
|---|---|---|
| Yara detected Ursnif | File source | |
| | File source | |
| | File source | |
E-Banking Fraud

| Signature | Source | Detail |
|---|---|---|
| Yara detected Ursnif | File source | |
| | File source | |
| | File source | |
| | Code function | 20_2_7025161B |
| | Code function | 20_2_702515D9 |
| | Code function | 20_2_702523C5 |
| | Code function | 20_2_00DC11A9 |
| | Code function | 20_2_00DCB159 |
| | Code function | 20_2_702521A4 |
| | Code function | 20_2_00DC28E9 |
| | Code function | 20_2_00DCAF34 |
| | Code function | 20_2_702A466E |
| | Code function | 20_2_70290FE0 |
| | Code function | 20_2_702A7120 |
| | Code function | 20_2_7029BA3F |
| | Code function | 20_2_702AA29E |
| | Code function | 20_2_702AA3BE |
| | Code function | 20_2_702A75B8 |
| | Code function | 20_2_7029B7DA |
| | Code function | 20_2_702AB7DF |
| | Dropped File | |
| | Code function | |
| | Initial sample | |
| | Static PE information | |
| | Classification label | |
| | Code function | 20_2_00DC31DD |
| | File created | |
| | Process created | |
| | File read | |
| | Key opened | |
| | Process created | |
| | Virustotal | |
| | Metadefender | |
| | ReversingLabs | |
| | Process created | |
| | Process created | |
| | Process created | |
| | Process created | |
| | Process created | |
| | Key value queried | |
| | Static file information | |
| | Binary string | |
Data Obfuscation

| Signature | Source | Detail |
|---|---|---|
| VBScript performs obfuscated calls to suspicious functions | Anti Malware Scan Interface | |