Windows Analysis Report a3.exe

Overview

General Information

Sample Name: a3.exe
Analysis ID: 498881
MD5: 0cc6d274cd84b593210168f51fcd38cd
SHA1: 666fc3963609f4aff528b9a32f7516feebaa6ddf
SHA256: a3bdb9880bf419f2023e4015545c6c72835dbc5c68cd14fd81d35220bf9449fa
Tags: exe

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Machine Learning detection for sample
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Queries the installation date of Windows
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
IP address seen in connection with other malware

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: a3.exe Avira: detected
Found malware configuration
Source: 00000000.00000002.576428660.0000000003410000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "vM/iQI7/pNgGz6lvtI6TzQegGf2XOLfA1qF/UUWP33fhMhAMf4GRSOJmruKfOpClZgy8d4EH5nDffMSHLLCNtrR+dtN+DP25KSbfLihidE/SjbLI0hsotYZGCDBmkB8RgNy5kRipILXyv4cW0eYiLVm2e5VaCkdKBqotkaZ6t0ybzDTZn1t0o5nqHQOYtQRW", "c2_domain": ["api5.feen007.at/webstore"], "botnet": "3500", "server": "550", "serpent_key": "IpNvMMQa29KhBf3e", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}
Multi AV Scanner detection for submitted file
Source: a3.exe Virustotal: Detection: 79%
Source: a3.exe ReversingLabs: Detection: 89%
Machine Learning detection for sample
Source: a3.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.a3.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.0.a3.exe.400000.0.unpack Avira: Label: TR/Crypt.Agent.dffnu
Source: 0.3.a3.exe.4e00000.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.a3.exe.3410e50.1.unpack Avira: Label: TR/Patched.Ren.Gen

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\a3.exe Unpacked PE file: 0.2.a3.exe.400000.0.unpack
Uses 32bit PE files
Source: a3.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\a3.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: C:\Users\user\Desktop\a3.exe Code function: 0_2_04F63EED Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 0_2_04F63EED

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49751 -> 87.106.18.141:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49751 -> 87.106.18.141:80
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ONEANDONE-ASBrauerstrasse48DE
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 87.106.18.141
Source: msapplication.xml0.7.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xdbe7901a,0x01d7bbd1</date><accdate>0xdbe7901a,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.7.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xdbe7901a,0x01d7bbd1</date><accdate>0xdbe7901a,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.7.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xdbf84054,0x01d7bbd1</date><accdate>0xdbf84054,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.7.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xdbf84054,0x01d7bbd1</date><accdate>0xdbf84054,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.7.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xdbf84054,0x01d7bbd1</date><accdate>0xdbf84054,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.7.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xdbf84054,0x01d7bbd1</date><accdate>0xdbf84054,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: {063EC3E5-27C5-11EC-90E9-ECF4BB862DED}.dat.7.dr, ~DF1728008F459C4534.TMP.7.dr String found in binary or memory: http://api5.feen007.at/webstore/DcjIiNGkOSL0_2FzFS0SI/7PtL4T1ixNrirqXI/ZpdUtfjmbk9XGDI/gk7_2BOWav_2F
Source: msapplication.xml.7.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.7.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.7.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.7.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.7.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.7.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.7.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.7.dr String found in binary or memory: http://www.youtube.com/
Source: unknown DNS traffic detected: queries for: api5.feen007.at
Source: global traffic HTTP traffic detected: GET /webstore/DcjIiNGkOSL0_2FzFS0SI/7PtL4T1ixNrirqXI/ZpdUtfjmbk9XGDI/gk7_2BOWav_2FtIxdS/vSo3lpggS/jgk05AsnNx5dVlLwmu_2/FAFwkzA53QftC8xz3wT/fnjkouYQNR37gBMDH6qXvg/zMFbyF4s1JmGD/y5Fu3aSV/TmUAsAO_2BZNh80x_2FL9QD/SJCaUL6t8y/cM9WgnTGqUY3ueTtK/VgEDjaagDntZ/uB1lRFThucd/4921ywV6NYjMkC/jnp_2BoOlFuQm1snVe_0A/_0DPF5OO0IeFwPM_/2FxPK7FahYNj2AP/3bZ4D9BzvVH_2BCtQdVgfC/l HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api5.feen007.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api5.feen007.atConnection: Keep-Alive

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.357686500.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.357510029.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.357882018.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.357642343.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.357596269.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.357766814.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.578307195.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.357549475.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.357827984.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: a3.exe PID: 6712, type: MEMORYSTR
Source: Yara match File source: 0.2.a3.exe.56294a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.a3.exe.4f60000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.578224187.0000000005629000.00000004.00000040.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.357686500.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.357510029.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.357882018.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.357642343.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.357596269.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.357766814.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.578307195.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.357549475.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.357827984.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: a3.exe PID: 6712, type: MEMORYSTR
Source: Yara match File source: 0.2.a3.exe.56294a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.a3.exe.4f60000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.578224187.0000000005629000.00000004.00000040.sdmp, type: MEMORY

System Summary:

Writes or reads registry keys via WMI
Source: C:\Users\user\Desktop\a3.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\Desktop\a3.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\a3.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\a3.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\Desktop\a3.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\a3.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\a3.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Uses 32bit PE files
Source: a3.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Detected potential crypto function
Source: C:\Users\user\Desktop\a3.exe Code function: 0_2_04F6AEE4 0_2_04F6AEE4
Source: C:\Users\user\Desktop\a3.exe Code function: 0_2_04F62D68 0_2_04F62D68
Source: C:\Users\user\Desktop\a3.exe Code function: 0_2_0041C47A 0_2_0041C47A
Source: C:\Users\user\Desktop\a3.exe Code function: 0_2_0041E35E 0_2_0041E35E
Source: C:\Users\user\Desktop\a3.exe Code function: 0_2_0041CF02 0_2_0041CF02
Source: C:\Users\user\Desktop\a3.exe Code function: 0_2_0041E980 0_2_0041E980
Source: C:\Users\user\Desktop\a3.exe Code function: 0_2_0041C9BE 0_2_0041C9BE
Contains functionality to call native functions
Source: C:\Users\user\Desktop\a3.exe Code function: 0_2_00401000 NtMapViewOfSection, 0_2_00401000
Source: C:\Users\user\Desktop\a3.exe Code function: 0_2_00401147 GetProcAddress,NtCreateSection,memset, 0_2_00401147
Source: C:\Users\user\Desktop\a3.exe Code function: 0_2_04F6104E NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_04F6104E
Source: C:\Users\user\Desktop\a3.exe Code function: 0_2_04F6B105 NtQueryVirtualMemory, 0_2_04F6B105
Source: a3.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: a3.exe Virustotal: Detection: 79%
Source: a3.exe ReversingLabs: Detection: 89%
Source: a3.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\a3.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\a3.exe Code function: 0_2_04F6365A CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_04F6365A
Source: unknown Process created: C:\Users\user\Desktop\a3.exe 'C:\Users\user\Desktop\a3.exe'
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6308 CREDAT:17410 /prefetch:2
Source: C:\Users\user\Desktop\a3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF8F568B21079AA7B9.TMP
Source: classification engine Classification label: mal100.troj.evad.winEXE@4/14@1/1
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\a3.exe File opened: C:\Windows\SysWOW64\msvcr100.dll

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\a3.exe Unpacked PE file: 0.2.a3.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\a3.exe Unpacked PE file: 0.2.a3.exe.400000.0.unpack
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\a3.exe Code function: 0_2_04F6AED3 push ecx; ret 0_2_04F6AEE3
Source: C:\Users\user\Desktop\a3.exe Code function: 0_2_04F6ABA0 push ecx; ret 0_2_04F6ABA9
Source: initial sample Static PE information: section name: .text entropy: 7.38003707514

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.357686500.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.357510029.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.357882018.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.357642343.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.357596269.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.357766814.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.578307195.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.357549475.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.357827984.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: a3.exe PID: 6712, type: MEMORYSTR
Source: Yara match File source: 0.2.a3.exe.56294a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.a3.exe.4f60000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.578224187.0000000005629000.00000004.00000040.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\a3.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\a3.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\a3.exe Code function: 0_2_04F63EED Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 0_2_04F63EED
Source: a3.exe, 00000000.00000002.577880943.00000000039F0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: a3.exe, 00000000.00000002.577880943.00000000039F0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: a3.exe, 00000000.00000002.577880943.00000000039F0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: a3.exe, 00000000.00000002.577880943.00000000039F0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\a3.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 0_2_00401ED0
Queries the installation date of Windows
Source: C:\Users\user\Desktop\a3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\a3.exe Code function: 0_2_04F6660B cpuid 0_2_04F6660B
Source: C:\Users\user\Desktop\a3.exe Code function: 0_2_00401A35 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_00401A35
Source: C:\Users\user\Desktop\a3.exe Code function: 0_2_00419FF0 LoadLibraryExA,CreateNamedPipeA,GetVersionExA,DeactivateActCtx,WriteFile,WritePrivateProfileStructA,IsDBCSLeadByteEx,SetFileApisToOEM,TlsGetValue,GetThreadPriority, 0_2_00419FF0
Source: C:\Users\user\Desktop\a3.exe Code function: 0_2_00401497 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_00401497
Source: C:\Users\user\Desktop\a3.exe Code function: 0_2_04F6660B wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 0_2_04F6660B

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.357686500.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.357510029.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.357882018.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.357642343.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.357596269.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.357766814.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.578307195.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.357549475.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.357827984.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: a3.exe PID: 6712, type: MEMORYSTR
Source: Yara match File source: 0.2.a3.exe.56294a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.a3.exe.4f60000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.578224187.0000000005629000.00000004.00000040.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.357686500.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.357510029.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.357882018.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.357642343.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.357596269.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.357766814.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.578307195.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.357549475.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.357827984.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: a3.exe PID: 6712, type: MEMORYSTR
Source: Yara match File source: 0.2.a3.exe.56294a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.a3.exe.4f60000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.578224187.0000000005629000.00000004.00000040.sdmp, type: MEMORY