Loading... Additional Content is being loaded
Windows Analysis Report SwFlsh32.exe
Overview
General Information
| Sample Name: | SwFlsh32.exe (renamed file extension from exe to dll) |
| Analysis ID: | 551599 |
| MD5: | 4081fd95a87905a998b314f7bb4e8b14 |
| SHA1: | e9644e9686e3d5bc0f94099359520506722e601f |
| SHA256: | 45f11d97a8ed1a9215e9c6c8d44335229e17bd63bb0a48abcc8c2a02dca241c4 |
| Tags: | exe |
| Infos: | |
|
Most interesting Screenshot:  |
|
Detection
Ursnif
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Sigma detected: Suspicious Call by Ordinal
Writes registry values via WMI
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Registers a DLL
PE / OLE file has an invalid certificate
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Classification
AV Detection: |
  |
|---|
| Found malware configuration |
| Source: |
Malware Configuration Extractor: |
||
| Multi AV Scanner detection for submitted file |
| Source: |
Virustotal: |
Perma Link | ||
| Source: |
Metadefender: |
Perma Link | ||
| Source: |
ReversingLabs: |
|||
| Antivirus or Machine Learning detection for unpacked file |
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
Cryptography: |
|
|---|
| Uses Microsoft's Enhanced Cryptographic Provider |
| Source: |
Code function: |
0_2_034F4872 | |
| Source: |
Code function: |
2_2_04B94872 | |
| Source: |
Code function: |
3_2_00FA4872 | |
| Source: |
Code function: |
4_2_051E4872 | |
Compliance: |
|
|---|
| Uses 32bit PE files |
| Source: |
Static PE information: |
||
| Source: |
File opened: |
Jump to behavior | ||
Networking: |
|
|---|
| Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) |
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| System process connects to network (likely due to code injection or exploit) |
| Source: |
Network Connect: |
Jump to behavior | ||
| Source: |
Domain query: |
|||
| Source: |
Domain query: |
|||
| Source: |
Network Connect: |
Jump to behavior | ||
| Source: |
Network Connect: |
Jump to behavior | ||
| Source: |
Domain query: |
|||
| Source: |
Network Connect: |
Jump to behavior | ||
| Internet Provider seen in connection with other malware |
| Source: |
ASN Name: |
||
| Source: |
ASN Name: |
||
| IP address seen in connection with other malware |
| Source: |
IP Address: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
DNS traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
Key, Mouse, Clipboard, Microphone and Screen Capturing: |
|
|---|
| Yara detected Ursnif |
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Creates a DirectInput object (often for capturing keystrokes) |
| Source: |
Binary or memory string: |
||
E-Banking Fraud: |
|
|---|
| Yara detected Ursnif |
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
Code function: |
0_2_034F4872 | |
| Source: |
Code function: |
2_2_04B94872 | |
| Source: |
Code function: |
3_2_00FA4872 | |
| Source: |
Code function: |
4_2_051E4872 | |
System Summary: |
|
|---|
| Writes or reads registry keys via WMI |
| Source: |
WMI Queries: |
||
| Source: |
WMI Queries: |
||
| Source: |
WMI Queries: |
||
| Source: |
WMI Queries: |
||
| Source: |
WMI Queries: |
||
| Source: |
WMI Queries: |
||
| Source: |
WMI Queries: |
||
| Source: |
WMI Queries: |
||
| Writes registry values via WMI |
| Source: |
WMI Registry write: |
||
| Source: |
WMI Registry write: |
||
| Source: |
WMI Registry write: |
||
| Source: |
WMI Registry write: |
||
| Source: |
WMI Registry write: |
||
| Source: |
WMI Registry write: |
||
| Source: |
WMI Registry write: |
||
| Source: |
WMI Registry write: |
||
| Source: |
WMI Registry write: |
||
| Source: |
WMI Registry write: |
||
| Source: |
WMI Registry write: |
||
| Source: |
WMI Registry write: |
||
| Uses 32bit PE files |
| Source: |
Static PE information: |
||
| Detected potential crypto function |
| Source: |
Code function: |
0_2_10002244 | |
| Source: |
Code function: |
0_2_034F81DC | |
| Source: |
Code function: |
0_2_034F6C62 | |
| Source: |
Code function: |
0_2_034F4EF3 | |
| Source: |
Code function: |
2_2_04B94EF3 | |
| Source: |
Code function: |
2_2_04B96C62 | |
| Source: |
Code function: |
2_2_04B981DC | |
| Source: |
Code function: |
3_2_00FA4EF3 | |
| Source: |
Code function: |
3_2_00FA6C62 | |
| Source: |
Code function: |
3_2_00FA81DC | |
| Source: |
Code function: |
3_1_10002244 | |
| Source: |
Code function: |
4_2_051E81DC | |
| Source: |
Code function: |
4_2_051E6C62 | |
| Source: |
Code function: |
4_2_051E4EF3 | |
| Source: |
Code function: |
4_2_032F0DF9 | |
| Source: |
Code function: |
4_2_032F0DF7 | |
| Contains functionality to call native functions |
| Source: |
Code function: |
0_2_10001F61 | |
| Source: |
Code function: |
0_2_10001077 | |
| Source: |
Code function: |
0_2_100012BE | |
| Source: |
Code function: |
0_2_10002465 | |
| Source: |
Code function: |
0_2_034F77BB | |
| Source: |
Code function: |
0_2_034F8401 | |
| Source: |
Code function: |
2_2_04B977BB | |
| Source: |
Code function: |
2_2_04B98401 | |
| Source: |
Code function: |
3_2_00FA77BB | |
| Source: |
Code function: |
3_2_00FA8401 | |
| Source: |
Code function: |
3_1_10001077 | |
| Source: |
Code function: |
3_1_100012BE | |
| Source: |
Code function: |
3_1_10001F61 | |
| Source: |
Code function: |
3_1_10002465 | |
| Source: |
Code function: |
4_2_051E77BB | |
| Source: |
Code function: |
4_2_051E8401 | |
| Source: |
Code function: |
4_2_032F0ABA | |
| Source: |
Code function: |
4_2_032F08B7 | |
| Source: |
Code function: |
4_2_032F0880 | |
| Sample file is different than original file name gathered from version info |
| Source: |
Binary or memory string: |
||
| PE file contains strange resources |
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Tries to load missing DLLs |
| Source: |
Section loaded: |
Jump to behavior | ||
| PE / OLE file has an invalid certificate |
| Source: |
Static PE information: |
||
| Source: |
Virustotal: |
||
| Source: |
Metadefender: |
||
| Source: |
ReversingLabs: |
||
| Source: |
Static PE information: |
||
| Source: |
Key opened: |
Jump to behavior | ||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Key value queried: |
Jump to behavior | ||
| Source: |
File created: |
Jump to behavior | ||
| Source: |
File created: |
Jump to behavior | ||
| Source: |
Classification label: |
||
| Source: |
File read: |
Jump to behavior | ||
| Source: |
Code function: |
0_2_034F2AB4 | |
| Source: |
Process created: |
||
| Source: |
File read: |
Jump to behavior | ||
| Source: |
File read: |
Jump to behavior | ||
| Source: |
File read: |
Jump to behavior | ||
| Source: |
File read: |
Jump to behavior | ||
| Source: |
File read: |
Jump to behavior | ||
| Source: |
File read: |
Jump to behavior | ||
| Source: |
File read: |
Jump to behavior | ||
| Source: |
File read: |
Jump to behavior | ||
| Source: |
File read: |
Jump to behavior | ||
| Source: |
File read: |
Jump to behavior | ||
| Source: |
File read: |
Jump to behavior | ||
| Source: |
File read: |
Jump to behavior | ||
| Source: |
Window detected: |
||
| Source: |
File opened: |
Jump to behavior | ||
Data Obfuscation: |
|
|---|
| Uses code obfuscation techniques (call, push, ret) |
| Source: |
Code function: |
0_2_10002243 | |
| Source: |
Code function: |
0_2_1000C83C | |
| Source: |
Code function: |
0_2_1000C152 | |
| Source: |
Code function: |
0_2_1000B964 | |
| Source: |
Code function: |
0_2_1000C480 | |
| Source: |
Code function: |
0_2_1000C3CD | |
| Source: |
Code function: |
0_2_100021E9 | |
| Source: |
Code function: |
0_2_034F81DB | |
| Source: |
Code function: |
0_2_034F7DE9 | |
| Source: |
Code function: |
2_2_04B97DE9 | |
| Source: |
Code function: |
2_2_04B981DB | |
| Source: |
Code function: |
3_2_00FA7DE9 | |
| Source: |
Code function: |
3_2_00FA81DB | |
| Source: |
Code function: |
3_1_10002243 | |
| Source: |
Code function: |
3_1_1000C83C | |
| Source: |
Code function: |
3_1_1000C480 | |
| Source: |
Code function: |
3_1_1000C152 | |
| Source: |
Code function: |
3_1_1000B964 | |
| Source: |
Code function: |
3_1_1000C3CD | |
| Source: |
Code function: |
3_1_100021E9 | |
| Source: |
Code function: |
4_2_051E81DB | |
| Source: |
Code function: |
4_2_051E7DE9 | |
| Source: |
Code function: |
4_2_032F0C10 | |
| Source: |
Code function: |
4_2_032F0C56 | |
| Source: |
Code function: |
4_2_032F087F | |
| Source: |
Code function: |
4_2_032F0B11 | |
| Source: |
Code function: |
4_2_032F0B11 | |
| Source: |
Code function: |
4_2_032F0A65 | |
| Source: |
Code function: |
4_2_032F0AB9 | |
| Source: |
Code function: |
4_2_032F0B11 | |
| Source: |
Code function: |
4_2_032F0BFB | |
| Contains functionality to dynamically determine API calls |
| Source: |
Code function: |
0_2_10001BE8 | |
| PE file contains an invalid checksum |
| Source: |
Static PE information: |
||
| Registers a DLL |
| Source: |
Process created: |
||
Hooking and other Techniques for Hiding and Protection: |
|
|---|
| Yara detected Ursnif |
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Monitors certain registry keys / values for changes (often done to protect autostart functionality) |
| Source: |
Registry key monitored for changes: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
Malware Analysis System Evasion: |
|
|---|
| Found evasive API chain (may stop execution after checking system information) |
| Source: |
Evasive API call chain: |
||
| May sleep (evasive loops) to hinder dynamic analysis |
| Source: |
Thread sleep time: |
Jump to behavior | ||
| Found evasive API chain checking for process token information |
| Source: |
Check user administrative privileges: |
||
| Source: |
Check user administrative privileges: |
||
| Source: |
Check user administrative privileges: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
Anti Debugging: |
|
|---|
| Found API chain indicative of debugger detection |
| Source: |
Debugger detection routine: |
||
| Contains functionality to dynamically determine API calls |
| Source: |
Code function: |
0_2_10001BE8 | |
| Contains functionality to read the PEB |
| Source: |
Code function: |
4_2_032F0B14 | |
| Source: |
Code function: |
4_2_032F0BFC | |
| Source: |
Code function: |
4_2_032F0C57 | |
| Source: |
Code function: |
4_2_032F08B7 | |
| Source: |
Code function: |
4_2_032F0CE8 | |
HIPS / PFW / Operating System Protection Evasion: |
|
|---|
| System process connects to network (likely due to code injection or exploit) |
| Source: |
Network Connect: |
Jump to behavior | ||
| Source: |
Domain query: |
|||
| Source: |
Domain query: |
|||
| Source: |
Network Connect: |
Jump to behavior | ||
| Source: |
Network Connect: |
Jump to behavior | ||
| Source: |
Domain query: |
|||
| Source: |
Network Connect: |
Jump to behavior | ||
| Creates a process in suspended mode (likely to inject code) |
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
Language, Device and Operating System Detection: |
|
|---|
| Contains functionality to query CPU information (cpuid) |
| Source: |
Code function: |
0_2_034F21BC | |
| Source: |
Key value queried: |
Jump to behavior | ||
| Source: |
Code function: |
0_2_10001DCF | |
| Source: |
Code function: |
0_2_1000169C | |
| Source: |
Code function: |
0_2_034F21BC | |
Stealing of Sensitive Information: |
|
|---|
| Yara detected Ursnif |
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
Remote Access Functionality: |
|
|---|
| Yara detected Ursnif |
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Contacted Public IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 31.41.45.66 | mmmmmm.bar | Russian Federation | 56577 | ASRELINKRU | true | |
| 198.54.117.210 | unknown | United States | 22612 | NAMECHEAP-NETUS | true | |
| 162.255.119.219 | mmmmmm.casa | United States | 22612 | NAMECHEAP-NETUS | true | |
| 198.54.117.212 | unknown | United States | 22612 | NAMECHEAP-NETUS | true | |
| 198.54.117.215 | parkingpage.namecheap.com | United States | 22612 | NAMECHEAP-NETUS | false | |
| 198.54.117.216 | unknown | United States | 22612 | NAMECHEAP-NETUS | true |
Private |
|---|
| IP |
|---|
| 192.168.2.1 |
Contacted Domains
| Name | IP | Active |
|---|---|---|
| mmmmmm.bar | 31.41.45.66 | true |
| parkingpage.namecheap.com | 198.54.117.215 | true |
| mmmmmm.casa | 162.255.119.219 | true |
| www.mmmmmm.casa | unknown | unknown |
Contacted URLs
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown | |
| true |
|
unknown |