Windows
Analysis Report
gnAYDP69br2v.vbs
Overview
General Information
Detection
Ursnif
Field | Value
---|---
Score | 100
Range | 0 - 100
Whitelisted | false
Confidence | 100%
Signatures
Found malware configuration
Benign windows process drops PE files
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Antivirus detection for dropped file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Creates processes via WMI
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Deletes itself after installation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Abnormal high CPU Usage
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
AV process strings found (often used to terminate AV products)
Java / VBScript file with very long strings (likely obfuscated code)
PE file contains an invalid checksum
Drops PE files
Contains functionality to read the PEB
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Launches processes in debugging mode, may be used to hinder debugging
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Found WSH timer for Javascript or VBS script (likely evasive script)
Classification
- System is w10x64
- wscript.exe (PID: 6536, cmdline: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\gnAYDP69br2v.vbs", MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
- WmiPrvSE.exe (PID: 6620, cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding, MD5: A782A4ED336750D10B3CAF776AFE8E70)
- rundll32.exe (PID: 6788, cmdline: rundll32 C:\Users\user\AppData\Local\Temp\melange.yuv,DllRegisterServer, MD5: 73C519F050C20580F8A62C849D49215A)
- rundll32.exe (PID: 6772, cmdline: rundll32 C:\Users\user\AppData\Local\Temp\melange.yuv,DllRegisterServer, MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
- cleanup
{"lang_id": "RU, CN", "RSA Public Key": "YH51zbw68XXolzw8uQmujXgr7vnasuZcFgH7AJ2kGBzL4PhjIyVzy5MDJsglBibg5h0RNR44WiefAtoK6SAdWueylFfdzQd683oCOk4rKCggPtdTeSl7hrve2I0aDaCBkoeiOxpSRC00pY0DaAjoBH1DxdU5ti0d0lMA4aqyGSJ+NcMQxJbjly/3eM1JgxTeRv8qfeoCn1t6fo9nKZliSXvxzEf8TXf46mNAineKBDDVsAYvylxjeMV9NuQnAN5bCZLiyp7C5x9eiMqtTEAUnFh9cMrGskg6XvfPGY7auFDj9EDMWtYHKhgHVdRDPVkTTSsGy44FUesZ+6Z4Xw7vU9rgofRZORY0rQQe0OFqz4s=", "c2_domain": ["gtr.antoinfer.com", "app.bighomegl.at"], "botnet": "2500", "server": "580", "serpent_key": "gX5RILpAQgp3pEaS", "sleep_time": "5", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "1"}
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
 | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |

Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
 | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
 | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
 | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
 | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
No Sigma rule has matched
AV Detection

Source | Detail
---|---
Malware Configuration Extractor |
Avira |
Binary string |
Code function | 23_2_7000EEA1

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source | Detail
---|---
File source | 7 matches

E-Banking Fraud

Source | Detail
---|---
File source | 7 matches

Source | Detail
---|---
Code function | 23_2_6FFA2274
Code function | 23_2_7000CA4A
Code function | 23_2_70003761
Code function |
Code function | 23_2_6FFA14FE
Code function | 23_2_6FFA1B4A
Code function | 23_2_6FFA1382
Code function | 23_2_6FFA2495
Process Stats |
Initial sample |
Key opened |
Process created | 6 entries
Key value queried |
WMI Queries | 3 entries
File created |
Classification label |
Process created | 2 entries
Static file information |
Binary string |

Data Obfuscation

Source | Detail
---|---
Anti Malware Scan Interface |