Windows
Analysis Report
OojqjHGE0W.exe
Overview
General Information
Detection
Ursnif
Field | Value
---|---
Score | 100
Range | 0 - 100
Whitelisted | false
Confidence | 100%
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Snort IDS alert for network traffic
Writes to foreign memory regions
Writes or reads registry keys via WMI
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Found API chain indicative of debugger detection
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Found evasive API chain (may stop execution after checking system information)
Writes registry values via WMI
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
PE file contains strange resources
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- OojqjHGE0W.exe (PID: 3408, cmdline: "C:\Users\user\Desktop\OojqjHGE0W.exe", MD5: 4ED3FA33609A51BAF209A5954BEF6633)
- InstallUtil.exe (PID: 5584, cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, MD5: EFEC8C379D165E3F33B536739AEE26A3)
- cleanup
Extracted malware configuration:

```json
{"RSA Public Key": "S0cXgkczLn8DzpFkqJkBMx5geC7yniHR4ECyGeVYDO5jsqYVdXE2v679nj0L+4Im3j/P6z1P+Yt1BRosNI7Edvd1U5N0OYNwNVRfWwfbhm6jaX9Kjt9vEFS5dCsKX71jt2XzO+H4zoaN0nbuxJko5Np4J7p0zDkJiLw6HxWp4zGiWIwT2o7vLE3guRMwyRVXO9dkUDWYMn+gWBAKovUuxnaDZD7PIJ/H8zTx3Yz7628+O4pRw2KlIh0/fkIzdLb08ciTd+kW2cM+z/W40SWfyGxExAOJ7AMei6jzcKc68f1Bamsf4QGIbKQz9UqHR5cBlCKpLVi3hYeembcW9ep7oVhTb5Y2TC0ZAzzb/feTdhI=", "c2_domain": ["anm.msn.com", "194.76.225.45", "msi.msn.com", "194.76.225.56"], "botnet": "1700", "server": "50", "serpent_key": "1OoXFPbINCQ6HCAa", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
```
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | 
 | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | 
 | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | 
 | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | 
 | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | 
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | 
 | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | 
 | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | 

No Sigma rule has matched.
Timestamp: | 05/19/22-14:41:40.292996 |
Source IP: | 192.168.2.3 |
Destination IP: | 52.169.118.173 |
SID: | 2033203 |
Source Port: | 49702 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |

Timestamp: | 05/19/22-14:41:40.292996 |
Source IP: | 192.168.2.3 |
Destination IP: | 52.169.118.173 |
SID: | 2033204 |
Source Port: | 49702 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
AV Detection |
---|
Source: Malware Configuration Extractor |
Source: ReversingLabs |
Source: Joe Sandbox ML |
Source: Avira |
Source: Avira |
Source: Avira |
Source: Avira |
Source: Avira |
Source: Avira |
Source: Avira |
Source: Static PE information |
Source: Static PE information |
Source: Binary string |
Source: Binary string |
Source: Binary string |
Networking |
---|
Source: Snort IDS |
Source: Snort IDS |
Source: HTTP traffic detected |
Source: HTTP traffic detected |
Source: String found in binary or memory |
Source: String found in binary or memory |