URL: http://films.amishbrand.com/ncsdlszlfhk

Full analysis: https://app.any.run/tasks/898c99ed-8866-4636-a5f3-840753e1ac04
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Their capabilities vary by family, ranging from full remote control of the victim’s machine to stealing data and files and dropping other malware, so the main functionality of one trojan family can differ significantly from that of another. The most common trojan infection chain starts with a phishing email.

Analysis date: March 31, 2020, 12:00:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags: trojan, gozi, ursnif, dreambot
Indicators:
MD5: 397210435C158E75A1EF0F1F4E44C68B
SHA1: E66A93E5C0508F4B8D0D6CA0C2FDB7ADB539E6DB
SHA256: 020E460C70086E38A61F8355F8790DA80C5FA63E1FA84C2244286DE2A10B429A
SSDEEP: 3:N1KYa2YffO:CYaw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • player.exe (PID: 2860)
    • URSNIF was detected

      • IEXPLORE.EXE (PID: 2260)
      • IEXPLORE.EXE (PID: 996)
    • DREAMBOT was detected

      • IEXPLORE.EXE (PID: 2260)
      • IEXPLORE.EXE (PID: 996)
    • Connects to CnC server

      • IEXPLORE.EXE (PID: 2260)
      • IEXPLORE.EXE (PID: 996)
  • SUSPICIOUS

    • Reads the machine GUID from the registry

      • WinRAR.exe (PID: 2772)
    • Executed via COM

      • iexplore.exe (PID: 1584)
      • iexplore.exe (PID: 3044)
      • iexplore.exe (PID: 2944)
      • iexplore.exe (PID: 2360)
      • iexplore.exe (PID: 2912)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2376)
  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 2900)
      • iexplore.exe (PID: 1584)
      • iexplore.exe (PID: 3044)
      • iexplore.exe (PID: 2944)
      • iexplore.exe (PID: 2912)
      • iexplore.exe (PID: 2360)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2900)
      • iexplore.exe (PID: 1584)
      • iexplore.exe (PID: 3044)
      • iexplore.exe (PID: 2944)
      • iexplore.exe (PID: 2912)
      • iexplore.exe (PID: 2360)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2900)
      • IEXPLORE.EXE (PID: 2800)
      • iexplore.exe (PID: 1584)
      • iexplore.exe (PID: 2944)
      • iexplore.exe (PID: 2360)
    • Reads the machine GUID from the registry

      • iexplore.exe (PID: 2900)
      • iexplore.exe (PID: 1584)
      • iexplore.exe (PID: 3044)
      • iexplore.exe (PID: 2944)
      • iexplore.exe (PID: 2912)
      • iexplore.exe (PID: 2360)
    • Manual execution by user

      • iexplore.exe (PID: 2344)
      • WinRAR.exe (PID: 2376)
      • player.exe (PID: 2860)
    • Creates files in the user directory

      • iexplore.exe (PID: 2900)
      • IEXPLORE.EXE (PID: 2800)
      • IEXPLORE.EXE (PID: 2260)
    • Reads internet explorer settings

      • IEXPLORE.EXE (PID: 2800)
      • IEXPLORE.EXE (PID: 948)
      • IEXPLORE.EXE (PID: 2260)
      • IEXPLORE.EXE (PID: 592)
      • IEXPLORE.EXE (PID: 996)
      • IEXPLORE.EXE (PID: 2988)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 53
Monitored processes: 16
Malicious processes: 4
Suspicious processes: 0

Behavior graph: interactive process tree (iexplore.exe, WinRAR.exe and player.exe nodes; two iexplore.exe nodes tagged #URSNIF), available in the full report.

Process information

PID: 2900
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "http://films.amishbrand.com/ncsdlszlfhk"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 2800
CMD: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2900 CREDAT:267521 /prefetch:2
Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 2772
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\video_596.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: iexplore.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 2344
CMD: "C:\Program Files\Internet Explorer\iexplore.exe"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 2376
CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\video_84.zip" C:\Users\admin\Desktop\
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 2860
CMD: "C:\Users\admin\Desktop\player.exe"
Path: C:\Users\admin\Desktop\player.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM

PID: 1584
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 948
CMD: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1584 CREDAT:267521 /prefetch:2
Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 3044
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 2260
CMD: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3044 CREDAT:267521 /prefetch:2
Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Total events: 3 733
Read events: 3 331
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 1
Suspicious files: 24
Text files: 29
Unknown types: 0

Dropped files

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2900 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF9C520DEBCDF55ECB.TMP | | | |
| 2900 | iexplore.exe | C:\Users\admin\Downloads\video_596.zip.x6uulev.partial:Zone.Identifier | | | |
| 2900 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | | | |
| 2800 | IEXPLORE.EXE | C:\Users\admin\Downloads\video_84.zip.mobe7wq.partial | | | |
| 2900 | iexplore.exe | C:\Users\admin\Downloads\video_84.zip.mobe7wq.partial:Zone.Identifier | | | |
| 2900 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\K20D0F2S.txt | | | |
| 2900 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\FNOX7672.txt | | | |
| 2900 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFE56AA766E6DC904C.TMP | | | |
| 2900 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\StructuredQuery.log | text | 99E33F98CD6FDA980C0B17C75A1007D9 | CBAE4E13E79D48BDCBCE0F7D3485B58F796B055050F9639027C21C41938F38AD |
| 2900 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{3AD1167B-7347-11EA-9BCF-5254004AAD21}.dat | binary | 900A5087D10B182C333D5C976311D227 | 395B4DC07AAD2D8F148369C189117E35D8C1B85EF8CC523C6BC307AD7DC2CB66 |
HTTP(S) requests: 5
TCP/UDP connections: 36
DNS requests: 14
Threats: 0

HTTP requests

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 2260 | IEXPLORE.EXE | GET | 200 | 62.109.31.180:80 | http://link.philippeschellekens.com/images/WCeCLgpQ/N71C9TekWByAluyzgElzvyd/a2ICQRn6_2/FMt5NywWSaw7Y1_2F/tJgC3LQ1eBPg/7kI6t08v_2F/38Gh4PJUciGH3H/V2InDv7UZGVlyGRpSNqEa/SN8a8igMEhIJdMem/aXf6cbT4ehJMl4M/Hc_2FPzCz/uD.avi | RU | html | 925 b | malicious |
| 996 | IEXPLORE.EXE | GET | 200 | 62.109.31.180:80 | http://link.philippeschellekens.com/images/s_2FBdzuAKT0WOG4PC/yvKahUzfn/N_2BxzYx2BNhjer3Nej7/7ohGrUmlP5FLJgerVjs/ypt4i9Qpdlb2RhkWgwMwKt/mdkDD1yajDatQ/pjIvYXCf/80_2BYL9KQcbpi_2BclyJVa/zyqhmVIbw5/vF3ZE_2B_2FH_2BK8/ZPlpL69CGABZ/HyTvmOTzcvW3D/3.avi | RU | html | 925 b | malicious |
| 2800 | IEXPLORE.EXE | GET | 200 | 31.148.99.73:80 | http://films.amishbrand.com/ | RU | compressed | 112 Kb | suspicious |
| 2800 | IEXPLORE.EXE | GET | 200 | 31.148.99.73:80 | http://films.amishbrand.com/ncsdlszlfhk | RU | compressed | 198 b | suspicious |
| 3044 | iexplore.exe | GET | 200 | 62.109.31.180:80 | http://link.philippeschellekens.com/favicon.ico | RU | image | 5.30 Kb | malicious |

Connections

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 2900 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
| 2800 | IEXPLORE.EXE | 13.107.5.80:443 | api.bing.com | Microsoft Corporation | US | whitelisted |
| 2900 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
| 2800 | IEXPLORE.EXE | 31.148.99.73:80 | films.amishbrand.com | MAROSNET Telecommunication Company LLC | RU | suspicious |
| 2900 | iexplore.exe | 204.79.197.203:443 | www.msn.com | Microsoft Corporation | US | whitelisted |
| 2900 | iexplore.exe | 104.92.97.140:443 | go.microsoft.com | Akamai Technologies, Inc. | NL | malicious |
| 1584 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
| 2900 | iexplore.exe | 13.92.246.37:443 | query.prod.cms.msn.com | Microsoft Corporation | US | whitelisted |
| 2360 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
| 2944 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |

DNS requests

| Domain | IP | Reputation |
|---|---|---|
| films.amishbrand.com | 31.148.99.73 | unknown |
| iecvlist.microsoft.com | 152.199.19.161 | whitelisted |
| r20swj13mr.microsoft.com | 152.199.19.161 | whitelisted |
| api.bing.com | 13.107.5.80 | whitelisted |
| www.bing.com | 204.79.197.200 | whitelisted |
| ieonline.microsoft.com | 204.79.197.200 | whitelisted |
| go.microsoft.com | 104.92.97.140 | whitelisted |
| www.msn.com | 204.79.197.203 | whitelisted |
| query.prod.cms.msn.com | 13.92.246.37 | whitelisted |
| mcc.avast.com | | whitelisted |

Threats

| PID | Process | Class | Message |
|---|---|---|---|
| 2260 | IEXPLORE.EXE | A Network Trojan was detected | AV TROJAN Ursnif Variant CnC Beacon 2019-09-18 |
| 2260 | IEXPLORE.EXE | A Network Trojan was detected | MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in |
| 996 | IEXPLORE.EXE | A Network Trojan was detected | AV TROJAN Ursnif Variant CnC Beacon 2019-09-18 |
| 996 | IEXPLORE.EXE | A Network Trojan was detected | MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in |
| 996 | IEXPLORE.EXE | A Network Trojan was detected | MALWARE [PTsecurity] Ursnif |
3 ETPRO signatures available at the full report
No debug info