File name:	G9996757243586095_5678.zip
Full analysis:	https://app.any.run/tasks/dc6f942a-b3b8-48e0-84d9-dc038ae09084
Verdict:	Malicious activity
Threats:	Hancitor was created in 2014 to drop other malware on infected machines. It is also known as Tordal and Chanitor. This malware is available as a service which makes it accessible tools to criminals and contributes to the popularity of this virus. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Ursnif is a banking Trojan that usually infects corporate victims. It is based on an old malware but was substantially updated over the years and became quite powerful. Today Ursnif is one of the most widely spread banking Trojans in the world. Malware Trends Tracker >>>
Analysis date:	December 02, 2019, 20:08:05
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	evasion trojan hancitor gozi ursnif
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract
MD5:	AB8C2A1C3CEB5D3674C055CF7D644B8F
SHA1:	909AB631E9303D805C5F28C19BA0BBBF77F6880B
SHA256:	0A87EB9834F49DE095DF87CE3BE314772D34C95C7DA1A1846A313D58B430FB71
SSDEEP:	3072:hbqGgI895rrRpgCpRSWeOp2wLw5B6+Rsb/UekJxCZ6Eeby7vI:hbqi8/rrRpvTeOp2w6B6c0/UdJxCgtUQ

ZipFileName:	GAM_9996757243586095.vbs
ZipUncompressedSize:	696209
ZipCompressedSize:	180747
ZipCRC:	0x9750ebde
ZipModifyDate:	2019:12:02 22:09:28
ZipCompression:	Deflated
ZipBitFlag:	-
ZipRequiredVersion:	20

PID	CMD	Path	Indicators	Parent process
2104	"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\G9996757243586095_5678.zip"	C:\Program Files\WinRAR\WinRAR.exe	—	explorer.exe
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0
1860	"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\GAM_9996757243586095.vbs"	C:\Windows\System32\WScript.exe		explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385
2412	regsvr32.exe -s C:\Users\admin\AppData\Local\Temp\PbzVeQP.txt	C:\Windows\system32\regsvr32.exe	—	wmiprvse.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft(C) Register Server Exit code: 4 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
988	-s C:\Users\admin\AppData\Local\Temp\PbzVeQP.txt	C:\Windows\SysWOW64\regsvr32.exe	—	regsvr32.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft(C) Register Server Exit code: 4 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2304	C:\Windows\System32\svchost.exe	C:\Windows\SysWOW64\svchost.exe		regsvr32.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Host Process for Windows Services Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2376	C:\Users\admin\AppData\Local\Temp\BNBA83.tmp	C:\Users\admin\AppData\Local\Temp\BNBA83.tmp		svchost.exe
User: admin Integrity Level: MEDIUM
328	"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding	C:\Program Files\Internet Explorer\iexplore.exe		svchost.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
2924	"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:328 CREDAT:267521 /prefetch:2	C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE		iexplore.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
1928	"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding	C:\Program Files\Internet Explorer\iexplore.exe		svchost.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
1084	"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1928 CREDAT:267521 /prefetch:2	C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE		iexplore.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID	Process	Filename		Type
2104	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2104.31507\GAM_9996757243586095.vbs		—
		MD5:—	SHA256:—
1860	WScript.exe	C:\Users\admin\AppData\Local\Temp\FEN.txt		—
		MD5:—	SHA256:—
328	iexplore.exe	C:\Users\admin\AppData\Local\Temp\~DF1B3CEA71E2E7D8B5.TMP		—
		MD5:—	SHA256:—
328	iexplore.exe	C:\Users\admin\AppData\Local\Temp\~DFCF39638071B2824C.TMP		—
		MD5:—	SHA256:—
328	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{97CAF642-153F-11EA-9C27-5254004AAD21}.dat		—
		MD5:—	SHA256:—
1928	iexplore.exe	C:\Users\admin\AppData\Local\Temp\~DF5490426F5ABB25B4.TMP		—
		MD5:—	SHA256:—
1928	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{B13EF116-153F-11EA-9C27-5254004AAD21}.dat		—
		MD5:—	SHA256:—
1928	iexplore.exe	C:\Users\admin\AppData\Local\Temp\~DF05657AA6B6FED584.TMP		—
		MD5:—	SHA256:—
1928	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{B13EF114-153F-11EA-9C27-5254004AAD21}.dat		—
		MD5:—	SHA256:—
2936	iexplore.exe	C:\Users\admin\AppData\Local\Temp\~DF2B8850A5B23021AF.TMP		—
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1928	iexplore.exe	GET	—	8.208.24.139:80	http://8.208.24.139/favicon.ico	US	—	—	malicious
1084	IEXPLORE.EXE	GET	—	8.208.24.139:80	http://foo.fulldin.at/webstore/qpd_2B_2FnCiKEaRvUhB/FY_2BWrXmeb_2Fn5xa4/zKrPjkIcReyLfgsux99_2B/C1hv5MAs6sLjf/SKz7aLdl/s4DMW65KDd8OCpA2l9uEOHi/AGHKY6qxtK/Yckn0w9TiRAu4cPqD/CM1Pqe_2BU_2/FLw2dTI8ZEd/ZXOT0unmJCYzHJ/kV59Z23NzpbCRpz4E7WeS/PZHRzjGzmFcT88y0/TwFp2ERv0nM8ziX/1VFkEtdtmpkInuOIZJ/tfvlzq9Rd/scDgeT9EBKIMfApdYX_0/A_0DshcSOA9DQrvAK6n/Gw4TeGSC3V/y	US	—	—	malicious
328	iexplore.exe	GET	—	8.208.24.139:80	http://8.208.24.139/favicon.ico	US	—	—	malicious
2924	IEXPLORE.EXE	GET	—	8.208.24.139:80	http://foo.fulldin.at/webstore/67nNBcPTc3bXzbkl_2Boi/7UmI4I4aidZLNNv3/yb2dMm0PgnuOCVy/3wmE0PLjh_2FhZ29_2/B8i58Stfx/5fHhoaxu_2FqvLK_2Fm3/7K6KB3HIh_2Faf01_2B/i3Uie511957PeWM_2FFr6v/5uvyyLKXyW4tf/pA2asl5n/Y0qz9o_2BkDYCNHD6IhHDiA/AyIZou7al_/2F_2ByCEiUY78_2Bo/FjRcMEFYN_2F/cSXbU9fs2yQ/wVuxmJy9aW76UU/_2BFrh0gzr7q01fLfsOza/VJhMwxTnd5U_0A_0/DAcMyoD_2BKgDIr/J_2FnjipUn/yKT_2F_2B/a	US	—	—	malicious
2844	IEXPLORE.EXE	GET	—	8.208.24.139:80	http://foo.fulldin.at/webstore/keABF0EMOyLxt/EunGnqhC/bOJQ_2BSuuzEM3_2BFuH9e3/4cQp26j4tj/d3sYAW8HPL2_2FXJa/lymxZ2v74_2B/q_2BuEdi0p7/rZrBUnyifTox_2/FGYCuJN6BBz7WMeLJGr9k/kv36W8DS2PBUGK3Q/h1eawE_2F78jj9l/etKZXHHVQhtbDibGMw/c1urIJBnL/6xw5cFg_2B9Y8QX3_2Fl/WcHRrq1427bFqxv12KR/o_2BniX5mOLB2YjZSVtE23/7CID4xGjGvIWh/dqx8UD9a/gLn_0A_0DWBG1oYhRwy7Lhp/xnvzsbFei6/Xu	US	—	—	malicious
2448	IEXPLORE.EXE	GET	—	8.208.24.139:80	http://foo.fulldin.at/webstore/O8Q2OaQY1peh_2Bufy0/yJGkXQg_2FR6TR7mk9cF08/rCL_2F6I8vr_2/FS_2FNHs/bvDLtOXEGdcRJas9dwjE_2F/ttd_2BTMOr/W3v1EPm8tatLGBuYB/2lBRct9vZjp9/AF6vuakrO_2/BeA8b8iAw_2F_2/BN81iBg0RgdhmV2Xct_2B/uds5rSGQjgsMCNRy/JEp_2BcNuEj0pyY/Y1tExxE2BQNYbtqOXg/_2Fs6rgoR/CKorw7J_2FblJehEFnVz/xRuzi2zKj7zaueC1wDF/bYVJZ_2F29XVl11_0A_0Dl/biNGu3dL2EnTX/RhfM6b9c/jp4c	US	—	—	malicious
2584	IEXPLORE.EXE	GET	—	8.208.24.139:80	http://foo.fulldin.at/webstore/ZwTUp3FmAgu6uT/XvU0qAlV_2Ff9ERgYTjxZ/hYIUY145wUzLk0s9/bhzOUkYtmgxYDUQ/wVaw6ev8RTzZM_2FWj/IKP2kLJT6/UPOs0FmgyD5vwBSsz1mY/j0x8naGBPQmj1eayfDe/3lTZn6MPJcFknpfpYKDioW/IellS4rCAkZZn/uYPRroJX/6R53gT_2BYKtNq7rO0IHIu1/jKjx_2F8Mi/4WbSUCSM8YxjK898S/Rwei7i73PJot/20zlEc5X8lL/runRrzcdm5Bz_0/A_0DeUUZGKMDaqbJlnq8g/6QfG_2BD/TVe	US	—	—	malicious
3064	IEXPLORE.EXE	GET	—	8.208.24.139:80	http://bat.fulldin.at/webstore/079daTeWWh3UPB/l5a_2FD6WKtx4f8cPUcXn/WG9xWEtVctefS9Vi/iwvjQ1R5ohiHM_2/Fxbjxov8lMepP_2FuW/k9PdVmmpi/syzod_2BTK7OR4SuENvN/mFiqgtF1MYkr_2FPvLb/ky8zvi0eCpNF0vfiXaWm0Z/H_2FI72Q0FLsD/ovHNuRwr/GWjQ9snx0H5xOCNYNxsdN2K/cCJ74gRWgg/f8Rx8BZCvwo3IURR4/m4XYSY6WzKTP/mUSTucXTFnS/_2FphIfjMTiDYk/_2BBAE_0A_0DHpUB5F5g6/bu0niu1ubF4/iIt0To	US	—	—	malicious
1748	IEXPLORE.EXE	GET	—	8.208.24.139:80	http://bat.fulldin.at/webstore/PEOn_2Bbpe/bye5ImGoRVobd7S1D/MoKmNdEf_2Fx/jxmmqVWTlPt/hX15ugakog2pCP/OjVZ6dEpC6Y1O9PEWzNrU/K5buxYZN7q5TPhmF/oph1PH4oaVb0ktt/IIc5o0CD1j1CotcCWr/g9j4gddtp/9zzpOt_2Bbf4oFqr44Ms/uCEgR_2Bvb2mm6_2Bei/w9E03_2FrMqKrKXohC_2B1/kc3EXLy81rOfz/zAAJ9QVF/sUfe2jj_2Fw1FwuQs8EgA_2/FhE5FYwBL4/tYUWg71bo_2FH4_0A/_0DST6sw0RML/3o9LDxBLYbZIxAzT/h	US	—	—	malicious
592	IEXPLORE.EXE	GET	—	8.208.24.139:80	http://bat.fulldin.at/webstore/sOX8yawm1J_2FVZ3/2VS2i9yTVsEOylX/dp8ayZ_2FwiO_2BYQc/_2FUqRL2h/D8wN5Tdm_2Fy6Z0BvlgQ/GkRsGgEVh_2BL2nYvET/x_2B6eYILEoRIKg_2Fvrsl/AePypvQcsQuhZ/893Vbhed/ao9c6C_2F57HtDvCkRFpNAb/6L2wZXn8Z4/MiWewpsZ8lk_2BUQI/sr5D8X6kL9jD/Q0Ns0TuhW2D/RZMk7T_2BELHP0/VNeWnAszzc0e8NbYCD52S/_2BLdMzEvz9IYjls/hyi3KrRz_2FV7w_/0A_0DE4Y4dWi01p128/sxaFUgoBD/bnfD	US	—	—	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
2304	svchost.exe	23.23.83.153:80	api.ipify.org	Amazon.com, Inc.	US	malicious
2304	svchost.exe	178.170.248.82:80	laticivue.com	Electrics Ltd	RU	malicious
2304	svchost.exe	2.57.89.115:80	www.laadlifashionworld.com	—	—	malicious
—	—	8.8.8.8:53	—	Google Inc.	US	whitelisted
328	iexplore.exe	8.208.24.139:80	foo.fulldin.at	Level 3 Communications, Inc.	US	malicious
2924	IEXPLORE.EXE	8.208.24.139:80	foo.fulldin.at	Level 3 Communications, Inc.	US	malicious
2376	BNBA83.tmp	8.8.8.8:53	—	Google Inc.	US	whitelisted
1084	IEXPLORE.EXE	8.208.24.139:80	foo.fulldin.at	Level 3 Communications, Inc.	US	malicious
1748	IEXPLORE.EXE	8.208.24.139:80	foo.fulldin.at	Level 3 Communications, Inc.	US	malicious
328	iexplore.exe	152.199.19.161:443	iecvlist.microsoft.com	MCI Communications Services, Inc. d/b/a Verizon Business	US	whitelisted

Domain	IP	Reputation
api.ipify.org	23.23.83.153 23.21.72.212 23.23.229.94 50.19.218.16 54.225.243.96 54.225.92.64 107.22.249.177 54.243.147.226	shared
laticivue.com	178.170.248.82	malicious
www.laadlifashionworld.com	2.57.89.115	malicious
foo.fulldin.at	8.208.24.139	malicious
bat.fulldin.at	8.208.24.139	malicious
iecvlist.microsoft.com	152.199.19.161	whitelisted
r20swj13mr.microsoft.com	152.199.19.161	whitelisted
ctldl.windowsupdate.com	8.253.95.121 67.27.159.254 67.27.158.254 8.241.121.126 8.241.123.254	whitelisted
crl.microsoft.com	2.16.186.74 2.16.186.120	whitelisted

PID	Process	Class	Message
2304	svchost.exe	Potential Corporate Privacy Violation	ET POLICY External IP Lookup api.ipify.org
2304	svchost.exe	A Network Trojan was detected	MALWARE [PTsecurity] Hancitor POST Data send
2304	svchost.exe	A Network Trojan was detected	MALWARE [PTsecurity] Fareit/Pony/Hancitor Payload (Zeus)
2304	svchost.exe	A Network Trojan was detected	MALWARE [PTsecurity] Hancitor POST Data send
2304	svchost.exe	A Network Trojan was detected	MALWARE [PTsecurity] Hancitor POST Data send
2304	svchost.exe	A Network Trojan was detected	MALWARE [PTsecurity] Hancitor POST Data send
2304	svchost.exe	A Network Trojan was detected	MALWARE [PTsecurity] Hancitor POST Data send
2304	svchost.exe	A Network Trojan was detected	MALWARE [PTsecurity] Hancitor POST Data send
2304	svchost.exe	A Network Trojan was detected	MALWARE [PTsecurity] Hancitor POST Data send
2304	svchost.exe	A Network Trojan was detected	MALWARE [PTsecurity] Hancitor POST Data send

General Info

G9996757243586095_5678.zip

AB8C2A1C3CEB5D3674C055CF7D644B8F

909AB631E9303D805C5F28C19BA0BBBF77F6880B

0A87EB9834F49DE095DF87CE3BE314772D34C95C7DA1A1846A313D58B430FB71

3072:hbqGgI895rrRpgCpRSWeOp2wLw5B6+Rsb/UekJxCZ6Eeby7vI:hbqi8/rrRpvTeOp2w6B6c0/UdJxCgtUQ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Loads dropped or rewritten executable

Uses SVCHOST.EXE for hidden code execution

Connects to CnC server

Application was dropped or rewritten from another process

HANCITOR was detected

URSNIF was detected

SUSPICIOUS

Reads the machine GUID from the registry

Executable content was dropped or overwritten

Executed via WMI

Starts application with an unusual extension

Checks for external IP

Executed via COM

INFO

Manual execution by user

Changes internet zones settings

Reads Internet Cache Settings

Reads the machine GUID from the registry

Reads the hosts file

Reads settings of System Certificates

Reads internet explorer settings

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings