URL: http://films.amishbrand.com/oeiwtodybu

Full analysis: https://app.any.run/tasks/0fe17ba2-1eb5-490c-81ec-5ea689666140
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: March 31, 2020, 09:28:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags: trojan, gozi, ursnif, dreambot

Indicators:
MD5: 4AB50256A16A3415B8481056481A5DF7
SHA1: 0956D33772946ADBD4249CEEEAFD21D2B09FD203
SHA256: 216D331B37A84E9CE88B569D0B6E45B3B0EE455D35F002287EB1CAFEF5E1DA54
SSDEEP: 3:N1KYaC8cw:CYaH3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • player.exe (PID: 2924)
    • DREAMBOT was detected

      • IEXPLORE.EXE (PID: 2552)
    • URSNIF was detected

      • IEXPLORE.EXE (PID: 2552)
    • Connects to CnC server

      • IEXPLORE.EXE (PID: 2552)
  • SUSPICIOUS

    • Reads the machine GUID from the registry

      • WinRAR.exe (PID: 2700)
  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2128)
    • Creates files in the user directory

      • IEXPLORE.EXE (PID: 2552)
      • iexplore.exe (PID: 2128)
    • Manual execution by user

      • player.exe (PID: 2924)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2128)
    • Changes internet zones settings

      • iexplore.exe (PID: 2128)
    • Reads the machine GUID from the registry

      • iexplore.exe (PID: 2128)
    • Reads internet explorer settings

      • IEXPLORE.EXE (PID: 2552)
No Malware configuration.
No data.
Total processes: 41
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Nodes shown in the graph: start, iexplore.exe (#URSNIF), iexplore.exe, winrar.exe (no specs), player.exe (no specs)

Process information

PID 2128
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "http://films.amishbrand.com/oeiwtodybu"
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 2552
  CMD: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2128 CREDAT:267521 /prefetch:2
  Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 2700
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\video_83.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: iexplore.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Exit code: 0
  Version: 5.60.0

PID 2924
  CMD: "C:\Users\admin\Desktop\player.exe"
  Path: C:\Users\admin\Desktop\player.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
Total events: 1 845
Read events: 1 679
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 0
Suspicious files: 19
Text files: 19
Unknown types: 0

Dropped files

PID   Process       Filename
2128  iexplore.exe  C:\Users\admin\AppData\Local\Temp\~DF6499B34295633970.TMP
2128  iexplore.exe  C:\Users\admin\Downloads\video_83.zip.d6z172t.partial:Zone.Identifier
2700  WinRAR.exe    C:\Users\admin\AppData\Local\Temp\Rar$DRb2700.30333\player.exe
2128  iexplore.exe  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\5CUWPEZ2.txt
2128  iexplore.exe  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\HJTR5SYY.txt
2128  iexplore.exe  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\favicon[1].ico
2128  iexplore.exe  C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
2128  iexplore.exe  C:\Users\admin\AppData\Local\Temp\~DF9D44E53ED0365316.TMP
2128  iexplore.exe  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DPYGA0NYRN27EGNCNQ1A.temp
2128  iexplore.exe  C:\Users\admin\Downloads\video_83.zip (type: binary)
      MD5: E499527B08F6E9DB1D542F5844E4847A
      SHA256: 2A29A9B540B99353B75F32B4C0FF0F150EB936C4D3F05DC6C8784BCF700808AB
HTTP(S) requests: 4
TCP/UDP connections: 20
DNS requests: 15
Threats: 0

HTTP requests

PID   Process       Method  HTTP Code  IP                CN  Type    Size     Reputation
2552  IEXPLORE.EXE  GET     200        62.109.31.180:80  RU  html    925 b    malicious
      URL: http://link.philippeschellekens.com/images/K8aoX6ZiJc/hwwebna3VJFThXLoW/APhP5EgU6jG0/_2FVNTjUWS_/2BbaudIWRY5VQu/DkjnvHTEbd_2Bkgn19GGa/NZC6xOZn0iWWP70O/V96ZWVSFOTpcZc_/2FZSx0Cf11xugcnARp/j7QDzCvXq/WTIJH_2F42pq9UU5c7_2/FycwhEnObq6TzeIT1KL/P.avi
2552  IEXPLORE.EXE  GET     200        31.148.99.73:80   RU  binary  113 Kb   suspicious
      URL: http://films.amishbrand.com/oeiwtodybu
2552  IEXPLORE.EXE  GET     200        62.109.31.180:80  RU  html    925 b    malicious
      URL: http://link.philippeschellekens.com/images/fvyL8x_2Fbnuc/qj88njXs/pdiYskNj5REwY7wKsZ0LOYZ/1OXzHMDJFr/1zKGMrKK7NyPbTDef/HNorTktUcCPK/Btnb4mCjttl/BrJzFPsSh63xxI/jQ_2Fpz5tVstWERw_2Bcm/wEpAgGaFAo4Egd0E/ZckkF1VCT/9F.avi
2128  iexplore.exe  GET     200        62.109.31.180:80  RU  image   5.30 Kb  malicious
      URL: http://link.philippeschellekens.com/favicon.ico

Connections

PID   Process       IP                   Domain                        ASN                                                      CN  Reputation
(not shown)         204.79.197.203:443   www.msn.com                   Microsoft Corporation                                    US  whitelisted
2128  iexplore.exe  204.79.197.200:443   ieonline.microsoft.com        Microsoft Corporation                                    US  whitelisted
2128  iexplore.exe  13.92.246.37:443     query.prod.cms.msn.com        Microsoft Corporation                                    US  whitelisted
2128  iexplore.exe  152.199.19.161:443   r20swj13mr.microsoft.com      MCI Communications Services, Inc. d/b/a Verizon Business  US  whitelisted
2128  iexplore.exe  204.79.197.203:443   www.msn.com                   Microsoft Corporation                                    US  whitelisted
2552  IEXPLORE.EXE  31.148.99.73:80      films.amishbrand.com          MAROSNET Telecommunication Company LLC                   RU  suspicious
2128  iexplore.exe  23.13.51.44:443      go.microsoft.com              Akamai Technologies, Inc.                                US  unknown
2552  IEXPLORE.EXE  62.109.31.180:80     link.philippeschellekens.com  JSC ISPsystem                                            RU  malicious
2128  iexplore.exe  62.109.31.180:80     link.philippeschellekens.com  JSC ISPsystem                                            RU  malicious

DNS requests

Domain                    IP              Reputation
films.amishbrand.com      31.148.99.73    unknown
r20swj13mr.microsoft.com  152.199.19.161  whitelisted
iecvlist.microsoft.com    152.199.19.161  whitelisted
ieonline.microsoft.com    204.79.197.200  whitelisted
go.microsoft.com          23.13.51.44     whitelisted
www.msn.com               204.79.197.203  whitelisted
query.prod.cms.msn.com    13.92.246.37    whitelisted
mcc.avast.com             (none shown)    whitelisted
www.bing.com              204.79.197.200  whitelisted
api.bing.com              13.107.5.80     whitelisted

Threats

PID   Process       Class                          Message
2552  IEXPLORE.EXE  A Network Trojan was detected  AV TROJAN Ursnif Variant CnC Beacon 2019-09-18
2552  IEXPLORE.EXE  A Network Trojan was detected  MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
2552  IEXPLORE.EXE  A Network Trojan was detected  MALWARE [PTsecurity] Ursnif
2552  IEXPLORE.EXE  A Network Trojan was detected  AV TROJAN Ursnif Variant CnC Beacon 2019-09-18
2552  IEXPLORE.EXE  A Network Trojan was detected  MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
2552  IEXPLORE.EXE  A Network Trojan was detected  MALWARE [PTsecurity] Ursnif
4 ETPRO signatures available at the full report
No debug info