Field | Value
---|---
URL | http://ptyptossen.com/LYW/quines.php?l=klyc9.bod
Full analysis | https://app.any.run/tasks/da3a0114-42b8-4ab2-999b-4cce76b3934a
Verdict | Malicious activity
Threats | Ursnif is a banking Trojan that usually infects corporate victims. It is based on older malware but was substantially updated over the years and became quite powerful. Today Ursnif is one of the most widely spread banking Trojans in the world.
Analysis date | December 15, 2018, 01:56:49
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MD5 | B23671B80ED3CAB2BA96EA8CF9FEFC97
SHA1 | 6B8A250947A3E5E904EE48631A4D37959EF32C8E
SHA256 | 33C164DA39EC736D6D8EC578E5991D41D9CB11B383471F28A34DFD18F0BAD373
SSDEEP | 3:N1KORnmOKISZ0MVHaJ1qHKB:CORmOKI/MC1qHKB
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2684 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Version: 8.00.7600.16385 (win7_rtm.090713-1255)
2828 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2684 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Version: 8.00.7600.16385 (win7_rtm.090713-1255)
4072 | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe | — | svchost.exe | User: admin; Company: Adobe Systems Incorporated; Integrity Level: MEDIUM; Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0; Version: 26,0,0,131
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2684 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\favicon[1].ico | — | — | —
2684 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | —
2828 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\error[1].htm | html | EE30541574BE25FEEDD624D388562189 | 9D28EB9C2F882F37B4A2C9AB017892BEB86B28ADA2BD3A3BEFFFA3CD7567FFF6
2828 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt | text | 62B0138D822DC8CAA7CC488F430E1851 | 1ECCC7F9BDD91BFF0DA957F5FC2515F0CD625649C6708EA447B33D8FA988D15C
2828 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012018121520181216\index.dat | dat | DCF43E6A69AD459B1E387DEB68B678C5 | ED86CDFA4371BDFA89324D7767856999D2F56711F5A3ED1CCEE6AC1DFF217334
2828 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\quines[1].htm | html | 0996F9F17EB6C6803D35C767E30BF7EE | 9632B9DA25F281B43C41F1A2A98EFD102D608723E1E163C5D7624F69D9E5CDB0
2828 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\index.dat | dat | EC1D4C75962300C8B08DEB5D652D1F89 | 0773697F00139A2C711268927E32B91073052E2650DC784AAF136774B1FD505F
2828 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\105[1].js | text | 8D4327D81B54C307807AFB7781B91025 | 438AD9AC43C3785C9577BAFFDAD0E442B772B3A7126EB54216A6B9E788B68087
2828 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@ptyptossen[1].txt | text | CE341B03DF3FFDFBD6B8BA162B65B7E7 | 6D8D839E20F6D5FBDFCADE5638EBE12F7FA9181A939E130469345BBE4DBABC46
2828 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@baidu[1].txt | text | 48537204C0B3F6F1E47EE8466FD454D0 | DCD8B4ADC9D311169D2BCF693EEDCFA64AACBBE5A2AD16C27E1E4E8A0E13F5BE
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2828 | iexplore.exe | GET | 200 | 104.201.20.75:80 | http://ptyptossen.com/LYW/quines.php?l=klyc9.bod | US | html | 2.39 Kb | malicious |
2684 | iexplore.exe | GET | 200 | 104.201.20.75:80 | http://ptyptossen.com/favicon.ico | US | — | — | malicious |
2828 | iexplore.exe | GET | 302 | 111.206.37.189:80 | http://api.share.baidu.com/s.gif?l=http://ptyptossen.com/LYW/quines.php?l=klyc9.bod | CN | — | — | whitelisted |
2828 | iexplore.exe | GET | 200 | 183.131.207.78:80 | http://ia.51.la/go1?id=19703923&rt=1544839039615&rl=1280*720&lang=en-us&ct=unknow&pf=1&ins=1&vd=1&ce=1&cd=32&ds=&ing=1&ekc=&sid=1544839039615&tt=404%2520Not%2520Found&kw=&cu=http%253A%252F%252Fptyptossen.com%252FLYW%252Fquines.php%253Fl%253Dklyc9.bod&pu= | CN | — | — | whitelisted |
2828 | iexplore.exe | GET | 200 | 222.186.57.120:88 | http://web.xixigmail.com:88/a/105.js | CN | text | 1.27 Kb | unknown |
2828 | iexplore.exe | GET | 200 | 104.201.20.75:80 | http://ptyptossen.com/tj.js | US | html | 102 b | malicious |
2828 | iexplore.exe | GET | 200 | 103.235.46.39:80 | http://www.baidu.com/search/error.html | HK | html | 4.75 Kb | whitelisted |
2828 | iexplore.exe | GET | 200 | 111.206.37.189:80 | http://push.zhanzhang.baidu.com/push.js | CN | text | 227 b | whitelisted |
2684 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2684 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2828 | iexplore.exe | 103.235.46.39:80 | www.baidu.com | Beijing Baidu Netcom Science and Technology Co., Ltd. | HK | unknown |
2828 | iexplore.exe | 183.131.207.78:80 | ia.51.la | DaLi | CN | suspicious |
2828 | iexplore.exe | 220.243.212.50:443 | js.users.51.la | QUANTIL, INC | CN | unknown |
2828 | iexplore.exe | 104.201.20.75:80 | ptyptossen.com | eSited Solutions | US | malicious |
2684 | iexplore.exe | 104.201.20.75:80 | ptyptossen.com | eSited Solutions | US | malicious |
2828 | iexplore.exe | 222.186.57.120:88 | web.xixigmail.com | AS Number for CHINANET jiangsu province backbone | CN | unknown |
2828 | iexplore.exe | 111.206.37.189:80 | push.zhanzhang.baidu.com | China Unicom Beijing Province Network | CN | malicious |
2828 | iexplore.exe | 103.235.46.191:443 | hm.baidu.com | Beijing Baidu Netcom Science and Technology Co., Ltd. | HK | suspicious |
Domain | IP | Reputation
---|---|---
www.bing.com | — | whitelisted
ptyptossen.com | — | malicious
push.zhanzhang.baidu.com | — | whitelisted
hm.baidu.com | — | whitelisted
js.users.51.la | — | whitelisted
ia.51.la | — | whitelisted
web.xixigmail.com | — | unknown
api.share.baidu.com | — | whitelisted
www.baidu.com | — | whitelisted
PID | Process | Class | Message |
---|---|---|---|
2828 | iexplore.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Trojan-Downloader MacroLoader MSOffice |
2828 | iexplore.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Trojan-Downloader MacroLoader MSOffice |