File name: my_attach.vbs
Full analysis: https://app.any.run/tasks/2e06f1c6-ccf3-477b-846e-8315984c8c93
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: December 06, 2019, 19:19:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, gozi, ursnif
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with no line terminators
MD5: B2FA349DB7D42A0AA2FAD4FAF5E9B758
SHA1: 4B91CD990F5FE83C68C3859D2C9675EAEA71A845
SHA256: 3E37181D622725EA89A449F574D7AA680913B7D03CF1F3881C14AFF7DBCE0DA5
SSDEEP: 6144:bXuCOyk/8kohMCXvsqzpUiKMuwT1r4igOiTpSzcCOIVcyTYujPzYWGlbi6x3GGLm:bXuCX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • rundll32.exe (PID: 2912)
      • SearchProtocolHost.exe (PID: 3416)
    • URSNIF was detected
      • iexplore.exe (PID: 3016)
    • Connects to CnC server
      • iexplore.exe (PID: 3016)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WScript.exe (PID: 1796)
    • Uses RUNDLL32.EXE to load library
      • WScript.exe (PID: 1796)
    • Executed via COM
      • iexplore.exe (PID: 2392)
  • INFO
    • Reads the hosts file
      • rundll32.exe (PID: 2912)
    • Reads internet explorer settings
      • iexplore.exe (PID: 3016)
    • Application launched itself
      • iexplore.exe (PID: 2392)
    • Changes internet zones settings
      • iexplore.exe (PID: 2392)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 3016)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .flm | Adobe FilmStrip (100)
No data.
All screenshots are available in the full report
Total processes: 38
Monitored processes: 5
Malicious processes: 4
Suspicious processes: 1

Behavior graph (process nodes; interactive graph in the full report): start, wscript.exe, rundll32.exe, searchprotocolhost.exe (no specs), iexplore.exe, iexplore.exe (#URSNIF)

Process information

PID: 1796
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\my_attach.vbs"
Path: C:\Windows\System32\WScript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Version: 5.8.7600.16385

PID: 2912
CMD: "C:\Windows\System32\rundll32.exe" "C:\Users\admin\Music\\3395.dll",DllRegisterServer
Path: C:\Windows\System32\rundll32.exe
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3416
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID: 2392
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3016
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2392 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Total events: 425
Read events: 384
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 1
Suspicious files: 1
Text files: 6
Unknown types: 2

Dropped files

PID 2392, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
PID 2392, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
PID 2392, iexplore.exe: C:\Users\admin\AppData\Local\Temp\~DF166DE12BDA2996CD.TMP
PID 2392, iexplore.exe: C:\Users\admin\AppData\Local\Temp\~DF7128C1CF61DFDDCB.TMP
PID 2392, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{769EDF93-185D-11EA-AB41-5254004A04AF}.dat
PID 3016, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat (type: dat)
  MD5: E7C71CF4CAC08EB27A14197157E428D7
  SHA256: D3326FC4EC3E56A3A3031BA3B551160F11762B70E086819A6D79A01BEC66E154
PID 3016, iexplore.exe: C:\Users\admin\AppData\Local\Temp\Low\JavaDeployReg.log (type: text)
  MD5: 29959CF634CEFA26E2A8FF14D7FBF0EF
  SHA256: 06624B69C8C5F7556245B49A14DA6CF01F0B036C8322614168B95CE90A70BB6D
PID 2392, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{769EDF94-185D-11EA-AB41-5254004A04AF}.dat (type: binary)
  MD5: CB3CD981F74798B6B3F04F24E0FFB5F8
  SHA256: 4712E0E8EB86E3C1EFB72A199D6623E683E8C7CBB08955803D36AC6CBEE7E5C9
PID 1796, WScript.exe: C:\Users\admin\Music\3395.dll (type: executable)
  MD5: 3B909C7ECC2A5C0ACC3145A367FAD176
  SHA256: ADE4CE954BEB2B77CD53561E972DA77BF28F53903A2D8E62F48B10E0A0ABB53D
PID 3016, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3JCMQ9RZ\desktop.ini (type: ini)
  MD5: 4A3DEB274BB5F0212C2419D3D8D08612
  SHA256: 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 3
DNS requests: 2
Threats: 0

HTTP requests

PID 3016, iexplore.exe: GET, HTTP 404, 8.208.24.139:80
  URL: http://w8.wensa.at/api1/N4PHWMkUSFXt8/CwSoT_2F/y7mkdjHs_2B149KylRmspez/_2FxrEHABK/pUyRpsveMzRf1CwTj/n1JnZI_2Bkp9/f8OFtKmY7Wl/I2ExsMmuiDaf2W/VT_2BR_2FyAS8k0C5DBCm/j1FYMhFZFaVG2jBL/cjWnk1RHC9xUxTy/VDZ4mHAj2Te0j9WDRH/acJlrxlHF/4DqScxw6CpwLbDHSbZxO/8PykuRgdQAPqw1YeTv7/a8IBpjpebTjxBcZybmqgU_/2B0jXhxmByWf_/2BPCrzR_/0A_0DHGYLoeqmISLwupMGrH/PoZfd0af
  CN: US | Type: html | Size: 180 b | Reputation: malicious

PID 2392, iexplore.exe: GET, HTTP 200, 204.79.197.200:80
  URL: http://www.bing.com/favicon.ico
  CN: US | Type: image | Size: 237 b | Reputation: whitelisted

Connections

PID 2392, iexplore.exe: 204.79.197.200:80 | Domain: www.bing.com | ASN: Microsoft Corporation | CN: US | Reputation: whitelisted
PID 3016, iexplore.exe: 8.208.24.139:80 | Domain: w8.wensa.at | ASN: Level 3 Communications, Inc. | CN: US | Reputation: malicious
PID 2912, rundll32.exe: 193.183.98.66:53 | Domain: - | ASN: Prometeus di Daniela Agro | CN: IT | Reputation: malicious

DNS requests

w8.wensa.at: 8.208.24.139 (reputation: unknown)
www.bing.com: 204.79.197.200, 13.107.21.200 (reputation: whitelisted)

Threats

Found threats are available for the paid subscriptions
2 ETPRO signatures available at the full report
No debug info