URL: | http://ljeffery54ae.top/skoex/po2.php?l=cupk9.fgs |
Full analysis: | https://app.any.run/tasks/5581f889-3521-4af6-9ab6-62fbe7eed596 |
Verdict: | Malicious activity |
Threats: | Ursnif is a banking Trojan that usually infects corporate victims. It is based on an old malware but was substantially updated over the years and became quite powerful. Today Ursnif is one of the most widely spread banking Trojans in the world. |
Analysis date: | April 15, 2019, 15:05:04 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | E0A91266B382E9515CBA24F2594D503E |
SHA1: | 059726B1482555DBCC2C73C0055C918B805A63AC |
SHA256: | 5A198A276D9FA2AED277345FE6C5762FDDE955A9F4E875799CC0F3F817419488 |
SSDEEP: | 3:N1KSPjjOqXhHCEhJ:CSPjjOsxCG |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2268 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
1704 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2268 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2268 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
2268 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
1704 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9KLM01A5\http_404[1] | html | |
MD5:4CD84A1B063BF6DEA53E06755EF9E24D | SHA256:988CC4B451673F847D823C9D9BA14AD50D3CA1141BC1E17C6415B8F64B6E1C22 | |||
1704 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat | |
MD5:166BCA01F99F47DAED0B05EEBD0B40C6 | SHA256:4135E840CBC4DF4269FA108D5317D86B6706F1F34D44D3A6B8710758D72D63FD | |||
1704 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | |
MD5:9A287D9B4A3BE46F2E144DF457943B5A | SHA256:B0B8CBCDEB90BEE8530177E34233D128770A284C4A54D50A9B7CF547230929B9 | |||
1704 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT | smt | |
MD5:66D20D9CF2322C4B662EA6E754325CD7 | SHA256:D6A4C1DF6554CDC6D56F1D92FD09F3D7991E3620151F00DB51D55C8EE260C3CC | |||
1704 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9KLM01A5\info_48[1] | image | |
MD5:49E0EF03E74704089A60C437085DB89E | SHA256:CAA140523BA00994536B33618654E379216261BABAAE726164A0F74157BB11FF | |||
1704 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\T5R14HGF\desktop.ini | ini | |
MD5:4A3DEB274BB5F0212C2419D3D8D08612 | SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38 | |||
1704 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZU2P0U9N\errorPageStrings[1] | text | |
MD5:1A0563F7FB85A678771450B131ED66FD | SHA256:EB5678DE9D8F29CA6893D4E6CA79BD5AB4F312813820FE4997B009A2B1A1654C | |||
1704 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZU2P0U9N\bullet[1] | image | |
MD5:0C4C086DD852704E8EEB8FF83E3B73D1 | SHA256:1CB3B6EA56C5B5DECF5E1D487AD51DBB2F62E6A6C78F23C1C81FDA1B64F8DB16 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1704 | iexplore.exe | GET | 404 | 91.240.87.19:80 | http://ljeffery54ae.top/skoex/po2.php?l=cupk9.fgs | RU | — | — | malicious |
2268 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2268 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
1704 | iexplore.exe | 91.240.87.19:80 | ljeffery54ae.top | JSC ISPsystem | RU | suspicious |
Domain | IP | Reputation |
---|---|---|
www.bing.com |
| whitelisted |
ljeffery54ae.top |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
1704 | iexplore.exe | A Network Trojan was detected | MALWARE [PTsecurity] MalDoc Requesting Ursnif Payload |
1704 | iexplore.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |