Field | Value |
---|---|
File name | Заполнить договор 18.02.2019.msg |
Full analysis | https://app.any.run/tasks/ff1995ce-9eb1-4c41-89d8-ea028880a923 |
Verdict | Malicious activity |
Threats | Ursnif is a banking Trojan that usually infects corporate victims. It is based on older malware but was substantially updated over the years and became quite powerful. Today Ursnif is one of the most widely spread banking Trojans in the world. |
Analysis date | February 18, 2019, 14:39:43 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | — |
Indicators | — |
MIME | application/vnd.ms-outlook |
File info | CDFV2 Microsoft Outlook Message |
MD5 | 527F08E3E4B9B5E578758CC7AC2DEDFE |
SHA1 | 785F6A7C5A6BAF52E45DCA7043BEE0B578CE8666 |
SHA256 | 657B9FE398D411AFC789637DFE0F27F653D028E063EC579F3F0BDC3718A4B250 |
SSDEEP | 6144:1b0Vb/Fg01XYflKxGU7cZ/z4kVzhPG8ha0PpLObAsjwHaxOI0:0b/m01KlKxyZ/EkVzZRha4LRN/I |

Extension | Description (match score) |
---|---|
.msg | Outlook Message (58.9) |
.oft | Outlook Form Template (34.4) |

PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
3096 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\Desktop\Заполнить договор 18.02.2019.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Outlook; Version: 14.0.6025.1000 |
2564 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Заполнить договор 18.02.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0 |
3328 | "C:\Users\admin\Desktop\Заполнить договор 18.02.exe" | C:\Users\admin\Desktop\Заполнить договор 18.02.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
2956 | rundll32.exe "C:\ProgramData\2401bf603c90\2702bc633f93.dat",DllGetClassObject root | C:\Windows\system32\rundll32.exe | — | taskeng.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Version: 6.1.7600.16385 (win7_rtm.090713-1255) |

PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3096 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR6821.tmp.cvr | — | — | — |
2564 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2564.33647\Заполнить договор 18.02.exe | — | — | — |
2956 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\1D0.tmp | — | — | — |
2956 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\amnibdaadnffjjnd | — | — | — |
2956 | rundll32.exe | C:\Users\admin\Desktop\Заполнить договор 18.02.exe | — | — | — |
2956 | rundll32.exe | C:\Users\admin\Desktop\gokdfgnlodhoodic | — | — | — |
3096 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | B4271ACC6C644AC2E06CD51248FE5863 | 002A114B80AFFD55920BAC7D2F24C736D039AA2973C9668015E54B369F8D21FB |
3328 | Заполнить договор 18.02.exe | C:\Users\admin\AppData\Local\Temp\1D0.tmp | executable | 637299B765F5790DCA95B1BF5092948C | 923E318BBB07309ED12BADBDAB53CDE98F3D2BFDE70EC27AF425319A9884C2C3 |
3328 | Заполнить договор 18.02.exe | C:\ProgramData\2401bf603c90\2702bc633f93.dat | executable | 637299B765F5790DCA95B1BF5092948C | 923E318BBB07309ED12BADBDAB53CDE98F3D2BFDE70EC27AF425319A9884C2C3 |
3096 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{193BA88D-A647-4D3F-9651-5154D1B3728D}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.png | image | 7D80C0A7E3849818695EAF4989186A3C | 72DC527D78A8E99331409803811CC2D287E812C008A1C869A6AEA69D7A44B597 |

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3096 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
2956 | rundll32.exe | GET | 200 | 178.62.9.171:80 | http://myip.ru/index_small.php | GB | html | 325 b | malicious |

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2956 | rundll32.exe | 217.31.161.55:8443 | — | Bahnhof Internet AB | SE | suspicious |
3096 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
2956 | rundll32.exe | 145.239.1.97:443 | — | OVH SAS | DE | suspicious |
2956 | rundll32.exe | 81.84.174.240:19001 | — | Nos Comunicacoes, S.A. | PT | suspicious |
2956 | rundll32.exe | 178.62.9.171:80 | myip.ru | Digital Ocean, Inc. | GB | malicious |
2956 | rundll32.exe | 192.155.83.101:9001 | — | Linode, LLC | US | suspicious |
2956 | rundll32.exe | 178.62.52.233:9001 | — | Digital Ocean, Inc. | GB | suspicious |
2956 | rundll32.exe | 159.69.2.239:443 | — | — | US | suspicious |
2956 | rundll32.exe | 212.8.243.229:9001 | — | Sivin Consult Ltd | RU | suspicious |
2956 | rundll32.exe | 81.17.31.210:3516 | — | Private Layer INC | CH | suspicious |

Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com | — | whitelisted |
myip.ru | — | unknown |
dns.msftncsi.com | — | shared |

PID | Process | Class | Message |
---|---|---|---|
2956 | rundll32.exe | Potential Corporate Privacy Violation | ET POLICY myip.ru IP lookup |
2956 | rundll32.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 354 |
2956 | rundll32.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 143 |
2956 | rundll32.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 600 |
2956 | rundll32.exe | Misc activity | ET POLICY TLS possible TOR SSL traffic |
2956 | rundll32.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 208 |
2956 | rundll32.exe | Misc activity | ET POLICY TLS possible TOR SSL traffic |
2956 | rundll32.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 258 |
2956 | rundll32.exe | Misc activity | ET POLICY TLS possible TOR SSL traffic |
2956 | rundll32.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 163 |