analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

pofex1.jad

Full analysis: https://app.any.run/tasks/f41a0b55-1465-4711-84fd-aace644259a0
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: March 21, 2019, 10:58:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
gozi
ursnif
dreambot
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

866A7A5D993FC385F01A3FE0C5B5F126

SHA1:

425B66D6C86808A5FDF5DDA0E021735C3A463C91

SHA256:

78ED9149EF7B0FDD3C3F64D98E9556A7833E810DFA2C61DAD509E503D08B450B

SSDEEP:

49152:xBAHhU3IxyokABHMiAAjPuRZJG9pBu5e5i70nWz135spCQ:7whU3IxytABVAA6RZJeAeU70nWz135s

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • URSNIF was detected

      • iexplore.exe (PID: 1968)
      • iexplore.exe (PID: 3596)
    • Connects to CnC server

      • iexplore.exe (PID: 1968)
      • iexplore.exe (PID: 3596)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Reads internet explorer settings

      • iexplore.exe (PID: 1968)
      • iexplore.exe (PID: 3596)
    • Changes internet zones settings

      • iexplore.exe (PID: 3788)
      • iexplore.exe (PID: 3864)
    • Creates files in the user directory

      • iexplore.exe (PID: 1968)
      • iexplore.exe (PID: 3596)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3596)
      • iexplore.exe (PID: 1968)
      • iexplore.exe (PID: 3864)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2014:03:20 17:46:35+01:00
PEType: PE32
LinkerVersion: 12
CodeSize: 1368064
InitializedDataSize: 736256
UninitializedDataSize: -
EntryPoint: 0x128dd1
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 0.0.27.45
ProductVersionNumber: 0.0.27.45
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Netcom3 Global
FileDescription: Largesteam
FileVersion: 0.0.27.45
InternalName: steadparent.exe
LegalCopyright: Copyright© 2017-2016 Netcom3 Global, Inc.
OriginalFileName: steadparent.exe
ProductName: Largesteam

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 20-Mar-2014 16:46:35
Detected languages:
  • English - United States
Debug artifacts:
  • c:\light\Kind\Card\UnderStraight.pdb
CompanyName: Netcom3 Global
FileDescription: Largesteam
FileVersion: 0.0.27.45
InternalName: steadparent.exe
LegalCopyright: Copyright© 2017-2016 Netcom3 Global, Inc.
OriginalFilename: steadparent.exe
ProductName: Largesteam

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000108

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 20-Mar-2014 16:46:35
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0014DE97
0x0014E000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.59206
.rdata
0x0014F000
0x0004F9D8
0x0004FA00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.09208
.data
0x0019F000
0x0001F900
0x00007E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
5.38156
.rsrc
0x001BF000
0x00027F00
0x00028000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.88334
.reloc
0x001E7000
0x0001C720
0x0001C800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.48131

Resources

Title
Entropy
Size
Codepage
Language
Type
1
4.91161
381
UNKNOWN
English - United States
RT_MANIFEST
2
5.96559
38056
UNKNOWN
English - United States
RT_ICON
3
5.91372
21640
UNKNOWN
English - United States
RT_ICON
4
5.91612
16936
UNKNOWN
English - United States
RT_ICON
5
6.01753
9640
UNKNOWN
English - United States
RT_ICON
6
5.51784
4264
UNKNOWN
English - United States
RT_ICON
7
6.12875
2440
UNKNOWN
English - United States
RT_ICON
8
4.96487
1128
UNKNOWN
English - United States
RT_ICON

Imports

ADVAPI32.dll
GDI32.dll
IMM32.dll
KERNEL32.dll
MSIMG32.dll
OLEACC.dll
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
8
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start pofex1.jad.exe no specs taskmgr.exe no specs cmd.exe no specs ping.exe no specs iexplore.exe #URSNIF iexplore.exe iexplore.exe #URSNIF iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2408"C:\Users\admin\AppData\Local\Temp\pofex1.jad.exe" C:\Users\admin\AppData\Local\Temp\pofex1.jad.exeexplorer.exe
User:
admin
Company:
Netcom3 Global
Integrity Level:
MEDIUM
Description:
Largesteam
Exit code:
575
Version:
0.0.27.45
728"C:\Windows\system32\taskmgr.exe" /4C:\Windows\system32\taskmgr.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Task Manager
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1444"C:\Windows\system32\cmd.exe" C:\Windows\system32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
3221225786
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2200ping 8.8.8.8C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
3221225786
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3788"C:\Program Files\Internet Explorer\iexplore.exe" -EmbeddingC:\Program Files\Internet Explorer\iexplore.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
1968"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3788 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3864"C:\Program Files\Internet Explorer\iexplore.exe" -EmbeddingC:\Program Files\Internet Explorer\iexplore.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3596"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3864 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Total events
716
Read events
625
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
1
Text files
21
Unknown types
7

Dropped files

PID
Process
Filename
Type
3788iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:
3788iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3788iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF27816A979A29AF4B.TMP
MD5:
SHA256:
3788iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{67B7BB70-4BC8-11E9-A302-5254004A04AF}.dat
MD5:
SHA256:
1968iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:A4657071F23BEE67D6E1D237C5BF3FBC
SHA256:DD87561704D529A9CFF683780EB2C337F7415284B056E0EC594C5436F71F9734
1968iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
1968iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\QZ3DVNC8\info_48[1]image
MD5:49E0EF03E74704089A60C437085DB89E
SHA256:CAA140523BA00994536B33618654E379216261BABAAE726164A0F74157BB11FF
1968iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VC2699GW\bullet[1]image
MD5:0C4C086DD852704E8EEB8FF83E3B73D1
SHA256:1CB3B6EA56C5B5DECF5E1D487AD51DBB2F62E6A6C78F23C1C81FDA1B64F8DB16
1968iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\R3DAH3B0\background_gradient[1]image
MD5:20F0110ED5E4E0D5384A496E4880139B
SHA256:1471693BE91E53C2640FE7BAEECBC624530B088444222D93F2815DFCE1865D5B
3788iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Feeds Cache\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
7
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1968
iexplore.exe
GET
50.63.202.39:80
http://n48lxj5097.email/images/iAeH8A0uSb9hJCcdUjfql/aUYPvxs2N8Bo2iS0/Q3_2BfjR9XWeATn/bANlaKROiGs4GRsFDW/DzxLOIiUB/tg6HH9Ochpza0IwqWlTu/_2FEW49lSfB5c6GXuJl/06_2FC91YjllDHqKf_2Fk_/2BnBngO7PHO_2FrMwE44b/0.avi
US
malicious
1968
iexplore.exe
GET
50.63.202.39:80
http://n48lxj5097.email/POXQZ/images/iAeH8A0uSb9hJCcdUjfql/aUYPvxs2N8Bo2iS0/Q3_2BfjR9XWeATn/bANlaKROiGs4GRsFDW/DzxLOIiUB/tg6HH9Ochpza0IwqWlTu/_2FEW49lSfB5c6GXuJl/06_2FC91YjllDHqKf_2Fk_/2BnBngO7PHO_2FrMwE44b/0.avi
US
malicious
3864
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
3788
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
1968
iexplore.exe
GET
404
50.63.202.39:80
http://n48lxj5097.email/images/iAeH8A0uSb9hJCcdUjfql/aUYPvxs2N8Bo2iS0/Q3_2BfjR9XWeATn/bANlaKROiGs4GRsFDW/DzxLOIiUB/tg6HH9Ochpza0IwqWlTu/_2FEW49lSfB5c6GXuJl/06_2FC91YjllDHqKf_2Fk_/2BnBngO7PHO_2FrMwE44b/0.avi
US
text
103 b
malicious
3864
iexplore.exe
GET
200
94.103.83.217:80
http://wyideegb.city/favicon.ico
RU
image
5.30 Kb
malicious
3596
iexplore.exe
GET
200
94.103.83.217:80
http://wyideegb.city/images/4XyRPvHNY2k9/rWerMGtEDZ_/2Fi_2Fjrz_2Fbh/k3618H0OLzBU8p9FJAikk/dKgwvp6bdRzFwLzU/aiWMgX1roupyK6_/2FnbS5CU_2Fs1lXoiD/GW4D4LNP6/9X_2FfKHblU7QcjAJt_2/Bp6lmXh65QLVl_2FqsU/61JnO7Jiky/J.avi
RU
binary
20 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3864
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3596
iexplore.exe
94.103.83.217:80
wyideegb.city
RU
malicious
3864
iexplore.exe
94.103.83.217:80
wyideegb.city
RU
malicious
3788
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
1968
iexplore.exe
50.63.202.39:80
n48lxj5097.email
GoDaddy.com, LLC
US
malicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
n48lxj5097.email
  • 50.63.202.39
malicious
wyideegb.city
  • 94.103.83.217
malicious

Threats

PID
Process
Class
Message
1968
iexplore.exe
A Network Trojan was detected
MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
1968
iexplore.exe
A Network Trojan was detected
MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
1968
iexplore.exe
A Network Trojan was detected
MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
3596
iexplore.exe
A Network Trojan was detected
MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
7 ETPRO signatures available at the full report
No debug info