Malware analysis 2019-07-22-Ursnif-4.exe-from-neu.x-sait.de.exe Malicious activity

Add for printing

File name:	2019-07-22-Ursnif-4.exe-from-neu.x-sait.de.exe
Full analysis:	https://app.any.run/tasks/75062b2f-4938-40fe-b410-7bbaca7cd09f
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Ursnif is a banking Trojan that usually infects corporate victims. It is based on an old malware but was substantially updated over the years and became quite powerful. Today Ursnif is one of the most widely spread banking Trojans in the world. Malware Trends Tracker >>>
Analysis date:	March 25, 2025, 04:21:34
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	gozi ursnif dreambot banker stealer
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	A7CBF4937C36B65D7AF6AEB54E8B63F0
SHA1:	C1BFF59350A7117762E34817F2A0F2EDBDEC11BF
SHA256:	7AA84B4CE4FBF937632D3008981C3EF8FF63E1FF846FDBB55060F3973D2507A9
SSDEEP:	6144:nRTMHFHXHvEcNYtrWvtjZhnhqf0Kt7r2/:nOHccWetj9qf0OQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: on
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- URSNIF has been detected (SURICATA)
  - iexplore.exe (PID: 6808)
  - iexplore.exe (PID: 3300)
  - iexplore.exe (PID: 4200)
  - iexplore.exe (PID: 6820)
  - iexplore.exe (PID: 1188)
  - iexplore.exe (PID: 6640)
  - iexplore.exe (PID: 1348)
  - iexplore.exe (PID: 2392)
  - iexplore.exe (PID: 6388)
  - iexplore.exe (PID: 5508)
  - iexplore.exe (PID: 6192)
  - iexplore.exe (PID: 5436)
- Connects to the CnC server
  - iexplore.exe (PID: 6808)
  - iexplore.exe (PID: 3300)
  - iexplore.exe (PID: 6820)
  - iexplore.exe (PID: 4200)
  - iexplore.exe (PID: 1188)
  - iexplore.exe (PID: 6640)
  - iexplore.exe (PID: 1348)
  - iexplore.exe (PID: 5508)
  - iexplore.exe (PID: 6388)
  - iexplore.exe (PID: 2392)
  - iexplore.exe (PID: 6192)
  - iexplore.exe (PID: 5436)
SUSPICIOUS
- Contacting a server suspected of hosting an CnC
  - iexplore.exe (PID: 6808)
  - iexplore.exe (PID: 3300)
  - iexplore.exe (PID: 6820)
  - iexplore.exe (PID: 4200)
  - iexplore.exe (PID: 1188)
  - iexplore.exe (PID: 6640)
  - iexplore.exe (PID: 1348)
  - iexplore.exe (PID: 5508)
  - iexplore.exe (PID: 6388)
  - iexplore.exe (PID: 2392)
  - iexplore.exe (PID: 6192)
  - iexplore.exe (PID: 5436)
INFO
- The sample compiled with chinese language support
  - 2019-07-22-Ursnif-4.exe-from-neu.x-sait.de.exe (PID: 4996)
- Checks supported languages
  - 2019-07-22-Ursnif-4.exe-from-neu.x-sait.de.exe (PID: 4996)
  - ielowutil.exe (PID: 2148)
- Reads the computer name
  - ielowutil.exe (PID: 2148)
  - 2019-07-22-Ursnif-4.exe-from-neu.x-sait.de.exe (PID: 4996)
- Local mutex for internet shortcut management
  - iexplore.exe (PID: 5048)
- Reads the software policy settings
  - SIHClient.exe (PID: 1096)
  - slui.exe (PID: 300)
  - slui.exe (PID: 4812)
- Checks proxy server information
  - slui.exe (PID: 4812)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (41)
.exe	\|	Win64 Executable (generic) (36.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.6)
.exe	\|	Win32 Executable (generic) (5.9)
.exe	\|	Clipper DOS Executable (2.6)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2018:09:25 05:45:07+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	12
CodeSize:	96256
InitializedDataSize:	184832
UninitializedDataSize:	-
EntryPoint:	0x84bd
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	1.0.5.1
ProductVersionNumber:	1.1.0.1
FileFlagsMask:	0x006f
FileFlags:	Pre-release, Patched
FileOS:	Unknown (0x40304)
ObjectFileType:	Static library
FileSubtype:	81
LanguageCode:	Chinese (Simplified)
CharacterSet:	Unicode
FileVersion:	1.0.5.4
InternalName:	fghfhjkngfk.exe
LegalCopyright:	Copyright (C) 2019, ghjhfkh
ProductVersion:	1.9.6

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

186

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

300

"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent

C:\Windows\System32\slui.exe

SppExtComObj.Exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

660

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Internet Explorer

Exit code:

Version:

11.00.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

680

C:\WINDOWS\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\SppExtComObj.Exe

—

svchost.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

KMS Connection Broker

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll

864

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Internet Explorer

Exit code:

Version:

11.00.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

1096

C:\WINDOWS\System32\sihclient.exe /cv GoSHFONmVk65ATpTQfHilg.0.2

C:\Windows\System32\SIHClient.exe

upfc.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

SIH Client

Exit code:

2379777

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sihclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\oleaut32.dll

1188

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:864 CREDAT:9474 /prefetch:2

C:\Program Files (x86)\Internet Explorer\iexplore.exe

iexplore.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Internet Explorer

Exit code:

Version:

11.00.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\program files (x86)\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

1228

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Internet Explorer

Exit code:

Version:

11.00.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

1300

"C:\WINDOWS\system32\UCPDMgr.exe"

C:\Windows\System32\UCPDMgr.exe

—

svchost.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

User Choice Protection Manager

Exit code:

Version:

1.0.0.414301

Modules

Images
c:\windows\system32\ucpdmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

1348

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Internet Explorer

Exit code:

Version:

11.00.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

1348

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1228 CREDAT:9474 /prefetch:2

C:\Program Files (x86)\Internet Explorer\iexplore.exe

iexplore.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Internet Explorer

Exit code:

Version:

11.00.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\program files (x86)\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

Add for printing

Total events

47 630

Read events

47 328

Write events

252

Delete events

Modification events


(PID) Process:	(5048) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(5048) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(5048) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(5048) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation:	write	Name:	CompatibilityFlags
Value: 0
(PID) Process:	(5048) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:	write	Name:	SecuritySafe
Value: 1
(PID) Process:	(5048) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch
Operation:	write	Name:	Version
Value: WS not running
(PID) Process:	(5048) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation:	write	Name:	FullScreen
Value: no
(PID) Process:	(5048) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation:	write	Name:	DisableFirstRunCustomize
Value: 1
(PID) Process:	(5048) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MAO Settings
Operation:	write	Name:	DiscardLoadTimes
Value: DB847CA30259DA01
(PID) Process:	(6808) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Content
Operation:	write	Name:	CachePrefix
Value:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6808	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\MSIMGSIZ.DAT		binary
		MD5:0392ADA071EB68355BED625D8F9695F3	SHA256:B1313DD95EAF63F33F86F72F09E2ECD700D11159A8693210C37470FCB84038F7
6068	iexplore.exe	C:\Users\admin\AppData\Local\Temp\~DFF9FB32E38C2C3439.TMP		binary
		MD5:9606E462026CF83C8AC40DEFBB79EC5A	SHA256:2DE2EDCFCFCEB3C806E58B3B4958F4FD69DF97EF833EDFCC42D1B1666A686372
3900	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{D94B3B3A-0930-11F0-B4ED-18F7786F96EE}.dat		binary
		MD5:2F77622C4CAD5F0EE12734F6C46686F4	SHA256:98C5794386B9569D22F9EE15B521A60C581ACC5C30FEF8C43A21DD6D157BAA47
1348	iexplore.exe	C:\Users\admin\AppData\Local\Temp\~DF1DBC5D03000FB386.TMP		binary
		MD5:A5843277410FC097F32BC296F4EDCF8E	SHA256:586A757005013367412BA8D102A7FD4D68C15C1D7A1E7DA27EB7E5BBDBB19108
3900	iexplore.exe	C:\Users\admin\AppData\Local\Temp\~DF19706ADC11D431EA.TMP		binary
		MD5:231DD01AC1192ABA846F8A9DF513D7ED	SHA256:ABF33156F4A78B683F67E5DB1B408D1309406BBF9E7C108993AE2E190BE149BD
3900	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{D94B3B38-0930-11F0-B4ED-18F7786F96EE}.dat		binary
		MD5:BA9C75CA0385D5F8F32FF87C00E88A39	SHA256:F6F1A57D5BDC0870EF246C494A4BF2CE8D328DA29B38DF2912ED794046C6DD76
3900	iexplore.exe	C:\Users\admin\AppData\Local\Temp\~DF0A6F61F26DEFADA1.TMP		binary
		MD5:D0467C4FC145DB005147E448EC0C9CB7	SHA256:ACA5D6B15344E7267A40786DF7E4E64DF3A8D456BB04FD5C14A0E5701E7AFB6C
6068	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{E6314DA4-0930-11F0-B4ED-18F7786F96EE}.dat		binary
		MD5:ECFAF21A6F9FE494817EA9719844BCB8	SHA256:098F0313F3D95E8085C59941826240AE624EAF1C10B742CB94076881A5137089
5048	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{B00AC106-0930-11F0-B4ED-18F7786F96EE}.dat		binary
		MD5:D1C44AD8A2A22B99F682155A83054999	SHA256:670CEC03E342A854A50965BB672C9F1EF41E714FC2D6902DCECCDF449D38750E
6068	iexplore.exe	C:\Users\admin\AppData\Local\Temp\~DF814D997FD01CE2B7.TMP		binary
		MD5:9B7380DAB0FC5EA6878809FDAC1B42EF	SHA256:68999FDFAF15ED43C678D41906D52C54A2953376F98DB2030B2D33A2CFF3C6BC

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

114

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6808	iexplore.exe	GET	404	49.13.77.253:80	http://x1.narutik.at/webstore/_2B7QgTUymqjmm/5_2F0EC_2BAdFWmnCzc8i/bL6nlqREYR6XGRgn/KaAYvZsYAtmgeet/Nqz54UlrS9zEHPOTYT/JBqZ2fENm/4oO7P6PpBjUnCq7psQ_2/BGuGBnd3MBPDraykgYz/L7rxy82OmWc95YukGLDL0q/jNEn12PjY9y_2/BUsqXfAF/xw_2BMjSO5OLPkNJWHssJBi/vujDyHpz1l/KDqYJ08kdEGRefW9n/jjOad2b5/zuaXAlhXPBL/EPN	unknown	—	—	malicious
3300	iexplore.exe	GET	404	49.13.77.253:80	http://cd.pranahat.at/webstore/NpP41H6Lsq1swK1_2B2/H3B8i0dF1kjORa2SMGvdTc/l_2FgeNX50JXV/iP_2FFv8/oCG4ZP6i3IM1MEt9ZFB_2B8/LtuqjkFG2k/Uu4fK5S5GP2kk1_2F/0OxXMk_2BP7x/H8Ilmm2_2Fr/hnNop6xyGFcXPh/2w8b2o53msWoFxc15AYvE/g4JiMDfYN5K8u8gu/u_2Bl2Q_2FzfLu2/WUH8S1kX0sMkWyt_2F/UM70sFoXu/H5pEtFRdu18vLLMgZM1F/rcQZs2I	unknown	—	—	malicious
6820	iexplore.exe	GET	404	49.13.77.253:80	http://x1.narutik.at/webstore/2HVtyC3GyXwV/BS0LBVBmgGx/Vm6S7OyUxklyGG/vY_2B0INWQfHuo2vjbSbD/UmKpOOziZJoMT25G/7D70lu6VS13RFsj/FMnJO8OX_2FvC6OcRT/S9_2B0RB4/LuMXR8ZHTsfTLJBW1IDH/VKhqiU1G90AMfIyel65/P47xY6zzK5jdPLzokIu5T9/dIuokAXeT1qE3/t_2FMpfk/uUfu9_2Ber4Wd9RwuF27xlK/5IFfGozhu1/_2FNX9csl/VHcLpSw	unknown	—	—	malicious
4200	iexplore.exe	GET	404	49.13.77.253:80	http://cdn5.narutik.at/webstore/_2F8vY5zn/65LWxaefPC2XZTq5L717/vjJvMUdIBAU2e26GmAc/dq0oMR_2Behnknl56otHek/MEj2J5ArMvD3i/cnJskpxx/QKW0vkCCx_2FX1Q4Tl5esfS/hIm9XJBIJk/YSZcRYuhgbCYw8HU5/GfAb45Gh21JC/jmp78YFfdra/9Xp_2BsrOyqVjB/2H3F06jPouohccRgcKdbx/sEMEG_2F4IhfwnNO/6i7l3WVA/n	unknown	—	—	malicious
1188	iexplore.exe	GET	404	49.13.77.253:80	http://cd.pranahat.at/webstore/lSbxPDZorL7n/fALD_2BAatH/J0krnqQt_2BmXr/e9w6vZcfpVCypr87DSwK_/2FqroeplUU_2BjyI/viIOzxCGs54lleT/jSXHZ0WmO2Z_2FNH4a/STLGwJbR9/huoURGn4LgF7MvzQ7p_2/BBlPcuUBXW3tdEgORJT/z4padarO5yPi9pTmms0b0x/gNUtiBPFCH5JN/qxyA1kp1/wj0RVwnincRb8xvtsShD6hN/OEW_2Fu	unknown	—	—	malicious
1348	iexplore.exe	GET	404	49.13.77.253:80	http://cdn5.narutik.at/webstore/j8FfvPthRYJ1Z_2BE/SPbf6hmpWywZ/HiIeeL5Qyyj/LwK0dTUiWFVSUB/TAkinlC2SN079Lf41IGjL/6x3JT8zmNzn7MkRg/O75wwezwYKx_2BG/tFrlnZG98J5cxP218f/6AqPJNgLw/_2FFME6poeV9gMhdsAdl/wG_2B4d85m79qc5lToh/P5xV3zvhHNm3nAx3HTToje/FhFDlvtKOJORN/nFfVN_2BuAU/krLIy7	unknown	—	—	malicious
6640	iexplore.exe	GET	404	49.13.77.253:80	http://x1.narutik.at/webstore/3L8O7D1KSmh/90D8E_2F1zXUEx/1v0wOeX2YFQ4sl9RZYkMA/H5yb7w_2Fw3Uotj8/oShH8V0K8Nv1RNz/feF_2Bm8U2iqpil6xz/NAepP9GqN/FhQLRQ49l7KflTvN1mxT/iBl31L0XkVxIpbpCzGP/sm1SvuvaGVteLA6yyPQQXG/off1hIOuI7p_2/BR0Jziyh/2_2BE0wyGoIHu6eEmjUkvpP/XOhAJZ5cHaNN/Wf9	unknown	—	—	malicious
6388	iexplore.exe	GET	404	49.13.77.253:80	http://x1.narutik.at/webstore/QywAXLhJd15kIDyFbMK/Z4X6XuCf69NK2WCKePflsx/2HkydaK3R_2FB/HTa_2BlS/eK4zThN_2B7sZEqOE7fyxJu/Q7HhsURUKc/VzLSqQQia0XFZZ3ZU/zWEH0sCAFrXv/sgXOI57Pulq/Iy7Yluta8_2FTh/bXJNJfCovwktwR3adlM7V/X7jhWYuIk1se8OZE/cqovR_2FRlHJuCl/fE8fCTBbsiS9py/3MsldLIy/N	unknown	—	—	malicious
5436	iexplore.exe	GET	404	49.13.77.253:80	http://cd.pranahat.at/webstore/qN9MuHBriA1enAn/nR7d4ubsLx_2FORenH/U5CW_2FAu/wCYZ_2FZ5V7wQ5gy6lRJ/f5ic_2FxUA2lGxpIbSp/09Pxl_2BAX6ubiEr6H_2BC/6IEsoZpDSxCB_/2F6pVRgb/U7v_2Bw5AYzEhSYMsdd_2Fn/JktDgUJcpR/Mro1PZefKJ1jMmfXR/mt1hfe3gh6G4/X9P3aN33vMH/dH1HclCiEBbw0d/rzBBvuzVy0ALYCQt_2BPp/A_2B	unknown	—	—	malicious
2392	iexplore.exe	GET	404	49.13.77.253:80	http://cdn5.narutik.at/webstore/aSGHJ_2BGiFX0A/kmNIMbBViDAXlgHh9tXmV/_2FlnfeHFxnz8_2F/6UCDSwMhssE9QEa/uD4poRRA_2FVACTVEw/83DwZbw9j/_2BlzzvTp9jT9uO8y0sv/0owlS1sSZgzfchq9hoZ/t0ekHxbucfBgCpfi4E0k2g/dz_2FXTnz4IHX/pdlsL6VI/RHNnq6JvNwhgHdMmudN8L1J/rM_2BBLBNN/y0vhqCJ5N5OwUjWzW/t0D	unknown	—	—	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
2432	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5496	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2104	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3216	svchost.exe	40.113.103.199:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5496	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6544	svchost.exe	40.126.32.76:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2104	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2112	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4756	backgroundTaskHost.exe	20.223.36.55:443	arc.msn.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.124.78.146	whitelisted
google.com	142.250.184.238	whitelisted
client.wns.windows.com	40.113.103.199	whitelisted
login.live.com	40.126.32.76 40.126.32.74 20.190.160.131 40.126.32.138 20.190.160.17 40.126.32.133 20.190.160.130 20.190.160.22	whitelisted
arc.msn.com	20.223.36.55	whitelisted
x1.narutik.at	49.13.77.253	malicious
slscr.update.microsoft.com	20.109.210.53	whitelisted
fe3cr.delivery.mp.microsoft.com	52.165.164.15 2a01:111:f100:9001::1761:914d	whitelisted
15.164.165.52.in-addr.arpa	—	unknown
d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa	—	unknown

Threats

PID	Process	Class	Message
6808	iexplore.exe	Malware Command and Control Activity Detected	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
3300	iexplore.exe	Malware Command and Control Activity Detected	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
3300	iexplore.exe	Malware Command and Control Activity Detected	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
6820	iexplore.exe	Malware Command and Control Activity Detected	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
6820	iexplore.exe	Malware Command and Control Activity Detected	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
4200	iexplore.exe	Malware Command and Control Activity Detected	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
4200	iexplore.exe	Malware Command and Control Activity Detected	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
1188	iexplore.exe	Malware Command and Control Activity Detected	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
6640	iexplore.exe	Malware Command and Control Activity Detected	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
1348	iexplore.exe	Malware Command and Control Activity Detected	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)

Add for printing

No debug info

General Info

2019-07-22-Ursnif-4.exe-from-neu.x-sait.de.exe

A7CBF4937C36B65D7AF6AEB54E8B63F0

C1BFF59350A7117762E34817F2A0F2EDBDEC11BF

7AA84B4CE4FBF937632D3008981C3EF8FF63E1FF846FDBB55060F3973D2507A9

6144:nRTMHFHXHvEcNYtrWvtjZhnhqf0Kt7r2/:nOHccWetj9qf0OQ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

URSNIF has been detected (SURICATA)

Connects to the CnC server

SUSPICIOUS

Contacting a server suspected of hosting an CnC

INFO

The sample compiled with chinese language support

Checks supported languages

Reads the computer name

Local mutex for internet shortcut management

Reads the software policy settings

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings