analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://devmiike.com/

Full analysis: https://app.any.run/tasks/7b0f920d-fa7c-4a3d-a38e-85a1a18da59a
Verdict: Malicious activity
Threats:

Ursnif is a banking Trojan that usually infects corporate victims. It is based on an old malware but was substantially updated over the years and became quite powerful. Today Ursnif is one of the most widely spread banking Trojans in the world.

Malware Trends Tracker     >>>
Analysis date: December 18, 2018, 16:43:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
gozi
ursnif
phishing
opendir
Indicators:
MD5:

7A71FC0C92CDC331F3D7C5D36EECFC42

SHA1:

2B5804FD2AAC479FB09C5FD2D4255261C446798A

SHA256:

7C42CC61E74B4839E634D77E170AFA5E6ACD9EA55323472E8BF596EEE121B721

SSDEEP:

3:N1KaATxMTR:CaFR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • URSNIF was detected

      • iexplore.exe (PID: 3104)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 2808)

    • Changes internet zones settings

      • iexplore.exe (PID: 2808)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3104)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3104)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
32
Monitored processes
2
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start iexplore.exe #URSNIF iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2808"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3104"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2808 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Total events
409
Read events
347
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
20
Unknown types
2

Dropped files

PID
Process
Filename
Type
2808iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
2808iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3104iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\login[1].php
MD5:
SHA256:
3104iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\surf2[1].php
MD5:
SHA256:
3104iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\surf3[1].php
MD5:
SHA256:
2808iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018121820181219\index.datdat
MD5:BE3913032F1C97CBD431D3AF5EF3F570
SHA256:00196EF89BDAF6CEF2E0CC5E2E27C1F6DAA1335417683A1E0BCA669AD748457E
3104iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U2ZG9DE0\httpErrorPagesScripts[1]text
MD5:E7CA76A3C9EE0564471671D500E3F0F3
SHA256:58268CA71A28973B756A48BBD7C9DC2F6B87B62AE343E582CE067C725275B63C
3104iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\p3[1].pngimage
MD5:12333F4F57E4369557DFA9CCA265D3EE
SHA256:DC203536538391DD17F71D379226229BCA1CA893137BF4C0CF65FE123A12AE05
3104iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\p5[1].pngimage
MD5:371FADA3832E3C91B7298AA06DFA7472
SHA256:2D97C5DB86A02BE48032B7C8769CD0B8BC86F932055E60E0A26F8B04777A8989
3104iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012018121820181219\index.datdat
MD5:186DC0985E4043411CE17D97D1D2A856
SHA256:75E5BB63D51352B152A51ED9E1428A9C821B42A0A7BB4B6E31191CBCE59379B9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
11
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3104
iexplore.exe
GET
302
143.95.238.91:80
http://devmiike.com/
US
malicious
3104
iexplore.exe
GET
200
143.95.238.91:80
http://devmiike.com/images/p1.png
US
image
46.8 Kb
malicious
3104
iexplore.exe
GET
200
143.95.238.91:80
http://devmiike.com/login.php?l=_JeHFUq_VJOXK0QWHtoGYDw1774256418&fid.13InboxLight.aspxn.1774256418&fid.125289964252813InboxLight99642_Product-email&email=
US
html
1.31 Kb
malicious
3104
iexplore.exe
GET
200
143.95.238.91:80
http://devmiike.com/surf2.php?cmd=login_submit&id=3e3ad4a00b27cf30b1541beed51c3aae3e3ad4a00b27cf30b1541beed51c3aae&session=3e3ad4a00b27cf30b1541beed51c3aae3e3ad4a00b27cf30b1541beed51c3aae
US
html
1.02 Kb
malicious
2808
iexplore.exe
GET
200
143.95.238.91:80
http://devmiike.com/images/favicon.ico
US
image
6.37 Kb
malicious
3104
iexplore.exe
POST
302
143.95.238.91:80
http://devmiike.com/need1.php
US
image
4.34 Kb
malicious
2808
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
3104
iexplore.exe
GET
200
143.95.238.91:80
http://devmiike.com/images/p3.png
US
image
4.34 Kb
malicious
3104
iexplore.exe
POST
302
143.95.238.91:80
http://devmiike.com/need2.php
US
image
3.14 Kb
malicious
3104
iexplore.exe
GET
200
143.95.238.91:80
http://devmiike.com/images/p6.png
US
image
3.14 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2808
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3104
iexplore.exe
172.217.168.10:443
ajax.googleapis.com
Google Inc.
US
whitelisted
2808
iexplore.exe
143.95.238.91:80
devmiike.com
Colo4, LLC
US
suspicious
3104
iexplore.exe
69.89.31.230:443
smallenvelop.com
Unified Layer
US
suspicious
3104
iexplore.exe
143.95.238.91:80
devmiike.com
Colo4, LLC
US
suspicious
3104
iexplore.exe
54.218.100.183:443
stripe.com
Amazon.com, Inc.
US
unknown

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
devmiike.com
  • 143.95.238.91
malicious
ajax.googleapis.com
  • 172.217.168.10
  • 172.217.168.42
  • 216.58.215.234
whitelisted
smallenvelop.com
  • 69.89.31.230
whitelisted
stripe.com
  • 54.218.100.183
whitelisted

Threats

PID
Process
Class
Message
3104
iexplore.exe
A Network Trojan was detected
ET INFO Suspicious HTML Decimal Obfuscated Title - Possible Phishing Landing Apr 19 2017
3104
iexplore.exe
A Network Trojan was detected
SC PHISHING PDF/Phishing - unknown malware
3104
iexplore.exe
A Network Trojan was detected
ET INFO Suspicious HTML Decimal Obfuscated Title - Possible Phishing Landing Apr 19 2017
3104
iexplore.exe
A Network Trojan was detected
SC PHISHING PDF/Phishing - unknown malware
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://devmiike.com/