Field | Value |
---|---|
File name | Сверить данные февраль.rar |
Full analysis | https://app.any.run/tasks/53ee6083-7580-4da7-9079-2bda462c6ab6 |
Verdict | Malicious activity |
Threats | Ursnif is a banking Trojan that usually infects corporate victims. It is based on older malware but was substantially updated over the years and became quite powerful. Today Ursnif is one of the most widely spread banking Trojans in the world. |
Analysis date | February 18, 2019, 15:07:36 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/x-rar |
File info | RAR archive data, v5 |
MD5 | 38D6EAA0F4DBA8F5B935AF46266870D1 |
SHA1 | 07F7C3FD0575899328CFD0BA91E7D4DE72979778 |
SHA256 | 9072556EAFDF2C8838CCD3F8C1405F3A6F44915956835E92C363732F25B2B7AD |
SSDEEP | 6144:nb/Fg01XYflKxGU7cZ/z4kVzhPG8ha0PpLObAsjwHaxOI0q:nb/m01KlKxyZ/EkVzZRha4LRN/Ib |
Extension | Detected file type (score) |
---|---|
.rar | RAR compressed archive (v5.0) (61.5) |
.rar | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
3072 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Сверить данные февраль.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0 |
4044 | "C:\Users\admin\Desktop\Сверить данные февраль.exe" | C:\Users\admin\Desktop\Сверить данные февраль.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
3100 | rundll32.exe "C:\ProgramData\2401bf603c90\2702bc633f93.dat",DllGetClassObject root | C:\Windows\system32\rundll32.exe | — | taskeng.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
116 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | — | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3100 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\C867.tmp | — | — | — |
3100 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\bamianhhglknapgm | — | — | — |
3100 | rundll32.exe | C:\Users\admin\Desktop\Сверить данные февраль.exe | — | — | — |
3100 | rundll32.exe | C:\Users\admin\Desktop\behngdkgbffcehfd | — | — | — |
116 | explorer.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db | binary | CBE6DB144D0DB39D0895EEA949AE434D | CEFD3ACB31A08A39D20DBD7FDF37244913D31011550B0062B7F3035F6D6CF9EA |
116 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\Сверить данные февраль.rar.lnk | lnk | 9D74921FB89BA9703B4E2CA3CFA042A8 | B0042FBECF72201DA5992175886FE6D854DD6FEA82CE5106264861AF586FF2EF |
116 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\290532160612e071.automaticDestinations-ms | automaticdestinations-ms | 28430510581A3556FBA0C9DEFE0FB732 | 51FE1AAFECC03D0B7C4D514F5385265577B7FBE9C367318C14FB1DE1C6FFF5E9 |
4044 | Сверить данные февраль.exe | C:\Users\admin\AppData\Local\Temp\C867.tmp | executable | 637299B765F5790DCA95B1BF5092948C | 923E318BBB07309ED12BADBDAB53CDE98F3D2BFDE70EC27AF425319A9884C2C3 |
116 | explorer.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019021820190219\index.dat | dat | 6173DC32FAA703B8FBC794A2CFCD8F51 | 3EB9648E9256E66CFBBE8A61626C4882A3C420727A1659EDDB61090610B45DEA |
3072 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3072.49266\Сверить данные февраль.exe | executable | 76C4249BAF2F212AF01E077EFB48E0D4 | 594246B1D38DB4949CB126C9049ABFDA6103C6CC1DD7BF0C0CAC4435842ABA95 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3100 | rundll32.exe | GET | 200 | 178.62.9.171:80 | http://myip.ru/index_small.php | GB | html | 319 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3100 | rundll32.exe | 193.81.216.170:9001 | — | A1 Telekom Austria AG | AT | unknown |
3100 | rundll32.exe | 178.62.9.171:80 | myip.ru | Digital Ocean, Inc. | GB | malicious |
3100 | rundll32.exe | 145.239.1.97:443 | — | OVH SAS | DE | suspicious |
3100 | rundll32.exe | 37.48.120.47:2195 | — | LeaseWeb Netherlands B.V. | NL | suspicious |
3100 | rundll32.exe | 94.23.247.42:443 | — | OVH SAS | FR | suspicious |
3100 | rundll32.exe | 217.31.161.55:8443 | — | Bahnhof Internet AB | SE | suspicious |
3100 | rundll32.exe | 37.187.118.34:9001 | — | OVH SAS | FR | suspicious |
3100 | rundll32.exe | 198.74.57.57:443 | — | Linode, LLC | US | suspicious |
3100 | rundll32.exe | 185.80.222.105:9001 | — | UK-2 Limited | NL | suspicious |
3100 | rundll32.exe | 172.245.24.228:9001 | — | ColoCrossing | US | suspicious |
Domain | IP | Reputation |
---|---|---|
myip.ru | | unknown |
dns.msftncsi.com | | shared |
PID | Process | Class | Message |
---|---|---|---|
3100 | rundll32.exe | Potential Corporate Privacy Violation | ET POLICY myip.ru IP lookup |
3100 | rundll32.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 446 |
3100 | rundll32.exe | Misc activity | ET POLICY TLS possible TOR SSL traffic |
3100 | rundll32.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 707 |
3100 | rundll32.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 143 |
3100 | rundll32.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 354 |
3100 | rundll32.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 627 |
3100 | rundll32.exe | Misc activity | ET POLICY TLS possible TOR SSL traffic |
3100 | rundll32.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 181 |
3100 | rundll32.exe | Misc activity | ET POLICY TLS possible TOR SSL traffic |