File name: presentation_a7h.js
Full analysis: https://app.any.run/tasks/9a19a48a-733d-4903-b0ee-4a47103016e8
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: March 30, 2020, 20:07:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, gozi, ursnif
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with no line terminators
MD5: 0311F049BFA8CC21457677C4C2F46324
SHA1: CA844EDD616A4B2E10819DB9076CE49A9D0E038A
SHA256: C6F5AAB1EC2F0DD6B44002D6D462C0B49E98AF597061DBE71667AEAABF9AA714
SSDEEP: 12288:7dtxOCb+3xOCb+0xOCb+ixOCb+JxOCb+XxOCb+zxOCb+2xOC0U:0CbBCbsCb6CbbCblCbDCbICr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Registers / Runs the DLL via REGSVR32.EXE
      • WScript.exe (PID: 2192)
    • URSNIF was detected
      • iexplore.exe (PID: 1440)
    • Connects to CnC server
      • iexplore.exe (PID: 1440)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WScript.exe (PID: 2192)
    • Executed via COM
      • iexplore.exe (PID: 4068)
  • INFO
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 4068)
      • iexplore.exe (PID: 1440)
    • Reads Internet Explorer settings
      • iexplore.exe (PID: 1440)
    • Changes Internet zones settings
      • iexplore.exe (PID: 4068)
No Malware configuration.
No data.
Total processes: 38
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Process nodes shown in the graph (the interactive version is in the full report): start, wscript.exe, regsvr32.exe (no specs), iexplore.exe (no specs), iexplore.exe (#URSNIF).

Process information

PID: 2192
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\presentation_a7h.js"
Path: C:\Windows\System32\WScript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID: 3768
CMD: "C:\Windows\System32\regsvr32.exe" -s C:\Users\admin\AppData\Local\Temp\\wGJ.txt
Path: C:\Windows\System32\regsvr32.exe
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft(C) Register Server
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 4068
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 1440
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:4068 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Total events: 313
Read events: 273
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 1
Suspicious files: 1
Text files: 9
Unknown types: 1

Dropped files

PID 4068, iexplore.exe: C:\Users\admin\AppData\Local\Temp\~DF81CD49A52B34FC59.TMP (type not reported)
  MD5:
  SHA256:
PID 2192, WScript.exe: C:\Users\admin\AppData\Local\Temp\ibAnR.udmPulo (text)
  MD5: 336C52BF61E90D8E210DAC19210D2E73
  SHA256: 554413BC0A825EFF35077C59F4EBE6C64A5CA3261676B00693BA7515FD3878E6
PID 1440, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\errorPageStrings[1] (text)
  MD5: E3E4A98353F119B80B323302F26B78FA
  SHA256: 9466D620DC57835A2475F8F71E304F54AEE7160E134BA160BAAE0F19E5E71E66
PID 1440, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT (smt)
  MD5: 9C79052CD4702AB47E3269B42E873AC7
  SHA256: 27174FF21A72F50A2731A7454133B29C2397AA53ABD8848C6FED36A36F0E25EE
PID 4068, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{271BF24D-72C2-11EA-972D-5254004A04AF}.dat (binary)
  MD5: 7B8E18530A20A1D4B3B149ED21AB10E4
  SHA256: 16864E2E95183B6EB1AF6461E0759B4A8EB753B3676078ABC8D8676DDA252959
PID 1440, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\bullet[1] (image)
  MD5: 26F971D87CA00E23BD2D064524AEF838
  SHA256: 1D8E5FD3C1FD384C0A7507E7283C7FE8F65015E521B84569132A7EABEDC9D41D
PID 1440, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\info_48[1] (image)
  MD5: 5565250FCC163AA3A79F0B746416CE69
  SHA256: 51129C6C98A82EA491F89857C31146ECEC14C4AF184517450A7A20C699C84859
PID 1440, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\httpErrorPagesScripts[1] (text)
  MD5: 3F57B781CB3EF114DD0B665151571B7B
  SHA256: 46E019FA34465F4ED096A9665D1827B54553931AD82E98BE01EDB1DDBC94D3AD
PID 1440, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\down[1] (image)
  MD5: C4F558C4C8B56858F15C09037CD6625A
  SHA256: 39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
PID 1440, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\http_404[1] (html)
  MD5: F65C729DC2D457B7A1093813F1253192
  SHA256: B82BFB6FA37FD5D56AC7C00536F150C0F244C81F1FC2D4FEFBBDC5E175C71B4F
HTTP(S) requests: 1
TCP/UDP connections: 2
DNS requests: 1
Threats: 0

HTTP requests

PID: 1440
Process: iexplore.exe
Method: GET
HTTP Code: 404
IP: 84.38.180.166:80
URL: http://f1.pipen.at/api1/33h7WsMwrA13uOB3fRqX2/vv7cz0eeFZEdP03j/mIuaLh_2BHyKAa7/3E_2B3Yf6ENXMn10WF/oQoxtPpdM/acfk9wtXtUbqIcZfrzKM/iYb5GqI17jE8IustaKw/cUZVs4la7tCE9uFtZFhz4K/ws55ErvsqlTEh/U6kQaQlc/K75IWcUPvGBEkxdCnV6orRR/ka6F1QDgaR/NqDoeSGSlE2dbKezc/EPQDkoxPlihY/iBtNLLXYV0W/h12SoU3taEPXdt/vRcnPqNO_0A_0D1Zj_2B7/BTYz1gLNExxvt6TEV/JzZV
CN: RU
Type: html
Size: 106 b
Reputation: malicious

Connections

PID: 1440
Process: iexplore.exe
IP: 84.38.180.166:80
Domain: f1.pipen.at
ASN: Private higher education institution autonomous nonprofit organisation 'Regional Finance and
CN: RU
Reputation: malicious

DNS requests

Domain: f1.pipen.at
IP: 84.38.180.166
Reputation: unknown

Threats

1 ETPRO signature is available in the full report.
No debug info