Overview

overview

10

Static

static

CaseExport35869.xls

windows7_x64

10

CaseExport35869.xls

windows10_x64

6

Sharing

Copy URL
Twitter E-mail

General

  • Target

    CaseExport35869.xls

  • Size

    720KB

  • Sample

    200526-ngd29jpchn

  • MD5

    4e01760bab19474560ebc97b9fa1c651

  • SHA1

    379f02d85cf7ec50decc934d61cb8140789ddfe6

  • SHA256

    128503f4b0e1174d03d89fcac4cf6991dda494f10d748157daa90ed0a032fd4e

  • SHA512

    680d9f1c2d26000a3a8702312248ba9d725ff6f3044af188462cc48ae8489175a685814d3f04f163049c537984d2c19703ef13c70be9f0fa0338f69d43b2692d

Score
10/10
ursnif_rm3bankerevasionspywaretrojan

Malware Config

Targets

    • Target

      CaseExport35869.xls

    • Size

      720KB

    • MD5

      4e01760bab19474560ebc97b9fa1c651

    • SHA1

      379f02d85cf7ec50decc934d61cb8140789ddfe6

    • SHA256

      128503f4b0e1174d03d89fcac4cf6991dda494f10d748157daa90ed0a032fd4e

    • SHA512

      680d9f1c2d26000a3a8702312248ba9d725ff6f3044af188462cc48ae8489175a685814d3f04f163049c537984d2c19703ef13c70be9f0fa0338f69d43b2692d

    Score
    10/10
    evasionspywaretrojanbankerursnif_rm3

    • Ursnif RM3

      A heavily modified version of Ursnif discovered in the wild.

      bankertrojanursnif_rm3

    • Executes dropped EXE

    • Modifies system certificate store

      evasionspywaretrojan

    • Process spawned suspicious child process

      This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks