ursnif | 2b6fcb1b4cfb00114d2a79ae86e3406585df4ae8616e3d235c987a5100ae0ded | Triage

Analysis

max time kernel
115s
max time network
118s
platform
windows7_x64
resource
win7
submitted
11-08-2020 09:03

Sharing

Report Analysis Logs

General

Target

100000.dll
Size

50KB
MD5

15c83c1ea197eb1889921fc281bf10c3
SHA1

ef95a71fdca5820529d3dcb986ef1170e2a9fdd1
SHA256

2b6fcb1b4cfb00114d2a79ae86e3406585df4ae8616e3d235c987a5100ae0ded
SHA512

4ab0c1075246a9cb188d1e1c932df1c2b12f30032d1f6159a93bba0abea2714975916c57549a1fb2c90597c53420c09855626cbb27551364d49ef68fadd9e43e

Score

10^/10

banker trojan ursnif

Malware Config

Extracted

Family

ursnif

Botnet

4779

C2

37.10.71.42

loaidifds.club

Attributes

dga_base_url
constitution.org/usdeclar.txt
dga_crc
1.320669898e+09
dga_season
10
dga_tlds
com

ru

org
dns_servers

rsa_pubkey.base64

serpent.plain

Signatures

Ursnif, Dreambot
Ursnif is a variant of the Gozi IFSB with more capabilities.
banker trojan ursnif

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1124 wrote to memory of 1072	1124	rundll32.exe	rundll32.exe
PID 1124 wrote to memory of 1072	1124	rundll32.exe	rundll32.exe
PID 1124 wrote to memory of 1072	1124	rundll32.exe	rundll32.exe
PID 1124 wrote to memory of 1072	1124	rundll32.exe	rundll32.exe
PID 1124 wrote to memory of 1072	1124	rundll32.exe	rundll32.exe
PID 1124 wrote to memory of 1072	1124	rundll32.exe	rundll32.exe
PID 1124 wrote to memory of 1072	1124	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\100000.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\100000.dll,#1
  2⤵
  PID:1072

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1072-0-0x0000000000000000-mapping.dmp

Download
memory/1072-1-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download