ursnif_rm3 | b8594ea62b588184f05048607c66ee5ea865673f0cf7e49af7a01c10480c09b9 | Triage

Submit
Reports

Overview

overview

Static

static

SATURN_RANSOM.bin.exe

windows7_x64

SATURN_RANSOM.bin.exe

windows10_x64

9

Sharing

General

Target

SATURN_RANSOM.bin.zip
Size

182KB
Sample

201104-vr68hlnnma
MD5

07541d47dce37ec062ee611e8c3e8a53
SHA1

2142e5b6192527ad9ea89e6b1f7c3487849f05c4
SHA256

b8594ea62b588184f05048607c66ee5ea865673f0cf7e49af7a01c10480c09b9
SHA512

aba7f0195a3878526b581f0b70fdb17c38c1c762c114ff6be0cdcc2d7e0d567be13c7d836b6983d1d3fe445a1b0307a1f0dcee6293c923758a8f2cc819bab54d

Score

10^/10

ursnif_rm3 banker evasion persistence ransomware spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

SATURN_RANSOM.bin.exe

Resource

win7v20201028

ursnif_rm3 banker evasion persistence ransomware spyware trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

SATURN_RANSOM.bin.exe

Resource

win10v20201028

evasion persistence ransomware spyware

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  SATURN_RANSOM.bin
- Size
  
  338KB
- MD5
  
  bbd4c2d2c72648c8f871b36261be23fd
- SHA1
  
  77c525e6b8a5760823ad6036e60b3fa244db8e42
- SHA256
  
  9e87f069de22ceac029a4ac56e6305d2df54227e6b0f0b3ecad52a01fbade021
- SHA512
  
  38f2ff3b7ff6faa63ef0a3200e0dbb9e48e1d404a065f6919cb6d245699479896a42316f299c33c8cc068922934c64f8aa06c88b000d1676870c1d0c0f18e14a
Score

10^/10

ursnif_rm3 banker evasion persistence ransomware spyware trojan
- Ursnif RM3
  A heavily modified version of Ursnif discovered in the wild.
  banker trojan ursnif_rm3
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Enumerates VirtualBox registry keys
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Modifies service
  persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

File Deletion

Virtualization/Sandbox Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Inhibit System Recovery

Defacement

Tasks

static1

behavioral1

ursnif_rm3bankerevasionpersistenceransomwarespywaretrojan

behavioral2

evasionpersistenceransomwarespyware

© 2018-2024

Terms | Privacy