ursnif | 1963d310983cb5e188c7e293f1beb638d035a0abef3aea105885d280c0a65090

Analysis

Target

Cherokee.dll
Size

556KB
MD5

51303064fdcc6f69898e9f20ed0dde74
SHA1

456fead88c60451a31fc8b6345842a18c5b9fbc8
SHA256

1963d310983cb5e188c7e293f1beb638d035a0abef3aea105885d280c0a65090
SHA512

6f0cfd7c77a0b3f9f660465ffec4b928a14fa0e0e66a2d27f73592ee8f78ab73336f0173f4670a97abf39b83812ea9dddee5c332fb9ae28c09dd84cd9f8c161c

Score

10^/10

Family

ursnif

Attributes

Ursnif, Dreambot
Ursnif is a variant of the Gozi IFSB with more capabilities.
banker trojan ursnif

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2192	1076	WerFault.exe	69

Suspicious behavior: EnumeratesProcesses 14 IoCs

Suspicious use of AdjustPrivilegeToken 3 IoCs

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 1076	912	rundll32.exe	69
PID 912 wrote to memory of 1076	912	rundll32.exe	69
PID 912 wrote to memory of 1076	912	rundll32.exe	69

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Cherokee.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:912
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\Cherokee.dll,#1
  2⤵
  PID:1076
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 624
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2192

memory/1076-1-0x0000000003310000-0x0000000003320000-memory.dmp

Filesize
64KB

Download
memory/2192-2-0x00000000042B0000-0x00000000042B1000-memory.dmp

Filesize
4KB

Download
memory/2192-7-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download