ursnif | e9b8536f66aa5222f1979fea40b25b83f2acb487a0ab61a76378a2128efc0420

Analysis

Target

0pz1on1.dll
Size

539KB
MD5

3bd94cd9d5af80967956a0c2789bf180
SHA1

7d0b946bfa133ec9c10cb1cca0007139597b2011
SHA256

e9b8536f66aa5222f1979fea40b25b83f2acb487a0ab61a76378a2128efc0420
SHA512

610e44c03c8a7ec8a59825a32ec349576474abd4888aed3efcf89799c020b53d89d4ab0309aa78452bbdf9f7b2fe463c312d8c18e2901d8335c4df02df73cddc

Score

10^/10

Family

ursnif

Attributes

Ursnif, Dreambot
Ursnif is a variant of the Gozi IFSB with more capabilities.
banker trojan ursnif

Program crash 1 IoCs

pid	pid_target	Process	procid_target
200	3880	WerFault.exe	69

Suspicious behavior: EnumeratesProcesses 15 IoCs

Suspicious use of AdjustPrivilegeToken 3 IoCs

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 3880	2868	rundll32.exe	69
PID 2868 wrote to memory of 3880	2868	rundll32.exe	69
PID 2868 wrote to memory of 3880	2868	rundll32.exe	69

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0pz1on1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0pz1on1.dll,#1
  2⤵
  PID:3880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 612
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:200

memory/200-1-0x00000000042D0000-0x00000000042D1000-memory.dmp

Filesize
4KB

Download
memory/200-6-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download