Categories: Malware

What is “Ursnif.15”?

Ursnif.15 is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.


What can the Ursnif.15 virus do?

  • Behavioural detection: Executable code extraction – unpacking
  • At least one process apparently crashed during execution
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • CAPE extracted potentially suspicious content
  • The binary likely contains encrypted or compressed data.
  • Authenticode signature is invalid

How to identify Ursnif.15?

File Info:

name: 6D53D4E8E461F40E5C53.mlw
path: /opt/CAPEv2/storage/binaries/7596c87021a1dbf2239483bf2b5a2d819ccd68925df5c83753dc8a4555c1355a
crc32: 7BE8F128
md5: 6d53d4e8e461f40e5c53b10d8305e31a
sha1: 4b215729752a84bd2282285857e861c9b3da0e5b
sha256: 7596c87021a1dbf2239483bf2b5a2d819ccd68925df5c83753dc8a4555c1355a
sha512: d933cd5cdb24b62920f6b337ba282f8c6fd4e75412b5d386e4c8ac1d367f62b07fcb346a6faf58c1e963f8d289b45557db00c0f2f108cfe23cf31cb7f25e7988
ssdeep: 12288:5mDN+kMvxoIXdEQaPqF8a7tkwUcgZiL9444qM5:3kMv2IXB5F2wU7ZiLlM5
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T192C423777194AD86F7EB85702EABD762B6A52E2F7BEF580DD0580D0042A2D7F0503B21
sha3_384: dd3f28a8e197f42fafb9d02ccc7c2badf4169ce45f72acc10a3c3adb98093207521f34cd5a7aedbcc43c955401aa4036
ep_bytes: 550ff6c98bec0ff6c881ec700200000f
timestamp: 1970-01-01 00:00:00

Version Info:

CompanyName: Heaventools Software
FileDescription: PE Explorer
FileVersion: 1.99.5.1333
InternalName: PE Explorer
LegalCopyright: Copyright © 2000-2008 Heaventools Software
LegalTrademarks: PE Explorer is a trademark of Heaventools Software
OriginalFilename: pexplorer.exe
ProductName: PE Explorer
ProductVersion: 1.99.5.1333
Comments:
Translation: 0x0000 0x04e3

Ursnif.15 is also known as (vendor, detection name):

Bkav W32.AIDetect.malware1
Lionic Hacktool.Win32.Krap.x!c
MicroWorld-eScan Gen:Variant.Ursnif.15
ALYac Gen:Variant.Ursnif.15
Cylance Unsafe
Sangfor Suspicious.Win32.Save.a
K7AntiVirus Trojan ( 0056ebad1 )
Alibaba TrojanSpy:Win32/FakeAV.2a24d852
K7GW Trojan ( 0056ebad1 )
Cybereason malicious.8e461f
VirIT Trojan.Win32.Zbot.ZJE
Cyren W32/Trojan.UQMX-1002
Elastic malicious (high confidence)
ESET-NOD32 Win32/Spy.Zbot.UN
APEX Malicious
Paloalto generic.ml
ClamAV Win.Trojan.Zbot-29628
Kaspersky Packed.Win32.Krap.ao
BitDefender Gen:Variant.Ursnif.15
NANO-Antivirus Trojan.Win32.MLW.bciaeh
Tencent Win32.Packed.Krap.Wqnb
Ad-Aware Gen:Variant.Ursnif.15
Emsisoft Gen:Variant.Ursnif.15 (B)
F-Secure Trojan.TR/Dropper.Gen
DrWeb Trojan.PWS.Panda.122
Zillya Trojan.Zbot.Win32.4466
TrendMicro TROJ_BREDLAB.SMI
McAfee-GW-Edition BehavesLike.Win32.Generic.hc
Trapmine malicious.high.ml.score
FireEye Generic.mg.6d53d4e8e461f40e
Sophos Mal/Generic-R + Mal/FakeAV-AX
Ikarus Trojan.Win32.Crypt
Jiangmin TrojanSpy.Zbot.obu
Avira TR/Dropper.Gen
Microsoft Trojan:Win32/Zbot.UR!MTB
Arcabit Trojan.Ursnif.15
ZoneAlarm Packed.Win32.Krap.ao
GData Gen:Variant.Ursnif.15
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Bredolab.R7538
Acronis suspicious
McAfee GenericRXIZ-SP!6D53D4E8E461
MAX malware (ai score=82)
VBA32 Packed.Krap
Malwarebytes Trojan.Injector
TrendMicro-HouseCall TROJ_BREDLAB.SMI
Rising Trojan.Generic@AI.100 (RDML:XRyNEtVUJRiej9s1xqlsUQ)
Yandex TrojanSpy.Zbot!104is0/Cebw
SentinelOne Static AI – Malicious PE
Fortinet W32/Zbot.UN!tr
BitDefenderTheta Gen:NN.ZexaF.34712.Jq3@aSovPrei
AVG Win32:Zbot-LWC [Trj]
Avast Win32:Zbot-LWC [Trj]
CrowdStrike win/malicious_confidence_100% (W)

How to remove Ursnif.15?

  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • “Move to quarantine” all items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the proper browser and options, then click “Reset”.
  • Restart your computer.

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.
