Ursu Trojan
Threat Scorecard
EnigmaSoft Threat Scorecard
The EnigmaSoft Threat Scorecard is an assessment report on the different malware threats that our research team has collected and analyzed. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics, including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics, and they are useful to a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Popularity Rank: The ranking of a particular threat in EnigmaSoft's Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Popularity Rank: | 14,588 |
|---|---|
| Threat Level: | 90 % (High) |
| Infected Computers: | 105,065 |
| First Seen: | September 15, 2015 |
| Last Seen: | November 8, 2025 |
| OS(es) Affected: | Windows |
Ursu is a threatening Trojan horse program that intrudes into your computer without your knowledge or consent, typically by exploiting system vulnerabilities and security flaws. It can be downloaded from corrupted websites or from email attachments sent by untrusted sources. The weaponized files can be of many different types, such as .exe, .pif, .avi or even .jpg files.
Once installed, Ursu hides in the background and may perform a variety of harmful functions that give the threat actors complete control over the victim's system. The threatening capabilities of the Ursu Trojan may include deleting files, installing other malware, harvesting passwords, changing system settings and monitoring computer activity. Since Ursu has no ability to self-replicate, computer users need to take steps to protect their machines from it in order to prevent it from being installed on their computers.
How Harmful Are Threats Like the Ursu Trojan?
Trojan horse threats are malware that can be injected into, or disguised as, legitimate software or files, and they are usually spread through file sharing, downloads or email. Once on your computer, a Trojan can cause damage by disabling system functions, hijacking personal information, accessing other devices connected to the network, or providing its operators with remote access to the compromised device.
Typically, Trojans are used to give hackers access to a user's device, take control of its resources and create opportunities for further attacks, such as ransomware and data theft. In some cases, they are deployed by hackers to launch Distributed Denial-of-Service (DDoS) attacks against networks and websites. Alternatively, they can be used to install other threatening software on the PC, such as keyloggers, cryptocurrency miners and more.
How to Avoid Ursu Trojan Attacks?
Keeping all installed programs up to date helps prevent attackers from targeting security vulnerabilities. This applies not only to your operating system but also to any applications you may have, such as browsers or email clients. Regularly backing up essential data provides an easy way to restore lost data should something happen as a result of a harmful tool infiltrating your machine.
It is also important to always be careful when clicking links sent in unsolicited emails, since this tactic is frequently used by attackers in an attempt to trick users into downloading corrupted files. If you receive a suspicious email with an attachment from an unknown sender, try not to interact with it until you have managed to verify the legitimacy of its sender.
Analysis Report
General Information
| Family Name: | Trojan.Ursu.A |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.
| MD5: | 05028cb6c42afa3c0f88162fa4ed96cd |
|---|---|
| SHA1: | f89be7fece20f436fd5552e904f971b0bcde99e3 |
| SHA256: | 4505DFE008D464402C753E1C1FCF1E4EB5D1B486E52BF67FFBE525148383E6E2 |
| File Size: | 740.86 KB, 740864 bytes |
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have exports table
- File doesn't have security information
- File is 32-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.
| Name | Value |
|---|---|
| Company Name | |
| File Description | |
| File Version | |
| Internal Name | |
| Legal Copyright | |
| Original Filename | |
| Product Name | |
| Product Version | |
File Traits
- .NET
- x86
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.
| File | Attributes |
|---|---|
| c:\users\user\appdata\local\temp\ixp000.tmp\rmm41wz.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\ixp000.tmp\rmm41wz.exe | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\ixp000.tmp\sgt41kb.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\ixp000.tmp\sgt41kb.exe | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\ixp000.tmp\tmp4351$.tmp | Generic Write,Read Attributes,Delete |
| c:\users\user\appdata\local\temp\ixp001.tmp\noi55bm.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\ixp001.tmp\noi55bm.exe | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\ixp001.tmp\seb00mz.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\ixp001.tmp\seb00mz.exe | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\ixp001.tmp\tmp4351$.tmp | Generic Write,Read Attributes,Delete |
| c:\users\user\appdata\local\temp\ixp002.tmp\kyo67cp.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\ixp002.tmp\kyo67cp.exe | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\ixp002.tmp\mti66.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\ixp002.tmp\mti66.exe | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\ixp002.tmp\tmp4351$.tmp | Generic Write,Read Attributes,Delete |
Registry Modifications
This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.
| Key::Value | Data | API Name |
|---|---|---|
| HKLM\software\wow6432node\microsoft\windows\currentversion\runonce::wextract_cleanup0 | rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Ygrbwppu\AppData\Local\Temp\IXP000.TMP\" | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\windows\currentversion\runonce::wextract_cleanup1 | rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Ygrbwppu\AppData\Local\Temp\IXP001.TMP\" | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\windows\currentversion\runonce::wextract_cleanup2 | rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Ygrbwppu\AppData\Local\Temp\IXP002.TMP\" | RegNtPreCreateKey |
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.
| Category | API |
|---|---|
| Process Manipulation Evasion | |
| Process Shell Execute | |
| User Data Access | |
| Encryption Used | |
| Anti Debug | |
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.
- C:\Users\Ygrbwppu\AppData\Local\Temp\IXP000.TMP\sgt41Kb.exe
- C:\Users\Ygrbwppu\AppData\Local\Temp\IXP001.TMP\sEB00mZ.exe
- C:\Users\Ygrbwppu\AppData\Local\Temp\IXP002.TMP\kYo67Cp.exe