
Analysis Report fattura.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 228091
Start date: 06.05.2020
Start time: 22:04:30
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 54s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: fattura.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.bank.troj.evad.winEXE@13/49@11/2
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 6.7% (good quality ratio 6.5%)
  • Quality average: 88.4%
  • Quality standard deviation: 19.3%
HCA Information:
  • Successful, ratio: 60%
  • Number of executed functions: 34
  • Number of non-executed functions: 34
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Excluded processes from analysis (whitelisted): taskhostw.exe, dllhost.exe, ielowutil.exe, WMIADAP.exe, WmiPrvSE.exe
  • Excluded IPs from analysis (whitelisted): 92.122.253.206, 23.61.218.119, 205.185.216.42, 205.185.216.10, 152.199.19.161
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ie9comview.vo.msecnd.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, go.microsoft.com.edgekey.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, prod.fs.microsoft.com.akadns.net, cs9.wpc.v0cdn.net
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Whitelisted: false
Threat: Ursnif
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification Spiderchart

Mitre Att&ck Matrix

Techniques per tactic; a technique followed by a number is one flagged in this analysis, the others are the matrix's unmatched entries.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment
Execution: Windows Management Instrumentation 2; Execution through API 2; Graphical User Interface 1; Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception
Privilege Escalation: Process Injection 2; Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task
Defense Evasion: Masquerading 1; Software Packing 21; Virtualization/Sandbox Evasion 1; Process Injection 2; Obfuscated Files or Information 1; DLL Search Order Hijacking; Software Packing
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception
Discovery: System Time Discovery 1; Virtualization/Sandbox Evasion 1; Process Discovery 1; Account Discovery 1; System Owner/User Discovery 1; File and Directory Discovery 2; System Information Discovery 23
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection
Exfiltration: Data Encrypted 1; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel
Command and Control: Standard Cryptographic Protocol 1; Standard Non-Application Layer Protocol 1; Standard Application Layer Protocol 1; Multiband Communication; Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

Signature Overview



AV Detection:

Antivirus detection for sample
Source: fattura.exe | Avira: detection malicious, Label: HEUR/AGEN.1046879
Multi AV Scanner detection for domain / URL
Source: line.starlightgroupllc.com | Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: fattura.exe | Virustotal: Detection: 29%
Machine Learning detection for sample
Source: fattura.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.3.fattura.exe.2030000.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.fattura.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\fattura.exe | Code function: 0_2_02044D7F memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindNextFileA,StrChrA,memcpy,FindNextFileA,CompareFileTime,FindClose,HeapFree,HeapFree

Networking:

Creates a COM Internet Explorer object
Source: C:\Users\user\Desktop\fattura.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Users\user\Desktop\fattura.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Users\user\Desktop\fattura.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Users\user\Desktop\fattura.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Users\user\Desktop\fattura.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown unknown
Found strings which match to known social media urls
Source: msapplication.xml0.5.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x296bd97d,0x01d6242d</date><accdate>0x296bd97d,0x01d6242d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.5.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x296bd97d,0x01d6242d</date><accdate>0x296bd97d,0x01d6242d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.5.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x2970ea74,0x01d6242d</date><accdate>0x2970ea74,0x01d6242d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.5.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x2970ea74,0x01d6242d</date><accdate>0x297372eb,0x01d6242d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.5.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x297372eb,0x01d6242d</date><accdate>0x297372eb,0x01d6242d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.5.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x297372eb,0x01d6242d</date><accdate>0x297372eb,0x01d6242d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: mcc.avast.com
Urls found in memory or binary data
Source: ~DF54253916E05EE8EB.TMP.10.dr, {7AD13535-9020-11EA-AADD-C25F135D3C65}.dat.10.dr | String found in binary or memory: http://line.starlightgroupllc.com/images/rzvZk_2BUv_2BjvegAmlTpb/eXWjnD_2FE/V2dRn8da6wi9uP0qe/SkJSh6
Source: {6D8F8B84-9020-11EA-AADD-C25F135D3C65}.dat.8.dr | String found in binary or memory: http://mcc.avast.com/images/2r_2FEVijCauP_2F/ieXutwxUlAFFQCa/UmMTi72E38GgcN9FU1/lurm1YwsG/m6d73jZ_2B
Source: ~DFFCD4C88AA4AAB19E.TMP.5.dr, {5409C181-9020-11EA-AADD-C25F135D3C65}.dat.5.dr | String found in binary or memory: http://mcc.avast.com/images/jxl5rUegf3f_/2BPQ_2FGZZZ/Hgx4dMEw1QlEXm/foZaEZMrcVMhMm2Lsov0Y/6NYkHf5mt7
Source: {91E4FF48-9020-11EA-AADD-C25F135D3C65}.dat.12.dr | String found in binary or memory: http://mcc.avast.com/images/mPZN5rckjm4gYkmkPnZ/BTE_2BnjVYCd954lTjQqSp/dTb57ZlGmZm91/GJLP_2Fm/QEXhtT
Source: msapplication.xml.5.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.5.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.5.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.5.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.5.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.5.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.5.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.5.dr | String found in binary or memory: http://www.youtube.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.861323914.0000000002C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.861065653.0000000002C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.861490466.0000000002C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.861521209.0000000002C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.861429210.0000000002C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.860922064.0000000002C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.861164680.0000000002C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.861371346.0000000002C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: fattura.exe PID: 2284, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | same memory dumps and process memory space as listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing"

System Summary:

Writes or reads registry keys via WMI
Source: C:\Users\user\Desktop\fattura.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Users\user\Desktop\fattura.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\fattura.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\fattura.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\Desktop\fattura.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\fattura.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\fattura.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Users\user\Desktop\fattura.exe | Code function: 0_2_00401778 GetProcAddress,NtCreateSection,memset
Source: C:\Users\user\Desktop\fattura.exe | Code function: 0_2_00401FA7 NtMapViewOfSection
Source: C:\Users\user\Desktop\fattura.exe | Code function: 0_2_02041721 LdrInitializeThunk,NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Detected potential crypto function
Source: C:\Users\user\Desktop\fattura.exe | Code functions: 0_2_00412465, 0_2_0041686B, 0_2_00411478, 0_2_0041207D, 0_2_00411CAB, 0_2_00418341, 0_2_0041190D, 0_2_0041631A, 0_2_00415DC9, 0_2_004137EA, 0_2_02045393, 0_2_0204A99C
PE file contains strange resources
Source: fattura.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (8 such resources)
Classification label
Source: classification engine | Classification label: mal100.bank.troj.evad.winEXE@13/49@11/2
Creates files inside the user directory
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Creates temporary files
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF4FE0EF58019C60EA.TMP
PE file has an executable .text section and no other executable section
Source: fattura.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\fattura.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: fattura.exe | Virustotal: Detection: 29%
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\fattura.exe 'C:\Users\user\Desktop\fattura.exe'
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3980 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3480 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4444 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2896 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3980 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3480 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4444 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2896 CREDAT:17410 /prefetch:2
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\fattura.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\fattura.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\fattura.exe | Unpacked PE file: 0.2.fattura.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\fattura.exe | Unpacked PE file: 0.2.fattura.exe.400000.0.unpack
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\fattura.exe | Code function: 0_2_0204A98B push ecx; ret 0_2_0204A99B
Source: C:\Users\user\Desktop\fattura.exe | Code function: 0_2_0204A5D0 push ecx; ret 0_2_0204A5D9

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | same memory dumps and process memory space as listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing"
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\fattura.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (date check)
Source: C:\Users\user\Desktop\fattura.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\fattura.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\fattura.exe TID: 4740 | Thread sleep count: 40 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\fattura.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\fattura.exe | Code function: 0_2_02044D7F, same API chain as listed under "Spreading"
Program exit points
Source: C:\Users\user\Desktop\fattura.exe | API call chain: ExitProcess graph end node

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\fattura.exe | Code function: 0_2_0040136B LdrInitializeThunk,lstrlenW,memcpy,KiUserExceptionDispatcher,ExitThread
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\fattura.exe | Code function: 0_2_0202092B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\fattura.exe | Code function: 0_2_02020D90 mov eax, dword ptr fs:[00000030h]
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\fattura.exe | Code function: 0_2_00401B9A InitializeCriticalSection,TlsAlloc,RtlAddVectoredExceptionHandler,GetLastError
Source: C:\Users\user\Desktop\fattura.exe | Code function: 0_2_02021DEA RtlInitializeCriticalSection,TlsAlloc,RtlAddVectoredExceptionHandler,GetLastError

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: fattura.exe, 00000000.00000002.1218328729.0000000000C10000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: fattura.exe, 00000000.00000002.1218328729.0000000000C10000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: fattura.exe, 00000000.00000002.1218328729.0000000000C10000.00000002.00000001.sdmp | Binary or memory string: hProgram ManagerWE
Source: fattura.exe, 00000000.00000002.1218328729.0000000000C10000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\fattura.exe | Code function: _GetPrimaryLen,EnumSystemLocalesA,0_2_0041124B
Source: C:\Users\user\Desktop\fattura.exe | Code function: _LcidFromHexString,GetLocaleInfoA,0_2_00410E51
Source: C:\Users\user\Desktop\fattura.exe | Code function: __crtGetLocaleInfoA_stat,0_2_004158C9
Source: C:\Users\user\Desktop\fattura.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,0_2_00410EF8
Source: C:\Users\user\Desktop\fattura.exe | Code function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,__itow_s,0_2_00411287
Source: C:\Users\user\Desktop\fattura.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,___getlocaleinfo,0_2_0040F6B8
Source: C:\Users\user\Desktop\fattura.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00410D5C
Source: C:\Users\user\Desktop\fattura.exe | Code function: LdrInitializeThunk,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,0_2_00410314
Source: C:\Users\user\Desktop\fattura.exe | Code function: _LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,0_2_00411124
Source: C:\Users\user\Desktop\fattura.exe | Code function: _GetPrimaryLen,EnumSystemLocalesA,0_2_004111E4
Source: C:\Users\user\Desktop\fattura.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,___crtGetLocaleInfoA,GetLocaleInfoW,0_2_0040F39B
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\fattura.exe | Code function: 0_2_02046794 cpuid
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\fattura.exe | Code function: 0_2_0040147D GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,LdrInitializeThunk,MapViewOfFile,GetLastError,CloseHandle,GetLastError
Contains functionality to query the account / user name
Source: C:\Users\user\Desktop\fattura.exe | Code function: 0_2_02046794 GetUserNameW,GetUserNameW,HeapFree,HeapFree
Contains functionality to query windows version
Source: C:\Users\user\Desktop\fattura.exe | Code function: 0_2_00401820 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | same memory dumps and process memory space as listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing"

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match | same memory dumps and process memory space as listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing"

Malware Configuration

No configs have been found

Behavior Graph

Legend (graph icons were not preserved in this extraction; node types are): Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

Behavior Graph ID: 228091
Sample: fattura.exe
Startdate: 06/05/2020
Architecture: WINDOWS
Score: 100

Signatures on the sample node:
  • Multi AV Scanner detection for domain / URL
  • Antivirus detection for sample
  • Multi AV Scanner detection for submitted file
  • 2 other signatures

Processes started from the sample node (numbers in parentheses are the per-process counters shown on the graph, see legend):
  • fattura.exe
  • iexplore.exe (1 50)
  • iexplore.exe (2 83)
  • 2 other processes

Signatures on fattura.exe:
  • Detected unpacking (changes PE section rights)
  • Detected unpacking (overwrites its own PE header)
  • Writes or reads registry keys via WMI
  • 2 other signatures

Child processes:
  • iexplore.exe (1 50) started iexplore.exe (31)
  • iexplore.exe (2 83) started iexplore.exe (36)
  • the 2 other processes started iexplore.exe (31) and iexplore.exe (31)

DNS/IP info:
  • iexplore.exe (31), child of iexplore.exe (1 50): line.starlightgroupllc.com 5.34.183.182, port 80, ASN unknown, Ukraine; 176.123.7.112, ports 49751, 49752, 49755, ASN unknown, Moldova Republic of
  • iexplore.exe (36): mcc.avast.com
  • both iexplore.exe (31) children of the 2 other processes: mcc.avast.com

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
fattura.exe | 29% | Virustotal |
fattura.exe | 100% | Avira | HEUR/AGEN.1046879
fattura.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.3.fattura.exe.2030000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.2.fattura.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
0.1.fattura.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.0.fattura.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1046879

Domains

Source | Detection | Scanner | Label
line.starlightgroupllc.com | 6% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://www.wikipedia.com/ | 0% | Virustotal |
http://www.wikipedia.com/ | 0% | URL Reputation | safe
http://line.starlightgroupllc.com/images/rzvZk_2BUv_2BjvegAmlTpb/eXWjnD_2FE/V2dRn8da6wi9uP0qe/SkJSh6 | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author
00000000.00000003.861323914.0000000002C38000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.861065653.0000000002C38000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.861490466.0000000002C38000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.861521209.0000000002C38000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.861429210.0000000002C38000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.860922064.0000000002C38000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.861164680.0000000002C38000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.861371346.0000000002C38000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
Process Memory Space: fattura.exe PID: 2284 | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match | Associated Sample Name / URL | Detection | Context
unknown | 397 83342{DIGIT[5]).xls | malicious | 38.88.126.131
 | 397 83342{DIGIT[5]).xls | malicious | 80.249.147.185
 | Case.exe | malicious | 5.9.145.244
 | http://internetslang.com | malicious | 64.74.236.127
 | #U260e#Ufe0fVM4 May, 2020_6446-172.htm | malicious | 5.160.139.86
 | https://docs.google.com/uc?export=download&id=18WkaU3uqJjGddX0C7rySxkEUcexcKAGd | malicious | 216.58.215.225
 | 1vInNmZSuC.exe | malicious | 99.80.110.198
 | #Ud83d#Udd0a#Ud83d#Udcde +44 7912-392561 audio.htm | malicious | 172.94.114.82
 | Doc-7988.xls | malicious | 52.114.77.33
 | http://govermentbids.com/ | malicious | 162.247.242.18
 | https://disadent.com/#safety@vueling.com | malicious | 95.216.33.133
 | Your JLR_v2.1.1_apkpure.com.apk | malicious | 35.190.88.7
 | com Audio_46834.htm | malicious | 13.224.197.30
 | https://enlacegc.com/workmonde/ab/ | malicious | 192.185.87.173
 | https://centralvalleyfiredistrict-my.sharepoint.com/:o:/g/personal/cdahlhauser_centralvalleyfire_com/ErfN3NtAi9JIpOFG7kMZJAoBTifDzDUf4sQxD8R-E8l-yw?e=j0vdYs | malicious | 52.114.132.20
 | https://t.co/KyP7ybSwPV | malicious | 18.195.128.171
 | https://insights.vertrax.com/-temporary-slug-278e561b-20b5-4b0a-be9c-c148d0c330ed | malicious | 69.39.238.8
 | EmploymentVerification_177011840_05052020.vbs | malicious | 195.154.61.18
 | Nuovo Server - Servizi (172.16.0.64) - collegamento.exe | malicious | 172.16.0.64
 | http://complainceskey.com | malicious | 104.16.132.229

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.