
Windows Analysis Report
d2ef5.exe

Overview

General Information

Sample Name:d2ef5.exe
Analysis ID:730728
MD5:1d8a445bef0c0d4a7ec519f06c23224a
SHA1:7dd349b8664ec7dbe769da64e1b324ae091a29e2
SHA256:e807c46ba7cd53bf6900d1a8f32baba9a118410483faa68d51b233de738483e3
Tags:exe

Detection

Ursnif
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Yara detected Ursnif
Found evasive API chain (may stop execution after checking system information)
Writes or reads registry keys via WMI
Writes registry values via WMI
Found API chain indicative of debugger detection
Machine Learning detection for sample
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
Uses a known web browser user agent for HTTP communication
Internet Provider seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware

Classification

  • System is w10x64
  • d2ef5.exe (PID: 4684 cmdline: C:\Users\user\Desktop\d2ef5.exe MD5: 1D8A445BEF0C0D4A7EC519F06C23224A)
  • cleanup
Malware Configuration

{
  "RSA Public Key": "GM4Kf/Z6rOnx7ZeOHNCGqGU1EYR+rHVcPFJfnB66sRxq8TdAtJ8I/FA73jILYN/O7GBQZXfAayteZ+p+Oku4j4TsVhRTMO69ts5LXnUBL3YpRQLuom+BvNzXjhoKt16kcxpwisrVl8sSl78o2iV+WuT7m9YMZQozEdttRTBIHJpzQtPr0h5BHHk+OiA9EQSDmlX7UvBgY8bViZ8LVgRE2j8GEgfNQW2WNlu1n810ZdnxshlFew+L2+9Be0oR+u+GXheI+qCLyYBkG5dNS0/RoFfmz5khmlLokQND0e2gq8+13HHHxrou4IGiYjMoDNLBLxynxiy1GeKRmyNpR0hR7RNZZpmu8ADCXrY93ygL4yQ=",
  "c2_domain": [
    "trackingg-protectioon.cdn1.mozilla.net",
    "siwdmfkshsgw.com",
    "trackingg-protectioon.cdn1.mozilla.net",
    "188.127.224.114",
    "weiqeqwns.com",
    "weiqeqwens.com",
    "weiqewqwns.com",
    "iujdhsndjfks.com",
    "ijduwhsbvk.com"
  ],
  "botnet": "10103",
  "server": "50",
  "serpent_key": "9wGFk6w5pVKRz0Hz",
  "sleep_time": "1",
  "CONF_TIMEOUT": "20",
  "SetWaitableTimer_value": "0"
}
Yara matches in memory dumps (Source | Rule | Description | Author | Strings)

Source: 00000000.00000003.441282479.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Ursnif | Description: Yara detected Ursnif | Author: Joe Security
Source: 00000000.00000003.441282479.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | Rule: Windows_Trojan_Gozi_fd494041 | Description: unknown | Author: unknown
    • 0xff0:$a1: /C ping localhost -n %u && del "%s"
    • 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
    • 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
    • 0xca8:$a5: filename="%.4u.%lu"
    • 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
    • 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X
    • 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X
    • 0xe72:$a9: &whoami=%s
    • 0xe5a:$a10: %u.%u_%u_%u_x%u
    • 0xc22:$a11: size=%u&hash=0x%08x
    • 0xc13:$a12: &uptime=%u
    • 0xda7:$a13: %systemroot%\system32\c_1252.nls
    • 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
Source: 00000000.00000003.441282479.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | Rule: Windows_Trojan_Gozi_261f5ac5 | Description: unknown | Author: unknown
    • 0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
    • 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
    • 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
    • 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
    • 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\
    • 0x1868:$a9: Software\AppDataLow\Software\Microsoft\
Source: 00000000.00000003.441258936.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Ursnif | Description: Yara detected Ursnif | Author: Joe Security
Source: 00000000.00000003.441258936.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | Rule: Windows_Trojan_Gozi_fd494041 | Description: unknown | Author: unknown
      • 0xff0:$a1: /C ping localhost -n %u && del "%s"
      • 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
      • 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
      • 0xca8:$a5: filename="%.4u.%lu"
      • 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
      • 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X
      • 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X
      • 0xe72:$a9: &whoami=%s
      • 0xe5a:$a10: %u.%u_%u_%u_x%u
      • 0xc22:$a11: size=%u&hash=0x%08x
      • 0xc13:$a12: &uptime=%u
      • 0xda7:$a13: %systemroot%\system32\c_1252.nls
      • 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
(26 further memory-dump entries not shown)

Yara matches in unpacked PEs (Source | Rule | Description | Author)

Source: 0.2.d2ef5.exe.420000.1.unpack | Rule: JoeSecurity_Ursnif_1 | Description: Yara detected Ursnif | Author: Joe Security
Source: 0.2.d2ef5.exe.10194a0.2.raw.unpack | Rule: JoeSecurity_Ursnif_1 | Description: Yara detected Ursnif | Author: Joe Security
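The Windows_Trojan_Gozi rows above are produced by searching a memory region for the literal format strings and reporting each hit as offset:$identifier. The following added example (not code from the Joe Sandbox report or from any Yara rule author) does the same scan in Python over a constructed stand-in for the .sdmp region, and then reuses the three cmd.exe chain strings ($a1-$a3) as regexes over constructed Sysmon-style command lines, which is how the same indicators can be caught at runtime once the placeholders are filled in. The string table is copied from the rows above; the dump contents, offsets and command lines are constructed sample input.

```python
"""Added example, not part of the Joe Sandbox report: scan a memory dump for
the Gozi/Ursnif format strings listed in the report, then match the cmd.exe
chain strings against process command lines. All sample input is constructed."""
import re

# Literal strings as listed in the Windows_Trojan_Gozi_fd494041 rows above.
# The printf-style placeholders (%u, %s, %S, %08x ...) are filled in by the
# malware at runtime, so in a dump they appear exactly like this.
GOZI_STRINGS = {
    "$a1": '/C ping localhost -n %u && del "%s"',
    "$a2": '/C "copy "%s" "%s" /y && "%s" "%s"',
    "$a3": '/C "copy "%s" "%s" /y && rundll32 "%s",%S"',
    "$a7": "version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s",
    "$a8": "%08X-%04X-%04X-%04X-%08X%04X",
    "$a9": "&whoami=%s",
    "$a12": "&uptime=%u",
    "$a13": r"%systemroot%\system32\c_1252.nls",
}


def scan_dump(buf: bytes, strings=GOZI_STRINGS):
    """Return {identifier: [offsets]} for every literal found in buf, i.e. the
    information the report's 0xOFFSET:$id rows carry."""
    hits = {}
    for ident, s in strings.items():
        needle = s.encode("latin-1")
        offs, start = [], 0
        while (i := buf.find(needle, start)) != -1:
            offs.append(i)
            start = i + 1
        if offs:
            hits[ident] = offs
    return hits


def is_gozi_like(hits, threshold=3):
    """Treat the region as Gozi-like once several distinct strings co-occur;
    a single hit (e.g. a lone GUID format) is too weak on its own."""
    return len(hits) >= threshold


# One printf conversion: optional precision/width, optional 'l', then the type.
# Only applied to the cmd.exe strings: "%systemroot%" in $a13 contains "%s"
# and would be mangled, so that string is never passed through here.
_FMT = re.compile(r"%\.?\d*l?[udxXsS]")


def fmt_to_regex(fmt: str) -> re.Pattern:
    """Turn a printf-style format string into a regex: numeric conversions
    become digit/hex runs, string conversions become a run without quotes."""
    out, pos = [], 0
    for m in _FMT.finditer(fmt):
        out.append(re.escape(fmt[pos:m.start()]))
        conv = m.group()[-1]
        if conv in "xX":
            out.append(r"[0-9A-Fa-f]+")
        elif conv in "ud":
            out.append(r"\d+")
        else:
            out.append(r'[^"]+')
        pos = m.end()
    out.append(re.escape(fmt[pos:]))
    return re.compile("".join(out), re.IGNORECASE)


CMD_PATTERNS = {k: fmt_to_regex(GOZI_STRINGS[k]) for k in ("$a1", "$a2", "$a3")}


def flag_cmdlines(lines, patterns=CMD_PATTERNS):
    """Return [(identifier, command line)] for lines matching a Gozi cmd chain."""
    flagged = []
    for line in lines:
        for ident, rx in patterns.items():
            if rx.search(line):
                flagged.append((ident, line))
                break
    return flagged


def build_sample_dump() -> bytes:
    """Constructed stand-in for the .sdmp region: zero padding with three of
    the strings placed at chosen offsets (not the report's real offsets)."""
    buf = bytearray(0x1000)
    for off, key in ((0x120, "$a1"), (0x400, "$a7"), (0x7C0, "$a13")):
        s = GOZI_STRINGS[key].encode("latin-1")
        buf[off:off + len(s)] = s
    return bytes(buf)


# Constructed Sysmon-style command lines (hypothetical paths).
SAMPLE_CMDLINES = [
    'cmd.exe /C ping localhost -n 3 && del "C:\\Users\\user\\Desktop\\d2ef5.exe"',
    'cmd.exe /C "copy "C:\\Temp\\a1.bin" "C:\\ProgramData\\x.dll" /y && '
    'rundll32 "C:\\ProgramData\\x.dll",DllRegisterServer"',
    "ping localhost -n 4",
    "cmd.exe /C copy C:\\a.txt D:\\b.txt /y",
]

if __name__ == "__main__":
    for ident, offs in scan_dump(build_sample_dump()).items():
        print(ident, [hex(o) for o in offs], GOZI_STRINGS[ident])
    for ident, line in flag_cmdlines(SAMPLE_CMDLINES):
        print(ident, line)
```

The offset scan is deliberately naive (plain substring search over the whole region) so that it mirrors what the report rows mean; a real Yara rule adds the condition logic that is_gozi_like only sketches. The command-line regexes are the more useful half for detection engineering: the ping-then-del chain and the copy-then-rundll32 chain both show up verbatim in process-creation telemetry, where the Yara strings do not.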
          No Sigma rule has matched
Snort IDS alerts

Timestamp: 10/26/22-08:31:08.563638
Source IP: 192.168.2.4
Destination IP: 194.58.112.174
SID: 2033203
Source Port: 49695
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 10/26/22-08:31:08.563638
Source IP: 192.168.2.4
Destination IP: 194.58.112.174
SID: 2033204
Source Port: 49695
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected


          AV Detection

Source: d2ef5.exe | Avira: detected
Source: d2ef5.exe | ReversingLabs: Detection: 88%
Source: d2ef5.exe | Joe Sandbox ML: detected
Source: 0.2.d2ef5.exe.400000.0.unpack | Avira: Label: TR/Crypt