Edit tour

Windows Analysis Report
server.exe

Overview

General Information

Sample Name:	server.exe
Analysis ID:	826072
MD5:	7936264575923f443302a9bb14688ab7
SHA1:	ea7a8b4d250529b84bfdfb80785603cee4d07bf9
SHA256:	7efe8c83ab4ba8773421d7f897a1c490214118f7924d5a45868b070cae6899dd
Tags:	agenziaentrateexegoziisfbITAmefmiseursnif
Infos:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Detected unpacking (changes PE section rights)

Malicious sample detected (through community Yara rule)

Detected unpacking (overwrites its own PE header)

Snort IDS alert for network traffic

Yara detected Ursnif

Found evasive API chain (may stop execution after checking system information)

Writes or reads registry keys via WMI

Writes registry values via WMI

Found API chain indicative of debugger detection

Machine Learning detection for sample

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Classification

Process Tree

System is w10x64

server.exe (PID: 5184 cmdline: C:\Users\user\Desktop\server.exe MD5: 7936264575923F443302A9BB14688AB7)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Gozi, Ursnif	2000 Ursnif aka Snifula2006 Gozi v1.0, Gozi CRM, CRM, Papras2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)-> 2010 Gozi Prinimalka -> Vawtrak/NeverquestIn 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed.It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula.In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.	No Attribution	http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/ https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/ https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007 https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "2cHitNE2khtX8MPowN3OuEF+nIJiRQvDS0CByWczHAmlx7InAyPYhqz4W4BdwOQhPXM+cNmTKZrjXkeaD1W/JReU+0QfnRaZLQzMkbf/6hntYeJLN9kVYaXwOSubcfndLd/IRF3zHco37HpGyfr/fx+pYcUFQUpDPSBwxpcqOgAGHU0ELflY4Wg7JTro/JzFnlTf/qZRLIK0F3z73FRQhjYYH8ldszb/+eADX8rn6ird+QrxU0NdIdel89Q7IsIw6+kcDa/Uh8s29ZPGfilEQcNwZsKPhbL1nQo8gRUU9nCXs8mGibasUhj7JSzvSDXMce/idAcO3inRDu0kAkFPSSWXYHucvOV7UqKvwvqosHo=", "c2_domain": ["checklist.skype.com", "62.173.142.51", "94.103.183.153", "193.233.175.111", "109.248.11.145", "31.41.44.106", "191.96.251.201"], "botnet": "7713", "server": "50", "serpent_key": "rqDYWFa4uPXuBFMj", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.513562635.00000000004D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000003.398058433.0000000002D28000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.398058433.0000000002D28000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1228:$a1: /C ping localhost -n %u && del "%s" 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xa9c:$a5: filename="%.4u.%lu" 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe6d:$a9: &whoami=%s 0xe56:$a10: %u.%u_%u_%u_x%u 0xd63:$a11: size=%u&hash=0x%08x 0xb1d:$a12: &uptime=%u 0x6fb:$a13: %systemroot%\system32\c_1252.nls 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.398058433.0000000002D28000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd96:$a9: Software\AppDataLow\Software\Microsoft\ 0x1ce8:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.398160949.0000000002D28000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.398160949.0000000002D28000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1228:$a1: /C ping localhost -n %u && del "%s" 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xa9c:$a5: filename="%.4u.%lu" 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe6d:$a9: &whoami=%s 0xe56:$a10: %u.%u_%u_%u_x%u 0xd63:$a11: size=%u&hash=0x%08x 0xb1d:$a12: &uptime=%u 0x6fb:$a13: %systemroot%\system32\c_1252.nls 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.398160949.0000000002D28000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd96:$a9: Software\AppDataLow\Software\Microsoft\ 0x1ce8:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.398146053.0000000002D28000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.398146053.0000000002D28000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1228:$a1: /C ping localhost -n %u && del "%s" 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xa9c:$a5: filename="%.4u.%lu" 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe6d:$a9: &whoami=%s 0xe56:$a10: %u.%u_%u_%u_x%u 0xd63:$a11: size=%u&hash=0x%08x 0xb1d:$a12: &uptime=%u 0x6fb:$a13: %systemroot%\system32\c_1252.nls 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.398146053.0000000002D28000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd96:$a9: Software\AppDataLow\Software\Microsoft\ 0x1ce8:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.398126979.0000000002D28000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.398126979.0000000002D28000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1228:$a1: /C ping localhost -n %u && del "%s" 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xa9c:$a5: filename="%.4u.%lu" 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe6d:$a9: &whoami=%s 0xe56:$a10: %u.%u_%u_%u_x%u 0xd63:$a11: size=%u&hash=0x%08x 0xb1d:$a12: &uptime=%u 0x6fb:$a13: %systemroot%\system32\c_1252.nls 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.398126979.0000000002D28000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd96:$a9: Software\AppDataLow\Software\Microsoft\ 0x1ce8:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.398008466.0000000002D28000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.398008466.0000000002D28000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1228:$a1: /C ping localhost -n %u && del "%s" 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xa9c:$a5: filename="%.4u.%lu" 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe6d:$a9: &whoami=%s 0xe56:$a10: %u.%u_%u_%u_x%u 0xd63:$a11: size=%u&hash=0x%08x 0xb1d:$a12: &uptime=%u 0x6fb:$a13: %systemroot%\system32\c_1252.nls 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.398008466.0000000002D28000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd96:$a9: Software\AppDataLow\Software\Microsoft\ 0x1ce8:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.398107803.0000000002D28000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.398107803.0000000002D28000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1228:$a1: /C ping localhost -n %u && del "%s" 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xa9c:$a5: filename="%.4u.%lu" 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe6d:$a9: &whoami=%s 0xe56:$a10: %u.%u_%u_%u_x%u 0xd63:$a11: size=%u&hash=0x%08x 0xb1d:$a12: &uptime=%u 0x6fb:$a13: %systemroot%\system32\c_1252.nls 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.398107803.0000000002D28000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd96:$a9: Software\AppDataLow\Software\Microsoft\ 0x1ce8:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000002.513904816.0000000002D28000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000002.513904816.0000000002D28000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1228:$a1: /C ping localhost -n %u && del "%s" 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xa9c:$a5: filename="%.4u.%lu" 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe6d:$a9: &whoami=%s 0xe56:$a10: %u.%u_%u_%u_x%u 0xd63:$a11: size=%u&hash=0x%08x 0xb1d:$a12: &uptime=%u 0x6fb:$a13: %systemroot%\system32\c_1252.nls 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000002.513904816.0000000002D28000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd96:$a9: Software\AppDataLow\Software\Microsoft\ 0x1ce8:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.398084556.0000000002D28000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000002.513699269.00000000005B0000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x4c3c:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000003.398084556.0000000002D28000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1228:$a1: /C ping localhost -n %u && del "%s" 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xa9c:$a5: filename="%.4u.%lu" 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe6d:$a9: &whoami=%s 0xe56:$a10: %u.%u_%u_%u_x%u 0xd63:$a11: size=%u&hash=0x%08x 0xb1d:$a12: &uptime=%u 0x6fb:$a13: %systemroot%\system32\c_1252.nls 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.398084556.0000000002D28000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd96:$a9: Software\AppDataLow\Software\Microsoft\ 0x1ce8:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.398172472.0000000002D28000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.398172472.0000000002D28000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1228:$a1: /C ping localhost -n %u && del "%s" 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xa9c:$a5: filename="%.4u.%lu" 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe6d:$a9: &whoami=%s 0xe56:$a10: %u.%u_%u_%u_x%u 0xd63:$a11: size=%u&hash=0x%08x 0xb1d:$a12: &uptime=%u 0x6fb:$a13: %systemroot%\system32\c_1252.nls 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.398172472.0000000002D28000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd96:$a9: Software\AppDataLow\Software\Microsoft\ 0x1ce8:$a9: Software\AppDataLow\Software\Microsoft\
Process Memory Space: server.exe PID: 5184	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: server.exe PID: 5184	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x54c:$a5: filename="%.4u.%lu" 0x702:$a5: filename="%.4u.%lu" 0x80a0:$a5: filename="%.4u.%lu" 0x8256:$a5: filename="%.4u.%lu" 0xff:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x7c53:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x273:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x64c:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x804:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x757b:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x765c:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x78c0:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x7dc7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x81a0:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x8358:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x1425c:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x1433d:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x144e0:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa64:$a9: &whoami=%s 0x85b8:$a9: &whoami=%s 0xa4d:$a10: %u.%u_%u_%u_x%u
Process Memory Space: server.exe PID: 5184	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x5f3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x7ab:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8147:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x82ff:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xff:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x15c:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x7c53:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x7cb0:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x518:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x6ce:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x806c:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x8222:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x8fe:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xbd7:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x8452:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x872b:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9a0:$a9: Software\AppDataLow\Software\Microsoft\ 0xc74:$a9: Software\AppDataLow\Software\Microsoft\ 0x17b6:$a9: Software\AppDataLow\Software\Microsoft\ 0x1803:$a9: Software\AppDataLow\Software\Microsoft\ 0x84f4:$a9: Software\AppDataLow\Software\Microsoft\
Click to see the 27 entries

Snort Signatures

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) - Source IP: 192.168.2.3 - Destination IP: 62.173.142.51

Timestamp:	192.168.2.362.173.142.5149702802033203 03/14/23-10:06:33.670823
SID:	2033203
Source Port:	49702
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) - Source IP: 192.168.2.3 - Destination IP: 94.103.183.153

Timestamp:	192.168.2.394.103.183.15349703802033204 03/14/23-10:06:53.891804
SID:	2033204
Source Port:	49703
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) - Source IP: 192.168.2.3 - Destination IP: 94.103.183.153

Timestamp:	192.168.2.394.103.183.15349703802033203 03/14/23-10:06:53.891804
SID:	2033203
Source Port:	49703
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: server.exe	ReversingLabs: Detection: 35%
Source: server.exe	Virustotal: Detection: 50%			Perma Link

Machine Learning detection for sample

Source: server.exe

Joe Sandbox ML: detected

Source: 0.2.server.exe.400000.0.unpack

Avira: Label: TR/Crypt.XPACK.Gen7

Source: 00000000.00000002.513562635.00000000004D0000.00000040.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: Ursnif {"RSA Public Key": "2cHitNE2khtX8MPowN3OuEF+nIJiRQvDS0CByWczHAmlx7InAyPYhqz4W4BdwOQhPXM+cNmTKZrjXkeaD1W/JReU+0QfnRaZLQzMkbf/6hntYeJLN9kVYaXwOSubcfndLd/IRF3zHco37HpGyfr/fx+pYcUFQUpDPSBwxpcqOgAGHU0ELflY4Wg7JTro/JzFnlTf/qZRLIK0F3z73FRQhjYYH8ldszb/+eADX8rn6ird+QrxU0NdIdel89Q7IsIw6+kcDa/Uh8s29ZPGfilEQcNwZsKPhbL1nQo8gRUU9nCXs8mGibasUhj7JSzvSDXMce/idAcO3inRDu0kAkFPSSWXYHucvOV7UqKvwvqosHo=", "c2_domain": ["checklist.skype.com", "62.173.142.51", "94.103.183.153", "193.233.175.111", "109.248.11.145", "31.41.44.106", "191.96.251.201"], "botnet": "7713", "server": "50", "serpent_key": "rqDYWFa4uPXuBFMj", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\server.exe

Unpacked PE file: 0.2.server.exe.400000.0.unpack

Source: server.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\server.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Networking

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
server.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Ursnif

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report server.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Ursnif

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Windows Analysis Report
server.exe