Source: server.exe |
ReversingLabs: Detection: 12% |
Source: 0.2.server.exe.2190174.1.unpack |
Avira: Label: TR/Kazy.4159236 |
Source: 0.2.server.exe.400000.0.unpack |
Avira: Label: TR/Crypt.XPACK.Gen7 |
Source: 00000000.00000002.569302533.0000000002190000.00000040.00001000.00020000.00000000.sdmp |
Malware Configuration Extractor: Ursnif {
  "RSA Public Key": "2cHitNE2khtX8MPowN3OuEF+nIJiRQvDS0CByWczHAmlx7InAyPYhqz4W4BdwOQhPXM+cNmTKZrjXkeaD1W/JReU+0QfnRaZLQzMkbf/6hntYeJLN9kVYaXwOSubcfndLd/IRF3zHco37HpGyfr/fx+pYcUFQUpDPSBwxpcqOgAGHU0ELflY4Wg7JTro/JzFnlTf/qZRLIK0F3z73FRQhjYYH8ldszb/+eADX8rn6ird+QrxU0NdIdel89Q7IsIw6+kcDa/Uh8s29ZPGfilEQcNwZsKPhbL1nQo8gRUU9nCXs8mGibasUhj7JSzvSDXMce/idAcO3inRDu0kAkFPSSWXYHucvOV7UqKvwvqosHo=",
  "c2_domain": ["checklist.skype.com", "62.173.142.51", "94.103.183.153", "193.233.175.111", "109.248.11.145", "31.41.44.106", "191.96.251.201"],
  "botnet": "7713",
  "server": "50",
  "serpent_key": "rqDYWFa4uPXuBFMj",
  "sleep_time": "1",
  "CONF_TIMEOUT": "20",
  "SetWaitableTimer_value": "0"
} |
Source: C:\Users\user\Desktop\server.exe |
Code function: 0_2_02BD1508 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, |
0_2_02BD1508 |
Source: C:\Users\user\Desktop\server.exe |
Unpacked PE file: 0.2.server.exe.400000.0.unpack |
Source: server.exe |
Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI |
Source: Traffic |
Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49685 -> 62.173.142.51:80 |
Source: global traffic |
HTTP traffic detected:
GET /drew/HAyCvnAuEOt2F7C/qtqWyxm4JAodLmr2fA/5rIXi6c7a/A8VZuoBaw9m9tdhD88nR/7GG7oRWMVub4oY7_2BO/OtqOu0B56I1LS_2FdHx85_/2FJqjErmgnBnc/fR5wyLVd/zR03KdsDmrJhOpNTELG8Ap7/tRbeA0rm1D/Ahqeb_2B_2Fx66NAH/sAJz2fkfv30m/_2B2yXv1C0u/OTAlb_2Bjz3Xu9/n7nMr5QIveWoLOKJgWpZZ/FZTPBpvOXNqs9vrA/ayBpSg1Jbp3hq/vUJdeVU7/u.jlk HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: 62.173.142.51
Connection: Keep-Alive
Cache-Control: no-cache |
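The beacon above, the Snort hit and the extracted config together describe the Ursnif request format: the request data is encrypted (the config's serpent_key field names the cipher), base64-encoded, percent-encoded with '%' replaced by '_' (so '+' becomes '_2B' and '/' becomes '_2F', which is the "_2B" structure the ET signature is named after), broken up with '/' separators, and wrapped in a directory prefix and a fake file extension. The following Python is an added example, not part of the sandbox report or of the malware: it recovers the ciphertext bytes from the captured path and applies a heuristic that flags requests shaped like this one. The heuristic is inspired by the ET signature hit but does not reproduce that rule's actual content; the user-agent check relies on the fact that MSIE 8.0 never shipped on Windows NT 10.0. Decrypting the recovered bytes would need a Serpent implementation, which the standard library does not provide, so the example stops at the ciphertext and checks only that it is a whole number of 16-byte blocks.

```python
import base64
import re

# Request path and User-Agent captured by the sandbox (copied from the report above).
SAMPLE_PATH = ("/drew/HAyCvnAuEOt2F7C/qtqWyxm4JAodLmr2fA/5rIXi6c7a/A8VZuoBaw9m9tdhD88nR/"
               "7GG7oRWMVub4oY7_2BO/OtqOu0B56I1LS_2FdHx85_/2FJqjErmgnBnc/fR5wyLVd/"
               "zR03KdsDmrJhOpNTELG8Ap7/tRbeA0rm1D/Ahqeb_2B_2Fx66NAH/sAJz2fkfv30m/"
               "_2B2yXv1C0u/OTAlb_2Bjz3Xu9/n7nMr5QIveWoLOKJgWpZZ/FZTPBpvOXNqs9vrA/"
               "ayBpSg1Jbp3hq/vUJdeVU7/u.jlk")
SAMPLE_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)"

# Shape of the path: /<dir>/<base64 with '/' inserted and '_XX' escapes>.<ext>
BEACON_PATH_RE = re.compile(r"^/[A-Za-z0-9]+(?:/[A-Za-z0-9_]+){4,}\.[a-z]{2,4}$")
# A client claiming IE 5-9 on Windows NT 10.0 is not a real browser (heuristic).
UA_MISMATCH_RE = re.compile(r"MSIE [5-9]\.\d.*Windows NT 10\.0")


def recover_ciphertext(path: str) -> bytes:
    """Undo the URI transform and return the encrypted request payload.

    Steps: drop the leading directory and the fake extension, remove the '/'
    separators inserted into the base64 text, turn the '_' percent-escapes
    back into '+', '/' and '=', then base64-decode strictly.
    """
    segments = path.strip("/").split("/")
    body = "".join(segments[1:])              # segments[0] is the directory ("drew")
    body = body.rsplit(".", 1)[0]             # strip the fake extension (".jlk")
    body = body.replace("_2B", "+").replace("_2F", "/").replace("_3D", "=")
    body += "=" * (-len(body) % 4)            # restore padding if the bot dropped it
    return base64.b64decode(body, validate=True)


def looks_like_ursnif_beacon(path: str, user_agent: str) -> bool:
    """Heuristic: an Ursnif-shaped path whose payload decodes to whole 16-byte
    cipher blocks, sent with an impossible browser/OS combination."""
    if not BEACON_PATH_RE.match(path):
        return False
    if "_2B" not in path and "_2F" not in path:
        return False
    try:
        payload = recover_ciphertext(path)
    except ValueError:                        # binascii.Error is a ValueError subclass
        return False
    if len(payload) == 0 or len(payload) % 16 != 0:   # Serpent block size is 16 bytes
        return False
    return UA_MISMATCH_RE.search(user_agent) is not None


if __name__ == "__main__":
    ct = recover_ciphertext(SAMPLE_PATH)
    print(f"{len(ct)} bytes of ciphertext; "
          f"beacon={looks_like_ursnif_beacon(SAMPLE_PATH, SAMPLE_UA)}")
```

On the captured request the path yields 192 bytes, twelve 16-byte blocks, which is what you would expect from a block cipher in a non-streaming mode. The path regex and the user-agent mismatch are deliberately loose; in production they belong in a flow-level rule together with the absence of Accept headers and the direct-to-IP Host value seen in the capture.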
Source: Joe Sandbox View |
ASN Name: SPACENET-ASInternetServiceProviderRU |
Source: unknown |
DNS traffic detected: query: checklist.skype.com, reply code: Name error (3, NXDOMAIN) |
Source: unknown |
TCP traffic detected without corresponding DNS query: 62.173.142.51 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.103.183.153 |
Source: server.exe, 00000000.00000002.569377745.00000000027FC000.00000004.00000010.00020000.00000000.sdmp |
String found in binary or memory: http://94.103 |
Source: unknown |
DNS traffic detected: queries for: checklist.skype.com |
Source: Yara match |
File source: 00000000.00000003.446824514.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.569534669.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: server.exe PID: 5596, type: MEMORYSTR |
Source: C:\Users\user\Desktop\server.exe |
Code function: 0_2_02BD1508 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, |
0_2_02BD1508 |
Source: 00000000.00000003.446824514.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown |
Source: 00000000.00000003.446824514.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown |
Source: 00000000.00000002.569534669.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown |
Source: 00000000.00000002.569534669.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown |
Source: Process Memory Space: server.exe PID: 5596, type: MEMORYSTR |
Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown |
Source: Process Memory Space: server.exe PID: 5596, type: MEMORYSTR |
Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown |
Source: C:\Users\user\Desktop\server.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue |
Source: C:\Users\user\Desktop\server.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |
Source: C:\Users\user\Desktop\server.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Users\user\Desktop\server.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Users\user\Desktop\server.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |
Source: C:\Users\user\Desktop\server.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Users\user\Desktop\server.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
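The StdRegProv calls listed above are the security-relevant detail of the WMI hits: registry writes requested through StdRegProv are carried out by the WMI provider host (WmiPrvSE.exe), so process-attributed registry telemetry records WmiPrvSE.exe as the writer, and a rule keyed on server.exe touching the registry never fires. The following Python is an added example, not part of the report: it selects the Sysmon Event ID 13 (value set) records whose writer is WmiPrvSE.exe and pairs each one with the closest preceding StdRegProv write call in a WMI-Activity trace so that the calling process can be named. All events are constructed; the SID, the {GUID} key path and the trace record's field names are hypothetical (the Operation strings reuse the report's own wording), and PID 5596 is the sample's PID from the report.

```python
import re
from datetime import datetime

# Registry writes requested through StdRegProv are performed by the WMI
# provider host, so endpoint telemetry attributes them to WmiPrvSE.exe,
# not to the process that called IWbemServices::ExecMethod.
WMI_HOST_RE = re.compile(r"\\wmiprvse\.exe$", re.IGNORECASE)
STDREG_WRITE_RE = re.compile(
    r"StdRegProv::(SetDWORDValue|SetBinaryValue|SetStringValue|"
    r"SetExpandedStringValue|SetMultiStringValue|CreateKey|DeleteKey|DeleteValue)")

# Constructed Sysmon Event ID 13 (RegistryEvent: value set) records.  The SID,
# the timestamps and the {GUID} key path are hypothetical, not from the report.
SYSMON_EVENTS = [
    {"EventID": 13, "UtcTime": "2024-01-01T10:00:00.450",
     "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "TargetObject": r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Microsoft\{0A1B2C3D-HYPOTHETICAL}\Client",
     "Details": "Binary Data"},
    {"EventID": 13, "UtcTime": "2024-01-01T10:00:00.950",
     "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "TargetObject": r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Microsoft\{0A1B2C3D-HYPOTHETICAL}\Flags",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "UtcTime": "2024-01-01T10:00:05.000",
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

# Constructed WMI-Activity trace records for the ExecMethod calls the report
# lists.  Field names are simplified/hypothetical; 5596 is the sample's PID.
WMI_TRACE = [
    {"UtcTime": "2024-01-01T10:00:00.100", "ClientProcessId": 5596,
     "Operation": r"IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue"},
    {"UtcTime": "2024-01-01T10:00:00.400", "ClientProcessId": 5596,
     "Operation": r"IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue"},
    {"UtcTime": "2024-01-01T10:00:00.900", "ClientProcessId": 5596,
     "Operation": r"IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue"},
]


def wmi_registry_writes(sysmon_events):
    """Sysmon value-set events whose recorded writer is the WMI provider host."""
    return [e for e in sysmon_events
            if e["EventID"] == 13 and WMI_HOST_RE.search(e["Image"])]


def attribute_writes(sysmon_events, wmi_trace, window_s=2.0):
    """Name the real author of each WmiPrvSE.exe registry write by pairing it
    with the closest preceding StdRegProv write call in the WMI-Activity trace."""
    hits = []
    for write in wmi_registry_writes(sysmon_events):
        t_write = datetime.fromisoformat(write["UtcTime"])
        best = None
        for call in wmi_trace:
            m = STDREG_WRITE_RE.search(call["Operation"])
            if not m:
                continue                      # reads such as GetStringValue are not writes
            delta = (t_write - datetime.fromisoformat(call["UtcTime"])).total_seconds()
            if 0 <= delta <= window_s and (best is None or delta < best[0]):
                best = (delta, call["ClientProcessId"], m.group(1))
        if best is not None:
            hits.append({"client_pid": best[1], "method": best[2],
                         "target": write["TargetObject"], "details": write["Details"]})
    return hits


if __name__ == "__main__":
    for h in attribute_writes(SYSMON_EVENTS, WMI_TRACE):
        print(f"pid {h['client_pid']} {h['method']} -> {h['target']} ({h['details']})")
```

Only the Set*/Create*/Delete* methods count as writes; GetStringValue is the read the loader issues first. Without the WMI-Activity trace, Sysmon alone can only tell you that something wrote to a user hive through WMI, which is still worth alerting on when the value is binary data under an unfamiliar key.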
Source: server.exe |
Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI |
Source: 00000000.00000003.446824514.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23 |
Source: 00000000.00000003.446824514.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23 |
Source: 00000000.00000002.569534669.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23 |
Source: 00000000.00000002.569534669.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23 |
Source: Process Memory Space: server.exe PID: 5596, type: MEMORYSTR |
Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23 |
Source: Process Memory Space: server.exe PID: 5596, type: MEMORYSTR |
Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23 |
Source: C:\Users\user\Desktop\server.exe |
Code function: 0_2_02BD16DF |
0_2_02BD16DF |
Source: C:\Users\user\Desktop\server.exe |
Code function: 0_2_02BD1D8A |
0_2_02BD1D8A |
Source: C:\Users\user\Desktop\server.exe |
Code function: 0_2_02BD832C |
0_2_02BD832C |
Source: C:\Users\user\Desktop\server.exe |
Code function: 0_2_0040110B GetProcAddress,NtCreateSection,memset, |
0_2_0040110B |
Source: C:\Users\user\Desktop\server.exe |
Code function: 0_2_00401459 NtMapViewOfSection, |
0_2_00401459 |
Source: C:\Users\user\Desktop\server.exe |
Code function: 0_2_004019F1 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, |
0_2_004019F1 |
Source: C:\Users\user\Desktop\server.exe |
Code function: 0_2_02BD421F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, |
0_2_02BD421F |
Source: C:\Users\user\Desktop\server.exe |
Code function: 0_2_02BD8551 NtQueryVirtualMemory, |
0_2_02BD8551 |
Source: C:\Users\user\Desktop\server.exe |
Code function: 0_2_02190F65 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,CreateThread,QueueUserAPC,GetLastError,TerminateThread,SetLastError,WaitForSingleObject,GetExitCodeThread,GetLastError,GetLastError, |
0_2_02190F65 |
Source: server.exe |
ReversingLabs: Detection: 12% |
Source: C:\Users\user\Desktop\server.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\server.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\user\Desktop\server.exe |
Code function: 0_2_02BD30D5 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, |
0_2_02BD30D5 |
Source: C:\Users\user\Desktop\server.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 |
Source: classification engine |
Classification label: mal100.troj.evad.winEXE@1/0@1/2 |
Source: C:\Users\user\Desktop\server.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Users\user\Desktop\server.exe |
Unpacked PE file: 0.2.server.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R; (the in-memory image uses the Borland/Delphi linker's CODE/DATA/BSS section naming, consistent with the Software\Borland\Delphi\Locales key access above, while the submitted file carries a .text/.rdata/.data layout; the mismatch is why the sandbox reports the image as unpacked) |
Source: C:\Users\user\Desktop\server.exe |
Unpacked PE file: 0.2.server.exe.400000.0.unpack |
Source: C:\Users\user\Desktop\server.exe |
Code function: 0_2_02BD7F30 push ecx; ret |
0_2_02BD7F39 |
Source: C:\Users\user\Desktop\server.exe |
Code function: 0_2_02BD831B push ecx; ret |
0_2_02BD832B |
Source: C:\Users\user\Desktop\server.exe |
Code function: 0_2_0219A3E0 push edx; ret |
0_2_0219A558 |
Source: C:\Users\user\Desktop\server.exe |
Code function: 0_2_0219A290 push edx; ret |
0_2_0219A29B |
Source: C:\Users\user\Desktop\server.exe |
Code function: 0_2_00401000 LoadLibraryA,GetProcAddress, |
0_2_00401000 |
Source: initial sample |
Icon embedded in binary file: icon matches a legit application icon: icon.png |
Source: Yara match |
File source: 00000000.00000003.446824514.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.569534669.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: server.exe PID: 5596, type: MEMORYSTR |
Source: C:\Users\user\Desktop\server.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\server.exe |
Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep |
Source: C:\Users\user\Desktop\server.exe |
Check user administrative privileges: GetTokenInformation,DecisionNodes |
Source: C:\Users\user\Desktop\server.exe |
API call chain: ExitProcess graph end node |
Source: C:\Users\user\Desktop\server.exe |
Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep |
Source: C:\Users\user\Desktop\server.exe |
Code function: 0_2_00401000 LoadLibraryA,GetProcAddress, |
0_2_00401000 |
Source: C:\Users\user\Desktop\server.exe |
Memory protected: page write copy | page execute | page execute read | page execute and read and write | page guard |
Source: C:\Users\user\Desktop\server.exe |
Code function: NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, |
0_2_004019F1 |
Source: C:\Users\user\Desktop\server.exe |
Code function: NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,CreateThread,QueueUserAPC,GetLastError,TerminateThread,SetLastError,WaitForSingleObject,GetExitCodeThread,GetLastError,GetLastError, |
0_2_02190F65 |
Source: C:\Users\user\Desktop\server.exe |
Code function: 0_2_02BD3BD3 cpuid |
0_2_02BD3BD3 |
Source: C:\Users\user\Desktop\server.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Source: C:\Users\user\Desktop\server.exe |
Code function: 0_2_00401D68 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, |
0_2_00401D68 |
Source: C:\Users\user\Desktop\server.exe |
Code function: 0_2_004015B0 GetSystemTimeAsFileTime,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, |
0_2_004015B0 |
Source: C:\Users\user\Desktop\server.exe |
Code function: 0_2_02BD3BD3 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, |
0_2_02BD3BD3 |
Source: Yara match |
File source: 00000000.00000002.569302533.0000000002190000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.446824514.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.569534669.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: server.exe PID: 5596, type: MEMORYSTR |