Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
server.exe

Overview

General Information

Sample Name:server.exe
Analysis ID:826138
MD5:43cfce2e126b1bf5230e51edd205f6bd
SHA1:9ca60bfc3cb13b40f02810869ce9531cb0ab76d4
SHA256:47d288233a39a68396567e35a77a500e296218df3a4bc9daca797e75b4b03d4b
Tags:agenziaentrateexegoziisfbITAmefmiseursnif
Infos:

Detection

Ursnif, CryptOne
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected CryptOne packer
Snort IDS alert for network traffic
Yara detected Ursnif
Found evasive API chain (may stop execution after checking system information)
Writes or reads registry keys via WMI
Writes registry values via WMI
Found API chain indicative of debugger detection
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Contains functionality to dynamically determine API calls
Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

  • System is w10x64
  • server.exe (PID: 5596 cmdline: C:\Users\user\Desktop\server.exe MD5: 43CFCE2E126B1BF5230E51EDD205F6BD)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Gozi, Ursnif2000 Ursnif aka Snifula2006 Gozi v1.0, Gozi CRM, CRM, Papras2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)-> 2010 Gozi Prinimalka -> Vawtrak/NeverquestIn 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed.It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula.In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.gozi

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "2cHitNE2khtX8MPowN3OuEF+nIJiRQvDS0CByWczHAmlx7InAyPYhqz4W4BdwOQhPXM+cNmTKZrjXkeaD1W/JReU+0QfnRaZLQzMkbf/6hntYeJLN9kVYaXwOSubcfndLd/IRF3zHco37HpGyfr/fx+pYcUFQUpDPSBwxpcqOgAGHU0ELflY4Wg7JTro/JzFnlTf/qZRLIK0F3z73FRQhjYYH8ldszb/+eADX8rn6ird+QrxU0NdIdel89Q7IsIw6+kcDa/Uh8s29ZPGfilEQcNwZsKPhbL1nQo8gRUU9nCXs8mGibasUhj7JSzvSDXMce/idAcO3inRDu0kAkFPSSWXYHucvOV7UqKvwvqosHo=", "c2_domain": ["checklist.skype.com", "62.173.142.51", "94.103.183.153", "193.233.175.111", "109.248.11.145", "31.41.44.106", "191.96.251.201"], "botnet": "7713", "server": "50", "serpent_key": "rqDYWFa4uPXuBFMj", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.569302533.0000000002190000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_CryptYara detected CryptOne packerJoe Security
    00000000.00000003.446824514.00000000035B8000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
      00000000.00000003.446824514.00000000035B8000.00000004.00000020.00020000.00000000.sdmpWindows_Trojan_Gozi_fd494041unknownunknown
      • 0x1228:$a1: /C ping localhost -n %u && del "%s"
      • 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
      • 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
      • 0xa9c:$a5: filename="%.4u.%lu"
      • 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
      • 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X
      • 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X
      • 0xe6d:$a9: &whoami=%s
      • 0xe56:$a10: %u.%u_%u_%u_x%u
      • 0xd63:$a11: size=%u&hash=0x%08x
      • 0xb1d:$a12: &uptime=%u
      • 0x6fb:$a13: %systemroot%\system32\c_1252.nls
      • 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
      00000000.00000003.446824514.00000000035B8000.00000004.00000020.00020000.00000000.sdmpWindows_Trojan_Gozi_261f5ac5unknownunknown
      • 0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
      • 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
      • 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
      • 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
      • 0xd96:$a9: Software\AppDataLow\Software\Microsoft\
      • 0x1ce8:$a9: Software\AppDataLow\Software\Microsoft\
      00000000.00000002.569534669.00000000035B8000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
        Click to see the 5 entries

        Sigma Signatures

        No Sigma rule has matched

        Snort Signatures

        Timestamp:192.168.2.462.173.142.5149685802033203 03/14/23-12:27:29.882824
        SID:2033203
        Source Port:49685
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected

        Joe Sandbox Signatures

        Click to jump to signature section

        Show All Signature Results

        AV Detection

        barindex
        Multi AV Scanner detection for submitted file
        Source: server.exeReversingLabs: Detection: 12%
        Source: 0.2.server.exe.2190174.1.unpackAvira: Label: TR/Kazy.4159236
        Source: 0.2.server.exe.400000.0.unpackAvira: Label: TR/Crypt.XPACK.Gen7
        Source: 00000000.00000002.569302533.0000000002190000.00000040.00001000.00020000.00000000.sdmpMalware Configuration Extractor: Ursnif {"RSA Public Key": "2cHitNE2khtX8MPowN3OuEF+nIJiRQvDS0CByWczHAmlx7InAyPYhqz4W4BdwOQhPXM+cNmTKZrjXkeaD1W/JReU+0QfnRaZLQzMkbf/6hntYeJLN9kVYaXwOSubcfndLd/IRF3zHco37HpGyfr/fx+pYcUFQUpDPSBwxpcqOgAGHU0ELflY4Wg7JTro/JzFnlTf/qZRLIK0F3z73FRQhjYYH8ldszb/+eADX8rn6ird+QrxU0NdIdel89Q7IsIw6+kcDa/Uh8s29ZPGfilEQcNwZsKPhbL1nQo8gRUU9nCXs8mGibasUhj7JSzvSDXMce/idAcO3inRDu0kAkFPSSWXYHucvOV7UqKvwvqosHo=", "c2_domain": ["checklist.skype.com", "62.173.142.51", "94.103.183.153", "193.233.175.111", "109.248.11.145", "31.41.44.106", "191.96.251.201"], "botnet": "7713", "server": "50", "serpent_key": "rqDYWFa4uPXuBFMj", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
        Source: C:\Users\user\Desktop\server.exeCode function: 0_2_02BD1508 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,0_2_02BD1508

        Compliance

        barindex
        Detected unpacking (overwrites its own PE header)
        Source: C:\Users\user\Desktop\server.exeUnpacked PE file: 0.2.server.exe.400000.0.unpack
        Source: server.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

        Networking

        barindex
        Snort IDS alert for network traffic
        Source: TrafficSnort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49685 -> 62.173.142.51:80
        Source: global trafficHTTP traffic detected: GET /drew/HAyCvnAuEOt2F7C/qtqWyxm4JAodLmr2fA/5rIXi6c7a/A8VZuoBaw9m9tdhD88nR/7GG7oRWMVub4oY7_2BO/OtqOu0B56I1LS_2FdHx85_/2FJqjErmgnBnc/fR5wyLVd/zR03KdsDmrJhOpNTELG8Ap7/tRbeA0rm1D/Ahqeb_2B_2Fx66NAH/sAJz2fkfv30m/_2B2yXv1C0u/OTAlb_2Bjz3Xu9/n7nMr5QIveWoLOKJgWpZZ/FZTPBpvOXNqs9vrA/ayBpSg1Jbp3hq/vUJdeVU7/u.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 62.173.142.51Connection: Keep-AliveCache-Control: no-cache
        Source: Joe Sandbox ViewASN Name: SPACENET-ASInternetServiceProviderRU SPACENET-ASInternetServiceProviderRU
        Source: unknownDNS traffic detected: query: checklist.skype.com replaycode: Name error (3)
        Source: unknownTCP traffic detected without corresponding DNS query: 62.173.142.51
        Source: unknownTCP traffic detected without corresponding DNS query: 62.173.142.51
        Source: unknownTCP traffic detected without corresponding DNS query: 62.173.142.51
        Source: unknownTCP traffic detected without corresponding DNS query: 62.173.142.51
        Source: unknownTCP traffic detected without corresponding DNS query: 62.173.142.51
        Source: unknownTCP traffic detected without corresponding DNS query: 94.103.183.153
        Source: unknownTCP traffic detected without corresponding DNS query: 94.103.183.153
        Source: unknownTCP traffic detected without corresponding DNS query: 94.103.183.153
        Source: server.exe, 00000000.00000002.569377745.00000000027FC000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://94.103
        Source: unknownDNS traffic detected: queries for: checklist.skype.com
        Source: global trafficHTTP traffic detected: GET /drew/HAyCvnAuEOt2F7C/qtqWyxm4JAodLmr2fA/5rIXi6c7a/A8VZuoBaw9m9tdhD88nR/7GG7oRWMVub4oY7_2BO/OtqOu0B56I1LS_2FdHx85_/2FJqjErmgnBnc/fR5wyLVd/zR03KdsDmrJhOpNTELG8Ap7/tRbeA0rm1D/Ahqeb_2B_2Fx66NAH/sAJz2fkfv30m/_2B2yXv1C0u/OTAlb_2Bjz3Xu9/n7nMr5QIveWoLOKJgWpZZ/FZTPBpvOXNqs9vrA/ayBpSg1Jbp3hq/vUJdeVU7/u.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 62.173.142.51Connection: Keep-AliveCache-Control: no-cache

        Key, Mouse, Clipboard, Microphone and Screen Capturing

        bar