Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
server.exe

Overview

General Information

Sample Name:server.exe
Analysis ID:826308
MD5:8f092511c91bfc1f2516e420739a7967
SHA1:dc67d8f55a6591d16c2709ea65ad143e3a216ec0
SHA256:9261b47b4fd67523f7afe640e55ccb95ec8b154b5dfa34a8564986ac3e97fe1a
Tags:agenziaentrateexegoziisfbmefmiseursnif
Infos:

Detection

Ursnif
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Snort IDS alert for network traffic
Yara detected Ursnif
Found evasive API chain (may stop execution after checking system information)
Writes or reads registry keys via WMI
Writes registry values via WMI
Found API chain indicative of debugger detection
Machine Learning detection for sample
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Internet Provider seen in connection with other malware
Contains functionality to call native functions
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware

Classification

Process Tree

  • System is w10x64
  • server.exe (PID: 5540 cmdline: C:\Users\user\Desktop\server.exe MD5: 8F092511C91BFC1F2516E420739A7967)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Gozi, Ursnif2000 Ursnif aka Snifula2006 Gozi v1.0, Gozi CRM, CRM, Papras2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)-> 2010 Gozi Prinimalka -> Vawtrak/NeverquestIn 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed.It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula.In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.gozi

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "2cHitNE2khtX8MPowN3OuEF+nIJiRQvDS0CByWczHAmlx7InAyPYhqz4W4BdwOQhPXM+cNmTKZrjXkeaD1W/JReU+0QfnRaZLQzMkbf/6hntYeJLN9kVYaXwOSubcfndLd/IRF3zHco37HpGyfr/fx+pYcUFQUpDPSBwxpcqOgAGHU0ELflY4Wg7JTro/JzFnlTf/qZRLIK0F3z73FRQhjYYH8ldszb/+eADX8rn6ird+QrxU0NdIdel89Q7IsIw6+kcDa/Uh8s29ZPGfilEQcNwZsKPhbL1nQo8gRUU9nCXs8mGibasUhj7JSzvSDXMce/idAcO3inRDu0kAkFPSSWXYHucvOV7UqKvwvqosHo=", "c2_domain": ["checklist.skype.com", "62.173.142.51", "94.103.183.153", "193.233.175.111", "109.248.11.145", "31.41.44.106", "191.96.251.201"], "botnet": "7713", "server": "50", "serpent_key": "rqDYWFa4uPXuBFMj", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000003.494639050.0000000002C68000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
    00000000.00000003.494639050.0000000002C68000.00000004.00000020.00020000.00000000.sdmpWindows_Trojan_Gozi_fd494041unknownunknown
    • 0x1228:$a1: /C ping localhost -n %u && del "%s"
    • 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
    • 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
    • 0xa9c:$a5: filename="%.4u.%lu"
    • 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
    • 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X
    • 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X
    • 0xe6d:$a9: &whoami=%s
    • 0xe56:$a10: %u.%u_%u_%u_x%u
    • 0xd63:$a11: size=%u&hash=0x%08x
    • 0xb1d:$a12: &uptime=%u
    • 0x6fb:$a13: %systemroot%\system32\c_1252.nls
    • 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
    00000000.00000003.494639050.0000000002C68000.00000004.00000020.00020000.00000000.sdmpWindows_Trojan_Gozi_261f5ac5unknownunknown
    • 0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
    • 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
    • 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
    • 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
    • 0xd96:$a9: Software\AppDataLow\Software\Microsoft\
    • 0x1ce8:$a9: Software\AppDataLow\Software\Microsoft\
    00000000.00000003.494532027.0000000002C68000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
      00000000.00000003.494532027.0000000002C68000.00000004.00000020.00020000.00000000.sdmpWindows_Trojan_Gozi_fd494041unknownunknown
      • 0x1228:$a1: /C ping localhost -n %u && del "%s"
      • 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
      • 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
      • 0xa9c:$a5: filename="%.4u.%lu"
      • 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
      • 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X
      • 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X
      • 0xe6d:$a9: &whoami=%s
      • 0xe56:$a10: %u.%u_%u_%u_x%u
      • 0xd63:$a11: size=%u&hash=0x%08x
      • 0xb1d:$a12: &uptime=%u
      • 0x6fb:$a13: %systemroot%\system32\c_1252.nls
      • 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP