Edit tour

Windows Analysis Report
server_(3).exe

Overview

General Information

Sample Name:	server_(3).exe
Analysis ID:	830450
MD5:	aa37b36ea7ba39b6c00ae1b01bada3f7
SHA1:	90545746e5b23fcdf7db1fa5c30588df2f4c31bf
SHA256:	a6886a3566a1a98072d67f1aca4a04b5667f97f4df21b2f54d6108293d7c02b7
Tags:	agenziaentrateexegoziisfbITAmefmiseursnif
Infos:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Detected unpacking (overwrites its own PE header)

Yara detected Ursnif

Detected unpacking (changes PE section rights)

Snort IDS alert for network traffic

Writes or reads registry keys via WMI

Found API chain indicative of debugger detection

Machine Learning detection for sample

Found evasive API chain (may stop execution after checking system information)

Writes registry values via WMI

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Found evasive API chain checking for process token information

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

server_(3).exe (PID: 1236 cmdline: C:\Users\user\Desktop\server_(3).exe MD5: AA37B36EA7BA39B6C00AE1B01BADA3F7)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Gozi, Ursnif	2000 Ursnif aka Snifula2006 Gozi v1.0, Gozi CRM, CRM, Papras2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)-> 2010 Gozi Prinimalka -> Vawtrak/NeverquestIn 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed.It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula.In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.	No Attribution	http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/ https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/gozi-italian-shellcode-dance https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007	https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "ScCjtIu/chsReaToemavuPsGfYIczuvCBclhySG8/AhfUJMnvau4hmaBPIAXScUh9/secJMcCpqd5yeayd2fJdEc3ETZJfeY55SskXGIyxmn6sJL8WH2YF95GitV+tnd52epRBd8/snxdFtGg4Pgf9kxQsW/ySpD96hQxlGzGgDApS0E54E54SLEBTqihX3FWN2//mDaDIJuoFz7lt0whvCg/8gXPBf/s2nkXoRwyyqXguvwDcw9IZEu1NT1qqIwpXL9DGldaMvwfXTGOLIkQX35RsJJDpP1V5Mcgc+c1nBRPKqGQz+NUtKDBiyp0RXMK3jDdMGWvimLl80kvMkvSd8fQXtWRcZ7DCuQwrQxkXo=", "c2_domain": ["checklist.skype.com", "62.173.142.81", "193.233.175.113", "109.248.11.184", "212.109.218.26", "185.68.93.7"], "botnet": "7715", "server": "50", "serpent_key": "xeaLJj1BwSDpjIfH", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.514574237.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.514574237.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1228:$a1: /C ping localhost -n %u && del "%s" 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xa9c:$a5: filename="%.4u.%lu" 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe6d:$a9: &whoami=%s 0xe56:$a10: %u.%u_%u_%u_x%u 0xd63:$a11: size=%u&hash=0x%08x 0xb1d:$a12: &uptime=%u 0x6fb:$a13: %systemroot%\system32\c_1252.nls 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.514574237.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd96:$a9: Software\AppDataLow\Software\Microsoft\ 0x1cc0:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.514378176.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.514378176.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1228:$a1: /C ping localhost -n %u && del "%s" 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xa9c:$a5: filename="%.4u.%lu" 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe6d:$a9: &whoami=%s 0xe56:$a10: %u.%u_%u_%u_x%u 0xd63:$a11: size=%u&hash=0x%08x 0xb1d:$a12: &uptime=%u 0x6fb:$a13: %systemroot%\system32\c_1252.nls 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.514378176.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd96:$a9: Software\AppDataLow\Software\Microsoft\ 0x1cc0:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.514450320.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.514450320.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1228:$a1: /C ping localhost -n %u && del "%s" 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xa9c:$a5: filename="%.4u.%lu" 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe6d:$a9: &whoami=%s 0xe56:$a10: %u.%u_%u_%u_x%u 0xd63:$a11: size=%u&hash=0x%08x 0xb1d:$a12: &uptime=%u 0x6fb:$a13: %systemroot%\system32\c_1252.nls 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.514450320.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd96:$a9: Software\AppDataLow\Software\Microsoft\ 0x1cc0:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000002.580647391.00000000005C0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000003.514589845.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.514589845.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1228:$a1: /C ping localhost -n %u && del "%s" 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xa9c:$a5: filename="%.4u.%lu" 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe6d:$a9: &whoami=%s 0xe56:$a10: %u.%u_%u_%u_x%u 0xd63:$a11: size=%u&hash=0x%08x 0xb1d:$a12: &uptime=%u 0x6fb:$a13: %systemroot%\system32\c_1252.nls 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.514589845.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd96:$a9: Software\AppDataLow\Software\Microsoft\ 0x1cc0:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.514416763.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.514416763.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1228:$a1: /C ping localhost -n %u && del "%s" 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xa9c:$a5: filename="%.4u.%lu" 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe6d:$a9: &whoami=%s 0xe56:$a10: %u.%u_%u_%u_x%u 0xd63:$a11: size=%u&hash=0x%08x 0xb1d:$a12: &uptime=%u 0x6fb:$a13: %systemroot%\system32\c_1252.nls 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.514416763.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd96:$a9: Software\AppDataLow\Software\Microsoft\ 0x1cc0:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.514479802.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.514479802.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1228:$a1: /C ping localhost -n %u && del "%s" 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xa9c:$a5: filename="%.4u.%lu" 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe6d:$a9: &whoami=%s 0xe56:$a10: %u.%u_%u_%u_x%u 0xd63:$a11: size=%u&hash=0x%08x 0xb1d:$a12: &uptime=%u 0x6fb:$a13: %systemroot%\system32\c_1252.nls 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.514479802.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd96:$a9: Software\AppDataLow\Software\Microsoft\ 0x1cc0:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.514505620.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.514505620.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1228:$a1: /C ping localhost -n %u && del "%s" 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xa9c:$a5: filename="%.4u.%lu" 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe6d:$a9: &whoami=%s 0xe56:$a10: %u.%u_%u_%u_x%u 0xd63:$a11: size=%u&hash=0x%08x 0xb1d:$a12: &uptime=%u 0x6fb:$a13: %systemroot%\system32\c_1252.nls 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.514505620.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd96:$a9: Software\AppDataLow\Software\Microsoft\ 0x1cc0:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000002.580765376.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000002.580765376.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1228:$a1: /C ping localhost -n %u && del "%s" 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xa9c:$a5: filename="%.4u.%lu" 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe6d:$a9: &whoami=%s 0xe56:$a10: %u.%u_%u_%u_x%u 0xd63:$a11: size=%u&hash=0x%08x 0xb1d:$a12: &uptime=%u 0x6fb:$a13: %systemroot%\system32\c_1252.nls 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000002.580765376.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd96:$a9: Software\AppDataLow\Software\Microsoft\ 0x1cc0:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.514528355.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.514528355.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1228:$a1: /C ping localhost -n %u && del "%s" 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xa9c:$a5: filename="%.4u.%lu" 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe6d:$a9: &whoami=%s 0xe56:$a10: %u.%u_%u_%u_x%u 0xd63:$a11: size=%u&hash=0x%08x 0xb1d:$a12: &uptime=%u 0x6fb:$a13: %systemroot%\system32\c_1252.nls 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.514528355.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd96:$a9: Software\AppDataLow\Software\Microsoft\ 0x1cc0:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000002.580571515.00000000004D6000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x5b1b:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Process Memory Space: server_(3).exe PID: 1236	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: server_(3).exe PID: 1236	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x2db9:$a5: filename="%.4u.%lu" 0x2f6f:$a5: filename="%.4u.%lu" 0x9c1e:$a5: filename="%.4u.%lu" 0x9dd4:$a5: filename="%.4u.%lu" 0x296c:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x97d1:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x2ae0:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x2eb9:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x3071:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x87f3:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x88d4:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x8a83:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x9945:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x9d1e:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x9ed6:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xda1b:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xdafc:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xdd60:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x32d1:$a9: &whoami=%s 0xa136:$a9: &whoami=%s 0x32ba:$a10: %u.%u_%u_%u_x%u
Process Memory Space: server_(3).exe PID: 1236	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x2e60:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x3018:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x9cc5:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x9e7d:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x296c:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x29c9:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x97d1:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x982e:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x2d85:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x2f3b:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x9bea:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x9da0:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x316b:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x3444:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9fd0:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xa2a9:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x320d:$a9: Software\AppDataLow\Software\Microsoft\ 0x34e1:$a9: Software\AppDataLow\Software\Microsoft\ 0x3fcd:$a9: Software\AppDataLow\Software\Microsoft\ 0x401a:$a9: Software\AppDataLow\Software\Microsoft\ 0xa072:$a9: Software\AppDataLow\Software\Microsoft\
Click to see the 27 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) - Source IP: 192.168.2.4 - Destination IP: 62.173.142.81

Timestamp:	192.168.2.462.173.142.8149695802033204 03/20/23-11:48:17.902010
SID:	2033204
Source Port:	49695
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) - Source IP: 192.168.2.4 - Destination IP: 62.173.142.81

Timestamp:	192.168.2.462.173.142.8149695802033203 03/20/23-11:48:17.902010
SID:	2033203
Source Port:	49695
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: server_(3).exe	ReversingLabs: Detection: 38%
Source: server_(3).exe	Virustotal: Detection: 37%			Perma Link

Machine Learning detection for sample

Source: server_(3).exe

Joe Sandbox ML: detected

Source: 0.2.server_(3).exe.400000.0.unpack

Avira: Label: TR/Crypt.XPACK.Gen7

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
server_(3).exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Ursnif

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report server_(3).exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Ursnif

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Windows Analysis Report
server_(3).exe