Overview

overview

10

Static

static

37e185e2b0...28.exe

windows7_x64

10

37e185e2b0...28.exe

windows10_x64

1

Resubmissions

24-08-2021 14:41

210824-gbqdf47416 10

23-08-2021 18:15

210823-78r35g4gms 10

19-12-2020 05:48

201219-8fefrsq5f2 10

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    19-12-2020 05:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028.exe

  • Size

    539KB

  • MD5

    10fda777cc56f004e90a4037e1e2cdcc

  • SHA1

    2827b8e86f8eb6a2f07ed13d7e237eef5420e5e9

  • SHA256

    37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028

  • SHA512

    9a9c6af054c8bc6d53e44dcb1650b17409d2229d539272d73b86c001a04f775d78c543361c4d8d53204a4519899ca31a3e4db31e02503e17a561621dc15ff088

Score
10/10
gozi_ifsbursnifbankerpersistencetrojan

Malware Config

Extracted

Family

ursnif

Attributes
  • dga_base_url

  • dga_crc

    0

  • dga_season

    0

  • dga_tlds

  • dns_servers

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb
  • Ursnif, Dreambot

    Ursnif is a variant of the Gozi IFSB with more capabilities.

    bankertrojanursnif
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:1268
    • C:\Users\Admin\AppData\Local\Temp\37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028.exe
      "C:\Users\Admin\AppData\Local\Temp\37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\F50A\FA85.bat" "C:\Users\Admin\AppData\Roaming\apssclnt\chsbmifs.exe" "C:\Users\Admin\AppData\Local\Temp\37E185~1.EXE""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1664
        • C:\Windows\SysWOW64\cmd.exe
          cmd /C ""C:\Users\Admin\AppData\Roaming\apssclnt\chsbmifs.exe" "C:\Users\Admin\AppData\Local\Temp\37E185~1.EXE""
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2004
          • C:\Users\Admin\AppData\Roaming\apssclnt\chsbmifs.exe
            "C:\Users\Admin\AppData\Roaming\apssclnt\chsbmifs.exe" "C:\Users\Admin\AppData\Local\Temp\37E185~1.EXE"
            5⤵
            • Executes dropped EXE
            • Deletes itself
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:2016
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe
              6⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:408

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\F50A\FA85.bat
    MD5

    0647e44683b1004764a64a37eff67e17

    SHA1

    1953540bcaaaf0613e71cd21c0c9a60e50be704a

    SHA256

    4905ee5cb09d7955e9be1d0a9e711c5fff17704451a0e41fa80ec7ed8f564e88

    SHA512

    e77ee6cca97e1f991a8665755e28468d6b6d76667a0be9eed64c1ac72abde9e6e2453e6d97582e5e814f6fdce3e10c52b5d5643b17b3c234690b0f6be6ae7e00

    Download Submit

  • C:\Users\Admin\AppData\Roaming\apssclnt\chsbmifs.exe
    MD5

    10fda777cc56f004e90a4037e1e2cdcc

    SHA1

    2827b8e86f8eb6a2f07ed13d7e237eef5420e5e9

    SHA256

    37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028

    SHA512

    9a9c6af054c8bc6d53e44dcb1650b17409d2229d539272d73b86c001a04f775d78c543361c4d8d53204a4519899ca31a3e4db31e02503e17a561621dc15ff088

    Download Submit

  • C:\Users\Admin\AppData\Roaming\apssclnt\chsbmifs.exe
    MD5

    10fda777cc56f004e90a4037e1e2cdcc

    SHA1

    2827b8e86f8eb6a2f07ed13d7e237eef5420e5e9

    SHA256

    37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028

    SHA512

    9a9c6af054c8bc6d53e44dcb1650b17409d2229d539272d73b86c001a04f775d78c543361c4d8d53204a4519899ca31a3e4db31e02503e17a561621dc15ff088

    Download Submit

  • \Users\Admin\AppData\Roaming\apssclnt\chsbmifs.exe
    MD5

    10fda777cc56f004e90a4037e1e2cdcc

    SHA1

    2827b8e86f8eb6a2f07ed13d7e237eef5420e5e9

    SHA256

    37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028

    SHA512

    9a9c6af054c8bc6d53e44dcb1650b17409d2229d539272d73b86c001a04f775d78c543361c4d8d53204a4519899ca31a3e4db31e02503e17a561621dc15ff088

    Download Submit

  • memory/408-9-0x0000000000000000-mapping.dmp

    Download

  • memory/408-11-0x000007FFFFFDE000-mapping.dmp

    Download

  • memory/408-12-0x00000000003D0000-0x000000000040D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/408-13-0x00000000023C0000-0x0000000002465000-memory.dmp

    Filesize

    660KB

    Download

  • memory/1664-2-0x0000000000000000-mapping.dmp

    Download

  • memory/2004-4-0x0000000000000000-mapping.dmp

    Download

  • memory/2016-7-0x0000000000000000-mapping.dmp

    Download

  • memory/2016-10-0x00000000004A0000-0x0000000000545000-memory.dmp

    Filesize

    660KB

    Download