MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2fe961e9bb79716d74f6d4c44e54b685a13d0bf9dc4a9c2e97425178b1cfd43e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2fe961e9bb79716d74f6d4c44e54b685a13d0bf9dc4a9c2e97425178b1cfd43e
SHA3-384 hash: 3e760e1b70167902cfe8542b85a9e588692f39d56f2061ea110cad07e8b9dfe1d759af5da1cf7608be848c8f10d483e2
SHA1 hash: 1c06629fc0340a4c76060707cc2c0de425a55011
MD5 hash: 724f70d56215484778c96c265d2a2cd8
humanhash: mockingbird-robin-florida-item
File name:installazione.bin
Download: download sample
Signature Gozi
Create hunting rule
File size:196'608 bytes
First seen:2020-10-14 05:12:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34b8b7b2bb33b3d0b9a0ca97e5d5034 (1 x Gozi)
ssdeep 3072:V1IqmwGIWnc84ksf6kJlShr4xnwLIF6RTCfBLm6ngRoAE5wOEJRomNWWnj7l:UjPIWnfXs9Kp4pUv2VAE5ZEJRHNWWnjB
Threatray 15 similar samples on MalwareBazaar
TLSH 8E145A7F3AE9B867DA1D31766CDC1797860B90F8421AC6537AD206DC71AB04DE13E3A0
Reporter JAMESWT_WT
Tags:dll Gozi isfb Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
354
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70660/
Detection(s):
SecuriteInfo.com.generic.ml.4158.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Using the Windows Management Instrumentation requests
Launching a process
DNS request
Searching for the window
Deleting a recently created file
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/490578
Signature
Creates a COM Internet Explorer object
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2fe961e9bb79716d74f6d4c44e54b685a13d0bf9dc4a9c2e97425178b1cfd43e/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2020-10-14 05:06:57 UTC
File Type:
PE (Dll)
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=f7uwd2n3pfyw25hw2tce4vfwqwqt2c7z3rfjyluxijixrmop2q7a._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
1cbe92dd308b0cff4055bf7ea98e91ca2d1d9160314518e3f09adc8def67bd81
Gozi
1f489fc6703dd57a5d322a920c98c60b0a9be1168147e3ab1f0db8fa2ba03dae
Gozi
394ecd747f9b75d73b9d9fb0e393c754ce030e1cccf6c2544fd6eb54578cd517
Gozi
493d258253c3d4b39ae41b07ae583164926731a9d1b17c434cca2b8fa9c80629
Gozi
6a39a3e7387f3d214042b2d9d99f4d6de18303d56ad96c9a48df20cf4693091b
Gozi
74df1156c1fadae414aaa6a95f8ead8924ebce0c607df63860fad0546288aa30
Gozi
8c421ff35f676e2a886e33879a324da5660a9d94dd77edc1791f431c124402a4
Gozi
ba1a4ae1f2155524be33ae4addcc907881d1b4e64c4a8090f4f77d1ad1e87cd0
Gozi
d7c37dced460635f71add15aa5071cdd82d73ab250c7f3104387bcdceb7ddced
Gozi
ff84091bb6f0eee80d98d41baf3ea143b48502d3933c0d9097abdf99618ffcf8
Gozi
+ 5 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
banker trojan family:gozi_ifsb
Link:
https://tria.ge/reports/201014-abdeyltrla/
Behaviour
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Blacklisted process makes network request
Gozi, Gozi IFSB
Unpacked files
SH256 hash:
2fe961e9bb79716d74f6d4c44e54b685a13d0bf9dc4a9c2e97425178b1cfd43e
MD5 hash:
724f70d56215484778c96c265d2a2cd8
SHA1 hash:
1c06629fc0340a4c76060707cc2c0de425a55011
Link:
https://www.unpac.me/results/47eda6e1-2225-4945-841b-c12061a86656/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2fe961e9bb79716d74f6d4c44e54b685a13d0bf9dc4a9c2e97425178b1cfd43e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe 2fe961e9bb79716d74f6d4c44e54b685a13d0bf9dc4a9c2e97425178b1cfd43e

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/70660/
  
URLhaus
https://urlhaus.abuse.ch/url/690578/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/690586/
  
URLhaus
https://urlhaus.abuse.ch/url/690587/

Comments