MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 849e363856d35f9349e418671e7580220f859cdd5a7cbb80ef721526111dbe70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 849e363856d35f9349e418671e7580220f859cdd5a7cbb80ef721526111dbe70
SHA3-384 hash: a6c76009918f7b29ed1c5c19f3fd3061db4804e95b871e587388fd3e8945866cfd1c93ebc2453c4c6f56d1f3c2f3fd98
SHA1 hash: e30d6e35df734828b241f604d2092f6c5336c41d
MD5 hash: 652cb9987ce27f1c044a8de7efebd73e
humanhash: high-bulldog-summer-juliet
File name:opzi0n1.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:127'320 bytes
First seen:2020-11-17 06:55:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 306f8b7ea0cfac90f674c56e80e2bfe7 (1 x Gozi)
ssdeep 3072:aZq6izmFD1xqDyhnsbAYAuRnod4D/KGmZU7owQEtfHMx12n/8QG:alizmFRxHnuc4jl7owb6120z
Threatray 26 similar samples on MalwareBazaar
TLSH 72C3E096747AEC3AF122867F1A862D6A4F3FC7504B7328EB7FF1154A81127015BA1C38
Reporter JAMESWT_WT
Tags:dll Gozi isfb MEF Ursnif

Code Signing Certificate

Organisation:GlobalSign Primary Object Publishing CA
Issuer:GlobalSign Root CA
Algorithm:sha1WithRSAEncryption
Valid from:Jan 28 13:00:00 1999 GMT
Valid to:Jan 27 12:00:00 2017 GMT
Serial number: 040000000001239E0FACB3
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 23B01A2B16C7F868E828354490B5793637549ECDBAD486C1C9D6EAC9F893EE51
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
166
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BScope.TrojanBanker.Gozi.20893.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Searching for the window
Connection attempt
Deleting a recently created file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/539030
Signature
Creates a COM Internet Explorer object
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 318608 Sample: opzi0n1.dll Startdate: 17/11/2020 Architecture: WINDOWS Score: 80 32 Found malware configuration 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 Yara detected  Ursnif 2->36 38 Machine Learning detection for sample 2->38 8 loaddll32.exe 1 2->8         started        process3 process4 10 regsvr32.exe 8->10         started        13 cmd.exe 1 8->13         started        signatures5 40 Writes or reads registry keys via WMI 10->40 42 Writes registry values via WMI 10->42 44 Creates a COM Internet Explorer object 10->44 15 iexplore.exe 1 61 13->15         started        process6 process7 17 iexplore.exe 159 15->17         started        20 iexplore.exe 25 15->20         started        22 iexplore.exe 29 15->22         started        dnsIp8 24 edge.gycpi.b.yahoodns.net 87.248.118.22, 443, 49744, 49745 YAHOO-DEBDE United Kingdom 17->24 26 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49738, 49739 FASTLYUS United States 17->26 30 9 other IPs or domains 17->30 28 ocsp.sca1b.amazontrust.com 13.224.89.175, 49755, 49756, 80 AMAZON-02US United States 20->28
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/849e363856d35f9349e418671e7580220f859cdd5a7cbb80ef721526111dbe70/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2020-11-17 06:56:06 UTC
File Type:
PE (Dll)
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qspdmocw2npzgspedbtr45maeihylhg5lj6lxahpoiksmei5xzya._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
1302b4037bd0759b5eac425cf3b4333621d2357c8d7d26f910a3473d8618b739
Gozi
1cbe92dd308b0cff4055bf7ea98e91ca2d1d9160314518e3f09adc8def67bd81
Gozi
2fe961e9bb79716d74f6d4c44e54b685a13d0bf9dc4a9c2e97425178b1cfd43e
Gozi
74df1156c1fadae414aaa6a95f8ead8924ebce0c607df63860fad0546288aa30
Gozi
7f78709da704f5fe0f08e67661f668381028e7649ec06028b89fb43947ee4d8d
Gozi
8c421ff35f676e2a886e33879a324da5660a9d94dd77edc1791f431c124402a4
Gozi
d5ba4c77ca4813a76ceb6be5203a3c3d713e043e82cf80a7aab0d92b28f71a64
Gozi
defd6d5bb8cd5cbd01d7e805d2b0ae7d36a12da501e3dafd9a46baded1fe402d
Gozi
e32ad2423fd1079505a65a44d9e0a4ea2c60821336b27e52930feaf5382a3536
Gozi
f3f8d996ff8837734356f73ef5794917eaa81829018db1eefcdf4e0c043e5c45
Gozi
+ 16 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb banker trojan
Link:
https://tria.ge/reports/201117-t82tmrsplj/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies Internet Explorer Phishing Filter
Gozi, Gozi IFSB
Unpacked files
SH256 hash:
849e363856d35f9349e418671e7580220f859cdd5a7cbb80ef721526111dbe70
MD5 hash:
652cb9987ce27f1c044a8de7efebd73e
SHA1 hash:
e30d6e35df734828b241f604d2092f6c5336c41d
Link:
https://www.unpac.me/results/abbf6d96-45e6-45f8-9af5-70d8717c804f/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe 849e363856d35f9349e418671e7580220f859cdd5a7cbb80ef721526111dbe70

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/825496/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/825498/
  
URLhaus
https://urlhaus.abuse.ch/url/825069/
  
URLhaus
https://urlhaus.abuse.ch/url/825070/
  
URLhaus
https://urlhaus.abuse.ch/url/825497/

Comments