MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84c7bba059b9d495d9e923346510a67a062b20d17c90d806fbf8cb6b67d91363. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 84c7bba059b9d495d9e923346510a67a062b20d17c90d806fbf8cb6b67d91363
SHA3-384 hash: 36dc422e2da72a0509222799efe7362cff724722619006023a67c9b995ccae969244f789bcf6f54cd2d5264d177ff05d
SHA1 hash: 24a64c88075907a3f01bfdc68ef3044c13f25296
MD5 hash: d800d8db5cb2ecc22899dcf7e1c2430d
humanhash: wolfram-missouri-video-july
File name:u271020tar
Download: download sample
Signature Gozi
Create hunting rule
File size:360'448 bytes
First seen:2020-10-27 15:34:36 UTC
Last seen:2020-11-10 10:52:21 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash a4a970d65e10e28d69e0c08c450b28af (1 x Gozi)
ssdeep 6144:IV0fIvnNLBRG9TZlYCDegUbSUJGo2DdUEwK3o33oetc+5+p/apm6:I0MuZdCSIB2MPLLkp/ap
Threatray 79 similar samples on MalwareBazaar
TLSH A074DF1275A1D435C45E8279CC49DAFE6AAA7E05EFA8684372C83F8F3935EC10379712
Reporter JAMESWT_WT
Tags:Gozi

Intelligence

File Origin
# of uploads :
3
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ursnif3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/79999/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.34882076.2593.12737.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Creating a window
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/513956
Signature
Compiles code for process injection (via .Net compiler)
Creates a COM Internet Explorer object
Found malware configuration
Hooks registry keys query functions (used to hide registry keys)
Malicious sample detected (through community Yara rule)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 306093 Sample: u271020tar Startdate: 27/10/2020 Architecture: WINDOWS Score: 100 50 resolver1.opendns.com 2->50 52 8.8.8.8.in-addr.arpa 2->52 54 1.0.0.127.in-addr.arpa 2->54 66 Found malware configuration 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 Multi AV Scanner detection for submitted file 2->70 72 9 other signatures 2->72 9 mshta.exe 19 2->9         started        12 loaddll32.exe 1 2->12         started        14 iexplore.exe 1 57 2->14         started        signatures3 process4 signatures5 74 Suspicious powershell command line found 9->74 16 powershell.exe 32 9->16         started        20 rundll32.exe 1 12->20         started        22 rundll32.exe 12->22         started        24 iexplore.exe 31 14->24         started        27 iexplore.exe 29 14->27         started        29 iexplore.exe 12 14->29         started        process6 dnsIp7 44 C:\Users\user\AppData\...\5noi2ber.cmdline, UTF-8 16->44 dropped 60 Compiles code for process injection (via .Net compiler) 16->60 31 csc.exe 16->31         started        34 csc.exe 16->34         started        36 conhost.exe 16->36         started        62 Writes registry values via WMI 20->62 64 Creates a COM Internet Explorer object 20->64 38 control.exe 20->38         started        56 willeam.net 162.0.237.177, 49735, 49736, 49749 NAMECHEAP-NETUS Canada 24->56 58 192.168.2.1 unknown unknown 29->58 file8 signatures9 process10 file11 46 C:\Users\user\AppData\Local\...\5noi2ber.dll, PE32 31->46 dropped 40 cvtres.exe 31->40         started        48 C:\Users\user\AppData\Local\...\pvbgghq5.dll, PE32 34->48 dropped 42 cvtres.exe 34->42         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/84c7bba059b9d495d9e923346510a67a062b20d17c90d806fbf8cb6b67d91363/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2020-10-22 17:46:40 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
1cbe92dd308b0cff4055bf7ea98e91ca2d1d9160314518e3f09adc8def67bd81
Gozi
2e92d98fecb9edec0ef64d5441894b316f97755344e365460c463dd9dfebe775
Gozi
2fe961e9bb79716d74f6d4c44e54b685a13d0bf9dc4a9c2e97425178b1cfd43e
Gozi
394ecd747f9b75d73b9d9fb0e393c754ce030e1cccf6c2544fd6eb54578cd517
Gozi
493d258253c3d4b39ae41b07ae583164926731a9d1b17c434cca2b8fa9c80629
Gozi
6a39a3e7387f3d214042b2d9d99f4d6de18303d56ad96c9a48df20cf4693091b
Gozi
74df1156c1fadae414aaa6a95f8ead8924ebce0c607df63860fad0546288aa30
Gozi
8c421ff35f676e2a886e33879a324da5660a9d94dd77edc1791f431c124402a4
Gozi
8d2e11c37f1d10e4dfd3f525ee70c5c9f157996b927d94e2c355a4107dbb617c
Gozi
d5ba4c77ca4813a76ceb6be5203a3c3d713e043e82cf80a7aab0d92b28f71a64
Gozi
+ 69 additional samples on MalwareBazaar
Result
Malware family:
ursnif
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb family:ursnif banker spyware trojan
Link:
https://tria.ge/reports/201027-32x25bvrzs/
Behaviour
Discovers systems in the same network
Enumerates processes with tasklist
Gathers system information
Modifies Internet Explorer settings
Runs net.exe
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Suspicious use of SetThreadContext
Deletes itself
Reads user/profile data of web browsers
ServiceHost packer
Gozi, Gozi IFSB
Ursnif, Dreambot
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Banker
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/84c7bba059b9d495d9e923346510a67a062b20d17c90d806fbf8cb6b67d91363

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/79999/

Comments