MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d2e11c37f1d10e4dfd3f525ee70c5c9f157996b927d94e2c355a4107dbb617c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8d2e11c37f1d10e4dfd3f525ee70c5c9f157996b927d94e2c355a4107dbb617c
SHA3-384 hash: d2dd9f1a0a3d07946f0094a9dcfe3798da496535dc1849f70b25c9f6bc465b544b80119d3c6d0bf8a174369d9342f59d
SHA1 hash: 9f27009de9b209e236c9f17992e4c2f5b3804d28
MD5 hash: 88f1f262f2a14c645e55862ddca65815
humanhash: uniform-foxtrot-sodium-wolfram
File name:installa.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:119'296 bytes
First seen:2020-10-20 04:52:45 UTC
Last seen:2020-10-25 18:07:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2dc63e88aeb15731c361449e523bd027 (1 x Gozi)
ssdeep 1536:4sGkhUammObUAfaptRgYGRU7nXdW223hd8udvJ+EWlZOIW15fj/02xlINc66Ms3+:Lm8tRDGYnN3Ghq2J+EW6jfXPHM6pY
Threatray 39 similar samples on MalwareBazaar
TLSH BCC37CB6D3F52FB3D467237D59FA60B00BB1DD5B0B0BA826A74322612F917C5A984C31
Reporter JAMESWT_WT
Tags:dll Gozi isfb Ursnif

Intelligence

File Origin
# of uploads :
2
# of downloads :
299
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/73205/
Detection(s):
SecuriteInfo.com.BScope.TrojanBanker.Gozi.15362.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Searching for the window
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/496963
Signature
Creates a COM Internet Explorer object
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 300620 Sample: installa.dll Startdate: 20/10/2020 Architecture: WINDOWS Score: 84 34 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->34 36 Multi AV Scanner detection for submitted file 2->36 38 Yara detected  Ursnif 2->38 40 2 other signatures 2->40 8 loaddll32.exe 1 2->8         started        process3 process4 10 regsvr32.exe 8->10         started        13 cmd.exe 1 8->13         started        signatures5 42 Writes or reads registry keys via WMI 10->42 44 Writes registry values via WMI 10->44 46 Creates a COM Internet Explorer object 10->46 15 iexplore.exe 2 78 13->15         started        process6 process7 17 iexplore.exe 5 95 15->17         started        20 iexplore.exe 29 15->20         started        22 iexplore.exe 30 15->22         started        24 3 other processes 15->24 dnsIp8 26 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49754, 49755 FASTLYUS United States 17->26 28 www.msn.com 17->28 32 8 other IPs or domains 17->32 30 windowclient.com 45.140.168.107, 49773, 49774, 49775 ASBAXETRU Russian Federation 20->30
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8d2e11c37f1d10e4dfd3f525ee70c5c9f157996b927d94e2c355a4107dbb617c/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2020-10-20 04:54:05 UTC
File Type:
PE (Dll)
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
1cbe92dd308b0cff4055bf7ea98e91ca2d1d9160314518e3f09adc8def67bd81
Gozi
1f489fc6703dd57a5d322a920c98c60b0a9be1168147e3ab1f0db8fa2ba03dae
Gozi
2e92d98fecb9edec0ef64d5441894b316f97755344e365460c463dd9dfebe775
Gozi
2fe961e9bb79716d74f6d4c44e54b685a13d0bf9dc4a9c2e97425178b1cfd43e
Gozi
493d258253c3d4b39ae41b07ae583164926731a9d1b17c434cca2b8fa9c80629
Gozi
74df1156c1fadae414aaa6a95f8ead8924ebce0c607df63860fad0546288aa30
Gozi
8c421ff35f676e2a886e33879a324da5660a9d94dd77edc1791f431c124402a4
Gozi
ba1a4ae1f2155524be33ae4addcc907881d1b4e64c4a8090f4f77d1ad1e87cd0
Gozi
d7c37dced460635f71add15aa5071cdd82d73ab250c7f3104387bcdceb7ddced
Gozi
ff84091bb6f0eee80d98d41baf3ea143b48502d3933c0d9097abdf99618ffcf8
Gozi
+ 29 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
banker trojan family:gozi_ifsb
Link:
https://tria.ge/reports/201020-78vlzz4nae/
Behaviour
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Blacklisted process makes network request
Gozi, Gozi IFSB
Unpacked files
SH256 hash:
8d2e11c37f1d10e4dfd3f525ee70c5c9f157996b927d94e2c355a4107dbb617c
MD5 hash:
88f1f262f2a14c645e55862ddca65815
SHA1 hash:
9f27009de9b209e236c9f17992e4c2f5b3804d28
Link:
https://www.unpac.me/results/2632190e-8628-4e81-bf8b-ad7ff6a9549d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8d2e11c37f1d10e4dfd3f525ee70c5c9f157996b927d94e2c355a4107dbb617c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe 8d2e11c37f1d10e4dfd3f525ee70c5c9f157996b927d94e2c355a4107dbb617c

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/73205/
  
URLhaus
https://urlhaus.abuse.ch/url/721495/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/690587/
  
URLhaus
https://urlhaus.abuse.ch/url/718499/
  
URLhaus
https://urlhaus.abuse.ch/url/690586/
  
URLhaus
https://urlhaus.abuse.ch/url/716124/
  
URLhaus
https://urlhaus.abuse.ch/url/715884/

Comments