MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 907ef06dae099405a2d6368af5306ccd1a40fea4b760a732289427edf19d12c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 907ef06dae099405a2d6368af5306ccd1a40fea4b760a732289427edf19d12c3
SHA3-384 hash: 311b904ddd74d8fc53edb02af6b7993f63153579ed4066e8f4f50995302bb08dc2add4929c5575619c6bab790334a7d7
SHA1 hash: 5cba3c12fca72028c59976783fd2491aa81027b7
MD5 hash: e1dca134544906777f356b7d05218cc6
humanhash: finch-paris-fanta-snake
File name:960
Download: download sample
Signature Gozi
Create hunting rule
File size:137'712 bytes
First seen:2020-11-17 09:42:44 UTC
Last seen:2020-11-17 13:48:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1720177583c3f9299ae6f0131b82ba09 (1 x Gozi)
ssdeep 3072:5YeLkGlrdlvnLjI534p1zmmIpo/9p3JSrpXLhp:5xrlvwU1KmKoUrlD
Threatray 49 similar samples on MalwareBazaar
TLSH 9CD3D00264D2A0F6E4764DBCEBBB67E30959D2E81F18DA622FCC3CC949E31841096FD5
Reporter JAMESWT_WT
Tags:brt dll Gozi

Intelligence

File Origin
# of uploads :
3
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BScope.TrojanBanker.Gozi.16155.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Sending an HTTP GET request
Searching for the window
Result
Verdict:
0
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/539252
Signature
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Creates a COM Internet Explorer object
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Found malware configuration
Found Tor onion address
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 318723 Sample: 960 Startdate: 17/11/2020 Architecture: WINDOWS Score: 100 82 Found malware configuration 2->82 84 Malicious sample detected (through community Yara rule) 2->84 86 Multi AV Scanner detection for submitted file 2->86 88 11 other signatures 2->88 9 mshta.exe 2->9         started        12 loaddll32.exe 1 2->12         started        process3 signatures4 104 Suspicious powershell command line found 9->104 14 powershell.exe 9->14         started        18 regsvr32.exe 1 12->18         started        20 cmd.exe 1 12->20         started        process5 file6 64 C:\Users\user\AppData\...\d0du53au.cmdline, UTF-8 14->64 dropped 66 C:\Users\user\AppData\Local\...\232c021r.0.cs, UTF-8 14->66 dropped 106 Injects code into the Windows Explorer (explorer.exe) 14->106 108 Writes to foreign memory regions 14->108 110 Modifies the context of a thread in another process (thread injection) 14->110 118 2 other signatures 14->118 22 explorer.exe 14->22 injected 26 csc.exe 14->26         started        29 csc.exe 14->29         started        31 conhost.exe 14->31         started        112 Allocates memory in foreign processes 18->112 114 Maps a DLL or memory area into another process 18->114 116 Writes or reads registry keys via WMI 18->116 120 2 other signatures 18->120 33 control.exe 18->33         started        35 WerFault.exe 18->35         started        37 iexplore.exe 2 65 20->37         started        signatures7 process8 dnsIp9 68 89.44.9.160 M247GB Romania 22->68 90 Tries to steal Mail credentials (via file access) 22->90 92 Changes memory attributes in foreign processes to executable or writable 22->92 94 Tries to harvest and steal browser information (history, passwords, etc) 22->94 102 4 other signatures 22->102 39 cmd.exe 22->39         started        54 2 other processes 22->54 60 C:\Users\user\AppData\Local\...\d0du53au.dll, PE32 26->60 dropped 41 cvtres.exe 26->41         started        62 C:\Users\user\AppData\Local\...\232c021r.dll, PE32 29->62 dropped 43 cvtres.exe 29->43         started        96 Injects code into the Windows Explorer (explorer.exe) 33->96 98 Writes to foreign memory regions 33->98 100 Allocates memory in foreign processes 33->100 45 rundll32.exe 33->45         started        47 iexplore.exe 165 37->47         started        50 iexplore.exe 26 37->50         started        52 iexplore.exe 30 37->52         started        56 2 other processes 37->56 file10 signatures11 process12 dnsIp13 58 conhost.exe 39->58         started        70 contextual.media.net 104.84.56.24, 443, 49712, 49713 VODAFONE-TRANSIT-ASVodafoneNZLtdNZ United States 47->70 72 151.101.1.44 FASTLYUS United States 47->72 80 2 other IPs or domains 47->80 74 172.217.168.42 GOOGLEUS United States 50->74 76 216.58.206.36 GOOGLEUS United States 50->76 78 63.250.33.60 NAMECHEAP-NETUS United States 52->78 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/907ef06dae099405a2d6368af5306ccd1a40fea4b760a732289427edf19d12c3/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2020-11-17 09:43:04 UTC
File Type:
PE (Dll)
AV detection:
26 of 28 (92.86%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
1302b4037bd0759b5eac425cf3b4333621d2357c8d7d26f910a3473d8618b739
Gozi
1cbe92dd308b0cff4055bf7ea98e91ca2d1d9160314518e3f09adc8def67bd81
Gozi
74df1156c1fadae414aaa6a95f8ead8924ebce0c607df63860fad0546288aa30
Gozi
7f78709da704f5fe0f08e67661f668381028e7649ec06028b89fb43947ee4d8d
Gozi
849e363856d35f9349e418671e7580220f859cdd5a7cbb80ef721526111dbe70
Gozi
8c421ff35f676e2a886e33879a324da5660a9d94dd77edc1791f431c124402a4
Gozi
8d2e11c37f1d10e4dfd3f525ee70c5c9f157996b927d94e2c355a4107dbb617c
Gozi
defd6d5bb8cd5cbd01d7e805d2b0ae7d36a12da501e3dafd9a46baded1fe402d
Gozi
e32ad2423fd1079505a65a44d9e0a4ea2c60821336b27e52930feaf5382a3536
Gozi
f3f8d996ff8837734356f73ef5794917eaa81829018db1eefcdf4e0c043e5c45
Gozi
+ 39 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb banker trojan
Link:
https://tria.ge/reports/201117-wyztfftx32/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Gozi, Gozi IFSB
Unpacked files
SH256 hash:
907ef06dae099405a2d6368af5306ccd1a40fea4b760a732289427edf19d12c3
MD5 hash:
e1dca134544906777f356b7d05218cc6
SHA1 hash:
5cba3c12fca72028c59976783fd2491aa81027b7
Link:
https://www.unpac.me/results/610d4cd0-eebc-43d4-8d27-00e6f924473d/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe 907ef06dae099405a2d6368af5306ccd1a40fea4b760a732289427edf19d12c3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/825986/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/825987/

Comments