MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae618e94c64b10307de3193efe693ba4cf0ea371a662038f705ba00779ad4f40. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 8



SHA256 hash: ae618e94c64b10307de3193efe693ba4cf0ea371a662038f705ba00779ad4f40
SHA3-384 hash: c961af4020a053986e54f5e5822791228a4d9efba2c202bcaab96403ac013b91fb53260411cc0b740b251f2044f6201a
SHA1 hash: 62309679b02f05d42bc05cf6c1f522e4837f4f04
MD5 hash: 4549708f2a9c381890a5558b2036bc49
humanhash: leopard-pluto-hawaii-grey
File name: wellwishervcf
Signature: Gozi
File size: 293'376 bytes
First seen: 2020-07-23 06:14:25 UTC
Last seen: 2020-07-23 06:49:26 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: 56853e056ad41af2da4621864417592a (1 x Gozi)
ssdeep: 6144:gkAvtCxezbbiRvWPH/zOpBOyVqoVUm/ocW:gkAvtCqiRAbaBlYoKmwcW
Threatray: 679 similar samples on MalwareBazaar
TLSH: E9547C067F44A4BAF2DB1A3D4A60F1B80E567C319B1066F73BC41F5B7B626436C48A2D
Reporter: JAMESWT_WT
Tags: Gozi isfb Ursnif

Intelligence

File Origin
# of uploads: 2
# of downloads: 374
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:

Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 48 / 100

Behaviour
Behavior Graph: (graph image not reproduced in this entry)
Threat name: Win32.Trojan.Ursnif
Status: Malicious
First seen: 2020-07-22 02:16:37 UTC
File Type: PE (Dll)
Extracted files: 1
AV detection: 21 of 29 (72.41%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: banker trojan family:gozi_ifsb family:ursnif spyware

Behaviour
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Runs ping.exe
Suspicious behavior: MapViewOfSection
Runs net.exe
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Checks whether UAC is enabled
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops file in System32 directory
Deletes itself
Reads user/profile data of web browsers

Gozi, Gozi IFSB
Ursnif, Dreambot

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample, such as the delivery method and external references.

Comments