MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9127a38c105987631df3a245c009dc9519bb790e27e8fd6de682b89f76d7db8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 4

SHA256 hash: b9127a38c105987631df3a245c009dc9519bb790e27e8fd6de682b89f76d7db8
SHA3-384 hash: 2b5802e3f5ecfc183f2624a9140d8ccd37e0bd9099a5707142982bf6ced453621b677f18ef7fbac68dc7cbdca80a6621
SHA1 hash: 15d678fb01192792852aef1d96a2b915d75a1034
MD5 hash: 436098e705e0c18a156441ac979a4a9c
humanhash: seventeen-wisconsin-cola-football
File name: u03062020.bin
Signature: Gozi
File size: 590'680 bytes
First seen: 2020-06-03 10:48:29 UTC
Last seen: 2020-06-10 07:25:27 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: 3e9896a829e40446cf3dcb4d0c8237fd (1 x Gozi)
ssdeep: 6144:+G/nMeCMDNS1wz3YpxG7Y2nwT6ES7ZkJTPd0v:LfM8DNS1wkb52UhJZS
Threatray: 172 similar samples on MalwareBazaar
TLSH: 4DC4B83A4A0F9A07DD7E4A749A4D0183B433029634DDCCBDCA63061DE9BEC7E8764A57
Reporter: JAMESWT_WT
Tags: Gozi italy Ursnif

Code Signing Certificate

Organisation: BCJTJEJXDCZSKZPJGJ
Issuer: BCJTJEJXDCZSKZPJGJ
Algorithm: sha1WithRSA
Valid from: May 28 17:20:11 2020 GMT
Valid to: Dec 31 23:59:59 2039 GMT
Serial number: 753AAA57CAEA3484413AEA6797377472
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: D6A32E037403FC8A36A606D42D5638CC9C7D7A1FFF579731CB85B7B1F2AC1985
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 2
# of downloads: 75
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.Cerber
Status: Malicious
First seen: 2020-06-03 11:37:57 UTC
File Type: PE (Dll)
Extracted files: 1
AV detection: 19 of 31 (61.29%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:gozi_ifsb family:ursnif banker cryptone packer trojan
Behaviour:
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash

Gozi, Gozi IFSB
Ursnif, Dreambot

Please note that we are no longer able to provide a coverage score for VirusTotal.
