MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e32ad2423fd1079505a65a44d9e0a4ea2c60821336b27e52930feaf5382a3536. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e32ad2423fd1079505a65a44d9e0a4ea2c60821336b27e52930feaf5382a3536
SHA3-384 hash: 20cf404c49a319c3e13383ea3c644293f528641a2432fa8645e21edf9fb0d4871c38f2e318fb8195b51bd93aaf2e4a9b
SHA1 hash: 08d3d09430fed1a36d8f3bbdd3ac0af8a0c3c6ac
MD5 hash: 759eae931e4b45d49359c176de832628
humanhash: charlie-skylark-lake-montana
File name:opzionalla.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:185'840 bytes
First seen:2020-11-09 11:01:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 94c254b67748a49336e6a09603de1973 (2 x Gozi)
ssdeep 3072:jNSX3nC/74Um1chviFDpwHmKsDojQsbQpPzkbduP9m:jNsC0ckDumkcpIbduP9m
Threatray 7 similar samples on MalwareBazaar
TLSH 4C04CF02ABEA74F5EDE7A17490FB37C32D1AD5250B1DD9B77B488AD4F812B418039274
Reporter JAMESWT_WT
Tags:dll Gozi isfb Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
174
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BScope.TrojanBanker.Gozi.15986.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Searching for the window
Deleting a recently created file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/526345
Signature
Binary contains a suspicious time stamp
Creates a COM Internet Explorer object
Found malware configuration
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 312257 Sample: opzionalla.dll Startdate: 09/11/2020 Architecture: WINDOWS Score: 100 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Found malware configuration 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 3 other signatures 2->47 8 loaddll32.exe 1 2->8         started        process3 process4 10 regsvr32.exe 8 6 8->10         started        14 cmd.exe 1 8->14         started        dnsIp5 37 141.136.36.252, 443, 49787 AS-HOSTINGERLT Lithuania 10->37 39 statwindows.com 10->39 49 System process connects to network (likely due to code injection or exploit) 10->49 51 Writes or reads registry keys via WMI 10->51 53 Writes registry values via WMI 10->53 55 Creates a COM Internet Explorer object 10->55 16 iexplore.exe 2 68 14->16         started        signatures6 process7 process8 18 iexplore.exe 29 16->18         started        21 iexplore.exe 32 16->21         started        23 iexplore.exe 159 16->23         started        25 3 other processes 16->25 dnsIp9 27 statwindows.com 31.41.44.83, 443, 49760, 49761 ASRELINKRU Russian Federation 18->27 29 edge.gycpi.b.yahoodns.net 87.248.118.23, 443, 49753, 49754 YAHOO-DEBDE United Kingdom 23->29 31 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49747, 49748 FASTLYUS United States 23->31 35 9 other IPs or domains 23->35 33 192.168.2.1 unknown unknown 25->33
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e32ad2423fd1079505a65a44d9e0a4ea2c60821336b27e52930feaf5382a3536/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2020-11-09 11:02:08 UTC
File Type:
PE (Dll)
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4mvneqr72edzkbngljcntyfe5iwgbaqtg2zh4uutb7vpkobkgu3a._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
1cbe92dd308b0cff4055bf7ea98e91ca2d1d9160314518e3f09adc8def67bd81
Gozi
2fe961e9bb79716d74f6d4c44e54b685a13d0bf9dc4a9c2e97425178b1cfd43e
Gozi
74df1156c1fadae414aaa6a95f8ead8924ebce0c607df63860fad0546288aa30
Gozi
84c7bba059b9d495d9e923346510a67a062b20d17c90d806fbf8cb6b67d91363
Gozi
8c421ff35f676e2a886e33879a324da5660a9d94dd77edc1791f431c124402a4
Gozi
8d2e11c37f1d10e4dfd3f525ee70c5c9f157996b927d94e2c355a4107dbb617c
Gozi
d5ba4c77ca4813a76ceb6be5203a3c3d713e043e82cf80a7aab0d92b28f71a64
Gozi
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb banker trojan
Link:
https://tria.ge/reports/201109-33ksb7egpe/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe e32ad2423fd1079505a65a44d9e0a4ea2c60821336b27e52930feaf5382a3536

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/798610/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/798621/
  
URLhaus
https://urlhaus.abuse.ch/url/798612/

Comments