MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e33157d0b5973fb880934006b1427f5ad53ae3f471e81a9a8460772d7f5b3657. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e33157d0b5973fb880934006b1427f5ad53ae3f471e81a9a8460772d7f5b3657
SHA3-384 hash: 2654e56efd3073f28098a5a48d5a325a552b6282cc5930d670ad85568b1748b34ca49f76816c9750578221881493c00e
SHA1 hash: 9c676a87f45a729814803eba55afde7653f8f1d0
MD5 hash: 20a56ccc52baa83bb0dcf3ef56035f6e
humanhash: virginia-march-triple-xray
File name:c0nnect1on.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:208'368 bytes
First seen:2020-11-23 06:13:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e510a197248acc9c6e9a54148c21bfcc (1 x Gozi)
ssdeep 6144:D9XUUA9IHBLmpsHvkgFZEhKHKRL8HE3RO0:9UUA9IH5m6HsgFpWthO0
Threatray 20 similar samples on MalwareBazaar
TLSH 7414D051E896B470E1BBB139C7ED7BDE7B0AD6214A2FDD773B5909D4E8122000CB61B8
Reporter JAMESWT_WT
Tags:dll Gozi isfb tributaria Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
195
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Searching for the window
Deleting a recently created file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/544937
Signature
Creates a COM Internet Explorer object
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e33157d0b5973fb880934006b1427f5ad53ae3f471e81a9a8460772d7f5b3657/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2020-11-23 06:14:06 UTC
File Type:
PE (Dll)
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4myvpufvs473raetiadlcqt7llktvy7uohubvguemb3s2723gzlq._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
0819171ecacc60ce94d946b5f2d4939f4b27c2d9275feb439a40ef6e927473c2
Gozi
1302b4037bd0759b5eac425cf3b4333621d2357c8d7d26f910a3473d8618b739
Gozi
1b3b5a0f763692e182e4ec002a871aa61c91341a448dd3241ff7c5d0be094f66
Gozi
2900169349643be6f77530141614eeac56e7b22387b9acf866ed4e4922e32401
Gozi
7f78709da704f5fe0f08e67661f668381028e7649ec06028b89fb43947ee4d8d
Gozi
849e363856d35f9349e418671e7580220f859cdd5a7cbb80ef721526111dbe70
Gozi
907ef06dae099405a2d6368af5306ccd1a40fea4b760a732289427edf19d12c3
Gozi
defd6d5bb8cd5cbd01d7e805d2b0ae7d36a12da501e3dafd9a46baded1fe402d
Gozi
e32ad2423fd1079505a65a44d9e0a4ea2c60821336b27e52930feaf5382a3536
Gozi
f3f8d996ff8837734356f73ef5794917eaa81829018db1eefcdf4e0c043e5c45
Gozi
+ 10 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb banker trojan
Link:
https://tria.ge/reports/201123-ypgbgatz42/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies Internet Explorer Phishing Filter
Gozi, Gozi IFSB
Unpacked files
SH256 hash:
e33157d0b5973fb880934006b1427f5ad53ae3f471e81a9a8460772d7f5b3657
MD5 hash:
20a56ccc52baa83bb0dcf3ef56035f6e
SHA1 hash:
9c676a87f45a729814803eba55afde7653f8f1d0
Link:
https://www.unpac.me/results/6b03eab8-6f8e-48e6-9532-0faeb954aa38/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e33157d0b5973fb880934006b1427f5ad53ae3f471e81a9a8460772d7f5b3657

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe e33157d0b5973fb880934006b1427f5ad53ae3f471e81a9a8460772d7f5b3657

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/845368/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/845389/
  
URLhaus
https://urlhaus.abuse.ch/url/845371/
  
URLhaus
https://urlhaus.abuse.ch/url/845370/
  
URLhaus
https://urlhaus.abuse.ch/url/845369/
Cape
Cape
https://www.capesandbox.com/analysis/105178/

Comments