MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3f8d996ff8837734356f73ef5794917eaa81829018db1eefcdf4e0c043e5c45. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f3f8d996ff8837734356f73ef5794917eaa81829018db1eefcdf4e0c043e5c45
SHA3-384 hash: 875a7d1b8f0360a387afa21b21aa095809e0392682e9f1975648db65c210a1d7b4447afae89b38d826936c05b7296411
SHA1 hash: e6812a663ec93619f8203dd05dc68358b8f1305f
MD5 hash: 067521fb17842073557f00807c5aa1d0
humanhash: lemon-autumn-nuts-fanta
File name:0pzional1a.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:164'352 bytes
First seen:2020-11-10 09:31:20 UTC
Last seen:2024-07-24 23:01:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash feb4d4380f0dac2e62b4f80f92af66cd (1 x Gozi)
ssdeep 3072:JAeRry3LsiBJGjJKaPxuHY5axVqUumom4iUY9/Yi86qep:ie47siBEka5uHh+xmfUe/YIqep
Threatray 34 similar samples on MalwareBazaar
TLSH 4DF3BE00F8D660B6D879E33D2D8DBFE74308AA3D352DEAD7374C8DD2D86118964297A4
Reporter JAMESWT_WT
Tags:dll Gozi isfb Ursnif

Intelligence

File Origin
# of uploads :
2
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file
Searching for the window
Deleting a recently created file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/527990
Signature
Creates a COM Internet Explorer object
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f3f8d996ff8837734356f73ef5794917eaa81829018db1eefcdf4e0c043e5c45/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2020-11-10 09:33:04 UTC
File Type:
PE (Dll)
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
1302b4037bd0759b5eac425cf3b4333621d2357c8d7d26f910a3473d8618b739
Gozi
1cbe92dd308b0cff4055bf7ea98e91ca2d1d9160314518e3f09adc8def67bd81
Gozi
2fe961e9bb79716d74f6d4c44e54b685a13d0bf9dc4a9c2e97425178b1cfd43e
Gozi
493d258253c3d4b39ae41b07ae583164926731a9d1b17c434cca2b8fa9c80629
Gozi
74df1156c1fadae414aaa6a95f8ead8924ebce0c607df63860fad0546288aa30
Gozi
84c7bba059b9d495d9e923346510a67a062b20d17c90d806fbf8cb6b67d91363
Gozi
8c421ff35f676e2a886e33879a324da5660a9d94dd77edc1791f431c124402a4
Gozi
8d2e11c37f1d10e4dfd3f525ee70c5c9f157996b927d94e2c355a4107dbb617c
Gozi
d5ba4c77ca4813a76ceb6be5203a3c3d713e043e82cf80a7aab0d92b28f71a64
Gozi
e32ad2423fd1079505a65a44d9e0a4ea2c60821336b27e52930feaf5382a3536
Gozi
+ 24 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb banker trojan
Link:
https://tria.ge/reports/201110-tllb74m8zx/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
JavaScript code in executable
Gozi, Gozi IFSB
Unpacked files
SH256 hash:
f3f8d996ff8837734356f73ef5794917eaa81829018db1eefcdf4e0c043e5c45
MD5 hash:
067521fb17842073557f00807c5aa1d0
SHA1 hash:
e6812a663ec93619f8203dd05dc68358b8f1305f
Link:
https://www.unpac.me/results/7ab6bb4e-e071-4b0f-a0d7-c3302e9b85a8/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe f3f8d996ff8837734356f73ef5794917eaa81829018db1eefcdf4e0c043e5c45

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/803386/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/803385/
  
URLhaus
https://urlhaus.abuse.ch/url/803313/
  
URLhaus
https://urlhaus.abuse.ch/url/803424/
  
URLhaus
https://urlhaus.abuse.ch/url/803343/

Comments