MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00a6659355525272bce8845b6db89d2d9f89e6b96bd5379292ebfebf9cbbe68e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 00a6659355525272bce8845b6db89d2d9f89e6b96bd5379292ebfebf9cbbe68e
SHA3-384 hash: 0839c1a5db361b43e4e1efb074b94be675a24835d6041aca8801ae13786d512924d6ca59972bccc8efc14716c9a1a749
SHA1 hash: 08f3b0f78e0c26898eca40792d499162b13a6036
MD5 hash: 08bd4c8bd321cb906c9275d0231f57b3
humanhash: lemon-video-gee-lemon
File name:image.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:502'264 bytes
First seen:2022-02-09 12:52:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7bf6e48848f7b1b3ea203f2b14deb251 (1 x Gozi)
ssdeep 12288:HR2lg/gRebHUdOVFPlqv/nD9a9f6np9C1fxP3HC9/:HR2GYkbHUgVtlCA9ypyJs
Threatray 13 similar samples on MalwareBazaar
TLSH T13AB4BF72F9CCA51BDD85AA3D3B1453A92B33F812E37553E6D3861C0EC0F8E9A5518B81
Reporter JAMESWT_WT
Tags:agenziaentrate dll exe Gozi isfb Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
372
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
image.exe
Verdict:
Malicious activity
Analysis date:
2022-02-09 10:44:32 UTC
Tags:
trojan gozi ursnif dreambot evasion stealer
Link:
https://app.any.run/tasks/e8eb26ec-62c4-443c-8cc0-83512c1d0d06

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/239525/
Detection(s):
SecuriteInfo.com.ML.PE-A.18083.11152.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Launching a process
Searching for synchronization primitives
Сreating synchronization primitives
Creating a window
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/6502/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware keylogger overlay packed shell32.dll update.exe virus
Link:
https://www.filescan.io/uploads/6203b8fac79b424d720aeb92/reports/a3ed61c0-2952-45b7-8885-5a20326be932/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/86bf6376-661f-4122-958c-9d7c62138e3e
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/936889
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/00a6659355525272bce8845b6db89d2d9f89e6b96bd5379292ebfebf9cbbe68e/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2022-02-09 12:53:10 UTC
File Type:
PE (Dll)
Extracted files:
16
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=actgle2vkjjhfphiqrnw3oe5fwpytzvznpktpeus5p7l7hf342ha._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
43c1845bb2ce2c59575a8a04bec910716232d59aa3022c1a489079fd46ce93ef
Gozi
51037666d1982db93e3123e88594d409805d3f1d970e9f926dcadb99f77f50f6
Gozi
5f5dd9783ee79a7097f47c023015c07c76d5b9e5562362fa54cc28b2f7d1744a
Gozi
71b928fd0b29e21bbfa4755b5347f4dc40653a82ec7ecf4947e325dbec23abaa
Gozi
ccfa8b97f8273be6e7fee1beb2330cc45ab8f152c5d1bfa8b04f7b3b0b603433
Gozi
d33a4d3ac76095145e6061009fc20432b5c2c6ec4a828c7b6956ea5f072f2c34
Gozi
d5b1a96dc7d4007a9228abee105cd77305827ed28aac77932e7c416c888c9d30
Gozi
eb639e9d45ed4d4cf911195b7ef53d61897dd8f826c542ae411854ddec3aea87
Gozi
f87ed79fbb1a2228c97fb59127eade39c4f8218fa28ddd76b50da177d81438e3
Gozi
+ 3 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:7612 banker trojan
Link:
https://tria.ge/reports/220209-p35dfsada7/
Behaviour
Checks processor information in registry
Discovers systems in the same network
Enumerates processes with tasklist
Enumerates system info in registry
Gathers system information
Modifies Internet Explorer settings
Runs net.exe
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks computer location settings
Gozi, Gozi IFSB
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
securezzalink.top
securezzalink.space
linkspremium.ru
premiumlists.ru
premiumlines.top
premiumliner.top
premiumline.space
linespremium.ru
linespremium.pw
blogerslives.com
blogerslines.com
blogspoints.com
blogspoints.ru
filmspoints.com
Unpacked files
SH256 hash:
f623dce10758a05a0498d26967c46ab7816e00abf0d89442d69bf820fd1451df
MD5 hash:
e5fc97707f6fdeecee53283c05b71ae3
SHA1 hash:
f096b577299aae72e5ab65da9bae1a35ef8d7f24
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/001910dc-54d2-46fc-a464-7e0917b2a5de/
SH256 hash:
25099437b18ea0bf75fb90dbb88a5f855a82b575b9145b5acf4403c759725a1f
MD5 hash:
9a30b3d9a6136e6e62b6850ef0c2883f
SHA1 hash:
dd66e78b91ef31f896f34405b02c8aca8b00706b
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/001910dc-54d2-46fc-a464-7e0917b2a5de/
SH256 hash:
00a6659355525272bce8845b6db89d2d9f89e6b96bd5379292ebfebf9cbbe68e
MD5 hash:
08bd4c8bd321cb906c9275d0231f57b3
SHA1 hash:
08f3b0f78e0c26898eca40792d499162b13a6036
Link:
https://www.unpac.me/results/001910dc-54d2-46fc-a464-7e0917b2a5de/
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/00a665935552/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe 00a6659355525272bce8845b6db89d2d9f89e6b96bd5379292ebfebf9cbbe68e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2036798/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2036834/
  
URLhaus
https://urlhaus.abuse.ch/url/2038538/
  
URLhaus
https://urlhaus.abuse.ch/url/2038631/
Cape
Cape
https://www.capesandbox.com/analysis/239525/

Comments