MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0191114a1ad51d073bd2084d21f70d71f2ae748a790455c4a708915ad7533d2d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0191114a1ad51d073bd2084d21f70d71f2ae748a790455c4a708915ad7533d2d
SHA3-384 hash: 696da5be38ac1ed568747ff7b7092d12aa2dcc64f12b7b184ad3ceb874b17c6792b1d210da618fe8fc3bf1fe70796a0a
SHA1 hash: ad6ce1717870b37859094456b32c40f2682a6755
MD5 hash: dc8c09dcce354cf148b724e4b5210cc4
humanhash: california-apart-foxtrot-virginia
File name:pattern.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:668'672 bytes
First seen:2021-09-03 15:36:25 UTC
Last seen:2021-09-03 19:54:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f074115ebeb6621682ea6e2795fa238f (1 x Gozi)
ssdeep 12288:WqeAoQME4xL3Lq7ZAfsOU+1kGz9nHxUHmCrv+r:Wq1oldxTLoZcsOUaTzjumKv+r
Threatray 638 similar samples on MalwareBazaar
TLSH T1EDE49E26BA81C035C17252314D2AF61466BEBEA19B3246DF37D87B5E1F748C07A36633
dhash icon 44b268ccd4ccc8d4 (1 x Gozi)
Reporter abuse_ch
Tags:202108021 exe Gozi


Avatar
abuse_ch
Gozi payload URLs:
https://quickdrive.ae/js/JS000082510952000/dll/assistant.php
https://quickdrive.ae/js/JS000082510952000/pattern.exe

Gozi C2s:
https://hotroad.cyou/index.htm
https://monotep.xyz/index.htm

Intelligence

File Origin
# of uploads :
2
# of downloads :
970
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
pattern.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-03 15:39:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9eb601d3-6b4e-4b6d-b9b8-960461782e4c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/185212/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Sending a UDP request
Searching for the window
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/cbd88dcf-b029-4a1d-8cdc-5bd3fbcfa877
Result
Threat name:
Ursnif Ursnif v3
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/844942
Signature
Detected unpacking (changes PE section rights)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 477373 Sample: pattern.exe Startdate: 03/09/2021 Architecture: WINDOWS Score: 72 23 Yara detected Ursnif 2->23 25 Yara detected  Ursnif 2->25 6 pattern.exe 2->6         started        10 iexplore.exe 2 83 2->10         started        12 iexplore.exe 1 50 2->12         started        process3 dnsIp4 19 hotroad.cyou 6->19 27 Detected unpacking (changes PE section rights) 6->27 29 Writes or reads registry keys via WMI 6->29 31 Writes registry values via WMI 6->31 14 iexplore.exe 33 10->14         started        17 iexplore.exe 32 12->17         started        signatures5 process6 dnsIp7 21 hotroad.cyou 45.142.212.34, 443, 49704, 49705 ALEXHOSTMD Russian Federation 14->21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0191114a1ad51d073bd2084d21f70d71f2ae748a790455c4a708915ad7533d2d/
Threat name:
Win32.Infostealer.Gozi
Create hunting rule
Status:
Malicious
First seen:
2021-09-03 15:37:05 UTC
AV detection:
7 of 27 (25.93%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=agircsq22uoqoo6sbbgsd5ynohzk45ekpecflrfhbcivvv2thuwq._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
31b94c5a94aa8ce7e187360b0dc702b473d1c5d498d4de26f137b272ccbadaed
Gozi
5bd267095b25bea0d5a95b4d6c22b871056ca7b8dc137351850d6a577ba62b80
Gozi
76c8a9dbff9b571500729611595f1a1bce8dab543922d731c3bb42af5477f517
Gozi
7b8ef3f064d0de0c27d56ff4df7d360f0d546d32aabbdf96a746bab5c84277ec
Gozi
7bcf94551f01cde9cc82ea6c5b86929eb4ec341adf30af715af2bf0c2ecb6ed4
Gozi
8092e8842e1f992f109e158672c97f4cf67eab62ed6f017b5f4c0378fbfda264
Gozi
adef1e98019e2b2fcac75f287caf986ab16153cd40e45b803db0c2a3dd122559
Gozi
eb6e2519aa5c31174a1ed6c0193b2d0e49e9ed6ca1ac01ed94b3007b5e2f6993
Gozi
f7c79c0c3feb7c0032424f5f6a9bcdf78d1815ee53f807cc192c2c1f8f21270f
Gozi
+ 628 additional samples on MalwareBazaar
Result
Malware family:
gozi_rm3
Create hunting rule
Score:
  10/10
Tags:
family:gozi_rm3 botnet:202108021 banker trojan
Link:
https://tria.ge/reports/210903-s2gsjsgeek/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Gozi RM3
Malware Config
C2 Extraction:
https://hotroad.cyou
Unpacked files
SH256 hash:
e8df4e88bee4ad303674571c3fdeae9dacf5b985f4355e5fe736190573ea8590
MD5 hash:
7f9ee352dafe6734d76777c47719c61a
SHA1 hash:
940cfb8cd880d7863be75103556bd754241f790e
Link:
https://www.unpac.me/results/c1e0998d-ffed-4af9-ab74-726b35d1e78b/
SH256 hash:
0191114a1ad51d073bd2084d21f70d71f2ae748a790455c4a708915ad7533d2d
MD5 hash:
dc8c09dcce354cf148b724e4b5210cc4
SHA1 hash:
ad6ce1717870b37859094456b32c40f2682a6755
Link:
https://www.unpac.me/results/c1e0998d-ffed-4af9-ab74-726b35d1e78b/
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/0191114a1ad5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0191114a1ad51d073bd2084d21f70d71f2ae748a790455c4a708915ad7533d2d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Gozi

Java Script (JS) js 90663d341cc9a6e9d33df216882beea6dd451ab6a16e57f73392683018309b82

Gozi

Executable exe 0191114a1ad51d073bd2084d21f70d71f2ae748a790455c4a708915ad7533d2d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/host/quickdrive.ae/
  
Dropped by
MD5 ed8988f1433e30276b87384f16825116
  
Dropped by
SHA256 90663d341cc9a6e9d33df216882beea6dd451ab6a16e57f73392683018309b82
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1589197/
Cape
Cape
https://www.capesandbox.com/analysis/185212/

Comments