MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02bb7e5eda106943c37400103a651d11d1ebfd5f4b0a550874328c2c82340923. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Gozi
Vendor detections: 11



SHA256 hash: 02bb7e5eda106943c37400103a651d11d1ebfd5f4b0a550874328c2c82340923
SHA3-384 hash: 9dd61b9a271e27e3f86e9c09fb4041d2f484b61d4f81b558abc5f26e172414a3d72070f2674ff28d3a9eca47f95a754f
SHA1 hash: 6e2d76945861c48a2e4552d87583c1a70e6525a2
MD5 hash: 947fe47db34a2654fc7aa76ec2bebec0
humanhash: lima-white-mars-lion
File name: status.dll
Signature: Gozi
File size: 1'235'456 bytes
First seen: 2022-01-19 10:49:06 UTC
Last seen: 2022-01-19 11:11:38 UTC
File type: Executable exe (MalwareBazaar's label; the file name, the "PE (Dll)" file type reported by a vendor further down, and execution through loaddll32.exe and regsvr32.exe in the sandbox show that the sample is a DLL rather than a stand-alone executable)
MIME type: application/x-dosexec
imphash: 7790023abe9e706b7ca9941ca04b698c (1 x Gozi)
ssdeep: 24576:a04Q1k7lRM3FymFIz5yfd/N04Q1k7lRM3FymFIz5yfd/N04Q1k7lRM3FymFIz5yE:fXu/MV/INrXu/MV/INrXu/MV/INN9Vz
Threatray: 345 similar samples on MalwareBazaar
TLSH: T12B45128AD3FD18A4F5F3ADB22D719983CC6B7D12A921A46D1B5A094E08744CCDEB1373
Reporter: f3d__
Tags: agenziaentrate exe Gozi italy Ursnif
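Before analysing a sample pulled from this entry, check that the file on disk is the one the entry describes. The script below is an added example, not MalwareBazaar code: it computes the four digests the entry lists (MD5, SHA1, SHA256 and SHA3-384) and compares each against the values copied from this page. It assumes the sample has already been extracted from the ZIP archive MalwareBazaar serves (downloads are password-protected; the password, "infected", is an abuse.ch convention rather than something stated on this page), and it takes the path as its only argument.

```python
import hashlib
import sys

# Digests as listed on this MalwareBazaar entry (copied from the page above).
EXPECTED = {
    "md5": "947fe47db34a2654fc7aa76ec2bebec0",
    "sha1": "6e2d76945861c48a2e4552d87583c1a70e6525a2",
    "sha256": "02bb7e5eda106943c37400103a651d11d1ebfd5f4b0a550874328c2c82340923",
    "sha3_384": "9dd61b9a271e27e3f86e9c09fb4041d2f484b61d4f81b558abc5f26e172414a3d72070f2674ff28d3a9eca47f95a754f",
}


def compute_hashes(data: bytes) -> dict:
    """Return the four digests the entry lists, as lowercase hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def verify_sample(data: bytes, expected: dict = EXPECTED) -> dict:
    """Compare every listed digest and return {algorithm: matched}.

    Checking all four catches a mis-copied value in any single field and
    means a weak hash (MD5, SHA1) never decides the outcome on its own.
    """
    actual = compute_hashes(data)
    return {alg: actual[alg] == exp.lower() for alg, exp in expected.items()}


def verify_file(path: str, expected: dict = EXPECTED) -> dict:
    """Hash a file on disk (the extracted sample, not the ZIP wrapper)."""
    with open(path, "rb") as fh:
        return verify_sample(fh.read(), expected)


if __name__ == "__main__":
    result = verify_file(sys.argv[1])
    for alg, ok in result.items():
        print(f"{alg:9s} {'OK' if ok else 'MISMATCH'}")
    # Non-zero exit on any mismatch so the check can gate an analysis pipeline.
    sys.exit(0 if all(result.values()) else 1)
```

Run it as `python verify_sample.py status.dll`; a mismatch on every algorithm usually means the ZIP wrapper was hashed instead of the extracted file, while a mismatch on one algorithm only means that field was copied wrongly.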

Intelligence

File Origin
# of uploads: 3
# of downloads: 444
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 947fe47db34a2654fc7aa76ec2bebec0.exe
Verdict: Malicious activity
Analysis date: 2022-01-19 08:25:02 UTC
Tags: trojan gozi ursnif dreambot

Note: ANY.RUN is an interactive sandbox; its verdict reflects every action taken during the session, not only the uploaded sample.

Result
Verdict: Suspicious
Maliciousness: (not reported)
Behaviour:
  DNS request
  Sending a custom TCP request
  Using the Windows Management Instrumentation requests
  Launching a process
  Searching for synchronization primitives
  Creating synchronization primitives
  Creating a window
  Sending an HTTP GET request
  Searching for the window
  Creating a process with a hidden window
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour:
  MalwareBazaar
  CheckScreenResolution
  CheckCmdLine

Result
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: ursnif

Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: (not reported)
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Creates a thread in another existing process (thread injection)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious MSHTA Process Patterns
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph (ID 555803, sample status.dll, start date 19/01/2022, architecture WINDOWS, score 100), rendered as a process tree. Signatures attached to a node are given in brackets; files written by a node are marked "drops".

Sample-level observations: DNS lookups for myip.opendns.com and 222.222.67.208.in-addr.arpa; Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for submitted file; Yara detected Ursnif; 5 other signatures.

loaddll32.exe  [Writes to foreign memory regions; Writes or reads registry keys via WMI; Writes registry values via WMI]
  regsvr32.exe  [contacts 192.168.2.1; Writes or reads registry keys via WMI; Writes registry values via WMI]
    mshta.exe
      powershell.exe
        csc.exe  drops C:\Users\user\AppData\Local\...\yycrjy0w.dll (PE32)
          cvtres.exe
        conhost.exe
  rundll32.exe  [Writes to foreign memory regions]
    mshta.exe
      powershell.exe  [Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Creates a thread in another existing process (thread injection)]
        csc.exe  drops C:\Users\user\AppData\Local\...\5nzflxas.dll (PE32)
          cvtres.exe
        csc.exe  drops C:\Users\user\AppData\Local\...\11mxocay.dll (PE32)
        conhost.exe
    control.exe
      rundll32.exe
  cmd.exe
    rundll32.exe  [Writes registry values via WMI]
      mshta.exe
        powershell.exe  [same three thread-injection signatures as above]
          csc.exe  drops C:\Users\user\AppData\Local\...\fyriofhk.dll (PE32)
            cvtres.exe
          csc.exe  drops C:\Users\user\AppData\Local\...\mrf10rqm.dll (PE32)
          conhost.exe
  2 other processes
    powershell.exe  [same three thread-injection signatures as above]
      csc.exe  drops C:\Users\user\AppData\Local\...\eutk2hxp.dll (PE32)
        cvtres.exe
      csc.exe  drops C:\Users\user\AppData\Local\...\babtdr3v.dll (PE32)
      conhost.exe
iexplore.exe
  iexplore.exe  [contacts museumistat.bar, 31.41.44.3, ports 49748, 49749, 49750, ASRELINKRU, Russian Federation]
  iexplore.exe
  iexplore.exe
  2 other processes

The repeated chain is the same at every branch: a DLL host (regsvr32.exe or rundll32.exe) launches mshta.exe, which launches powershell.exe, which compiles code at run time (csc.exe followed by cvtres.exe, each leaving a randomly named PE32 DLL under AppData\Local) and then injects into another process.
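The signature list names two Sigma rules ("MSHTA Spawning Windows Shell", "Suspicious Call by Ordinal") and the graph shows the chain they fire on. The detector below is an added example, not a vendor rule and not code from this page: it walks Sysmon-style process-creation events, rebuilds parent/child relationships and flags the chains visible in the graph (regsvr32/rundll32 launching mshta.exe, mshta.exe launching a shell, powershell.exe launching csc.exe, and rundll32.exe invoking an export by ordinal). The events are constructed; their parent/child layout mirrors the graph, but every command line is an assumption, because the page shows none.

```python
from collections import defaultdict

# Constructed process-creation events (not sandbox output from the page).
# Parent/child layout mirrors the behaviour graph; command lines are assumed.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "loaddll32.exe",  "cmdline": "loaddll32.exe status.dll"},
    {"pid": 101, "ppid": 100, "image": "regsvr32.exe",   "cmdline": "regsvr32.exe /s status.dll"},
    {"pid": 102, "ppid": 101, "image": "mshta.exe",      "cmdline": "mshta.exe javascript:..."},
    {"pid": 103, "ppid": 102, "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -e ..."},
    {"pid": 104, "ppid": 103, "image": "csc.exe",        "cmdline": "csc.exe /noconfig /fullpaths ..."},
    {"pid": 105, "ppid": 104, "image": "cvtres.exe",     "cmdline": "cvtres.exe /NOLOGO ..."},
    {"pid": 106, "ppid": 103, "image": "conhost.exe",    "cmdline": "conhost.exe 0xffffffff"},
    {"pid": 107, "ppid": 100, "image": "cmd.exe",        "cmdline": "cmd.exe /c ..."},
    {"pid": 108, "ppid": 107, "image": "rundll32.exe",   "cmdline": "rundll32.exe status.dll,#1"},
    {"pid": 109, "ppid": 108, "image": "mshta.exe",      "cmdline": "mshta.exe javascript:..."},
    {"pid": 110, "ppid": 109, "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -e ..."},
    {"pid": 111, "ppid": 110, "image": "csc.exe",        "cmdline": "csc.exe /noconfig /fullpaths ..."},
    # Benign noise: a developer compiling from an interactive shell must not match.
    {"pid": 200, "ppid": 1,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"pid": 201, "ppid": 200, "image": "cmd.exe",        "cmdline": "cmd.exe"},
    {"pid": 202, "ppid": 201, "image": "csc.exe",        "cmdline": "csc.exe hello.cs"},
]

WINDOWS_SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
DLL_HOSTS = {"regsvr32.exe", "rundll32.exe"}


def build_tree(events):
    """Index events by pid and by parent pid."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    return by_pid, children


def ancestry(by_pid, pid, depth=8):
    """Image names from the process up to its root, nearest first."""
    chain = []
    while pid in by_pid and len(chain) < depth:
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Return (rule, pid) findings for the chains seen in the behaviour graph."""
    by_pid, _children = build_tree(events)
    findings = []
    for e in events:
        chain = ancestry(by_pid, e["pid"])
        image = chain[0]
        parent = chain[1] if len(chain) > 1 else None
        # Sigma "MSHTA Spawning Windows Shell": mshta.exe -> powershell.exe / cmd.exe
        if image in WINDOWS_SHELLS and parent == "mshta.exe":
            findings.append(("mshta_spawns_shell", e["pid"]))
        # DLL host (regsvr32.exe / rundll32.exe) launching mshta.exe
        if image == "mshta.exe" and parent in DLL_HOSTS:
            findings.append(("dll_host_spawns_mshta", e["pid"]))
        # PowerShell compiling .NET at run time: csc.exe directly under powershell.exe.
        # The same csc.exe under explorer.exe -> cmd.exe does not match.
        if image == "csc.exe" and parent == "powershell.exe":
            findings.append(("powershell_runtime_compile", e["pid"]))
        # Sigma "Suspicious Call by Ordinal": rundll32.exe export given as ",#N"
        # (the command-line form is an assumption; the page shows no command lines)
        if image == "rundll32.exe" and ",#" in e.get("cmdline", ""):
            findings.append(("rundll32_ordinal_call", e["pid"]))
    return findings


if __name__ == "__main__":
    by_pid, _ = build_tree(EVENTS)
    for rule, pid in detect(EVENTS):
        print(f"{rule:28s} pid={pid:<4d} " + " <- ".join(ancestry(by_pid, pid)))
```

Matching on the parent image rather than the command line is what keeps these rules robust against the obfuscated mshta and PowerShell payloads this family uses; the ordinal rule is the one check here that needs the command line, so it is the one most exposed to evasion.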
Result
Threat name: Win32.Trojan.Ursnif
Status: Malicious
First seen: 2022-01-19 10:50:14 UTC
File Type: PE (Dll)
AV detection: 16 of 28 (57.14%)
Threat level: 5/5
Unpacked files

SHA256 hash: da9e5bcff0ad496dd7a8be8f8aac3d3105cc27f66b439822b9068964121aee6f
MD5 hash: b234a6165764650f7d1efebe8209f569
SHA1 hash: d6760b7834899d69b575f7f4e8a404aa5c90c56f
Detections: win_isfb_auto

SHA256 hash: ba324de1866abaaef3893a76defa46ab60d2117d3cbda0f7f01d8580f662578e
MD5 hash: 3ac15ba3af8375a6b65ea629ca88eef2
SHA1 hash: 454980be0f3fc3d2e1fdd97e68c6e992ac6047c3
Detections: win_isfb_auto

SHA256 hash: 02bb7e5eda106943c37400103a651d11d1ebfd5f4b0a550874328c2c82340923 (the submitted sample itself)
MD5 hash: 947fe47db34a2654fc7aa76ec2bebec0
SHA1 hash: 6e2d76945861c48a2e4552d87583c1a70e6525a2
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  Signature: Gozi
  File: Executable exe 02bb7e5eda106943c37400103a651d11d1ebfd5f4b0a550874328c2c82340923 (this sample)
  Delivery method: Distributed via web download

Comments