MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0389108b0322ecbbadd21a245c1b75f93e38a2e51a8b38a385596ebe05c323cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0389108b0322ecbbadd21a245c1b75f93e38a2e51a8b38a385596ebe05c323cf
SHA3-384 hash: 894d0e95b28771bed95f9d22a96e5929272b01345b26b702a926f3ff68660ac9a07d46dc0faa89f2aa0704d387223110
SHA1 hash: d3bda7e7be11da19cd3adf16a4c58548eb573f74
MD5 hash: 988f8a03ac893e41d4f9aaca5addafe1
humanhash: island-mike-football-chicken
File name:client_5.hta
Download: download sample
Signature Gozi
Create hunting rule
File size:23'475 bytes
First seen:2023-10-06 11:55:12 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 384:pA7lUDQMeK43MV0p6WUuJOJjmF9Koq5nZN851z9fwP3jXMeSnqIc6l:H2MWqwRwPDd6l
TLSH T138B25D5C074FA8F89673ACC88AD6AC53FB74862A4A7CDAC49F30FEE62410174A4F551D
Reporter JAMESWT_WT
Tags:agenziaentrate Gozi hta Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
148
Origin country :
IT IT
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.155.1478.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/0389108b0322ecbbadd21a245c1b75f93e38a2e51a8b38a385596ebe05c323cf/results/dashboard
Behaviour
BlacklistAPI detected
Gathering data
Verdict:
Suspicious
Labled as:
TrojanDownloader/VBS.NetLoader
Link:
https://www.hybrid-analysis.com/sample/0389108b0322ecbbadd21a245c1b75f93e38a2e51a8b38a385596ebe05c323cf
Result
Verdict:
MALICIOUS
Result
Threat name:
Cobalt Strike, Ursnif
Create hunting rule
Detection:
malicious
Classification:
phis.bank.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1320868
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Detected Cobalt Strike Beacon
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables SPDY (HTTP compression, likely to perform web injects)
Encrypted powershell cmdline option found
Found malware configuration
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Overwrites Mozilla Firefox settings
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Dot net compiler compiles file from suspicious location
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1320868 Sample: client_5.hta Startdate: 06/10/2023 Architecture: WINDOWS Score: 100 70 mifrutty.com 2->70 72 communicalink.com 2->72 94 Snort IDS alert for network traffic 2->94 96 Multi AV Scanner detection for domain / URL 2->96 98 Found malware configuration 2->98 100 10 other signatures 2->100 10 mshta.exe 1 2->10         started        13 mshta.exe 1 2->13         started        signatures3 process4 signatures5 128 Detected Cobalt Strike Beacon 10->128 130 Suspicious powershell command line found 10->130 15 powershell.exe 1 19 10->15         started        132 PowerShell case anomaly found 13->132 19 cmd.exe 1 13->19         started        process6 file7 66 C:\Users\user\AppData\...\3wqn5e4z.cmdline, Unicode 15->66 dropped 78 Injects code into the Windows Explorer (explorer.exe) 15->78 80 Writes to foreign memory regions 15->80 82 Modifies the context of a thread in another process (thread injection) 15->82 90 2 other signatures 15->90 21 explorer.exe 6 4 15->21 injected 26 csc.exe 3 15->26         started        28 csc.exe 3 15->28         started        30 conhost.exe 15->30         started        84 Detected Cobalt Strike Beacon 19->84 86 Suspicious powershell command line found 19->86 88 Encrypted powershell cmdline option found 19->88 92 2 other signatures 19->92 32 powershell.exe 15 19 19->32         started        34 conhost.exe 19->34         started        signatures8 process9 dnsIp10 74 204.79.197.203, 443 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 21->74 58 C:\Users\user\AppData\Roaming\...\prefs.js, ASCII 21->58 dropped 118 Changes memory attributes in foreign processes to executable or writable 21->118 120 Overwrites Mozilla Firefox settings 21->120 122 Tries to harvest and steal browser information (history, passwords, etc) 21->122 126 6 other signatures 21->126 36 cmd.exe 21->36         started        39 RuntimeBroker.exe 21->39 injected 41 RuntimeBroker.exe 21->41 injected 43 RuntimeBroker.exe 21->43 injected 60 C:\Users\user\AppData\Local\...\3wqn5e4z.dll, PE32 26->60 dropped 45 cvtres.exe 1 26->45         started        62 C:\Users\user\AppData\Local\...\b22tka1t.dll, PE32 28->62 dropped 47 cvtres.exe 1 28->47         started        76 communicalink.com 62.173.146.63, 49692, 80 SPACENET-ASInternetServiceProviderRU Russian Federation 32->76 64 C:\Users\user\AppData\Local\Temp\OeYPMR.exe, PE32 32->64 dropped 124 Powershell drops PE file 32->124 49 OeYPMR.exe 6 32->49         started        file11 signatures12 process13 dnsIp14 102 Uses ping.exe to sleep 36->102 104 Uses ping.exe to check the status of other devices and networks 36->104 106 Writes to foreign memory regions 36->106 114 2 other signatures 36->114 52 conhost.exe 36->52         started        54 PING.EXE 36->54         started        68 mifrutty.com 172.67.181.91, 49696, 80 CLOUDFLARENETUS United States 49->68 108 Antivirus detection for dropped file 49->108 110 Multi AV Scanner detection for dropped file 49->110 112 Detected unpacking (changes PE section rights) 49->112 116 4 other signatures 49->116 56 WerFault.exe 49->56         started        signatures15 process16
Detection:
gozi
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0389108b0322ecbbadd21a245c1b75f93e38a2e51a8b38a385596ebe05c323cf/
Threat name:
Win32.Dropper.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-10-06 11:56:05 UTC
File Type:
Text (VBS)
AV detection:
3 of 38 (7.89%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aoerbcydelwlxlosdisfyg3v7e7drixfdkftri4flfxl4bodephq._file
Result
Malware family:
gozi
Create hunting rule
Score:
  10/10
Tags:
family:gozi botnet:5050 banker isfb trojan
Link:
https://tria.ge/reports/231006-n31vlaba2x/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Gozi
Malware Config
C2 Extraction:
mifrutty.com
systemcheck.top
Dropper Extraction:
http://communicalink.com/index.php
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0389108b0322/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/0389108b0322ecbbadd21a245c1b75f93e38a2e51a8b38a385596ebe05c323cf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:QbotStuff
Create hunting rule
Author:anonymous
Rule name:SUSP_OneNote
Create hunting rule
Author:spatronn
Description:Hard-Detect One

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments