MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04bc49d8d336d4044653afe72a8433870c7dd14d21d632b82f9d0f569600e301. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 9

SHA256 hash: 04bc49d8d336d4044653afe72a8433870c7dd14d21d632b82f9d0f569600e301
SHA3-384 hash: 734dbf247e51ba08d1196deca093fe07345771cc1aaa7633ebf400057a8b2423caddc1e9f623f0bb7be1120fc295bbb7
SHA1 hash: f6c283ce609bdb0cafebfe061936f49cc9b9d012
MD5 hash: fe819a7507bb57e3d261cea83397297f
humanhash: burger-five-mockingbird-november
File name: test1.test
Download: download sample
Signature: Gozi
File size: 509'336 bytes
First seen: 2021-09-30 11:11:31 UTC
Last seen: 2021-09-30 12:04:17 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash: a5c5563698b993afe12710b24c3876fc (2 x Gozi)
ssdeep: 12288:HQxILylJmL2BPb/b0HELx1H99vHHeE+EE1o45StxcoLO8E/0UqB7Vkk:HQuyXmLY7gaH7+EE1o487coLOD8l7Vt
TLSH: T145B47C403A95E531E2BD2A359E69D1E807187D048FB5A8DFBBD02F0F2E798D2C631716
Reporter: ffforward
Tags: dll Gozi test tr

Intelligence


File Origin
# of uploads: 2
# of downloads: 357
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:

Result
Threat name:
Detection: malicious
Classification: bank.troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Found malware configuration
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: Encoded IEX
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell run code from registry
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph: interactive graph not captured in this export. Behavior Graph ID: 494238, Sample: test1.test, Startdate: 30/09/2021, Architecture: WINDOWS, Score: 100.

Threat name: Win32.Worm.Cridex
Status: Malicious
First seen: 2021-09-30 11:12:16 UTC
AV detection: 6 of 45 (13.33%)
Threat level: 5/5

Result
Malware family: gozi_ifsb
Score: 10/10
Tags: family:gozi_ifsb botnet:1515 banker trojan
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
outlook.com
fagorun.website
gagorun.website
Unpacked files

SHA256 hash: 3e0f6aa79a41d3d8fe7beeb14bfbab75c1ed732f67cb6770f16900cfb16f106d
MD5 hash: 0461ba58ab3cff6b8a197c9dca64eb79
SHA1 hash: 97aa0050e7d86b1c201ec926039df232f3a598ea
Detections: win_isfb_auto

SHA256 hash: 5afdac4d931c26761925b8d1c6e6d9942676e3dda7ac751c4eff88fc3c91e04a
MD5 hash: b1ccc94f6d3c1a274d241f0ed44121c6
SHA1 hash: b8a0c46a8a1ec1f0de6151690e58fd5e1915f48f
Detections: win_isfb_auto

SHA256 hash: 04bc49d8d336d4044653afe72a8433870c7dd14d21d632b82f9d0f569600e301
MD5 hash: fe819a7507bb57e3d261cea83397297f
SHA1 hash: f6c283ce609bdb0cafebfe061936f49cc9b9d012
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: win_isfb_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.isfb.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Gozi
DLL dll 04bc49d8d336d4044653afe72a8433870c7dd14d21d632b82f9d0f569600e301 (this sample)

Delivery method: Distributed via web download

Comments