MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05d1e45c65cc53e935153e6278089cb228cceffbcdc65067c30273265bc2ce9c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 05d1e45c65cc53e935153e6278089cb228cceffbcdc65067c30273265bc2ce9c
SHA3-384 hash: 39ae8d7c46e4049f1a0a7e34b253c339452849c8c9e949540a922a6c8e2e36f4f9d98d9ea0897597553ddd6b6e625134
SHA1 hash: 6499cffa7ffdd633390c99f5c41df3c96d62f34e
MD5 hash: 6bddc7ac5daf41b61eb3641d804f49eb
humanhash: magazine-carpet-social-hotel
File name:last_payload.bin
Download: download sample
Signature Gozi
Create hunting rule
File size:45'056 bytes
First seen:2023-07-18 09:00:16 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash ef075d26b728b78a932306e24062e80c (7 x Gozi)
ssdeep 768:qIlgbBqM1JAVPsLHOORtxUKtjpdRP4zXmZSxCqO7gp/N7FqEj:qBTJAlsLusaKtldMXmZKO7AN7Zj
Threatray 567 similar samples on MalwareBazaar
TLSH T11A137D01F6F94CF2D3A25EB02621FBF5A7FD8632227960419F13A9C91D60953E63D24B
TrID 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter Viuleeenz
Tags:dll Gozi ITA old_sample unpacked


Avatar
viuleeenz
This is an old sample that refers to a campaign started in 2023-01-23.

C2 List
checklist.skype.com
62.173.149.10
31.41.44.27
193.0.178.235

Intelligence

File Origin
# of uploads :
1
# of downloads :
330
Origin country :
IT IT
Vendor Threat Intelligence
Detection:
UrsnifV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/423292/
Detection(s):
Win.Malware.Ursnif-9975502-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
crypto greyware lolbin masquerade packed razy shell32 ursnif
Link:
https://www.filescan.io/uploads/64b654cef52c3e1a014a10f0/reports/49242cd4-7a83-4cdc-bcbf-cb0201581744/overview
Verdict:
Malicious
Labled as:
Trojan.Ursnif
Link:
https://www.hybrid-analysis.com/sample/05d1e45c65cc53e935153e6278089cb228cceffbcdc65067c30273265bc2ce9c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/97676bdc-1b23-4e6e-bad9-fd1279b4f7b0
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1275003
Signature
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1275003 Sample: last_payload.bin.dll Startdate: 18/07/2023 Architecture: WINDOWS Score: 76 15 Found malware configuration 2->15 17 Malicious sample detected (through community Yara rule) 2->17 19 Multi AV Scanner detection for submitted file 2->19 21 2 other signatures 2->21 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 conhost.exe 7->11         started        process5 13 rundll32.exe 9->13         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/05d1e45c65cc53e935153e6278089cb228cceffbcdc65067c30273265bc2ce9c/
Threat name:
Win32.Trojan.Gozi
Create hunting rule
Status:
Malicious
First seen:
2023-01-24 07:27:36 UTC
File Type:
PE (Dll)
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=axi6ixdfzrj6snivhzrhqce4wiumz373zxdfaz6dajzsmw6cz2oa._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
4f38f1e0e4d1a7b0ee3e98bf9eb766bad6bddbe0ff43af23d28728f6195f109f
Gozi
4fddc495d84c3b30397b2e3de7cdad79d322de9df03fa00bf792f6106a06a06f
Gozi
737bff8488486744c65118caaadaa03cc43981ec3c5b6c6bea544f3366f0873a
Gozi
8f97d27f6865a095851353708666db5b68d831cc4e6251089d236a58f89a2aaf
Gozi
b8064ab579a131ca3d0147d30c36ac7008af615b8cb3c34bac7f857028317fb4
Gozi
cb3b67a980ba921625ecdf082d518c73a9f80ce1b2d4f428b6e950b20a9688bb
Gozi
f3def25cecb7042e0ac3eb120b4434af8fddb2d3996203ac64a1e2dc15d48ab2
Gozi
+ 557 additional samples on MalwareBazaar
Result
Malware family:
gozi
Create hunting rule
Score:
  10/10
Tags:
family:gozi botnet:7707 isfb
Link:
https://tria.ge/reports/230718-kyvw1aaa5v/
Behaviour
Suspicious use of WriteProcessMemory
Malware Config
C2 Extraction:
checklist.skype.com
62.173.149.10
31.41.44.27
193.0.178.235
Unpacked files
SH256 hash:
05d1e45c65cc53e935153e6278089cb228cceffbcdc65067c30273265bc2ce9c
MD5 hash:
6bddc7ac5daf41b61eb3641d804f49eb
SHA1 hash:
6499cffa7ffdd633390c99f5c41df3c96d62f34e
Detections:
ISFB_Main
Create hunting rule
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/3ed125bd-0cf2-4204-9d3f-d8bf5625286a/
Parent samples :
7796075f1ef6325830eed5369b7e5930ca514b6f32d304d51434873fcb5031e0
6a85735e5412ab19cfcfbe329566e17ae6678dc52ddea44b74e873a6d3f82561
8b154b06cc094eb22a4aae98f2bc60e4759f6258aa5bfb364f44b665bf65ff1e
a0582f1620e556673fb326be7c5861dc418a91877db39699c62d56edf0066296
8f97d27f6865a095851353708666db5b68d831cc4e6251089d236a58f89a2aaf
7795986ba1469a24229fa4677c86267d2ea81f7309bf2b037f41986f9de33e95
43c74657d446c3b7867dde69f79b4839927c9cc10a421798969c433dd8dde174
05d1e45c65cc53e935153e6278089cb228cceffbcdc65067c30273265bc2ce9c
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/05d1e45c65cc53e935153e6278089cb228cceffbcdc65067c30273265bc2ce9c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:UrsnifV3
Create hunting rule
Author:kevoreilly
Description:UrsnifV3 Payload
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/423292/

Comments