MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06864a9cd9890f3c1aad6bdc5dfbfb799e68f5f90a99b6146ca70850d0a249a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gozi


Vendor detections: 11



SHA256 hash: 06864a9cd9890f3c1aad6bdc5dfbfb799e68f5f90a99b6146ca70850d0a249a1
SHA3-384 hash: 5f6b70ee5a484c7abae4f87f0ddbb8ae9819310ec56f6754464a9b75aa0940998165d9beceb8a9326df5ce30332477e2
SHA1 hash: 384ad1091f17650f149283a7003bde6aaebc9a6e
MD5 hash: 1948f937592d1037851d68b394bc35f1
humanhash: double-ceiling-snake-arkansas
File name: 646f92430a0e9.dll
Signature: Gozi
File size: 672'768 bytes
First seen: 2023-05-25 16:53:51 UTC
Last seen: Never
File type: DLL
MIME type: application/x-dosexec
imphash: 85827d535df1600f010d49acac67148b (1 x Gozi)
ssdeep: 12288:tkAKewfuFjqAjaDY9Db/yy9vrkBxPRZ4ydCnXaCd:tLvak9DLyFxoI0d
Threatray: 135 similar samples on MalwareBazaar
TLSH: T19EE4BD00E65D8F32C2EA013C5869667A05AE6B2F837444C76368DFB9BC356ED0B35397
TrID:
  32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
  20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
  13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
  6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: JAMESWT_WT
Tags: agenziaentrate dll Gozi isfb Ursnif

Intelligence


File Origin
# of uploads: 1
# of downloads: 296
Origin country: IT

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
  Verdict: Malicious
  Threat level: 10/10
  Confidence: 100%
Tags: greyware keylogger lolbin packed ryuk shell32.dll

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: bank.troj.spyw.expl.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to steal Mail credentials (via file / registry access)
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph (rendered graph; recoverable process tree below)
Behavior Graph ID: 875661; Sample: 646f92430a0e9.dll; Start date: 25/05/2023; Architecture: WINDOWS; Score: 100
Root signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 4 other signatures

loaddll32.exe (started by root)
  DNS: swebbers.com
  Signatures: Found evasive API chain (may stop execution after checking system information); Found API chain indicative of debugger detection; Writes or reads registry keys via WMI; Writes registry values via WMI
  regsvr32.exe
    Network: swebbers.com 91.215.85.164, ports 49707, 49708, 80 (PINDC-ASRU, Russian Federation)
    Signatures: System process connects to network (likely due to code injection or exploit); Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
    control.exe
      Network: 192.168.2.1 (unknown)
      Signatures: Changes memory attributes in foreign processes to executable or writable; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 2 other signatures
      rundll32.exe
        Signatures: Changes memory attributes in foreign processes to executable or writable; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 4 other signatures
      WerFault.exe
  cmd.exe
    rundll32.exe
  rundll32.exe
  3 other processes
mshta.exe (started by root)
  powershell.exe
    Dropped: C:\Users\user\AppData\...\ca1pt0jp.cmdline (Unicode)
    Signatures: Injects code into the Windows Explorer (explorer.exe); Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Creates a thread in another existing process (thread injection)
    explorer.exe (injected)
      Signatures: Tries to steal Mail credentials (via file / registry access); Allocates memory in foreign processes; Modifies the context of a thread in another process (thread injection); Disables SPDY (HTTP compression, likely to perform web injects)
      mshta.exe
        powershell.exe
          csc.exe
            Dropped: C:\Users\user\AppData\Local\...\rlqgis3y.dll (PE32)
            cvtres.exe
          csc.exe
            Dropped: C:\Users\user\AppData\Local\...\mm3pi5ss.dll (PE32)
            cvtres.exe
          conhost.exe
      cmd.exe
        conhost.exe
      RuntimeBroker.exe (injected)
      3 other processes
    csc.exe
      Dropped: C:\Users\user\AppData\Local\...\ca1pt0jp.dll (PE32)
      cvtres.exe
    csc.exe
      Dropped: C:\Users\user\AppData\Local\...\1znocxhx.dll (PE32)
      cvtres.exe
    conhost.exe
Threat name: Win32.Trojan.BotX
Status: Malicious
First seen: 2023-05-25 16:52:35 UTC
File Type: PE (Dll)
Extracted files: 7
AV detection: 12 of 23 (52.17%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:gozi botnet:5050 banker isfb trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Gozi
Malware Config
C2 Extraction:
https://fazz.bing.com/check
http://swebbers.com
https://fazzd.bing.com/check
http://mainertin.com
Unpacked files
SHA256 hash: 6c97ff5644bd0155a9c291cb7a4e0ff2347609217da30bc9a5f129d1ff0fd92e
MD5 hash: 549593eb600352e4c9568b42c57835b1
SHA1 hash: f2df87c49105d3aee7f06782a04bbeba93bba4ff

SHA256 hash: 1106716346d4e34ba14f24e922ec49e00dc1386c066f418e3fda768104681b96
MD5 hash: 21a39d0789650323cd14b08184a68c3d
SHA1 hash: db7cc0b3cb778ea4422dbd131fce007c765fc519

SHA256 hash: 06864a9cd9890f3c1aad6bdc5dfbfb799e68f5f90a99b6146ca70850d0a249a1
MD5 hash: 1948f937592d1037851d68b394bc35f1
SHA1 hash: 384ad1091f17650f149283a7003bde6aaebc9a6e
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments