MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a3bc15ceb80f700d80b7d651ff378cf407c239f3e513e3bc9bd854f82f7e22c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0a3bc15ceb80f700d80b7d651ff378cf407c239f3e513e3bc9bd854f82f7e22c
SHA3-384 hash: 4cdb2e34193a46078be9e3d42d1491f111d4a22c2f5c23bda700878428c2409427022edc93b3742f370d73504b3a657e
SHA1 hash: 50f292391060ff4d772a4fd695f9eba8432a8fd8
MD5 hash: 454908e620c33ca3e631a6334e8b1ff1
humanhash: december-mockingbird-vegan-angel
File name:61238cfcc2441.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:557'056 bytes
First seen:2021-08-23 11:58:23 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 12994b2554048ef1e6f7b4dd1e874109 (3 x Gozi)
ssdeep 12288:rqru80paIRPWxvFzhzFIko/IcYrIAfDE0cb1Yklllll/lllll7K10QUNI0H:rs0IIFWx9zlFIko/DY8kcbHlllll/llH
Threatray 1'621 similar samples on MalwareBazaar
TLSH T185C49D12B791E024E9B952788F75D9D8AA2D38215B3850CF39E13B9F0E396E39D35343
Reporter JAMESWT_WT
Tags:brt dll Gozi isfb Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'817
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/181493/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending a custom TCP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/7e0de433-ce5b-447e-a36b-4ac2d7316de7
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/837501
Signature
Found malware configuration
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
Detection:
gozi
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0a3bc15ceb80f700d80b7d651ff378cf407c239f3e513e3bc9bd854f82f7e22c/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2021-08-23 11:59:09 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
14 of 46 (30.43%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
181fe6714ebaff8c1855e8e1dbac545ffd160df0ec96ddf920c5155916b7111b
Gozi
46b5308d058e2dcd8e0868345d77a81abea0db8e0aa32a6b55e264fe18b7f577
Gozi
5d002f8a395fcc9a680a9ef4f78a8674cc0757850b02bf12a8ef4df79e2e4bd3
Gozi
5f65108386662cc4780882e06928dd940ea6c75235bf8e4c09079e6e40045326
Gozi
9164fdcb36a96b934a66b23da4101dc5a24ccc8807aeb12760132fe4e64c5a9a
Gozi
bd43f7bc23a76b086a81b8e6fcd4355cac648d3f7d9a941d9aa259def534d5b1
Gozi
c521dd937ce9b2e8bda2fa915bae5b5be0e150a8b82e3b2bfb1cdbc60a8326c4
Gozi
eb498648d17ad5250ab1f38b190dd2da8bfa8db3ee86054db991db79d15ad5cc
Gozi
f28c1c6e9c3c394739a6d79e4d748941b9c0a3576d084380485aa8d807a2266d
Gozi
+ 1'611 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:8877 banker trojan
Link:
https://tria.ge/reports/210823-2mk5ahabbn/
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
outlook.com
xaaorunokee.site
taaorunokee.site
Unpacked files
SH256 hash:
cc89669a3ca75594456e91595e249f02e41a5b66d1f256a2281804c10ea13c23
MD5 hash:
6eb6ef0ed1b8b345412f9545571042e2
SHA1 hash:
b9a1945c04610ae72265c5da6ccfe29ca1a4c52e
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/aba162ae-3f6f-4d8f-a6a5-a1bfac31aff9/
Parent samples :
f28c1c6e9c3c394739a6d79e4d748941b9c0a3576d084380485aa8d807a2266d
0a3bc15ceb80f700d80b7d651ff378cf407c239f3e513e3bc9bd854f82f7e22c
e4a5317a1b7c1ab91bb131dba5fea06fdb89e38c291e17f71b5c1634cfddecbe
a5540f6dd0f7761dd3f7e52f5e1d25332b99d95cccf63401d202406160948750
SH256 hash:
0a3bc15ceb80f700d80b7d651ff378cf407c239f3e513e3bc9bd854f82f7e22c
MD5 hash:
454908e620c33ca3e631a6334e8b1ff1
SHA1 hash:
50f292391060ff4d772a4fd695f9eba8432a8fd8
Link:
https://www.unpac.me/results/aba162ae-3f6f-4d8f-a6a5-a1bfac31aff9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0a3bc15ceb80f700d80b7d651ff378cf407c239f3e513e3bc9bd854f82f7e22c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/181493/

Comments