MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0be4ef602d0cf99bcda0b4011b0f83283ab0a9a4ac4d75bdbcb7c83bf464e66d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0be4ef602d0cf99bcda0b4011b0f83283ab0a9a4ac4d75bdbcb7c83bf464e66d
SHA3-384 hash: ad7619fd1470b9ba8230b89bb60a7f6ad741c59dfc8c09b16d9f0892cde0651a561d8eb51d346faafaa2b7b3d0db85fb
SHA1 hash: 3d4701817d75ed690b0de3b903a347a22dd4fac0
MD5 hash: 37ebaa87c26ae0ad610753d894ddad08
humanhash: cat-island-pennsylvania-twenty
File name:registr.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:512'000 bytes
First seen:2022-12-06 15:39:20 UTC
Last seen:2022-12-07 04:39:58 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash e42fab3fd7f83aea3aea34a6aa7b84e9 (1 x Gozi)
ssdeep 6144:WiMXUN0KYxhW45uHkHZYblO0tY1YjjPyVKKMrAKjoIHF4vojQGvW6i7+n6dWg:WhUC7c45uH1blOo6u8xu3G7++
Threatray 670 similar samples on MalwareBazaar
TLSH T1A6B4E15610B88218DB4108F90D30EEB753654E9A03295DF7A38AF9C338566F46EF4CEB
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter VirITeXplorer
Tags:agenziaentrate agenziaonline-top dll Gozi Ursnif


Avatar
VirITeXplorer
Ursnif ITA AgenziadelleEntrate

Intelligence

File Origin
# of uploads :
3
# of downloads :
249
Origin country :
IT IT
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/343524/
Detection(s):
SecuriteInfo.com.Win32.BotX-gen.10527.16695.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a window
Searching for the window
Creating a file in the %temp% directory
Creating a file
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Running batch commands
Setting browser functions hooks
Possible injection to a system process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/638f6252a2c2485912c7a907/reports/383e5bff-d8dc-4e3a-ab0b-3e55d0cb7065/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f339ae19-337b-4915-9272-48d0d56b5625
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1129066
Signature
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Sigma detected: Dot net compiler compiles file from suspicious location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 761793 Sample: registr.dll Startdate: 06/12/2022 Architecture: WINDOWS Score: 100 60 Snort IDS alert for network traffic 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 3 other signatures 2->66 9 mshta.exe 19 2->9         started        11 loaddll32.exe 1 2->11         started        process3 process4 13 powershell.exe 28 9->13         started        16 cmd.exe 1 11->16         started        18 WerFault.exe 3 9 11->18         started        20 conhost.exe 11->20         started        file5 54 C:\Users\user\AppData\...\nfsip4hu.cmdline, Unicode 13->54 dropped 22 explorer.exe 13->22 injected 25 csc.exe 3 13->25         started        28 csc.exe 3 13->28         started        30 conhost.exe 13->30         started        32 rundll32.exe 1 6 16->32         started        process6 dnsIp7 72 Self deletion via cmd or bat file 22->72 35 cmd.exe 1 22->35         started        50 C:\Users\user\AppData\Local\...\nmsa3w5u.dll, PE32 25->50 dropped 38 cvtres.exe 1 25->38         started        52 C:\Users\user\AppData\Local\...\nfsip4hu.dll, PE32 28->52 dropped 40 cvtres.exe 1 28->40         started        56 informlines.top 31.41.46.120, 49695, 80 ASRELINKRU Russian Federation 32->56 58 192.168.2.1 unknown unknown 32->58 74 System process connects to network (likely due to code injection or exploit) 32->74 76 Writes to foreign memory regions 32->76 78 Writes registry values via WMI 32->78 42 control.exe 1 32->42         started        file8 signatures9 process10 signatures11 68 Uses ping.exe to sleep 35->68 70 Uses ping.exe to check the status of other devices and networks 35->70 44 conhost.exe 35->44         started        46 PING.EXE 35->46         started        48 rundll32.exe 42->48         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0be4ef602d0cf99bcda0b4011b0f83283ab0a9a4ac4d75bdbcb7c83bf464e66d/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2022-12-06 15:40:10 UTC
File Type:
PE (Dll)
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bpso6ybnbt4zxtnawqarwd4dfa5lbknevrgxlpn4w7edx5de4zwq._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
2db38485abff68002fced62495b105cf98ca3eda7bbd30249ed3cf8be23ff2e0
Gozi
43582c465af423b50c1743e4326a0830787f1f7f4c27c7fc3866fe546aeb3893
Gozi
7128826dcce9cae120e66c403a6c2a6f44ad221521a56b12515180b08cce63e6
Gozi
7ca57c7d182c4c00ae2c86e0e2055734d6b6421a7c419b5bb9c69869b8dbec64
Gozi
8e570e32acb99abfd0daf62cff13a09eb694ebfa633a365d224aefc6449f97de
Gozi
e192656ce9c73ac7bcb4cec136378c5843e128b76cd1c021aeec274edecbf869
Gozi
ee46bd47dbd009333a72bc752b3d38d5a87a25f90fef3d4d77515d4fd11f3c8d
Gozi
+ 660 additional samples on MalwareBazaar
Result
Malware family:
gozi
Create hunting rule
Score:
  10/10
Tags:
family:gozi botnet:7637 banker isfb trojan
Link:
https://tria.ge/reports/221206-s37qcsba89/
Behaviour
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Gozi
Malware Config
C2 Extraction:
informlines.top
factorline.top
mediumline.co
Unpacked files
SH256 hash:
fddd9683d2a7ae6c9e3d782adb3036759c2e0c5ee3374e8e73a2f5f9b7c5d5fa
MD5 hash:
726b5d82fa50b71d04eb8fb7e357adb4
SHA1 hash:
a8f27c546380bba949553926151a5d1eaae95fd1
Detections:
ISFB_Main
Create hunting rule
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/d7562d87-b7f9-41f4-bed6-077aa980b326/
SH256 hash:
4a75143cbccdd1571a711a1b98bbda7f2254bda84f01b3a1e44c8277b212a078
MD5 hash:
ecfdc853b4b0d2bedd5052f6ca40bd57
SHA1 hash:
1048089a4fd4fb44e953ec4a72b9cab8272fb713
Link:
https://www.unpac.me/results/d7562d87-b7f9-41f4-bed6-077aa980b326/
SH256 hash:
0be4ef602d0cf99bcda0b4011b0f83283ab0a9a4ac4d75bdbcb7c83bf464e66d
MD5 hash:
37ebaa87c26ae0ad610753d894ddad08
SHA1 hash:
3d4701817d75ed690b0de3b903a347a22dd4fac0
Link:
https://www.unpac.me/results/d7562d87-b7f9-41f4-bed6-077aa980b326/
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0be4ef602d0c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/0be4ef602d0cf99bcda0b4011b0f83283ab0a9a4ac4d75bdbcb7c83bf464e66d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/VirITeXplorer/status/1600150221387755520
  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/343524/

Comments