MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c84acf6d63976812d17da46fc3b8bf1128bbfd5f717262f20e25f3598484a9b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0c84acf6d63976812d17da46fc3b8bf1128bbfd5f717262f20e25f3598484a9b
SHA3-384 hash: f47a3f7986829a5f26681aa57782e289eb437cdc74a88d8d9e606c935c1305df3bc518ec14ebc1aa486afc86d4994701
SHA1 hash: 2c0e36cbfa26fe159547a82c97c56de5ac66b67f
MD5 hash: 80a85c7dff0f7e92d9b820bd62e8c0fa
humanhash: skylark-bulldog-bravo-oven
File name:statis1c.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:151'552 bytes
First seen:2020-12-15 10:42:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 574e394c54eab82d4574ccb854474b08 (1 x Gozi)
ssdeep 3072:lXZfkg7uSYi5tR79rcpRvxaGkbei5u5/Oiv5d6gJLgXR:lug7uSfrq53f/naaLgX
Threatray 81 similar samples on MalwareBazaar
TLSH 87E3F8321441C1DFF20EEA3C11517D55BA79DBE23366B9636DDB0EB7A0DA2830316AB1
Reporter JAMESWT_WT
Tags:dll Gozi isfb saldoscaduto Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
452
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
statis1c.dll
Verdict:
Suspicious activity
Analysis date:
2020-12-15 10:42:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/823f3bc6-12af-4cf8-bd7e-ddba2d15ce81

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Ursnif3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/108125/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Sending a UDP request
Searching for the window
Deleting a recently created file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/563047
Signature
Binary contains a suspicious time stamp
Creates a COM Internet Explorer object
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 330609 Sample: statis1c.dll Startdate: 15/12/2020 Architecture: WINDOWS Score: 80 32 Multi AV Scanner detection for submitted file 2->32 34 Yara detected  Ursnif 2->34 36 Machine Learning detection for sample 2->36 38 2 other signatures 2->38 8 loaddll32.exe 1 2->8         started        process3 process4 10 regsvr32.exe 8->10         started        13 cmd.exe 1 8->13         started        signatures5 40 Writes or reads registry keys via WMI 10->40 42 Writes registry values via WMI 10->42 44 Creates a COM Internet Explorer object 10->44 15 iexplore.exe 1 61 13->15         started        process6 process7 17 iexplore.exe 151 15->17         started        20 iexplore.exe 25 15->20         started        22 iexplore.exe 29 15->22         started        dnsIp8 24 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49775, 49776 FASTLYUS United States 17->24 26 www.msn.com 17->26 30 7 other IPs or domains 17->30 28 ocsp.sca1b.amazontrust.com 65.9.94.80, 49789, 49790, 80 AMAZON-02US United States 20->28
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0c84acf6d63976812d17da46fc3b8bf1128bbfd5f717262f20e25f3598484a9b/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-12-15 10:43:04 UTC
File Type:
PE (Dll)
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bsckz5wwhf3iclix3jdpyo4l6ejixp6v64lsmlza4jptlgcijknq._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
07a73fb70fa63ff53d091c68cb1e5728314ff7b479ca695050173faf3f8f5ea2
Gozi
0fb4779661fe23fdcd79c77fc74e721b637b496abe2eb26da28d12055af7b458
Gozi
2900169349643be6f77530141614eeac56e7b22387b9acf866ed4e4922e32401
Gozi
733cbecbe9469a90f40dc38448866df368238aac203fa9c986cd6b45d8057aa7
Gozi
849e363856d35f9349e418671e7580220f859cdd5a7cbb80ef721526111dbe70
Gozi
907ef06dae099405a2d6368af5306ccd1a40fea4b760a732289427edf19d12c3
Gozi
9cabfa3e674b0274b3b802695b49d9634e027fb15aa827afaf793104f7317690
Gozi
d365d2272c6be7f3420d9083251496bfa2f48e4b2ac2f3563b65c3b246714a18
Gozi
e32ad2423fd1079505a65a44d9e0a4ea2c60821336b27e52930feaf5382a3536
Gozi
e33157d0b5973fb880934006b1427f5ad53ae3f471e81a9a8460772d7f5b3657
Gozi
+ 71 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb banker trojan
Link:
https://tria.ge/reports/201215-3wcev28qa2/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies Internet Explorer Phishing Filter
Gozi, Gozi IFSB
Unpacked files
SH256 hash:
0c84acf6d63976812d17da46fc3b8bf1128bbfd5f717262f20e25f3598484a9b
MD5 hash:
80a85c7dff0f7e92d9b820bd62e8c0fa
SHA1 hash:
2c0e36cbfa26fe159547a82c97c56de5ac66b67f
Link:
https://www.unpac.me/results/1f800e91-c1ef-48b3-9d7c-20d863c59e26/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0c84acf6d63976812d17da46fc3b8bf1128bbfd5f717262f20e25f3598484a9b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe 0c84acf6d63976812d17da46fc3b8bf1128bbfd5f717262f20e25f3598484a9b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/919850/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/108125/

Comments