MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e50c1ce3522fca4206c0ed3d4bd7ecebf821ba63da2bd7349e85e833083cee8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e50c1ce3522fca4206c0ed3d4bd7ecebf821ba63da2bd7349e85e833083cee8
SHA3-384 hash: 0ffa17bc9615be3ce507d4b6ec7bc29e0f0c083b8a5ad7c8bb24c5d1937680b759b5d7474fb21948ee3a7deb2afe7f12
SHA1 hash: 60e5fe882c800c90af192aefd83ffdffe15e89db
MD5 hash: 10f6d9c12ed5367fa071d080080da14c
humanhash: california-fix-speaker-utah
File name:15f6b5a0000.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:232'960 bytes
First seen:2022-09-08 13:08:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 3072:Y5hinZgCo+NjJWSsznC2OCyzjFIz4V1T/JDR1v7kBB78C752cjmH5eM:Y+nZ1o+NJWbn2CMFIzSTRDR1vQR5qz
Threatray 74 similar samples on MalwareBazaar
TLSH T1E7344B6AA3E51995ED6BC6B9C953D227EBF334092B24D30F53B0CA966F17722B11C301
TrID 28.8% (.EXE) DOS Executable Borland Pascal 7.0x (2035/25)
28.3% (.EXE) Generic Win/DOS Executable (2002/3)
28.3% (.EXE) DOS Executable Generic (2000/1)
14.2% (.SCORE) Music Craft Score (1007/6)
0.2% (.DBF) Sybase iAnywhere database files (19/3)
Reporter 0x746f6d6669
Tags:exe Gozi

Intelligence

File Origin
# of uploads :
1
# of downloads :
370
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
15f6b5a0000.dll
Verdict:
No threats detected
Analysis date:
2022-09-08 13:10:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bddff2af-9b20-435f-a8ec-1868eab39f1d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/308785/
Detection(s):
Win.Malware.Ursnif-9884005-0
Create hunting rule

Win.Malware.Ursnif-9886559-0
Create hunting rule

Win.Malware.Ursnif-9892796-0
Create hunting rule

Win.Malware.Ursnif-9896448-0
Create hunting rule

Win.Malware.Ursnif-9917123-0
Create hunting rule

Win.Malware.Ursnif-9937854-0
Create hunting rule

Win.Malware.GoziISFB-9940853-1
Create hunting rule

SecuriteInfo.com.Generic.Ursnif.3.1.1CADF70D.17341.21393.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed setupapi.dll shell32.dll ursnif
Link:
https://www.filescan.io/uploads/6319e98155480bd187d612f3/reports/4117c0e4-69d2-43c4-83bb-de4165bbe8fe/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fd31aed1-1d1f-4972-8c71-b50bfad95bac
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1067138
Signature
Antivirus / Scanner detection for submitted sample
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 699670 Sample: 15f6b5a0000.dll.exe Startdate: 08/09/2022 Architecture: WINDOWS Score: 56 15 Antivirus / Scanner detection for submitted sample 2->15 17 Yara detected  Ursnif 2->17 7 loaddll64.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 rundll32.exe 7->11         started        process5 13 rundll32.exe 9->13         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0e50c1ce3522fca4206c0ed3d4bd7ecebf821ba63da2bd7349e85e833083cee8/
Threat name:
Win64.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2022-09-08 13:09:07 UTC
File Type:
PE+ (Dll)
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bzimdtrvel6kiidmb3j5jpl6z27yeg5ghwrl242j5bpigmedz3ua._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
459ae352ddf8d4b69efbad05bba5b03d2a54d810407ec3f85b42b7175af90689
Gozi
488925a89527506e1e40d24e0599e758bcf44bdd788f9da852823c27898d164e
Gozi
54eed1d4eb8679e67541c1102e743a1d636b90860bdea3ace0e9fd7a2d4309ee
Gozi
59aeca8691ad3ddf1ad2217938f543821179ba1bdb7190e50c3df8605314b549
Gozi
86b1f0e8e8d97005fb1d6671fbd424a8296762c4023f03365d04897b87b75cca
Gozi
8c37fb14f34e6633008e6ef4e3a37265c61c367783cb7f4a6666608011eeed3b
Gozi
daa3e551c98f62aa1a278205be361a4bf5b193f1540527ff2ceec0b1e3612f38
Gozi
+ 64 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:1900
Link:
https://tria.ge/reports/220908-qdr79sefd5/
Malware Config
C2 Extraction:
apnfy.msn.com
194.76.225.61
185.212.47.186
45.11.180.215
45.11.180.219
Unpacked files
SH256 hash:
0e50c1ce3522fca4206c0ed3d4bd7ecebf821ba63da2bd7349e85e833083cee8
MD5 hash:
10f6d9c12ed5367fa071d080080da14c
SHA1 hash:
60e5fe882c800c90af192aefd83ffdffe15e89db
Link:
https://www.unpac.me/results/d38267ea-7615-415d-a57e-e3cf95b3c67b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/0e50c1ce3522fca4206c0ed3d4bd7ecebf821ba63da2bd7349e85e833083cee8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/308785/

Comments