MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f24c819947ad410e0d85d41218f8a940317aeebbac32630fb29ac5917c4ca46. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f24c819947ad410e0d85d41218f8a940317aeebbac32630fb29ac5917c4ca46
SHA3-384 hash: c8be9d9cacfe3958a4c8e10bdbace8bf6226f0ccad26bc7b972f41ff9bb986a7c843bb107d711c820594a6dc11614f0b
SHA1 hash: e8d8733502980550a6d067530b71a46a13a37ba9
MD5 hash: 1eed97b02e792dc7bee2949d26dc6d6a
humanhash: spaghetti-mountain-emma-leopard
File name:51f0000.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:232'960 bytes
First seen:2022-09-26 13:58:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 3072:UlfGqwJTeTEom3lIkR2SCD6q9KgyItk78mV0dfgxT/cqAdw5VgCK5hcjxOxJFocW:UlDosEPR66q9KgylInd6oqAdD5DnFoc
Threatray 94 similar samples on MalwareBazaar
TLSH T11F346D5EA3E10995EDABD5B5C953D217EBF234492B64D30F53B0CAA66F17322B21C302
TrID 28.8% (.EXE) DOS Executable Borland Pascal 7.0x (2035/25)
28.3% (.EXE) Generic Win/DOS Executable (2002/3)
28.3% (.EXE) DOS Executable Generic (2000/1)
14.2% (.SCORE) Music Craft Score (1007/6)
0.2% (.DBF) Sybase iAnywhere database files (19/3)
Reporter 0x746f6d6669
Tags:exe Gozi

Intelligence

File Origin
# of uploads :
1
# of downloads :
244
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/313608/
Detection(s):
Win.Malware.Ursnif-9884005-0
Create hunting rule

Win.Malware.Ursnif-9886559-0
Create hunting rule

Win.Malware.Ursnif-9892796-0
Create hunting rule

Win.Malware.Ursnif-9896448-0
Create hunting rule

Win.Malware.Ursnif-9917123-0
Create hunting rule

Win.Malware.Ursnif-9937854-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/6331b0275291e4a063ebf307/reports/796d5d82-21ba-4cf3-9aae-8e962a390cf9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b440a75d-25e3-4b04-8e34-1bbd45ae30a7
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1077379
Signature
Antivirus / Scanner detection for submitted sample
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 709924 Sample: 51f0000.dll.exe Startdate: 26/09/2022 Architecture: WINDOWS Score: 56 15 Antivirus / Scanner detection for submitted sample 2->15 17 Yara detected  Ursnif 2->17 7 loaddll64.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 rundll32.exe 7->11         started        process5 13 rundll32.exe 9->13         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0f24c819947ad410e0d85d41218f8a940317aeebbac32630fb29ac5917c4ca46/
Threat name:
Win64.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2022-09-26 13:59:07 UTC
File Type:
PE+ (Dll)
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b4smqgmuplkbbygylvasdd4ksqbrplxlxlbsmmh3fgwfsf6ezjda._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
0e50c1ce3522fca4206c0ed3d4bd7ecebf821ba63da2bd7349e85e833083cee8
Gozi
154a3d6b6884c0ad1152f84d209053fc2dbabfadae47d22eb1486c83d001cfab
Gozi
459ae352ddf8d4b69efbad05bba5b03d2a54d810407ec3f85b42b7175af90689
Gozi
59aeca8691ad3ddf1ad2217938f543821179ba1bdb7190e50c3df8605314b549
Gozi
64a12c3edb0332baaefcb370a775bf933d44603472a55070e9f43e03a4b2e56a
Gozi
857ea4a7ea0b6903992bc62853453e780b8e8e6af87daa574660be322473b9fc
Gozi
b8ede90d77745ec6121d2ce8e06e85710855df06fe192788081f2b6ef6abb1d9
Gozi
cf043012ad2be371b8f945ac4952f79d9484f74d8e5fe9a08970d0df748927ab
Gozi
dc641a85150af5ede0e9a4ab23144a578889bbee7163addf9e97b5fab7d09fc8
Gozi
e1885b84829f448f9d549144ea8221f422a9243a4693101a145c0836cc13fac1
Gozi
+ 84 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:10103
Link:
https://tria.ge/reports/220926-rad2xabac2/
Malware Config
C2 Extraction:
trackingg-protectioon.cdn1.mozilla.net
45.8.158.104
188.127.224.114
weiqeqwns.com
wdeiqeqwns.com
weiqeqwens.com
weiqewqwns.com
iujdhsndjfks.com
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6bb58171-8ae4-49cb-8369-7b9b4c99d79a
Unpacked files
SH256 hash:
0f24c819947ad410e0d85d41218f8a940317aeebbac32630fb29ac5917c4ca46
MD5 hash:
1eed97b02e792dc7bee2949d26dc6d6a
SHA1 hash:
e8d8733502980550a6d067530b71a46a13a37ba9
Link:
https://www.unpac.me/results/6e9429af-0e46-4355-bea6-9bec308d626f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/0f24c819947ad410e0d85d41218f8a940317aeebbac32630fb29ac5917c4ca46

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:RansomwareTest6
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest7
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/313608/

Comments