MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0fad99df64bf4006dbc91b0ad6a3bb38170561ecc759d352a6912e4c86d5c682. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	0fad99df64bf4006dbc91b0ad6a3bb38170561ecc759d352a6912e4c86d5c682
SHA3-384 hash:	c99055d8a9ed33d4fb18d1ed9969950255347cfa5a92ce016fb9ac08fbc31080ddd02bebc693468846ba2b1c24f6dcb7
SHA1 hash:	38ecc039edec7479d410301d0ddc4a7b97d24c62
MD5 hash:	bd8eb04c32d3cd91394c35f4e4188935
humanhash:	lima-william-magnesium-fanta
File name:	6135f2de69858.dll
Download:	download sample
Signature	Gozi Create hunting rule
File size:	362'496 bytes
First seen:	2021-09-06 10:53:58 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	2d32739424ab2dbf219383aaf647cc56 (1 x Gozi)
ssdeep	6144:KXQ1bzEnW4fMKcsLAmbBOInsboVGWLqWc/5Xx7D4LxymbJqvPCV2b:Tlz6WGzBj7LqPRXp2Jpkb
Threatray	1'613 similar samples on MalwareBazaar
TLSH	T19474F1127392D071D42E8838AA64F8E2591E7C310D646C9FB7D56F3F1F73E918628E1A
Reporter	JAMESWT_WT
Tags:	dll enel EnelEnergia Gozi isfb Ursnif

Intelligence

File Origin

# of uploads :

# of downloads :

1'230

Origin country :

n/a

Vendor Threat Intelligence

Detection:

UrsnifV3

Link:

https://www.capesandbox.com/analysis/185638/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.23768.321.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a UDP request

Using the Windows Management Instrumentation requests

DNS request

Connection attempt

Sending a custom TCP request

Creating a file

Deleting a recently created file

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/39fd91e8-80a4-4e40-8406-a2ff1721e887

Result

Threat name:

Ursnif

Detection:

malicious

Classification:

troj.evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/845943

Signature

Found malware configuration

System process connects to network (likely due to code injection or exploit)

Writes or reads registry keys via WMI

Writes registry values via WMI

Yara detected Ursnif

Behaviour

Behavior Graph:

Download SVG

Detection:

isfb

Link:

https://mwdb.cert.pl/sample/0fad99df64bf4006dbc91b0ad6a3bb38170561ecc759d352a6912e4c86d5c682/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=b6wztx3ex5aanw6jdmfnni53halqkypmy5m5guvgsexezbwvy2ba._file

Verdict:

malicious

Label(s):

gozi

Gozi

5d002f8a395fcc9a680a9ef4f78a8674cc0757850b02bf12a8ef4df79e2e4bd3

Gozi

9164fdcb36a96b934a66b23da4101dc5a24ccc8807aeb12760132fe4e64c5a9a

Gozi

a5540f6dd0f7761dd3f7e52f5e1d25332b99d95cccf63401d202406160948750

Gozi

b7d73139f8758b04508d6873dd29011ab35b336b73ece0d4ea0710399c960180

Gozi

bd43f7bc23a76b086a81b8e6fcd4355cac648d3f7d9a941d9aa259def534d5b1

Gozi

e4a5317a1b7c1ab91bb131dba5fea06fdb89e38c291e17f71b5c1634cfddecbe

Gozi

f28c1c6e9c3c394739a6d79e4d748941b9c0a3576d084380485aa8d807a2266d

Gozi

+ 1'603 additional samples on MalwareBazaar

Result

Malware family:

gozi_ifsb

Score:

10/10

Tags:

family:gozi_ifsb botnet:8877 banker trojan

Link:

https://tria.ge/reports/210906-mzjlgabaa2/

Behaviour

Suspicious use of WriteProcessMemory

Gozi, Gozi IFSB

Malware Config

C2 Extraction:

outlook.com
lureborufer.store
dureborufer.store

Unpacked files

SH256 hash:

2889137d866cc4c5859a4372fc2e1de6a3c8e299839b20a6ea9aa9da2eac9195

MD5 hash:

2702857c552e001a49ea1b0e1604fc9e

SHA1 hash:

34bcd9532ccc4035e30a8d2be5e5a009b1fd0cf5

Detections:

win_isfb_auto

Link:

https://www.unpac.me/results/aef0acf4-3fd7-4510-a353-81bd87dde787/

Parent samples :

b7d73139f8758b04508d6873dd29011ab35b336b73ece0d4ea0710399c960180
0fad99df64bf4006dbc91b0ad6a3bb38170561ecc759d352a6912e4c86d5c682

SH256 hash:

0fad99df64bf4006dbc91b0ad6a3bb38170561ecc759d352a6912e4c86d5c682

MD5 hash:

bd8eb04c32d3cd91394c35f4e4188935

SHA1 hash:

38ecc039edec7479d410301d0ddc4a7b97d24c62

Link:

https://www.unpac.me/results/aef0acf4-3fd7-4510-a353-81bd87dde787/

Malware family:

Ursnif.IAP

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/0fad99df64bf/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0fad99df64bf4006dbc91b0ad6a3bb38170561ecc759d352a6912e4c86d5c682

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	win_isfb_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/185638/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample