MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0fb4779661fe23fdcd79c77fc74e721b637b496abe2eb26da28d12055af7b458. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0fb4779661fe23fdcd79c77fc74e721b637b496abe2eb26da28d12055af7b458
SHA3-384 hash: 4b46b116ad56ad9f8e8a9a9db39994dc9f068d12251e29a8d083aebc7efb4c0a5c336200da1578159f7aae2d0942c86b
SHA1 hash: a7d375672ae47f087185c78a444487aa656c8eb5
MD5 hash: dde0277221cabab1df0e1cccf6a125b2
humanhash: bulldog-vermont-lactose-lima
File name:5fd885c499439tar.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:147'456 bytes
First seen:2020-12-15 09:46:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9e386d2174f5fb6ba64b3c981ccac306 (1 x Gozi)
ssdeep 3072:T9WfhwwO/4dJ6dyDI5wottTcRtUbe6QJ5LBm:0fhw14/6d+xoe5Q
Threatray 80 similar samples on MalwareBazaar
TLSH 29E3E5727E42A1D2FE14C03DA35DA9E70D5137E2F058F1E16A846FC482DB33656B2EA0
Reporter JAMESWT_WT
Tags:dll Gozi isfb Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
466
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5fd885c499439tar.dll
Verdict:
Malicious activity
Analysis date:
2020-12-15 09:47:06 UTC
Tags:
trojan gozi ursnif dreambot
Link:
https://app.any.run/tasks/64c67cfe-9ab3-4cd1-82c3-ec588021b528

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Ursnif3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/108110/
Detection(s):
SecuriteInfo.com.Generic.mg.dde0277221cabab1.9814.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Sending an HTTP GET request
Searching for the window
Sending a UDP request
Creating a file
Sending a custom TCP request
Deleting a recently created file
Connecting to a non-recommended domain
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/563011
Signature
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Creates a COM Internet Explorer object
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Found malware configuration
Found Tor onion address
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 330591 Sample: 5fd885c499439tar.dll Startdate: 15/12/2020 Architecture: WINDOWS Score: 100 66 8.8.8.8.in-addr.arpa 2->66 68 1.0.0.127.in-addr.arpa 2->68 70 2 other IPs or domains 2->70 86 Found malware configuration 2->86 88 Multi AV Scanner detection for submitted file 2->88 90 Yara detected  Ursnif 2->90 92 11 other signatures 2->92 9 mshta.exe 2->9         started        12 loaddll32.exe 1 2->12         started        signatures3 process4 signatures5 108 Suspicious powershell command line found 9->108 14 powershell.exe 9->14         started        18 regsvr32.exe 12->18         started        20 cmd.exe 1 12->20         started        process6 file7 62 C:\Users\user\AppData\Local\...\kpzypqek.0.cs, UTF-8 14->62 dropped 64 C:\Users\user\AppData\...\40soah3l.cmdline, UTF-8 14->64 dropped 110 Injects code into the Windows Explorer (explorer.exe) 14->110 112 Writes to foreign memory regions 14->112 114 Modifies the context of a thread in another process (thread injection) 14->114 124 2 other signatures 14->124 22 explorer.exe 14->22 injected 26 csc.exe 14->26         started        29 csc.exe 14->29         started        31 conhost.exe 14->31         started        116 Maps a DLL or memory area into another process 18->116 118 Writes or reads registry keys via WMI 18->118 120 Writes registry values via WMI 18->120 122 Creates a COM Internet Explorer object 18->122 33 control.exe 18->33         started        35 WerFault.exe 18->35         started        37 iexplore.exe 1 65 20->37         started        signatures8 process9 dnsIp10 72 185.156.172.54, 443, 49795, 49797 M247GB Romania 22->72 74 89.44.9.160, 80 M247GB Romania 22->74 76 pagead46.l.doubleclick.net 172.217.22.66, 443, 49794 GOOGLEUS United States 22->76 94 Tries to steal Mail credentials (via file access) 22->94 96 Changes memory attributes in foreign processes to executable or writable 22->96 98 Tries to harvest and steal browser information (history, passwords, etc) 22->98 106 3 other signatures 22->106 39 RuntimeBroker.exe 22->39 injected 54 2 other processes 22->54 58 C:\Users\user\AppData\Local\...\40soah3l.dll, PE32 26->58 dropped 41 cvtres.exe 26->41         started        60 C:\Users\user\AppData\Local\...\kpzypqek.dll, PE32 29->60 dropped 43 cvtres.exe 29->43         started        100 Writes to foreign memory regions 33->100 102 Allocates memory in foreign processes 33->102 104 Modifies the context of a thread in another process (thread injection) 33->104 45 rundll32.exe 33->45         started        47 iexplore.exe 152 37->47         started        50 iexplore.exe 37->50         started        52 iexplore.exe 37->52         started        56 2 other processes 37->56 file11 signatures12 process13 dnsIp14 78 img.img-taboola.com 47->78 80 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49755, 49756 FASTLYUS United States 47->80 84 8 other IPs or domains 47->84 82 loogerblog.xyz 193.239.86.173, 49762, 49763, 49764 MERITAPL Romania 50->82
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0fb4779661fe23fdcd79c77fc74e721b637b496abe2eb26da28d12055af7b458/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2020-12-15 09:47:05 UTC
File Type:
PE (Dll)
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
07a73fb70fa63ff53d091c68cb1e5728314ff7b479ca695050173faf3f8f5ea2
Gozi
0819171ecacc60ce94d946b5f2d4939f4b27c2d9275feb439a40ef6e927473c2
Gozi
1302b4037bd0759b5eac425cf3b4333621d2357c8d7d26f910a3473d8618b739
Gozi
849e363856d35f9349e418671e7580220f859cdd5a7cbb80ef721526111dbe70
Gozi
8a6d1c13983162c59ba681bcbad0b8c0b9cbf87fb06750125bb97172b7206605
Gozi
9cabfa3e674b0274b3b802695b49d9634e027fb15aa827afaf793104f7317690
Gozi
c4e6f5cfecd2f30e47b684e5e57a6a9c9b03853546959baaf39e5948b7c9e15b
Gozi
d365d2272c6be7f3420d9083251496bfa2f48e4b2ac2f3563b65c3b246714a18
Gozi
e32ad2423fd1079505a65a44d9e0a4ea2c60821336b27e52930feaf5382a3536
Gozi
e33157d0b5973fb880934006b1427f5ad53ae3f471e81a9a8460772d7f5b3657
Gozi
+ 70 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb banker trojan
Link:
https://tria.ge/reports/201215-xt636wmxma/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
JavaScript code in executable
Gozi, Gozi IFSB
Unpacked files
SH256 hash:
0fb4779661fe23fdcd79c77fc74e721b637b496abe2eb26da28d12055af7b458
MD5 hash:
dde0277221cabab1df0e1cccf6a125b2
SHA1 hash:
a7d375672ae47f087185c78a444487aa656c8eb5
Link:
https://www.unpac.me/results/7888ad8f-dd42-4c21-b644-0c2962cb6aa6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0fb4779661fe23fdcd79c77fc74e721b637b496abe2eb26da28d12055af7b458

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe 0fb4779661fe23fdcd79c77fc74e721b637b496abe2eb26da28d12055af7b458

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/920125/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/108110/

Comments