MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1266fa18e0ae0fa01e2cf72e9055c62ccb1712ee52f94ec80d26ce27196e6897. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1266fa18e0ae0fa01e2cf72e9055c62ccb1712ee52f94ec80d26ce27196e6897
SHA3-384 hash: 9a54e72fd1c6c9848bf0462ff2cc3056b943e804b30d46b6839086225705c07b168ccaf5765b6e4ee2cb3afb575f913d
SHA1 hash: 5946bde6f834d7b1c88ea2577dcb6ae7690800c6
MD5 hash: 220d5cf09d0a75fc7fe2ea396e73fcb3
humanhash: lemon-shade-august-florida
File name:importante.bin
Download: download sample
Signature Gozi
Create hunting rule
File size:153'088 bytes
First seen:2020-10-01 05:55:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 95b6e697a05b24548ce75b04358bd898 (1 x Gozi)
ssdeep 3072:61LqeFZvWutUyGDPkiXl7Mye6yK7iq25wa0QpA7l7u83va9SYasm:61Lq0YvXl7rezCLQChy83vg/asm
TLSH 38E3BE1B645AA8E9E16892FC08776B678EDFD4B90F70F2036DD458C90097AC5CE3A84D
Reporter JAMESWT_WT
Tags:dll Gozi isfb Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
391
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/67316/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.PWSOnlineGames.ch.14689.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Searching for the window
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Deleting a recently created file
Result
Threat name:
Unknown
Detection:
malicious
Classification:
bank
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/479016
Signature
Creates a COM Internet Explorer object
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has nameless sections
Writes or reads registry keys via WMI
Writes registry values via WMI
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 291952 Sample: importante.bin Startdate: 01/10/2020 Architecture: WINDOWS Score: 68 30 Multi AV Scanner detection for submitted file 2->30 32 Machine Learning detection for sample 2->32 34 PE file has nameless sections 2->34 8 loaddll32.exe 1 2->8         started        process3 process4 10 regsvr32.exe 1 8->10         started        13 cmd.exe 1 8->13         started        signatures5 36 Writes or reads registry keys via WMI 10->36 38 Writes registry values via WMI 10->38 40 Creates a COM Internet Explorer object 10->40 15 iexplore.exe 1 54 13->15         started        process6 process7 17 iexplore.exe 147 15->17         started        20 iexplore.exe 29 15->20         started        dnsIp8 22 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49770, 49771 FASTLYUS United States 17->22 24 geolocation.onetrust.com 104.20.184.68, 443, 49758, 49759 CLOUDFLARENETUS United States 17->24 28 8 other IPs or domains 17->28 26 porp53334.yahoo.com 20->26
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1266fa18e0ae0fa01e2cf72e9055c62ccb1712ee52f94ec80d26ce27196e6897/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2020-10-01 05:57:04 UTC
File Type:
PE (Dll)
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cjtpughavyh2ahrm64xjavogftfroexokl4u5sane3hcoglonclq._file
Verdict:
unknown
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
banker trojan family:gozi_ifsb
Link:
https://tria.ge/reports/201001-eydck7yab6/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Blacklisted process makes network request
Gozi, Gozi IFSB
Unpacked files
SH256 hash:
1266fa18e0ae0fa01e2cf72e9055c62ccb1712ee52f94ec80d26ce27196e6897
MD5 hash:
220d5cf09d0a75fc7fe2ea396e73fcb3
SHA1 hash:
5946bde6f834d7b1c88ea2577dcb6ae7690800c6
Link:
https://www.unpac.me/results/b818fca6-e1e2-4301-8974-6213ac77adf0/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe 1266fa18e0ae0fa01e2cf72e9055c62ccb1712ee52f94ec80d26ce27196e6897

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/67316/
  
URLhaus
https://urlhaus.abuse.ch/url/633683/
  
Delivery method
Distributed via web download

Comments