MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1277c4177d2b564b221a369c587c6a99558253234f37bfbf19fef3a63bce88b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1277c4177d2b564b221a369c587c6a99558253234f37bfbf19fef3a63bce88b5
SHA3-384 hash: b70d30db3b82381c965f0519226c3161defa83fbbcd67b2214cd36f38f4add27db7648732a0f15d197440f9e496225e0
SHA1 hash: b30bf29948b2905db6b106d868b334e423ff4ebe
MD5 hash: 31a1197c1f7a1cb2b53bd1bb7fe2e1f8
humanhash: yellow-finch-three-lion
File name:31a1197c1f7a1cb2b53bd1bb7fe2e1f8.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:307'200 bytes
First seen:2022-08-10 14:38:41 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
ssdeep 6144:BVYNzCGQRGC3J1OsdZ0+Hul2TyBVfzo6HLXTjLlG+:BSCDYSJ1O8i+He2TsnHzTVG+
TLSH T11264D0743740E9DAD45880B7FA56DD9412A277719C8688CAF3722FC229632F6DF42B07
TrID 38.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
26.3% (.EXE) Win32 Executable (generic) (4505/5/1)
11.8% (.EXE) OS/2 Executable (generic) (2029/13)
11.6% (.EXE) Generic Win/DOS Executable (2002/3)
11.6% (.EXE) DOS Executable Generic (2000/1)
Reporter abuse_ch
Tags:dll Gozi isfb Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
575
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/297682/
Detection(s):
SecuriteInfo.com.Variant.Jaik.89908.8904.7046.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62f3c385e456f39ac93f593a/reports/8b8c36f0-f9cb-41e1-b1f8-499f4434c2cc/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/23c41a5a-dff1-41bb-bfad-936c2d272231
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1049321
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Injects code into the Windows Explorer (explorer.exe)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 681815 Sample: 86qzV4Zvqg.dll Startdate: 10/08/2022 Architecture: WINDOWS Score: 100 77 8.8.8.8.in-addr.arpa 2->77 79 1.0.0.127.in-addr.arpa 2->79 99 Snort IDS alert for network traffic 2->99 101 Malicious sample detected (through community Yara rule) 2->101 103 Antivirus detection for URL or domain 2->103 105 Yara detected  Ursnif 2->105 10 loaddll32.exe 1 2->10         started        13 mshta.exe 19 2->13         started        15 mshta.exe 2->15         started        signatures3 process4 signatures5 107 Found evasive API chain (may stop execution after checking system information) 10->107 109 Found API chain indicative of debugger detection 10->109 17 rundll32.exe 6 10->17         started        20 regsvr32.exe 1 6 10->20         started        23 cmd.exe 1 10->23         started        29 4 other processes 10->29 25 powershell.exe 13->25         started        27 powershell.exe 15->27         started        process6 dnsIp7 87 System process connects to network (likely due to code injection or exploit) 17->87 89 Writes to foreign memory regions 17->89 91 Allocates memory in foreign processes 17->91 97 2 other signatures 17->97 31 control.exe 17->31         started        81 79.110.52.8, 80 V4ESCROW-ASRO Romania 20->81 83 79.110.52.80, 49916, 49918, 80 V4ESCROW-ASRO Romania 20->83 85 192.168.2.1 unknown unknown 20->85 93 Writes or reads registry keys via WMI 20->93 95 Writes registry values via WMI 20->95 34 control.exe 20->34         started        36 rundll32.exe 23->36         started        38 csc.exe 25->38         started        41 csc.exe 25->41         started        43 conhost.exe 25->43         started        45 csc.exe 27->45         started        49 3 other processes 27->49 47 Conhost.exe 29->47         started        signatures8 process9 file10 111 Changes memory attributes in foreign processes to executable or writable 31->111 113 Injects code into the Windows Explorer (explorer.exe) 31->113 115 Writes to foreign memory regions 31->115 119 4 other signatures 31->119 51 rundll32.exe 34->51         started        117 Writes registry values via WMI 36->117 69 C:\Users\user\AppData\Local\...\dz0pu0dy.dll, PE32 38->69 dropped 53 cvtres.exe 38->53         started        55 Conhost.exe 38->55         started        57 Conhost.exe 38->57         started        71 C:\Users\user\AppData\Local\...\wcs151qi.dll, PE32 41->71 dropped 59 cvtres.exe 41->59         started        73 C:\Users\user\AppData\Local\...\izszzy0k.dll, PE32 45->73 dropped 61 cvtres.exe 45->61         started        75 C:\Users\user\AppData\Local\...\efgpeqga.dll, PE32 49->75 dropped 63 Conhost.exe 49->63         started        signatures11 process12 process13 65 Conhost.exe 51->65         started        67 Conhost.exe 53->67         started       
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1277c4177d2b564b221a369c587c6a99558253234f37bfbf19fef3a63bce88b5/
Threat name:
Win32.Trojan.Jaik
Create hunting rule
Status:
Malicious
First seen:
2022-08-10 14:39:08 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
11 of 39 (28.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cj34if35fnlewiq2g2ofq7dktfkyeuzdj4337pyz73z2mo6orc2q._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:3000 banker trojan
Link:
https://tria.ge/reports/220810-rz96msbdhp/
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
config.edge.skype.com
79.110.52.8
79.110.52.80
193.106.191.163
Unpacked files
SH256 hash:
1277c4177d2b564b221a369c587c6a99558253234f37bfbf19fef3a63bce88b5
MD5 hash:
31a1197c1f7a1cb2b53bd1bb7fe2e1f8
SHA1 hash:
b30bf29948b2905db6b106d868b334e423ff4ebe
Link:
https://www.unpac.me/results/09f09ec8-bddc-466e-9eda-b96095d4b68d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.34
Link:
https://yomi.yoroi.company/submissions/1277c4177d2b564b221a369c587c6a99558253234f37bfbf19fef3a63bce88b5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

DLL dll 1277c4177d2b564b221a369c587c6a99558253234f37bfbf19fef3a63bce88b5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2270459/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/297682/

Comments