MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12e858bb6b8b20d96563324b69e77e03dfe3255332dbb32e79d94f7863bb0f8b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 12e858bb6b8b20d96563324b69e77e03dfe3255332dbb32e79d94f7863bb0f8b
SHA3-384 hash: 65aa9a8c8a1eb11e703e1c0b41b80e506efba7d10e40675481e1b085a3c40aa6021bb45d646da3c42e3928cfe1bf4c44
SHA1 hash: 70c916d64e4cdfdc025052456789b58eb6ecea64
MD5 hash: 23246d384883f7e9e2488e9380ae596b
humanhash: ack-mirror-emma-snake
File name:con3cti0n.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:210'944 bytes
First seen:2020-11-30 05:48:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dd0185af8f1e735a2302cff3d75dcfa1 (1 x Gozi)
ssdeep 3072:+Ykomvag+Cf525rRWfGz1ODOPoS08rqaddb2hgt9s+gGXV7odX:+YHA12Yu/PoSJzl2+t9s+gwV7o5
TLSH 3024DA9B70EA1A16E21EF37F241C217A5F92DD18F7D290B375EDE648F2017642A4A331
Reporter JAMESWT_WT
Tags:dll Gozi isfb Ursnif vodafone

Intelligence

File Origin
# of uploads :
1
# of downloads :
379
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/105991/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/550774
Signature
Creates a COM Internet Explorer object
Found malware configuration
Multi AV Scanner detection for submitted file
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 324498 Sample: con3cti0n.dll Startdate: 30/11/2020 Architecture: WINDOWS Score: 76 32 Found malware configuration 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 Yara detected  Ursnif 2->36 8 loaddll32.exe 1 2->8         started        process3 process4 10 regsvr32.exe 8->10         started        13 cmd.exe 1 8->13         started        signatures5 38 Writes or reads registry keys via WMI 10->38 40 Writes registry values via WMI 10->40 42 Creates a COM Internet Explorer object 10->42 15 iexplore.exe 2 70 13->15         started        process6 process7 17 iexplore.exe 5 162 15->17         started        20 iexplore.exe 25 15->20         started        22 iexplore.exe 29 15->22         started        dnsIp8 24 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49740, 49741 FASTLYUS United States 17->24 26 www.msn.com 17->26 30 7 other IPs or domains 17->30 28 ocsp.sca1b.amazontrust.com 143.204.214.74, 49764, 49765, 80 AMAZON-02US United States 20->28
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/12e858bb6b8b20d96563324b69e77e03dfe3255332dbb32e79d94f7863bb0f8b/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2020-11-30 05:43:55 UTC
File Type:
PE (Dll)
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Verdict:
unknown
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb banker trojan
Link:
https://tria.ge/reports/201130-lmvmkdrr4a/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies Internet Explorer Phishing Filter
Gozi, Gozi IFSB
Unpacked files
SH256 hash:
12e858bb6b8b20d96563324b69e77e03dfe3255332dbb32e79d94f7863bb0f8b
MD5 hash:
23246d384883f7e9e2488e9380ae596b
SHA1 hash:
70c916d64e4cdfdc025052456789b58eb6ecea64
Link:
https://www.unpac.me/results/8b22a295-ee15-4047-aa9d-393e6fe99c31/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/12e858bb6b8b20d96563324b69e77e03dfe3255332dbb32e79d94f7863bb0f8b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe 12e858bb6b8b20d96563324b69e77e03dfe3255332dbb32e79d94f7863bb0f8b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/868704/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/105991/
  
URLhaus
https://urlhaus.abuse.ch/url/868780/
  
URLhaus
https://urlhaus.abuse.ch/url/868807/
  
URLhaus
https://urlhaus.abuse.ch/url/868813/

Comments