MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 141ac687d4e9843e30b3687f5a7a95f70ed48808070c816d4881e87998840f86. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 141ac687d4e9843e30b3687f5a7a95f70ed48808070c816d4881e87998840f86
SHA3-384 hash: 2b558e6da8ecd6fa05ce798845b0c3c6e87c465ca364884432d412fd82bb64351ae21a72763241abe8787ba4b632ac52
SHA1 hash: 327d30673443752005c2baecfcefcfec4f0d9ed7
MD5 hash: 1e6a3c742a4f88736a6e8fa7f2a06fe8
humanhash: six-summer-rugby-sodium
File name:readme.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:413'320 bytes
First seen:2022-02-17 10:19:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 45bc978ea9fd2a51ce11ae427f45879e (1 x Gozi)
ssdeep 6144:nMV6no/LLiMV6no/LIJmW7Z6HCBMV6no/LrMV6no/LoqxWRpBu7L4sce:MV60LLV60LIJmc2V60L4V60LlCB0
Threatray 90 similar samples on MalwareBazaar
TLSH T18594D0B3618DBD7BD7CB9A37B90DF9B41800C863E6D9C5C363560F4CD0A8BE24598A52
Reporter JAMESWT_WT
Tags:agenziaentrate dll exe Gozi isfb Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
366
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/242215/
Detection(s):
SecuriteInfo.com.Variant.Lazy.130708.26100.9570.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Launching a process
Searching for synchronization primitives
Сreating synchronization primitives
Creating a window
DNS request
Sending an HTTP GET request
Searching for the window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/620e2159ac8ad0468b4b26d2/reports/37437226-85ca-4502-a3e3-33b252e62e58/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/007e4997-0f03-44a0-ad91-d9ea77521d70
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/941508
Signature
Antivirus detection for URL or domain
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Regsvr32 Network Activity
Sigma detected: Suspicious Call by Ordinal
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 573986 Sample: readme.dll Startdate: 17/02/2022 Architecture: WINDOWS Score: 100 59 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->59 61 Multi AV Scanner detection for domain / URL 2->61 63 Found malware configuration 2->63 65 5 other signatures 2->65 7 loaddll32.exe 7 2->7         started        11 iexplore.exe 1 58 2->11         started        13 iexplore.exe 2->13         started        15 2 other processes 2->15 process3 dnsIp4 55 linkspremium.ru 7->55 57 blogsline.top 7->57 77 Found evasive API chain (may stop execution after checking system information) 7->77 79 Found API chain indicative of debugger detection 7->79 81 Writes or reads registry keys via WMI 7->81 83 Writes registry values via WMI 7->83 17 cmd.exe 1 7->17         started        19 regsvr32.exe 6 7->19         started        23 rundll32.exe 6 7->23         started        25 iexplore.exe 31 11->25         started        27 iexplore.exe 33 11->27         started        29 iexplore.exe 31 11->29         started        31 iexplore.exe 11->31         started        33 4 other processes 13->33 35 8 other processes 15->35 signatures5 process6 dnsIp7 37 rundll32.exe 6 17->37         started        41 blogsline.top 62.173.149.135, 49852, 49853, 49854 SPACENET-ASInternetServiceProviderRU Russian Federation 19->41 67 Writes or reads registry keys via WMI 19->67 69 Writes registry values via WMI 19->69 71 System process connects to network (likely due to code injection or exploit) 23->71 43 blogline.top 31.41.46.120, 49733, 49734, 49735 ASRELINKRU Russian Federation 27->43 45 192.168.2.1 unknown unknown 29->45 47 linkspremium.ru 31.41.44.3, 80 ASRELINKRU Russian Federation 33->47 49 premiumlists.ru 45.128.184.132, 49820, 49821, 49822 MGNHOST-ASRU Russian Federation 35->49 signatures8 process9 dnsIp10 51 linkspremium.ru 37->51 53 blogsline.top 37->53 73 System process connects to network (likely due to code injection or exploit) 37->73 75 Writes registry values via WMI 37->75 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/141ac687d4e9843e30b3687f5a7a95f70ed48808070c816d4881e87998840f86/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2022-02-17 10:20:11 UTC
File Type:
PE (Dll)
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
02bb7e5eda106943c37400103a651d11d1ebfd5f4b0a550874328c2c82340923
Gozi
2603f6890e3c3d47696b37c47516ac2e9f35e6805653f467a0a22de2b88defc8
Gozi
3fff4baf83e75e39c51a2484ca04763852b6d6bf0a24ecb341e65dd2724711a0
Gozi
410eb4b06644f073370230650fe0624ce5dc6e18481b2e85930865a5a3984160
Gozi
45f11d97a8ed1a9215e9c6c8d44335229e17bd63bb0a48abcc8c2a02dca241c4
Gozi
4d4bedbc795e2dd4fe929b6dc57bfc314165795e25c362959fbabc59c0a60d80
Gozi
4eae1c5ebdb7b2021913b37477077bde0177579b6f8d43a49bd8a202b45657f4
Gozi
aa4d5569f00d3fed84a25b4a1adcf28e55150e01cd5917082fa9569f774b984e
Gozi
+ 80 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:7615 banker trojan
Link:
https://tria.ge/reports/220217-mc5kesahf6/
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
blogline.top
blogsline.top
linkspremium.ru
premiumlists.ru
Unpacked files
SH256 hash:
20a5bdd6d2b5af5742affc66b0ae97822888be661cecf12daabbf28f2e447ebf
MD5 hash:
605cb28a9e0c060bf3afaabff8c9e978
SHA1 hash:
99b25b03a9807ed8a428e53aad1840f188f52175
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/550977cc-738d-4342-abb5-ad83052e7781/
SH256 hash:
22a1ba3f04ef91155bd1da2d2c4728ea7920acdea56b786880b864c98345b710
MD5 hash:
eb0b7ef3fa3f10318861d34248fed378
SHA1 hash:
5f189550df8f25780eb0cf899fc13300ab2d29bd
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/550977cc-738d-4342-abb5-ad83052e7781/
SH256 hash:
141ac687d4e9843e30b3687f5a7a95f70ed48808070c816d4881e87998840f86
MD5 hash:
1e6a3c742a4f88736a6e8fa7f2a06fe8
SHA1 hash:
327d30673443752005c2baecfcefcfec4f0d9ed7
Link:
https://www.unpac.me/results/550977cc-738d-4342-abb5-ad83052e7781/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/141ac687d4e9843e30b3687f5a7a95f70ed48808070c816d4881e87998840f86

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe 141ac687d4e9843e30b3687f5a7a95f70ed48808070c816d4881e87998840f86

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/242215/
  
URLhaus
https://urlhaus.abuse.ch/url/2046241/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2046240/

Comments