MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 181fe6714ebaff8c1855e8e1dbac545ffd160df0ec96ddf920c5155916b7111b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Gozi
Vendor detections: 10

SHA256 hash: 181fe6714ebaff8c1855e8e1dbac545ffd160df0ec96ddf920c5155916b7111b
SHA3-384 hash: bcdd9a7a064e88884fbec3d610ffe597a9fd960958a702f2148b382d950c7ad666a4c44ff586487263472540f86337f4
SHA1 hash: e6fab2798dd6088aa3527a01ae1b3f2415cf40cf
MD5 hash: c36ab737db2b6d11fb1f443f8117a7fa
humanhash: blossom-east-fix-alanine
File name: c36.dll
Signature: Gozi
File size: 421'376 bytes
First seen: 2021-07-09 13:21:55 UTC
Last seen: 2021-07-09 13:37:36 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: 9ac2df5a14a0377b217ae274fd22ed43 (1 x Gozi)
ssdeep: 6144:XoiHyepaXa+Cv3FyUtySzhyq++rWM+AVF7tct2PytUDlrfu+U39O:YfGFvFu8hPwM+AVLcMKtKtK
Threatray: 377 similar samples on MalwareBazaar
TLSH: T1C494AE013655F836D2E622724F69D6A54359B8300F7492CFB6E83BAF1F291E39A35307
Reporter: 0x746f6d6669
Tags: dll, Gozi

Intelligence

File Origin
# of uploads: 2
# of downloads: 317
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: troj
Score: 84 / 100
Signature:
Found malware configuration
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph: [graph image not reproducible as text] Behavior Graph ID: 446420, Sample: c36.dll, Startdate: 09/07/2021, Architecture: WINDOWS, Score: 84. Processes shown in the graph: loaddll32.exe, rundll32.exe, cmd.exe, iexplore.exe (several instances). Domains shown in the graph: taybhctdyehfhgthp2.xyz, thyihjtkylhmhnypp2.xyz, plusmailcom.ha-cdn.de (195.20.250.115, port 443, ONEANDONE-AS, Germany), plus further IPs or domains not named in the graph text.
Result
Threat name: Win32.Trojan.Ursnif
Status: Malicious
First seen: 2021-07-08 01:15:00 UTC
AV detection: 4 of 29 (13.79%)
Threat level: 5/5

Result
Malware family: gozi_ifsb
Score: 10/10
Tags: family:gozi_ifsb botnet:5456 banker trojan
Behaviour: Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
outlook.com
mail.com
taybhctdyehfhgthp2.xyz
thyihjtkylhmhnypp2.xyz
Unpacked files
SHA256 hash: b1f5dd3432ccaf332a055fa8124b088228590b32c5433f229484a4fc166110cd
MD5 hash: da7dc123fd941f3ff5b37c12ef4d2e34
SHA1 hash: 6ea466e5c2eca325835dbdb6cd9f942a2d2a8a11
Detections: win_isfb_auto

SHA256 hash: 181fe6714ebaff8c1855e8e1dbac545ffd160df0ec96ddf920c5155916b7111b
MD5 hash: c36ab737db2b6d11fb1f443f8117a7fa
SHA1 hash: e6fab2798dd6088aa3527a01ae1b3f2415cf40cf
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Ursnif3
Author: kevoreilly
Description: Ursnif Payload

Rule name: win_isfb_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments