MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 184a4559b5b36330ba844ca4cd9408aed2f38290bf4cb8ad3ba6e129423a0bd0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 184a4559b5b36330ba844ca4cd9408aed2f38290bf4cb8ad3ba6e129423a0bd0
SHA3-384 hash: 4be6d547fde83569c8729b1b67e8d201af393b95b9c51ebfd670424248ee0bfc39d69fafce0ded0021dd246210a890ab
SHA1 hash: f32ebd4b964d06f350207ee84d041f1c83a79142
MD5 hash: df765ccd4b1c44dade295ab32b43a73e
humanhash: bulldog-cold-stream-winner
File name:5fbce6bbc8cc4png
Download: download sample
Signature Gozi
Create hunting rule
File size:117'320 bytes
First seen:2020-11-24 10:56:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d3c3593eb4d4503c28f26a39125b3c25 (1 x Gozi)
ssdeep 3072:VoyKuh5oY1cFaUTsrx4XBfXEKLBfMNBDdhuX7l:myKuhlOaUTYgdFLBSBDdcXZ
Threatray 62 similar samples on MalwareBazaar
TLSH 45B3D0C31A2578F2DB0717BB08D26B264F6AD1D4DD3C6D49ABC924099D4E2FE2C37168
Reporter JAMESWT_WT
Tags:brt dll Gozi isfb Ursnif

Code Signing Certificate

Organisation:G DATA Software AG
Issuer:GlobalSign ObjectSign CA
Algorithm:sha1WithRSAEncryption
Valid from:Nov 16 09:28:47 2007 GMT
Valid to:Nov 16 09:28:47 2010 GMT
Serial number: 0100000000011647C9FA8E
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: C73F1036ADF9436179E8A04619A47C13452854054EAAEBEFFAD30C85967435C7
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Sending an HTTP GET request
Searching for the window
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/545910
Signature
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Creates a COM Internet Explorer object
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Found malware configuration
Found Tor onion address
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 322051 Sample: 5fbce6bbc8cc4png Startdate: 24/11/2020 Architecture: WINDOWS Score: 100 62 8.8.8.8.in-addr.arpa 2->62 64 1.0.0.127.in-addr.arpa 2->64 66 resolver1.opendns.com 2->66 78 Found malware configuration 2->78 80 Multi AV Scanner detection for submitted file 2->80 82 Yara detected  Ursnif 2->82 84 10 other signatures 2->84 9 mshta.exe 2->9         started        12 loaddll32.exe 1 2->12         started        signatures3 process4 signatures5 100 Suspicious powershell command line found 9->100 14 powershell.exe 9->14         started        18 regsvr32.exe 12->18         started        20 cmd.exe 1 12->20         started        process6 file7 58 C:\Users\user\AppData\Local\...\ncwpagzn.0.cs, UTF-8 14->58 dropped 60 C:\Users\user\AppData\...\1rpmo52x.cmdline, UTF-8 14->60 dropped 102 Injects code into the Windows Explorer (explorer.exe) 14->102 104 Writes to foreign memory regions 14->104 106 Modifies the context of a thread in another process (thread injection) 14->106 116 2 other signatures 14->116 22 explorer.exe 14->22 injected 26 csc.exe 14->26         started        29 csc.exe 14->29         started        31 conhost.exe 14->31         started        108 Maps a DLL or memory area into another process 18->108 110 Writes or reads registry keys via WMI 18->110 112 Writes registry values via WMI 18->112 114 Creates a COM Internet Explorer object 18->114 33 control.exe 18->33         started        35 iexplore.exe 2 74 20->35         started        signatures8 process9 dnsIp10 68 89.44.9.160, 80 M247GB Romania 22->68 86 Tries to steal Mail credentials (via file access) 22->86 88 Changes memory attributes in foreign processes to executable or writable 22->88 90 Tries to harvest and steal browser information (history, passwords, etc) 22->90 98 3 other signatures 22->98 37 RuntimeBroker.exe 22->37 injected 54 C:\Users\user\AppData\Local\...\1rpmo52x.dll, PE32 26->54 dropped 39 cvtres.exe 26->39         started        56 C:\Users\user\AppData\Local\...\ncwpagzn.dll, PE32 29->56 dropped 41 cvtres.exe 29->41         started        92 Writes to foreign memory regions 33->92 94 Allocates memory in foreign processes 33->94 96 Modifies the context of a thread in another process (thread injection) 33->96 43 rundll32.exe 33->43         started        45 iexplore.exe 5 166 35->45         started        48 iexplore.exe 35->48         started        50 iexplore.exe 35->50         started        52 2 other processes 35->52 file11 signatures12 process13 dnsIp14 70 img.img-taboola.com 45->70 72 edge.gycpi.b.yahoodns.net 87.248.118.23, 443, 49742, 49744 YAHOO-DEBDE United Kingdom 45->72 76 10 other IPs or domains 45->76 74 marzoom.org 198.54.112.157, 49758, 49759, 49762 NAMECHEAP-NETUS United States 48->74
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/184a4559b5b36330ba844ca4cd9408aed2f38290bf4cb8ad3ba6e129423a0bd0/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2020-11-24 10:56:55 UTC
File Type:
PE (Dll)
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
1f489fc6703dd57a5d322a920c98c60b0a9be1168147e3ab1f0db8fa2ba03dae
Gozi
394ecd747f9b75d73b9d9fb0e393c754ce030e1cccf6c2544fd6eb54578cd517
Gozi
562be8984ba2629bba153f053977bb0ef17942bfefdb610a8eb618d955ded112
Gozi
6a39a3e7387f3d214042b2d9d99f4d6de18303d56ad96c9a48df20cf4693091b
Gozi
b5bca2548051f7a0bccedd44ae018dfe9df7632ecb9c7c7ff98a6aadecc985b3
Gozi
b958fb921a0e3bcc14962b3771f610e972526713f70bd36437b3f299fd252e52
Gozi
ba1a4ae1f2155524be33ae4addcc907881d1b4e64c4a8090f4f77d1ad1e87cd0
Gozi
d7c37dced460635f71add15aa5071cdd82d73ab250c7f3104387bcdceb7ddced
Gozi
f394be3f5bca6042b4c243810e61047cdc48802d278059ab03d07b2495e48704
Gozi
ff84091bb6f0eee80d98d41baf3ea143b48502d3933c0d9097abdf99618ffcf8
Gozi
+ 52 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb banker trojan
Link:
https://tria.ge/reports/201124-5tmmbr1rke/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Gozi, Gozi IFSB
Unpacked files
SH256 hash:
184a4559b5b36330ba844ca4cd9408aed2f38290bf4cb8ad3ba6e129423a0bd0
MD5 hash:
df765ccd4b1c44dade295ab32b43a73e
SHA1 hash:
f32ebd4b964d06f350207ee84d041f1c83a79142
Link:
https://www.unpac.me/results/bc714da9-c46f-4c86-ae6a-37d62cea8577/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Ursnif
Score:
0.70
Link:
https://yomi.yoroi.company/submissions/184a4559b5b36330ba844ca4cd9408aed2f38290bf4cb8ad3ba6e129423a0bd0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments