MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 193c641aa9ed7092639694239d0f477f02ab493d3c525917613a13490533b9fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 193c641aa9ed7092639694239d0f477f02ab493d3c525917613a13490533b9fd
SHA3-384 hash: fa8b56bdb87cc7a973689f5b3f9cce8979d1f05b504699e2fa38cd8a671f532da0101687f62c566c23082855d208a2ac
SHA1 hash: 200ee4388830bbc4640f7f8c2b9eea07b84adc7c
MD5 hash: 034a0ada972701c9e6241243c82798a5
humanhash: yellow-uranus-yellow-kitten
File name:status.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:1'078'784 bytes
First seen:2022-03-17 12:07:06 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 29b0a68551a99728af2da380e4cc5074 (2 x Gozi)
ssdeep 12288:qP8LPFKkgEUAa+Mp1YEZdFyHkvs0ky268wdiWTNLxJO3vp7WnUaF5prq+etXrslj:4EPFGiatMEvsIfdi0Svp7WUwrzetXc
Threatray 508 similar samples on MalwareBazaar
TLSH T13F356C22BE9E4837C17A2A389D2F576868397E103928586F27F41D4CDF397417C252AF
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter JAMESWT_WT
Tags:dll Gozi isfb mise Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
382
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/251918/
Detection(s):
SecuriteInfo.com.Trojan.Win32.BunituCrypt.3889.24005.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe greyware keylogger replace.exe
Link:
https://www.filescan.io/uploads/623324a60cd58dbd92ae33f8/reports/9669f033-1ad7-4a78-a68e-4e5a2422b7e8/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0fe338e7-698b-4eb5-8fe9-5a4c289d3af1
Result
Threat name:
Ursnif CryptOne
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/958671
Signature
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Yara detected CryptOne packer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 591159 Sample: status.dll Startdate: 17/03/2022 Architecture: WINDOWS Score: 100 50 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->50 52 Found malware configuration 2->52 54 Antivirus detection for URL or domain 2->54 56 4 other signatures 2->56 8 loaddll32.exe 7 2->8         started        12 iexplore.exe 50 2->12         started        14 iexplore.exe 1 50 2->14         started        16 2 other processes 2->16 process3 dnsIp4 44 linkspremium.ru 8->44 46 atmospheri.top 8->46 58 Found evasive API chain (may stop execution after checking system information) 8->58 60 Found API chain indicative of debugger detection 8->60 62 Writes or reads registry keys via WMI 8->62 64 Writes registry values via WMI 8->64 18 cmd.exe 1 8->18         started        48 192.168.2.1 unknown unknown 12->48 20 iexplore.exe 12->20         started        23 iexplore.exe 32 14->23         started        25 iexplore.exe 31 16->25         started        27 iexplore.exe 32 16->27         started        signatures5 process6 dnsIp7 29 rundll32.exe 18->29         started        34 premiumlists.ru 45.128.184.132, 49797, 49798, 49825 MGNHOST-ASRU Russian Federation 23->34 36 127.0.0.1 unknown unknown 23->36 38 linkspremium.ru 62.173.149.135, 49780, 49781, 49782 SPACENET-ASInternetServiceProviderRU Russian Federation 25->38 40 atmospheri.top 25->40 42 atmospheri.top 27->42 process8 signatures9 66 Contains functionality to detect sleep reduction / modifications 29->66 32 WerFault.exe 23 9 29->32         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/193c641aa9ed7092639694239d0f477f02ab493d3c525917613a13490533b9fd/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2022-03-17 12:17:22 UTC
File Type:
PE (Dll)
Extracted files:
140
AV detection:
19 of 27 (70.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=de6gigvj5vyjey4wsqrz2d2hp4bkwsj5hrjfsf3bhijusbjtxh6q._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
2603f6890e3c3d47696b37c47516ac2e9f35e6805653f467a0a22de2b88defc8
Gozi
2cb2f5884d3c1a02febe53b8c8997d070a4c54dc75628714f829b894cf1c73a7
Gozi
388022f82cf14f03e13aac05209d02e26685ae97c45077b64bdbab3e7fa44f17
Gozi
410eb4b06644f073370230650fe0624ce5dc6e18481b2e85930865a5a3984160
Gozi
4eae1c5ebdb7b2021913b37477077bde0177579b6f8d43a49bd8a202b45657f4
Gozi
9f67885dc039a8378a81b3b4edb035a4e7c0e0a4e128ac4aa60232fff8e67acd
Gozi
+ 498 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:7624 banker trojan
Link:
https://tria.ge/reports/220317-padd9sddh2/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
atmospheri.top
linkspremium.ru
premiumlists.ru
Unpacked files
SH256 hash:
58de73de95351b4fd22ad38a2ee6190d59e5d28c2258121d10456429e2bd9e46
MD5 hash:
6ab937d5483abf12e17e8da8a35cbe09
SHA1 hash:
faba2946763f55ee8a0ee45754086fc9e395553a
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/3d197ea2-6932-48b9-bbd8-f5a999a6d58d/
Parent samples :
2cb2f5884d3c1a02febe53b8c8997d070a4c54dc75628714f829b894cf1c73a7
193c641aa9ed7092639694239d0f477f02ab493d3c525917613a13490533b9fd
SH256 hash:
e105922d77028c891b36eaeda9e536e9bbfbd6de6f78219e49e1d7c83fa67d93
MD5 hash:
7c30a730ae6a19fd39377ac70dde1aa0
SHA1 hash:
63bb79daadf84081827394ab27652436ded7b53e
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/3d197ea2-6932-48b9-bbd8-f5a999a6d58d/
Parent samples :
2cb2f5884d3c1a02febe53b8c8997d070a4c54dc75628714f829b894cf1c73a7
193c641aa9ed7092639694239d0f477f02ab493d3c525917613a13490533b9fd
SH256 hash:
193c641aa9ed7092639694239d0f477f02ab493d3c525917613a13490533b9fd
MD5 hash:
034a0ada972701c9e6241243c82798a5
SHA1 hash:
200ee4388830bbc4640f7f8c2b9eea07b84adc7c
Link:
https://www.unpac.me/results/3d197ea2-6932-48b9-bbd8-f5a999a6d58d/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/193c641aa9ed/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.26
Link:
https://yomi.yoroi.company/submissions/193c641aa9ed7092639694239d0f477f02ab493d3c525917613a13490533b9fd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

DLL dll 193c641aa9ed7092639694239d0f477f02ab493d3c525917613a13490533b9fd

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2101929/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/251918/

Comments