MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a0d4b328438a72cee012f6387825d942463b896fadc13f2c17e8d005f510cd4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1a0d4b328438a72cee012f6387825d942463b896fadc13f2c17e8d005f510cd4
SHA3-384 hash: 098727035aea6df3072d68d1caf54d0f7b2af2224d6ed5c6de5a01bf42a6389a50d72f005a787b1fa3ff0ca77739a000
SHA1 hash: 984a3ba5d4fe06265ce23cec82bda6a63b2bb3bc
MD5 hash: b9b732dbc6f94c79b5767eb98ebd899a
humanhash: happy-kansas-pennsylvania-two
File name:b9b732dbc6f94c79b5767eb98ebd899a.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:478'720 bytes
First seen:2021-05-12 10:40:46 UTC
Last seen:2021-05-12 12:00:04 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash a2f0d616525ae6c643810961c7d4fdfe (2 x Gozi)
ssdeep 12288:4Z31u8+a95+CA9lROexw8P7CbxXTTbWA:4Z31P9wr9lROow8W/
Threatray 248 similar samples on MalwareBazaar
TLSH B9A4AC307696C27BD212AC39CD5AE5FA1B057D20EF19248B35C53FAF79312A10B7D229
Reporter abuse_ch
Tags:dll Gozi isfb Ursnif

Intelligence

File Origin
# of uploads :
3
# of downloads :
279
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ursnif
Create hunting rule
Link:
https://www.capesandbox.com/analysis/155239/
Detection(s):
SecuriteInfo.com.Variant.Zusy.381952.1561.23236.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Searching for the window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/779761
Signature
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 412159 Sample: kZcCqvNtWa.dll Startdate: 12/05/2021 Architecture: WINDOWS Score: 76 25 www.outlook.com 2->25 27 outlook.office365.com 2->27 29 4 other IPs or domains 2->29 31 Found malware configuration 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 Yara detected  Ursnif 2->35 37 Machine Learning detection for sample 2->37 8 loaddll32.exe 1 2->8         started        11 iexplore.exe 2 59 2->11         started        signatures3 process4 signatures5 39 Writes or reads registry keys via WMI 8->39 41 Writes registry values via WMI 8->41 13 cmd.exe 1 8->13         started        15 rundll32.exe 8->15         started        17 rundll32.exe 8->17         started        19 rundll32.exe 8->19         started        21 iexplore.exe 7 11->21         started        process6 process7 23 rundll32.exe 13->23         started       
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1a0d4b328438a72cee012f6387825d942463b896fadc13f2c17e8d005f510cd4/
Threat name:
Win32.Trojan.Zusy
Create hunting rule
Status:
Malicious
First seen:
2021-05-12 10:41:13 UTC
AV detection:
10 of 47 (21.28%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=diguwmuehctsz3qbf5rypas5sqsghoew7lobh4wbp2gqax2rbtka._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
3b56b7298c366a323d28658a455abf0d4e78fa197a43ce13bedab05f26901d34
Gozi
46b5308d058e2dcd8e0868345d77a81abea0db8e0aa32a6b55e264fe18b7f577
Gozi
4bf6e9d4067cb905631ddf7452ac571c4ed9800c7eb8fc7e51b688e1154f52e3
Gozi
5d002f8a395fcc9a680a9ef4f78a8674cc0757850b02bf12a8ef4df79e2e4bd3
Gozi
5f65108386662cc4780882e06928dd940ea6c75235bf8e4c09079e6e40045326
Gozi
821f1b68c207b41e21b519610931ce46719307d99e3e8aeb397ac720d870b476
Gozi
9164fdcb36a96b934a66b23da4101dc5a24ccc8807aeb12760132fe4e64c5a9a
Gozi
bd43f7bc23a76b086a81b8e6fcd4355cac648d3f7d9a941d9aa259def534d5b1
Gozi
e81869620b9a18c3702c7be2fcf2e170cbc5c3de1ddbc84ae1fe190b57e917a0
Gozi
eb498648d17ad5250ab1f38b190dd2da8bfa8db3ee86054db991db79d15ad5cc
Gozi
+ 238 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:8877 banker trojan
Link:
https://tria.ge/reports/210512-jmdq8k9atn/
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
outlook.com/login
gmail.com
worunekulo.club
horunekulo.website
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1a0d4b328438a72cee012f6387825d942463b896fadc13f2c17e8d005f510cd4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ursnif3
Create hunting rule
Author:kevoreilly
Description:Ursnif Payload
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

DLL dll 1a0d4b328438a72cee012f6387825d942463b896fadc13f2c17e8d005f510cd4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1220072/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/155239/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-12 11:02:07 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0019] Data Micro-objective::Check String
1) [C0052] File System Micro-objective::Writes File
2) [C0007] Memory Micro-objective::Allocate Memory
3) [C0040] Process Micro-objective::Allocate Thread Local Storage
4) [C0041] Process Micro-objective::Set Thread Local Storage Value
5) [C0018] Process Micro-objective::Terminate Process