MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b9995b4d1ef90b4b1db62b8db973db8e7a88be66df0c77a66d5a1198dfe1487. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b9995b4d1ef90b4b1db62b8db973db8e7a88be66df0c77a66d5a1198dfe1487
SHA3-384 hash: d8eb1622a18b677f917cec42ba6aa892d34f7a5e93f994e87f95e06600f423c158bcea489fcd129bda663240e9e2a124
SHA1 hash: b8b9e5a02f3ad81913f6d950bfbfcedee26d128e
MD5 hash: 4f63f831f0cc6ccf353e1a6bc39440c1
humanhash: river-lima-alanine-venus
File name:payload_1b9995b4d1ef90b4b1db62b8db973db8e7a88be66df0c77a66d5a1198dfe1487.bin
Download: download sample
Signature Gozi
Create hunting rule
File size:193'536 bytes
First seen:2021-06-21 22:40:53 UTC
Last seen:2021-06-21 23:47:19 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 59a07f90a12b6534fc49375f47060d12 (1 x Gozi)
ssdeep 3072:bDSzMKZQdQEf9+39CALhSOjHOPUZTaznTy0ZEznFBvw3BQZcsHR4wJ+Hg5VXfoUL:beoKZwT9+38AL8OCwaTTRWACHRTJ+Hi3
Threatray 226 similar samples on MalwareBazaar
TLSH 44148C447080C57FEBB70237C4BBB73A63FBA2942734D8C7DB885D896465A42E726643
Reporter JasonMilletary
Tags:dll Gozi isfb

Intelligence

File Origin
# of uploads :
2
# of downloads :
266
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/167398/
Detection(s):
SecuriteInfo.com.DeepScan.Generic.Ursnif.1.7CB0A41B.24912.29764.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ceb9d754-3f9e-4412-a866-6416e7994103
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/805644
Signature
Antivirus / Scanner detection for submitted sample
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to evade analysis by execution special instruction which cause usermode exception
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 438055 Sample: obNCrjkROm.dll Startdate: 22/06/2021 Architecture: WINDOWS Score: 80 27 Found malware configuration 2->27 29 Antivirus / Scanner detection for submitted sample 2->29 31 Multi AV Scanner detection for submitted file 2->31 33 2 other signatures 2->33 8 loaddll32.exe 1 2->8         started        process3 process4 10 rundll32.exe 8->10         started        12 cmd.exe 1 8->12         started        14 rundll32.exe 8->14         started        process5 16 WerFault.exe 23 9 10->16         started        19 rundll32.exe 2 12->19         started        21 WerFault.exe 9 14->21         started        signatures6 25 Tries to evade analysis by execution special instruction which cause usermode exception 16->25 23 WerFault.exe 2 9 19->23         started        process7
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1b9995b4d1ef90b4b1db62b8db973db8e7a88be66df0c77a66d5a1198dfe1487/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2021-06-21 22:41:09 UTC
AV detection:
19 of 46 (41.30%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=domzlngr56iljmo3mk4nxfz5xdt2rc7gnxymo6tg2wqrtdp6csdq._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
36cbc77a5caaf8f805bc7347ee4cd27657fca600ea5e202e633aca7a09d73297
Gozi
4080ff8f402587476926487e628103c97d0519f65f4d3222b152507e60816059
Gozi
4db2cf21ed080aa6d30503a18bccf3180ea748ae648c0b1c1e776de9b04c7156
Gozi
50575798954fd5dff1f376d1597a3d0ff52f51789c5ae98b48957590b540bcce
Gozi
71b928fd0b29e21bbfa4755b5347f4dc40653a82ec7ecf4947e325dbec23abaa
Gozi
a43aeebdf142d982d97157178d0b190e386b39d532c8782a7767f84f2a88e97b
Gozi
a7b172d3fb0092b616e486d62a628e6fa09608d9e9a54773bc34fd37f2227a3e
Gozi
d33a4d3ac76095145e6061009fc20432b5c2c6ec4a828c7b6956ea5f072f2c34
Gozi
d81e62102d9b748aaabf4f06bf0c09a66dfaaac7836374016a5f076b6f7ed418
Gozi
f87ed79fbb1a2228c97fb59127eade39c4f8218fa28ddd76b50da177d81438e3
Gozi
+ 216 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:6100
Link:
https://tria.ge/reports/210621-9vehqccj32/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Malware Config
C2 Extraction:
todo.faroin.at
apr.intoolkom.at
r23cirt55ysvtdvl.onion
kas.kargoapp.at
io.feen007.at
gtk.uploner.at
l46t3vgvmtx5wxe6.onion
pop.biopiof.at
free.monotreener.com
tb.yapker.at
app.flashgameo.at
Unpacked files
SH256 hash:
1b9995b4d1ef90b4b1db62b8db973db8e7a88be66df0c77a66d5a1198dfe1487
MD5 hash:
4f63f831f0cc6ccf353e1a6bc39440c1
SHA1 hash:
b8b9e5a02f3ad81913f6d950bfbfcedee26d128e
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/4a4744fc-7b7b-4092-950f-82557232ef88/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/1b9995b4d1ef90b4b1db62b8db973db8e7a88be66df0c77a66d5a1198dfe1487

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/167398/

Comments