MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c127c223ece190ab8982cb8b55cb2d78754b1e8e51775aa276e85587a1311e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash:	1c127c223ece190ab8982cb8b55cb2d78754b1e8e51775aa276e85587a1311e4
SHA3-384 hash:	22e8872ba76d1bb1159239a17fd71258fa0658f9c30d6526f49ab700b79fbe1a4a4b53066bcc4b1c8c41639c23b51cc2
SHA1 hash:	972bcb9401faa74c1b66a1929b6cfa20ce26aa70
MD5 hash:	4a97461216c8a905f374ebb4f9d5423c
humanhash:	princess-east-oregon-arizona
File name:	71e0000.dll
Download:	download sample
Signature	Gozi Create hunting rule
File size:	233'472 bytes
First seen:	2022-11-14 15:32:52 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	3072:1lfGqwJTeTEom3lIkR2SCD6q9KgyItk78mV0dfgxT/cqApw5VgCK5hcjw9xJFoc:1lDosEPR66q9KgylInd6oqApD5BnFoc
Threatray	106 similar samples on MalwareBazaar
TLSH	T14D346D5AA3E50995ED6BD5B6CD53D227EBF234492B24C30F53B0CAA66F17362B21C301
TrID	28.8% (.EXE) DOS Executable Borland Pascal 7.0x (2035/25) 28.3% (.EXE) Generic Win/DOS Executable (2002/3) 28.3% (.EXE) DOS Executable Generic (2000/1) 14.2% (.SCORE) Music Craft Score (1007/6) 0.2% (.DBF) Sybase iAnywhere database files (19/3)
Reporter	0x746f6d6669
Tags:	exe Gozi

Intelligence

File Origin

# of uploads :

# of downloads :

216

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

71e0000.dll

Verdict:

No threats detected

Analysis date:

2022-11-14 15:35:52 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/9fd20cf5-6ec5-4c7d-911c-4a80faaf706d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/333817/

Detection(s):

Win.Malware.Ursnif-9884005-0

Win.Malware.Ursnif-9886559-0

Win.Malware.Ursnif-9892796-0

Win.Malware.Ursnif-9896448-0

Win.Malware.Ursnif-9917123-0

Win.Malware.Ursnif-9937854-0

Result

Verdict:

Malware

Maliciousness:

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

packed setupapi.dll shell32.dll

Link:

https://www.filescan.io/uploads/63725fae07c3f5e84a0117ba/reports/13f12433-9214-4dc1-8ce2-e02604c8c3cc/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c488c6ad-bbad-4dbd-afe7-b798c72cde1b

Result

Threat name:

Ursnif

Detection:

malicious

Classification:

troj

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/1113009

Signature

Antivirus / Scanner detection for submitted sample

Yara detected Ursnif

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1c127c223ece190ab8982cb8b55cb2d78754b1e8e51775aa276e85587a1311e4/

Threat name:

Win64.Infostealer.Gozi

Status:

Malicious

First seen:

2022-11-14 15:33:06 UTC

File Type:

PE+ (Dll)

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dqjhyir6zymqvoeyfs4lkxfs26dvjmpi4ulxlkrhn2cvq6qtchsa._file

Verdict:

malicious

Label(s):

gozi

Gozi

154a3d6b6884c0ad1152f84d209053fc2dbabfadae47d22eb1486c83d001cfab

Gozi

3e099b9a4d2092444a335dad2a3ad688b4c981b1a5e4e522f489c59a3e6f4e6a

Gozi

555df9df7ab7a1edf7764add9ff88b1266a078d48ee1cc00f21f0131a6b30b84

Gozi

857ea4a7ea0b6903992bc62853453e780b8e8e6af87daa574660be322473b9fc

Gozi

b8ede90d77745ec6121d2ce8e06e85710855df06fe192788081f2b6ef6abb1d9

Gozi

cf043012ad2be371b8f945ac4952f79d9484f74d8e5fe9a08970d0df748927ab

Gozi

d7c21a2d7356de716a0d38bd83ca240c7c12b3830494ffde30e3599fa2243b5c

Gozi

dc641a85150af5ede0e9a4ab23144a578889bbee7163addf9e97b5fab7d09fc8

Gozi

+ 96 additional samples on MalwareBazaar

Result

Malware family:

gozi

Score:

10/10

Tags:

family:gozi botnet:15072022 isfb

Link:

https://tria.ge/reports/221114-sy6mhagf6s/

Malware Config

C2 Extraction:

telemetry.skype.com
pushkin-kotero.ru
ballya99.ru
tympedyrra66kos2.ru
svoona8vdia88.ru
okpoker009291.ru
sandinsd7x6e.ru
p4elauus.ru
kraskinaayd7imus.ru
dukatto03lo.ru
leikocitoosih9racker.ru
simenshina88a8.ru

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/b70b869c-08d8-4331-9e55-bb3e7001f7ce

Unpacked files

SH256 hash:

1c127c223ece190ab8982cb8b55cb2d78754b1e8e51775aa276e85587a1311e4

MD5 hash:

4a97461216c8a905f374ebb4f9d5423c

SHA1 hash:

972bcb9401faa74c1b66a1929b6cfa20ce26aa70

Detections:

ISFB_Main

win_dreambot_auto

Link:

https://www.unpac.me/results/49527305-1790-424d-bd34-c681136b0d8d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

ursnif3

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1c127c223ece190ab8982cb8b55cb2d78754b1e8e51775aa276e85587a1311e4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	win_dreambot_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.dreambot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/333817/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample