MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d4ccfa95990fbf6ee731db78a945bad5d3ffa82f0271d8c9aefd314b6ecc6af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	1d4ccfa95990fbf6ee731db78a945bad5d3ffa82f0271d8c9aefd314b6ecc6af
SHA3-384 hash:	10a2f72f3054ec48c642389fe289164839f96a857cb9ecfcde7410bee35fec30b0bef3a49930dbe17a1a8ea3641620be
SHA1 hash:	f0f2d064f93a5b16245ae0a5b88f36ee347b6283
MD5 hash:	3f4b537b1d831dd67a6ba8eab39ac5d2
humanhash:	whiskey-three-helium-maine
File name:	server.exe
Download:	download sample
Signature	Gozi Create hunting rule
File size:	202'752 bytes
First seen:	2023-03-10 11:33:27 UTC
Last seen:	2023-03-10 13:31:18 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	fb2a6261d6fa4e5619ccb6a249cd16c0 (4 x RedLineStealer, 1 x Gozi, 1 x Amadey)
ssdeep	3072:MKG4Ei6H/ddMwUJrxGaAwbpwmggjnBjxmIAhY+NEfMHxOmcglIxC:h6fddjAdbuLgjnBjx6qS5z
TLSH	T1DC148E12A3E1F865E626EA31AE3EC2E4271FF4915E797B5A13195B3F0DB01E0C963701
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	1090c86870524844 (1 x Gozi)
Reporter	JAMESWT_WT
Tags:	agenziaentrate exe Gozi isfb ITA MEF mise Ursnif

Intelligence

File Origin

# of uploads :

# of downloads :

232

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

server.exe

Verdict:

No threats detected

Analysis date:

2023-03-10 11:35:17 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/658e7e1b-00c3-40c2-92be-a194a50ad11b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/373317/

Detection(s):

SecuriteInfo.com.Variant.Zusy.452500.30132.21954.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Using the Windows Management Instrumentation requests

DNS request

Launching a process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware khalesi lockbit packed shell32.dll zusy

Link:

https://www.filescan.io/uploads/640b15ac79380d66a3b24b70/reports/8d52b1a8-10da-4c05-b781-a4f7d5f511c7/overview

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/1d4ccfa95990fbf6ee731db78a945bad5d3ffa82f0271d8c9aefd314b6ecc6af

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6765779d-c0df-4511-8e07-d73cc1795c2b

Result

Threat name:

Ursnif

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1191125

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found API chain indicative of debugger detection

Found evasive API chain (may stop execution after checking system information)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Writes or reads registry keys via WMI

Writes registry values via WMI

Yara detected Ursnif

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1d4ccfa95990fbf6ee731db78a945bad5d3ffa82f0271d8c9aefd314b6ecc6af/

Threat name:

Win32.Trojan.Ursnif

Status:

Malicious

First seen:

2023-03-10 12:45:50 UTC

AV detection:

17 of 23 (73.91%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dvgm7kkzsd57n3ttdw3yvfc3vvot76uc6atr3de257jrjnxmy2xq._file

Result

Malware family:

gozi

Score:

10/10

Tags:

family:gozi botnet:7712 banker isfb trojan

Link:

https://tria.ge/reports/230310-npep7sfb6z/

Behaviour

Gozi

Malware Config

C2 Extraction:

checklist.skype.com
62.173.140.236
31.41.44.92
46.8.210.143
45.128.185.33

Unpacked files

SH256 hash:

37bae5e29633f171616988fd64cfae9038cf8167677879a0c4cb4ed4761b9ebf

MD5 hash:

4ea4f4bde9f76d9ba624d958d4ca5b50

SHA1 hash:

81009ab0612ef7e4ee437a136c0e5cb22bab4ec0

Detections:

ISFB_Main

win_isfb_auto

Link:

https://www.unpac.me/results/3a01e329-62e8-426a-abaa-0574f71c2c4c/

Parent samples :

4b8dbe4d5a5547c30971cda34392a943c11964e43f62325dd753620744063b8d
37bae5e29633f171616988fd64cfae9038cf8167677879a0c4cb4ed4761b9ebf
1d4ccfa95990fbf6ee731db78a945bad5d3ffa82f0271d8c9aefd314b6ecc6af
8449f58ebb84db076809e6701e7195202a3f77dc2ef8a0809451b585c9194d6e

SH256 hash:

08773cbacd6141b7999696d1dbfb4fbec15a3c5d3f5ae508a1db12c567644fa6

MD5 hash:

74d2caf4bcf3ec7eed48591e5ef84d3b

SHA1 hash:

5ff2067cc2e631798607773542ab5e42acee80da

Link:

https://www.unpac.me/results/3a01e329-62e8-426a-abaa-0574f71c2c4c/

SH256 hash:

1d4ccfa95990fbf6ee731db78a945bad5d3ffa82f0271d8c9aefd314b6ecc6af

MD5 hash:

3f4b537b1d831dd67a6ba8eab39ac5d2

SHA1 hash:

f0f2d064f93a5b16245ae0a5b88f36ee347b6283

Link:

https://www.unpac.me/results/3a01e329-62e8-426a-abaa-0574f71c2c4c/

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1d4ccfa95990/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1d4ccfa95990fbf6ee731db78a945bad5d3ffa82f0271d8c9aefd314b6ecc6af

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

Rule name:	win_isfb_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/373317/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample