MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1da1183f1cd5f96f113a3b8978359b50380bfbc82e6987e274892edf56fcf3b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1da1183f1cd5f96f113a3b8978359b50380bfbc82e6987e274892edf56fcf3b5
SHA3-384 hash: bfb2ff7fcaadcc2276d2c15aae24946582590191566f49600e3ece2c901638be80446d649980e903d50d3ed901e4024c
SHA1 hash: 3306d48bd1ff87555d9a8accd30583b6789d4683
MD5 hash: 93b0ad344d44befa41b292d0a4609e56
humanhash: shade-carbon-carpet-timing
File name:shorefront.eps
Download: download sample
Signature Gozi
Create hunting rule
File size:393'728 bytes
First seen:2021-06-03 15:35:40 UTC
Last seen:2021-06-03 16:37:17 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash f97da13a5df33dbcb72f17527b1d6819 (2 x Gozi)
ssdeep 6144:hC5FUWwNmY036ua+71w5uJEr+AitTdZh+a6R+/ZQWdB:0FBwNuKu4umqAinZh+7+h1H
Threatray 355 similar samples on MalwareBazaar
TLSH F484BD5076C6E031E17241354A69EAE0073DBC629FA10B8F77E41E8F9D7C6C26E35B62
Reporter bigmacjpg
Tags:dll Gozi

Intelligence

File Origin
# of uploads :
2
# of downloads :
231
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ursnif
Create hunting rule
Link:
https://www.capesandbox.com/analysis/164448/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Searching for the window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/796804
Signature
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 429204 Sample: shorefront.eps Startdate: 03/06/2021 Architecture: WINDOWS Score: 88 27 Multi AV Scanner detection for domain / URL 2->27 29 Found malware configuration 2->29 31 Multi AV Scanner detection for submitted file 2->31 33 3 other signatures 2->33 7 loaddll32.exe 1 2->7         started        9 iexplore.exe 2 60 2->9         started        process3 process4 11 rundll32.exe 7->11         started        14 cmd.exe 1 7->14         started        16 rundll32.exe 7->16         started        18 rundll32.exe 7->18         started        20 iexplore.exe 36 9->20         started        dnsIp5 35 Writes registry values via WMI 11->35 23 rundll32.exe 14->23         started        25 app.buboleinov.com 20->25 signatures6 process7
Detection:
gozi
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1da1183f1cd5f96f113a3b8978359b50380bfbc82e6987e274892edf56fcf3b5/
Threat name:
Win32.Trojan.Sdum
Create hunting rule
Status:
Malicious
First seen:
2021-06-03 15:36:12 UTC
AV detection:
25 of 46 (54.35%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dwqrqpy42x4w6ej2hoexqnm3ka4ax66ifzuypyturexn6vx46o2q._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
01fd38efd6b413c52b73ae4bdb563472a37a2ec440a8441a86ed11f4d8f4c5a0
Gozi
08dafa77d5b9a550504ff06b05afef539e6f669ba8c330e776fbff2a2cc31b81
Gozi
1346bf7820f12ebcb3b6924fcbbcde045b4819773b924f1524abec895efa78e4
Gozi
20c09f055323ec942cb40efc13c0ff06bb7c60f44087e9b8a4a4744bf80935ed
Gozi
478be2a2eff77ac1ad7ff5e048bfb795ff7afd323f8e95b769ad26c40e582f38
Gozi
70f617d8686bdc7d17d4f3b992a27f2532686815aaf5289841b87fd0c198ff3a
Gozi
8840a062340c8fe5dea458987115a53879cca745fdaccc40edf1c20b6a6f3861
Gozi
9b83ff3af3645baf703075ecce628742d87f3349f08516d5affb105962b4fd6b
Gozi
a75c290ca3dd70d57c3f2805fb7c5668d95402c0cea95f62054a47084200ef24
Gozi
ab2ac6bebb2713759ce6e3d5db80fe8ccd4bb752199d9d71ce74a67ed8cf0c3b
Gozi
+ 345 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:4500 banker trojan
Link:
https://tria.ge/reports/210603-eg4nnq57qs/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
app.buboleinov.com
chat.veminiare.com
chat.billionady.com
app3.maintorna.com
Unpacked files
SH256 hash:
d3ddc34b39bb078c5ffe9a5fc45d619a5032e1c63cabf0d9e62ad5d878870fea
MD5 hash:
f2835b8f8092a85f8a981e75fd7c3df2
SHA1 hash:
b571d59a7a0733d83be06763d8415e5106bead0e
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/ee13a3b4-176f-40a1-901e-becbd248b384/
SH256 hash:
1da1183f1cd5f96f113a3b8978359b50380bfbc82e6987e274892edf56fcf3b5
MD5 hash:
93b0ad344d44befa41b292d0a4609e56
SHA1 hash:
3306d48bd1ff87555d9a8accd30583b6789d4683
Link:
https://www.unpac.me/results/ee13a3b4-176f-40a1-901e-becbd248b384/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1da1183f1cd5f96f113a3b8978359b50380bfbc82e6987e274892edf56fcf3b5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/164448/

Comments