MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1dffa8653b7363ab77ecc095d268a8116c00f538eb5ad079f39fc6b6239676a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1dffa8653b7363ab77ecc095d268a8116c00f538eb5ad079f39fc6b6239676a3
SHA3-384 hash: 780b7d942f1c6c51c8585bc1a40e2fff4874bdab529d5001d024d7c520718d710377e400d0a1c2c7bff175ac146ee017
SHA1 hash: 445f14c9fe938d283454bd5dd40f005413be3c7a
MD5 hash: 221200e48284c73759bdae363257c3f4
humanhash: pip-sodium-river-london
File name:221200e48284c73759bdae363257c3f4.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:438'272 bytes
First seen:2022-06-29 16:10:32 UTC
Last seen:2022-06-29 17:04:09 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 90744814dc538303afb767d2b0a66a6b (3 x Gozi)
ssdeep 6144:Q6p9ErD03svy+zGEMrDwyKJPUpge5vyfxN9ROH8CjmdPFQETNdITUC/CK96ouQEF:Q1DzzjMnwhJPcgYvyfD97hTNrC/d1E
TLSH T13394BE5303F66A87F3684EBFD79B337E44A7A4215D1BE18703524ABAA0759E06724333
TrID 45.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.3% (.EXE) OS/2 Executable (generic) (2029/13)
18.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.0% (.EXE) DOS Executable Generic (2000/1)
Reporter abuse_ch
Tags:dll geo Gozi isfb ITA Ursnif

Intelligence

File Origin
# of uploads :
2
# of downloads :
700
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/284322/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
emotet gozi greyware packed ursnif
Link:
https://www.filescan.io/uploads/62bc79d6114aa383d0ed08cd/reports/319588d3-45fb-40f9-8778-a731f0b6f8a8/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ff4448f0-f8a0-48ef-b54a-fe242f0da50d
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1022025
Signature
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1dffa8653b7363ab77ecc095d268a8116c00f538eb5ad079f39fc6b6239676a3/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2022-06-29 16:11:06 UTC
File Type:
PE (Dll)
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dx72qzj3onr2w57myck5e2ficfwab5jy5nnna6ptt7dlmi4wo2rq._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:3000 banker suricata trojan
Link:
https://tria.ge/reports/220629-tmx2nacfb5/
Behaviour
Discovers systems in the same network
Enumerates processes with tasklist
Gathers system information
Runs net.exe
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Blocklisted process makes network request
Gozi, Gozi IFSB
suricata: ET MALWARE Ursnif Payload Request (cook32.rar)
suricata: ET MALWARE Ursnif Payload Request (cook64.rar)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
Malware Config
C2 Extraction:
config.edge.skype.com
194.76.225.112
194.76.225.113
46.21.153.203
xmhomestilesh.at
geodezhols.at
46.21.153.221
194.76.224.26
Unpacked files
SH256 hash:
1776f6da8c520fd5753480ed1900040cffaa86edf51220b6b7c45af74c9514ce
MD5 hash:
ababce15b20848b530dfdd65c001d0e3
SHA1 hash:
72c917b56b11635f2b8f2996a48301cab251b78e
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/2c4b7d47-8c4d-41a4-9f1c-9426d2ed7856/
Parent samples :
7128826dcce9cae120e66c403a6c2a6f44ad221521a56b12515180b08cce63e6
539b93f7453bae7aa4bb960cdca9cf90d3b94ca64c0e90b96e4c1b150e843d84
1dffa8653b7363ab77ecc095d268a8116c00f538eb5ad079f39fc6b6239676a3
SH256 hash:
206aa5203226d5cda7e4c2082245e8a2b32ee0251545ace03e87616cda94fc0e
MD5 hash:
78efb998d4dfef52753a4d9263bc5656
SHA1 hash:
a6434d93e58b2a164b20e61fd60c41a3775a508d
Link:
https://www.unpac.me/results/2c4b7d47-8c4d-41a4-9f1c-9426d2ed7856/
SH256 hash:
1dffa8653b7363ab77ecc095d268a8116c00f538eb5ad079f39fc6b6239676a3
MD5 hash:
221200e48284c73759bdae363257c3f4
SHA1 hash:
445f14c9fe938d283454bd5dd40f005413be3c7a
Link:
https://www.unpac.me/results/2c4b7d47-8c4d-41a4-9f1c-9426d2ed7856/
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1dffa8653b73/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/1dffa8653b7363ab77ecc095d268a8116c00f538eb5ad079f39fc6b6239676a3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

DLL dll 1dffa8653b7363ab77ecc095d268a8116c00f538eb5ad079f39fc6b6239676a3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2252377/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/284322/

Comments