MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f1f38914a548cd04bb1793d17e50cf8e7b7e0ac027217d5f0aaa6ede159a259. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1f1f38914a548cd04bb1793d17e50cf8e7b7e0ac027217d5f0aaa6ede159a259
SHA3-384 hash: 9ab4722d513e8ade38a525a6d421378d9dd75d01f0e303c275313d6a07587c782bf5daa517a2b72bceb7677d22ba071e
SHA1 hash: d40df68f07e6c869dc5a7289633aae601a50a252
MD5 hash: bf9c876f23f775582d9a6d4db13e6aae
humanhash: venus-red-pennsylvania-gee
File name:setup.bin
Download: download sample
Signature Gozi
Create hunting rule
File size:184'320 bytes
First seen:2020-06-29 09:48:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5a0d0f639f1797acac382c709b4d7769 (3 x RaccoonStealer, 1 x Gozi)
ssdeep 3072:21VtnVGK6LygROhMBxlbl1YS3ZhBN1H6AZX0GEkIA:2tnVGKoZR9bVZHfbJEW
TLSH 6604BF223290D073D05622309864FAE219FDF8715B77D5CB3B943F3EAE726904A7974A
Reporter JAMESWT_WT
Tags:#gozi #isfb Gozi Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/16119/
Detection(s):
SecuriteInfo.com.Malware.PDB-11.UNOFFICIAL
Create hunting rule

Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1f1f38914a548cd04bb1793d17e50cf8e7b7e0ac027217d5f0aaa6ede159a259/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2020-06-29 09:50:05 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=d4ptrekkksgnas5rpe6rpzim7dt3pyfmajzbpvpqvkto3ykzujmq._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  10/10
Tags:
banker trojan family:gozi_ifsb
Link:
https://tria.ge/reports/200629-az9b6ye1v2/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Checks whether UAC is enabled
Modifies Internet Explorer settings
Modifies system certificate store
Gozi, Gozi IFSB
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ursnif
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory
Reference:internal research
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe 1f1f38914a548cd04bb1793d17e50cf8e7b7e0ac027217d5f0aaa6ede159a259

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/16119/
  
URLhaus
https://urlhaus.abuse.ch/url/403149/
  
Delivery method
Distributed via web download

Comments