MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f22836a61a81e1985074d64fcfcf30f7f94bf198b409531cd5632da1c3f2df7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 12



SHA256 hash: 1f22836a61a81e1985074d64fcfcf30f7f94bf198b409531cd5632da1c3f2df7
SHA3-384 hash: e28ccdd207259f95b5bef28ed9863052baa4eacccbba4952b4b52037e3fea6fab4878842004470a9685b91064dd5b8b0
SHA1 hash: ccaab62608ebf84af6f86a4833835bdec6ea63d9
MD5 hash: 620486432073a19eab114ba312dadb7e
humanhash: bravo-grey-carpet-mike
File name: 22.dll
Signature: Gozi
File size: 291'840 bytes
First seen: 2021-03-03 23:33:43 UTC
Last seen: 2021-03-04 08:15:02 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: 648f24612472602127cb556bb3c471fd (1 x Gozi)
ssdeep: 6144:xG/INKaKs6Pp2dPkukibOwxc+u6QSamDRaWVUHmQaTelN:xsINnv6Pp2uuVbnNRaWVUHmQaKlN
Threatray: 146 similar samples on MalwareBazaar
TLSH: 74541831B401C59BC0A72B39A454E3A477D97C538879A8837BD92FEF6B2F0825C62F51
Reporter: Cryptolaemus1
Tags: 2200 dll Gozi isfb

Intelligence

File Origin
# of uploads: 3
# of downloads: 163
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: MSHTA Spawning Windows Shell
Suspicious powershell command line found
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph (ID: 362479, sample: 22.dll, start date: 04/03/2021, architecture: WINDOWS, score: 100)

Sample root (node 2):
  DNS: c56.lepini.at; resolver1.opendns.com; api3.lepini.at
  Signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 4 other signatures
  Started: mshta.exe (node 9); loaddll32.exe (node 12); mshta.exe (node 14)

mshta.exe (node 9):
  Signatures: Suspicious powershell command line found
  Started: powershell.exe (node 16)

loaddll32.exe (node 12):
  Started: regsvr32.exe (node 19); cmd.exe (node 21); rundll32.exe (node 23)

mshta.exe (node 14):
  Started: powershell.exe (node 25)

powershell.exe (node 16):
  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Compiles code for process injection (via .Net compiler)
  Started: csc.exe (node 28); conhost.exe (node 31)

regsvr32.exe (node 19):
  Signatures: Writes or reads registry keys via WMI; Writes registry values via WMI

cmd.exe (node 21):
  Started: iexplore.exe (node 33)

powershell.exe (node 25):
  Dropped: C:\Users\user\AppData\Local\...\l54sfw4i.0.cs (UTF-8); C:\Users\user\AppData\...\frmdhvpf.cmdline (UTF-8)
  Signatures: Creates a thread in another existing process (thread injection)
  Started: csc.exe (node 35); conhost.exe (node 37)

csc.exe (node 28):
  Dropped: C:\Users\user\AppData\Local\...\fmhqhdsx.dll (PE32)
  Started: cvtres.exe (node 39)

iexplore.exe (node 33):
  Started: iexplore.exe (node 41); iexplore.exe (node 44); iexplore.exe (node 46); 3 other processes

csc.exe (node 35):
  Dropped: C:\Users\user\AppData\Local\...\frmdhvpf.dll (PE32)
  Started: cvtres.exe (node 48)

iexplore.exe (node 41):
  Network: img.img-taboola.com; edge.gycpi.b.yahoodns.net 87.248.118.23, ports 443, 49732, 49733 (YAHOO-DEBDE, United Kingdom); 10 other IPs or domains

iexplore.exe (node 44):
  Network: api10.laptok.at 34.65.108.95, ports 49766, 49767, 49768 (GOOGLE-AS-APGoogleAsiaPacificPteLtdSG, United States)
Threat name: Win32.Backdoor.ZLoader
Status: Suspicious
First seen: 2021-03-03 23:34:19 UTC
File Type: PE (Dll)
Extracted files: 1
AV detection: 9 of 48 (18.75%)
Threat level: 5/5
Result
Malware family: gozi_ifsb
Score: 10/10
Tags: family:gozi_ifsb botnet:2200 banker trojan
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
api10.laptok.at/api1
golang.feel500.at/api1
go.in100k.at/api1
Unpacked files
SHA256 hash: 1f22836a61a81e1985074d64fcfcf30f7f94bf198b409531cd5632da1c3f2df7
MD5 hash: 620486432073a19eab114ba312dadb7e
SHA1 hash: ccaab62608ebf84af6f86a4833835bdec6ea63d9
Please note that we are no longer able to provide a coverage score for Virus Total.
