MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2529564b6b5098add59e7e05d56f149adada82897d2a62856d72c1d55062943a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	2529564b6b5098add59e7e05d56f149adada82897d2a62856d72c1d55062943a
SHA3-384 hash:	79c9e87e49262b8fb50915d0543428878f253eb31c0b97874574d252cc3eafb47b96447393539c6961bd3542bd1b80da
SHA1 hash:	2ec9ed0a863ae9f58efeb8b8303a2e069866df49
MD5 hash:	41fba2ad06a0464507da5666e21b8230
humanhash:	carbon-alpha-robin-nebraska
File name:	svs.dll
Download:	download sample
Signature	Gozi Create hunting rule
File size:	1'289'728 bytes
First seen:	2020-03-23 20:23:11 UTC
Last seen:	2020-03-23 21:57:39 UTC
File type:	dll
MIME type:	application/x-dosexec
imphash	63eae35e4792e8e9be82543a9ca90b90 (3 x Gozi)
ssdeep	12288:GeP0p9g9rPfO1i2CUVTfWp+ToIXf3OM6KCgc7Ptevpm9nnc2E7GEiDXlCU8BMYYG:G6S9APfOiifr8wRgX7Avc5TEhiblC2
Threatray	736 similar samples on MalwareBazaar
TLSH	2B559C44AE10B8E5E80BCCB80881D0D7A20D799D1DB5744A358037FEF763A897B6E5F9
Reporter	Anonymous
Tags:	Dreambot Gozi

Intelligence

File Origin

# of uploads :

# of downloads :

1'960

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.Siggen9.22032.6210.6985.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Ursnif

Status:

Malicious

First seen:

2020-03-24 03:57:40 UTC

AV detection:

23 of 31 (74.19%)

Threat level:

5/5

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Gozi

xls 2784a7bc578c5e9a6820bd2475f4a9210af2c08e4f0f44ffec3ae35667260a17

Gozi

DLL dll 2529564b6b5098add59e7e05d56f149adada82897d2a62856d72c1d55062943a

(this sample)

Link

https://orrmingnextyou.xyz/372873/svs.dll

Dropped by

SHA256 2784a7bc578c5e9a6820bd2475f4a9210af2c08e4f0f44ffec3ae35667260a17

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessW KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::SetSystemPowerState KERNEL32.dll::LoadLibraryW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineW KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileW KERNEL32.dll::CreateFileA KERNEL32.dll::RemoveDirectoryW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample