MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2603f6890e3c3d47696b37c47516ac2e9f35e6805653f467a0a22de2b88defc8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 11



SHA256 hash: 2603f6890e3c3d47696b37c47516ac2e9f35e6805653f467a0a22de2b88defc8
SHA3-384 hash: 6a9c9d4f58b54c5b9c1098d435a8e44c7d335181d0cbf670326ba6e723ee36b535e105a27b107f59fee5a34b67d7c349
SHA1 hash: 302f8aa0b2c284634a06098c9a8f0a81ea10e402
MD5 hash: 99eb077df2ad3f8678d7d80e0b240682
humanhash: batman-bacon-harry-three
File name: image.dll
Download: download sample
Signature: Gozi
File size: 515'312 bytes
First seen: 2022-02-08 13:23:50 UTC
Last seen: 2022-02-08 13:44:20 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9224affad59e38bb713e15dad5464671 (1 x Gozi)
ssdeep: 12288:vF8165G8Ku+u5S8TAkir0ejSrAJ+nxI6bj7nR66WbFznwt9fjd1c/Fb35vaqsZKO:vFgg9Ku+uzCFn2xI6bj7nR66WbFznwt1
Threatray: 520 similar samples on MalwareBazaar
TLSH: T16BB4BF6372CDEE26E759153D7A9403F29D41F409C73984E7E9A0B49A9089FBA0DB0FC1
Reporter: JAMESWT_WT
Tags: agenziaentrate dll exe Gozi isfb Ursnif

Intelligence


File Origin
# of uploads: 2
# of downloads: 375
Origin country: n/a
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: image.dll
Verdict: Malicious activity
Analysis date: 2022-02-08 14:20:28 UTC
Tags: trojan gozi ursnif dreambot

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour
DNS request
Using the Windows Management Instrumentation requests
Launching a process
Searching for synchronization primitives
Creating synchronization primitives
Creating a window
Sending an HTTP GET request
Searching for the window
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
CheckCmdLine
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: greyware keylogger overlay packed shell32.dll update.exe
Result
Verdict: SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Behaviour
Behavior Graph: n/a
Threat name: Win32.Trojan.Ursnif
Status: Malicious
First seen: 2022-02-08 13:25:33 UTC
File Type: PE (Dll)
Extracted files: 16
AV detection: 15 of 28 (53.57%)
Threat level: 5/5
Result
Malware family: gozi_ifsb
Score: 10/10
Tags: family:gozi_ifsb botnet:7611 banker trojan
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
premiumliner.top
premiumline.space
linkspremium.ru
premiumlists.ru
Unpacked files
SHA256 hash: 4e59f11fff0f1110d9d591e8eac1f87eeb9465f2c6b5201a041abc1e633bfbcc
MD5 hash: 04e663fa970375b70a943e3c88d56a1f
SHA1 hash: 95ed23ae54e634c5b4330abbfb1911a5e69554b2
Detections: win_isfb_auto
SHA256 hash: 0c223203653cf2d11caeea76d723e11a380bf1243837763e0a293651e4538222
MD5 hash: fbc660ec3ec280e790e6fff9d35ebe26
SHA1 hash: 89d06762ee8b64457866de2f5b1feed891d7d212
Detections: win_isfb_auto
SHA256 hash: 2603f6890e3c3d47696b37c47516ac2e9f35e6805653f467a0a22de2b88defc8
MD5 hash: 99eb077df2ad3f8678d7d80e0b240682
SHA1 hash: 302f8aa0b2c284634a06098c9a8f0a81ea10e402
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Gozi
File type: Executable exe
SHA256 hash: 2603f6890e3c3d47696b37c47516ac2e9f35e6805653f467a0a22de2b88defc8 (this sample)

Delivery method
Distributed via web download

Comments