MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2669050ec7f2d8f1def908e09030bc6a0fafcff4ed60c9254f40425a6fb1f887. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2669050ec7f2d8f1def908e09030bc6a0fafcff4ed60c9254f40425a6fb1f887
SHA3-384 hash: dcd2a47611edbe08af2e24373e1c047fd8aed5bc947227b6de09c3cd6fe4f934f256d33c790a97648601509759b5db66
SHA1 hash: acfa4c388fabff83d95350cd13d543e2b42b2fab
MD5 hash: e72af5335ae4edc445b8159077ef48ed
humanhash: hamper-river-wyoming-queen
File name:e72af5335ae4edc445b8159077ef48ed.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:368'213 bytes
First seen:2021-03-30 07:05:23 UTC
Last seen:2021-03-30 08:01:06 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 77af713b1f2916ea138f9bb7258cf849 (5 x Gozi)
ssdeep 1536:bepG5ACCny8GenidAHcz92ZIx9FxIl+YkSVoZlP1usBVEwnoxJashnXcX:36lGeExx9FmSSkfBt8
Threatray 196 similar samples on MalwareBazaar
TLSH 1874AE053BB0C5D9D2A521B44ECD8EA4E924FCAA1F20D21372D975DCBDF9F89262D381
Reporter abuse_ch
Tags:dll Gozi

Intelligence

File Origin
# of uploads :
2
# of downloads :
172
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ursnif3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/127924/
Detection(s):
SecuriteInfo.com.Trojan.Gozi.796.27823.32219.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Sending an HTTP GET request
Creating a file
Deleting a recently created file
Searching for the window
Sending a custom TCP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/658070
Signature
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 377969 Sample: KBauR285e7.dll Startdate: 30/03/2021 Architecture: WINDOWS Score: 92 33 paralikulat.website 2->33 51 Multi AV Scanner detection for domain / URL 2->51 53 Found malware configuration 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 3 other signatures 2->57 9 loaddll32.exe 1 2->9         started        signatures3 process4 process5 11 cmd.exe 1 9->11         started        13 regsvr32.exe 9->13         started        16 cmd.exe 1 9->16         started        signatures6 18 iexplore.exe 2 101 11->18         started        61 Writes or reads registry keys via WMI 13->61 63 Writes registry values via WMI 13->63 21 rundll32.exe 16->21         started        process7 dnsIp8 35 192.168.2.1 unknown unknown 18->35 24 iexplore.exe 5 152 18->24         started        27 iexplore.exe 18->27         started        29 iexplore.exe 18->29         started        31 4 other processes 18->31 59 Writes registry values via WMI 21->59 signatures9 process10 dnsIp11 37 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49722, 49723 FASTLYUS United States 24->37 39 geolocation.onetrust.com 104.20.184.68, 443, 49710, 49711 CLOUDFLARENETUS United States 24->39 49 8 other IPs or domains 24->49 41 fdjjasdoeoriefjd.live 82.118.22.245, 80 GREENFLOID-ASUA Ukraine 27->41 43 prda.aadg.msidentity.com 31->43 45 login.microsoftonline.com 31->45 47 a.privatelink.msidentity.com 31->47
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2669050ec7f2d8f1def908e09030bc6a0fafcff4ed60c9254f40425a6fb1f887/
Threat name:
Win32.Trojan.Convagent
Create hunting rule
Status:
Malicious
First seen:
2021-03-30 02:02:10 UTC
AV detection:
14 of 48 (29.17%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237
Gozi
10d0cd214468977ca01267d4e74b2ad431595bd12dbc6b04e04a6e50081e6514
Gozi
128674ced35bebfc9dd171633b6570b3c127d89af1ed01f86db8dfc6999450b0
Gozi
2b008fe5818667b064573889db6500c245bddeb65c37facd260fea09e9801eae
Gozi
312a9a4de6d94deacc421063457c830453499c5848ec6c0aefc388c530cfb8f3
Gozi
35375028a2cc4876b5a8476876ad75a037b8c4e303589ce6e9d9c61aaba9f74c
Gozi
472c6d7282d5ad1ea6b8aa3e66fd0b42c1ccf6086a33e16cbab93f423203e4d4
Gozi
802033992634317b28a736038b41e264727819a1fd76770e28dd5931779a8833
Gozi
cecc7c45b526be846e68a05775a05ec1809342b0dc225fd4335ae252e07cd200
Gozi
ebb7be9831bb93c4dbb72057ce647791ee53f37a680443793d67cc6a0d9bbf5e
Gozi
+ 186 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:5566 banker trojan
Link:
https://tria.ge/reports/210330-qwpzytg45e/
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
bing.com
update4.microsoft.com
fdjjasdoeoriefjd.live
paralikulat.website
Unpacked files
SH256 hash:
cb4475124262bc50962a10e63683b3113ae4ef8008110c995c36edc04460fe41
MD5 hash:
d5e5806a67c22dc1ff4432ac7f74afe9
SHA1 hash:
b8f94f843c875941987edee13173baeda35177ac
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/51cac4ad-5d61-4011-bb95-db3014e03104/
Parent samples :
632532e4c584dbacddc365e46d2ce8b219f1f6433ac8dc6d51dc7a29a1a36d35
a67282c6f37a82765eeadefaf4245a2dacba3f6def9c5bf8460e01e38cfff70c
2669050ec7f2d8f1def908e09030bc6a0fafcff4ed60c9254f40425a6fb1f887
SH256 hash:
220f635b3a747e133170eb0dbf2c63c91646b460f4315498a31a176498ca215b
MD5 hash:
4df4258bb725b92568e441970439dff5
SHA1 hash:
8673bd2ab0eb5e60a787c0b75c5b6baeda4cec91
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/51cac4ad-5d61-4011-bb95-db3014e03104/
Parent samples :
5833c87bcb55898337f74a84402e525cab70a611276e3e2faa9e880ff4059ba3
632532e4c584dbacddc365e46d2ce8b219f1f6433ac8dc6d51dc7a29a1a36d35
a67282c6f37a82765eeadefaf4245a2dacba3f6def9c5bf8460e01e38cfff70c
312a9a4de6d94deacc421063457c830453499c5848ec6c0aefc388c530cfb8f3
46eeef418745fe61c1c5bdf6f828339a5cabc45215fe961a9ce235360dc65f3a
2669050ec7f2d8f1def908e09030bc6a0fafcff4ed60c9254f40425a6fb1f887
SH256 hash:
2669050ec7f2d8f1def908e09030bc6a0fafcff4ed60c9254f40425a6fb1f887
MD5 hash:
e72af5335ae4edc445b8159077ef48ed
SHA1 hash:
acfa4c388fabff83d95350cd13d543e2b42b2fab
Link:
https://www.unpac.me/results/51cac4ad-5d61-4011-bb95-db3014e03104/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.14
Link:
https://yomi.yoroi.company/submissions/2669050ec7f2d8f1def908e09030bc6a0fafcff4ed60c9254f40425a6fb1f887

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ursnif3
Create hunting rule
Author:kevoreilly
Description:Ursnif Payload
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

DLL dll 2669050ec7f2d8f1def908e09030bc6a0fafcff4ed60c9254f40425a6fb1f887

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1098498/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/127924/

Comments