MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 267d3265b48b05aeb6ea82ca0f6ba1766108ecab9d7e2a5803c92ea055c53428. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 267d3265b48b05aeb6ea82ca0f6ba1766108ecab9d7e2a5803c92ea055c53428
SHA3-384 hash: f117f72c345118f822a8d73c52bd5607a7bf16743326db6088c48682189aa8e266e6ce719c1d4cae019e75a3c2dd7d86
SHA1 hash: 715b0d42de69ae8a491f32cf595765d884f2f5f1
MD5 hash: 22435f3cc47baeed07370b4821e5a4b5
humanhash: neptune-oregon-salami-six
File name:22435f3cc47baeed07370b4821e5a4b5.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:211'456 bytes
First seen:2021-03-01 07:33:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9669bff9bc879617c752cfe5a950efcb (1 x Gozi)
ssdeep 6144:UzgUzTX27LtnasQqTUpuyGlxjnnMYEpi:UMUzb27hnaBquhvp
TLSH D624AD60B6C2C073D487057468E5C7B51A3ABCB14B2559C7BBE42F3D9E713E28A36782
Reporter abuse_ch
Tags:exe Gozi isfb Ursnif


Avatar
abuse_ch
Gozi C2:
http://klounisoronws.xyz7

Intelligence

File Origin
# of uploads :
1
# of downloads :
227
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
22435f3cc47baeed07370b4821e5a4b5.exe
Verdict:
No threats detected
Analysis date:
2021-03-01 08:05:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3cf566ca-6288-4b95-897d-af3864bbf0fb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Ursnif3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/120146/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Searching for the window
Deleting a recently created file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/621762
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 359872 Sample: 1160UObsXc.exe Startdate: 01/03/2021 Architecture: WINDOWS Score: 92 27 klounisoronws.xyz 2->27 29 Found malware configuration 2->29 31 Multi AV Scanner detection for submitted file 2->31 33 Yara detected  Ursnif 2->33 35 Machine Learning detection for sample 2->35 7 1160UObsXc.exe 2->7         started        10 iexplore.exe 1 50 2->10         started        12 iexplore.exe 1 72 2->12         started        14 2 other processes 2->14 signatures3 process4 signatures5 37 Detected unpacking (changes PE section rights) 7->37 39 Detected unpacking (overwrites its own PE header) 7->39 41 Writes or reads registry keys via WMI 7->41 43 Writes registry values via WMI 7->43 16 iexplore.exe 31 10->16         started        19 iexplore.exe 35 12->19         started        21 iexplore.exe 32 14->21         started        23 iexplore.exe 14->23         started        process6 dnsIp7 25 darwikalldkkalsld.xyz 16->25
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/267d3265b48b05aeb6ea82ca0f6ba1766108ecab9d7e2a5803c92ea055c53428/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2021-03-01 01:11:33 UTC
AV detection:
17 of 48 (35.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ez6teznurmc25nxkqlfa625bozqqr3fltv7cuwadzexkavofgqua._file
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:6565 banker trojan
Link:
https://tria.ge/reports/210301-4mg17sm1ae/
Behaviour
Discovers systems in the same network
Enumerates processes with tasklist
Gathers system information
Modifies Internet Explorer settings
Runs net.exe
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
updates.microsoft.com
klounisoronws.xyz
darwikalldkkalsld.xyz
c1.microsoft.com
ctldl.windowsupdate.com
195.123.209.122
185.82.218.23
5.34.183.180
bloombergdalas.xyz
groovermanikos.xyz
kadskasdjlkewrjk.xyz
Unpacked files
SH256 hash:
ba63c14d0972a3bed8b8813954b4ddeaa8ef733afac9ed3a86372bfc87a2aa97
MD5 hash:
01bbf9a59beeb52288bdec21980db6e7
SHA1 hash:
ca85f5df9b2572f5a1606eeabee646dc871a9712
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/ae5e0b9b-a446-4579-b871-27cad0ad53e1/
Parent samples :
77e3afaec1b7b091e7f1fd3bbfac6aa65216e60d6b6f3c866304913278470f61
33b931c8f19d3ef8b354cc7ca24ebfbb2cdf2b83e5717b1dd7c81cef80238591
9d40d8e5b54507f1e857aaa2c16fd22b7e3eb3c87a72d33a649bd9bc382a21b4
e789b72e2160d3c51e6ab89c99d8bb1075f380f875e8a7bfc8dae20eff3e8388
f7c8f22c944ad9bcf149348cbbe8f404fc69b58fe15977245fc2413f6e327e09
267d3265b48b05aeb6ea82ca0f6ba1766108ecab9d7e2a5803c92ea055c53428
1592f542473e48b5a4ceac2f276254d0e8c4c7f820e500979f2a787bb6e32507
SH256 hash:
267d3265b48b05aeb6ea82ca0f6ba1766108ecab9d7e2a5803c92ea055c53428
MD5 hash:
22435f3cc47baeed07370b4821e5a4b5
SHA1 hash:
715b0d42de69ae8a491f32cf595765d884f2f5f1
Link:
https://www.unpac.me/results/ae5e0b9b-a446-4579-b871-27cad0ad53e1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/267d3265b48b05aeb6ea82ca0f6ba1766108ecab9d7e2a5803c92ea055c53428

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:@ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:Ursnif
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory
Reference:internal research
Rule name:win_dreambot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe 267d3265b48b05aeb6ea82ca0f6ba1766108ecab9d7e2a5803c92ea055c53428

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1030978/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/120146/

Comments