MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b120acc21bb146f94d229b7efeef732ab31dc9874fa00174f61e7673982a309. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2b120acc21bb146f94d229b7efeef732ab31dc9874fa00174f61e7673982a309
SHA3-384 hash: df6a70d4cba40e9c238fa5d0a27515291a37c2dd1c45402aa3ee30db6366d048d81d8b48b421fc7db3973083ffe6b7c8
SHA1 hash: 39d33f5c7aa2364f0f345f566946758ad3af80d4
MD5 hash: 75dd85a6d1389e53fb125ebd9d2711a3
humanhash: california-burger-five-salami
File name:75dd85a6d1389e53fb125ebd9d2711a3.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:193'024 bytes
First seen:2020-11-28 10:52:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 146e7fadf37dc1a6aabb0951b715f04e (1 x Glupteba, 1 x SystemBC, 1 x ArkeiStealer)
ssdeep 3072:Y4cYSAmimVnYVVfoaxG2JgvlsJU/GLDUdx6SkIQWW:npWVVneVgcGGgsJHYrP
Threatray 640 similar samples on MalwareBazaar
TLSH 05149D2034D1C032E59B293508F1D7B52A6ABCB55B244ACBBBD42B6E6F313E28735747
Reporter abuse_ch
Tags:exe Gozi isfb Ursnif


Avatar
abuse_ch
Gozi C2:
http://loadshemsplot.xyz/images/

Intelligence

File Origin
# of uploads :
1
# of downloads :
426
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/105907/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Creating a file
Searching for the window
Sending a custom TCP request
Sending a UDP request
Deleting a recently created file
Sending an HTTP GET request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/550022
Signature
Creates a COM Internet Explorer object
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 324124 Sample: 2tsY1gtYQe.exe Startdate: 28/11/2020 Architecture: WINDOWS Score: 100 36 microsoftwindows.112.2o7.net 2->36 38 mem.gfx.ms 2->38 40 2 other IPs or domains 2->40 54 Multi AV Scanner detection for domain / URL 2->54 56 Found malware configuration 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 2 other signatures 2->60 7 2tsY1gtYQe.exe 2->7         started        10 iexplore.exe 1 50 2->10         started        12 iexplore.exe 1 72 2->12         started        15 iexplore.exe 1 50 2->15         started        signatures3 process4 dnsIp5 62 Detected unpacking (changes PE section rights) 7->62 64 Detected unpacking (overwrites its own PE header) 7->64 66 Writes or reads registry keys via WMI 7->66 68 2 other signatures 7->68 17 iexplore.exe 31 10->17         started        42 microsoftwindows.112.2o7.net 12->42 44 mem.gfx.ms 12->44 46 assets.onestore.ms 12->46 20 iexplore.exe 3 83 12->20         started        48 microsoftwindows.112.2o7.net 15->48 50 mem.gfx.ms 15->50 52 assets.onestore.ms 15->52 22 iexplore.exe 37 15->22         started        signatures6 process7 dnsIp8 24 loadshemsplot.xyz 185.219.220.94, 80 SERVINGADE Sweden 17->24 26 liveperson.map.fastly.net 151.101.1.192, 443, 49756, 49757 FASTLYUS United States 20->26 28 cs1227.wpc.alphacdn.net 192.229.221.185, 443, 49773, 49774 EDGECASTUS United States 20->28 34 8 other IPs or domains 20->34 30 publisher.liveperson.net 22->30 32 accdn.lpsnmedia.net 22->32
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2b120acc21bb146f94d229b7efeef732ab31dc9874fa00174f61e7673982a309/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2020-11-26 12:47:16 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
08fd0983b9d0d9cd5947e885da8031fdf54d02a89a5d274e1c18bc8967bdde00
Gozi
1302b4037bd0759b5eac425cf3b4333621d2357c8d7d26f910a3473d8618b739
Gozi
1b3b5a0f763692e182e4ec002a871aa61c91341a448dd3241ff7c5d0be094f66
Gozi
2900169349643be6f77530141614eeac56e7b22387b9acf866ed4e4922e32401
Gozi
493d258253c3d4b39ae41b07ae583164926731a9d1b17c434cca2b8fa9c80629
Gozi
733cbecbe9469a90f40dc38448866df368238aac203fa9c986cd6b45d8057aa7
Gozi
7f78709da704f5fe0f08e67661f668381028e7649ec06028b89fb43947ee4d8d
Gozi
c4e6f5cfecd2f30e47b684e5e57a6a9c9b03853546959baaf39e5948b7c9e15b
Gozi
d365d2272c6be7f3420d9083251496bfa2f48e4b2ac2f3563b65c3b246714a18
Gozi
e32ad2423fd1079505a65a44d9e0a4ea2c60821336b27e52930feaf5382a3536
Gozi
+ 630 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb banker trojan
Link:
https://tria.ge/reports/201128-a1gtvgqyf2/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
JavaScript code in executable
Gozi, Gozi IFSB
Unpacked files
SH256 hash:
383a879e9fed267d56559b411722068aaf381e5266e3d771f31cf200f79a487d
MD5 hash:
84dda945b7969e5ad48a4beae94557c1
SHA1 hash:
75fb966bae2027934720c1dbd92e3cddb13518ac
Link:
https://www.unpac.me/results/bc09f863-c5b0-4cc6-8383-4d23141806b0/
SH256 hash:
f1507a6f359a3e53cfde1c5331d068313326b97275092a0509856bd1f27375a6
MD5 hash:
faacab4d25d4e0ac232826b13d6ffecb
SHA1 hash:
5113855e3f29f44f1a923e2833ab94586853cc62
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/bc09f863-c5b0-4cc6-8383-4d23141806b0/
SH256 hash:
2b120acc21bb146f94d229b7efeef732ab31dc9874fa00174f61e7673982a309
MD5 hash:
75dd85a6d1389e53fb125ebd9d2711a3
SHA1 hash:
39d33f5c7aa2364f0f345f566946758ad3af80d4
Link:
https://www.unpac.me/results/bc09f863-c5b0-4cc6-8383-4d23141806b0/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ursnif3
Create hunting rule
Author:kevoreilly
Description:Ursnif Payload
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe 2b120acc21bb146f94d229b7efeef732ab31dc9874fa00174f61e7673982a309

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/858427/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/105907/

Comments