MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2cb2f5884d3c1a02febe53b8c8997d070a4c54dc75628714f829b894cf1c73a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2cb2f5884d3c1a02febe53b8c8997d070a4c54dc75628714f829b894cf1c73a7
SHA3-384 hash: 3a8d2fabd604982a8007adc21e5166945f3594096db3438d8d53dd2366c216b66b20ed3e111434d54fe2ce6b33583b79
SHA1 hash: 4afb78598c94f5a1078a1cf3f30f3ed4495f31d6
MD5 hash: a88eb1440652a0e919ae2a9a8dac1dae
humanhash: mike-magnesium-florida-wyoming
File name:readme.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:1'078'784 bytes
First seen:2022-03-17 09:31:05 UTC
Last seen:2022-04-20 10:20:51 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 29b0a68551a99728af2da380e4cc5074 (2 x Gozi)
ssdeep 12288:jP8LPFKkgEUAa+Mp1YEZdFyHkvs0ky268wdiWTNLxJO3vp7WnUa5prq+KHrstj:LEPFGiatMEvsIfdi0Svp7WU2rzKH0
Threatray 507 similar samples on MalwareBazaar
TLSH T15D356C22BE9E4437C17A2A389D2F576868397E103928686F27F41D4CDF397417C252AF
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter JAMESWT_WT
Tags:dll exe Gozi isfb mise Ursnif

Intelligence

File Origin
# of uploads :
5
# of downloads :
413
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/251800/
Detection(s):
SecuriteInfo.com.FileRepMalwareBot.27810.12079.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe greyware keylogger replace.exe
Link:
https://www.filescan.io/uploads/623300170cd58dbd92ad4683/reports/256a4406-3044-4608-8952-371f5c621f51/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6d7a99d4-d90a-4630-b3d2-2ea061e0c5a5
Result
Threat name:
Ursnif CryptOne
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/958569
Signature
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Found malware configuration
Multi AV Scanner detection for domain / URL
Sigma detected: Suspicious Call by Ordinal
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Yara detected CryptOne packer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 591049 Sample: readme.exe Startdate: 17/03/2022 Architecture: WINDOWS Score: 100 55 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->55 57 Multi AV Scanner detection for domain / URL 2->57 59 Found malware configuration 2->59 61 4 other signatures 2->61 8 loaddll32.exe 7 2->8         started        12 iexplore.exe 1 50 2->12         started        14 iexplore.exe 1 73 2->14         started        16 2 other processes 2->16 process3 dnsIp4 49 premiumlists.ru 8->49 51 linkspremium.ru 8->51 53 atmospheri.top 8->53 63 Writes or reads registry keys via WMI 8->63 65 Writes registry values via WMI 8->65 67 Contains functionality to detect sleep reduction / modifications 8->67 18 cmd.exe 1 8->18         started        20 iexplore.exe 31 12->20         started        23 iexplore.exe 31 14->23         started        25 iexplore.exe 33 16->25         started        27 iexplore.exe 16->27         started        signatures5 process6 dnsIp7 29 rundll32.exe 18->29         started        37 31.41.46.120, 49792, 49793, 49794 ASRELINKRU Russian Federation 20->37 39 atmospheri.top 20->39 41 linkspremium.ru 62.173.149.135, 49778, 49779, 49801 SPACENET-ASInternetServiceProviderRU Russian Federation 23->41 43 atmospheri.top 23->43 45 premiumlists.ru 45.128.184.132, 49788, 49789, 49824 MGNHOST-ASRU Russian Federation 25->45 47 127.0.0.1 unknown unknown 25->47 process8 signatures9 69 Contains functionality to detect sleep reduction / modifications 29->69 32 WerFault.exe 23 9 29->32         started        process10 dnsIp11 35 192.168.2.1 unknown unknown 32->35
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2cb2f5884d3c1a02febe53b8c8997d070a4c54dc75628714f829b894cf1c73a7/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2022-03-17 10:14:59 UTC
File Type:
PE (Dll)
Extracted files:
140
AV detection:
19 of 27 (70.37%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
2603f6890e3c3d47696b37c47516ac2e9f35e6805653f467a0a22de2b88defc8
Gozi
388022f82cf14f03e13aac05209d02e26685ae97c45077b64bdbab3e7fa44f17
Gozi
410eb4b06644f073370230650fe0624ce5dc6e18481b2e85930865a5a3984160
Gozi
4eae1c5ebdb7b2021913b37477077bde0177579b6f8d43a49bd8a202b45657f4
Gozi
9f67885dc039a8378a81b3b4edb035a4e7c0e0a4e128ac4aa60232fff8e67acd
Gozi
d61ee5e7b17684983ea9049f719beb05978a813638f53f7625e970bae1c2abd7
Gozi
+ 497 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:7624 banker trojan
Link:
https://tria.ge/reports/220317-lhmq5abbak/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
atmospheri.top
linkspremium.ru
premiumlists.ru
Unpacked files
SH256 hash:
58de73de95351b4fd22ad38a2ee6190d59e5d28c2258121d10456429e2bd9e46
MD5 hash:
6ab937d5483abf12e17e8da8a35cbe09
SHA1 hash:
faba2946763f55ee8a0ee45754086fc9e395553a
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/aade804e-f01f-405b-a015-f4ad0f120e5d/
Parent samples :
2cb2f5884d3c1a02febe53b8c8997d070a4c54dc75628714f829b894cf1c73a7
193c641aa9ed7092639694239d0f477f02ab493d3c525917613a13490533b9fd
SH256 hash:
e105922d77028c891b36eaeda9e536e9bbfbd6de6f78219e49e1d7c83fa67d93
MD5 hash:
7c30a730ae6a19fd39377ac70dde1aa0
SHA1 hash:
63bb79daadf84081827394ab27652436ded7b53e
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/aade804e-f01f-405b-a015-f4ad0f120e5d/
Parent samples :
2cb2f5884d3c1a02febe53b8c8997d070a4c54dc75628714f829b894cf1c73a7
193c641aa9ed7092639694239d0f477f02ab493d3c525917613a13490533b9fd
SH256 hash:
2cb2f5884d3c1a02febe53b8c8997d070a4c54dc75628714f829b894cf1c73a7
MD5 hash:
a88eb1440652a0e919ae2a9a8dac1dae
SHA1 hash:
4afb78598c94f5a1078a1cf3f30f3ed4495f31d6
Link:
https://www.unpac.me/results/aade804e-f01f-405b-a015-f4ad0f120e5d/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/2cb2f5884d3c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.26
Link:
https://yomi.yoroi.company/submissions/2cb2f5884d3c1a02febe53b8c8997d070a4c54dc75628714f829b894cf1c73a7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/251800/

Comments