MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2cc1c3bd97262adacd9db09f5f42c0e7203a64f5dc9701bef0affaa75c444bd1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gozi


Vendor detections: 9



SHA256 hash: 2cc1c3bd97262adacd9db09f5f42c0e7203a64f5dc9701bef0affaa75c444bd1
SHA3-384 hash: 4a30e0fb2c40d59316166aacbd0b43c8dee7338ac025ac6d372626fff5f530c37d601fb9bab91e0251b21b14bf38b798
SHA1 hash: 5f239376302476ad1b46cf4020a2c02a5ec2d516
MD5 hash: d9750a24b16a6e1586f51692c2f25aef
humanhash: spring-finch-magazine-magnesium
File name: xspcd1.dll
Signature: Gozi
File size: 220'160 bytes
First seen: 2020-12-03 15:18:01 UTC
Last seen: 2020-12-03 17:00:00 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash: e52c56c636c7f737590c4c91e79b2a8e (5 x Gozi)
ssdeep: 3072:tO+b0Q1QZQ6QuQP1pNOtcR1sGFHlx5QN0SGrgv+iwTGH9ZZSTPCEyS+Vja8ziryL:txD1bOaR1Hbg0vr2+30ZSDCFZW8u2
Threatray: 118 similar samples on MalwareBazaar
TLSH: 0B24C0643194C07AE40714B58C06C7A196B93D706B66AECB7BC9AE3B9F305A5BF343C1
Reporter: JAMESWT_WT
Tags: dll Gozi isfb pw 5236721 Ursnif

Intelligence


File Origin
# of uploads: 2
# of downloads: 446
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Searching for the window
Result
Verdict: SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
bank.troj
Score:
68 / 100
Signature
Creates a COM Internet Explorer object
Found malware configuration
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph (ID: 326514; Sample: xspcd1.dll; Start date: 03/12/2020; Architecture: WINDOWS; Score: 68)
Sample-level signatures: Found malware configuration; Yara detected Ursnif
Process tree:
  loaddll32.exe (started by sample)
    signatures: Writes or reads registry keys via WMI; Writes registry values via WMI; Creates a COM Internet Explorer object
    rundll32.exe (started)
      signatures: Writes registry values via WMI; Creates a COM Internet Explorer object
    rundll32.exe (started)
    rundll32.exe (started)
  iexplore.exe (started by sample)
    iexplore.exe (started)
    iexplore.exe (started)
    iexplore.exe (started)
    iexplore.exe (started)
Threat name:
Win32.Trojan.Ursnif
Status:
Malicious
First seen:
2020-12-03 14:41:37 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
25 of 29 (86.21%)
Threat level: 5/5
Result
Malware family:
gozi_ifsb
Score: 10/10
Tags:
family:gozi_ifsb banker trojan
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Unpacked files
SHA256 hash: 2cc1c3bd97262adacd9db09f5f42c0e7203a64f5dc9701bef0affaa75c444bd1
MD5 hash: d9750a24b16a6e1586f51692c2f25aef
SHA1 hash: 5f239376302476ad1b46cf4020a2c02a5ec2d516
SHA256 hash: 7534dbbc47cecf43fb9e4f419f056984c245964e48fe420d658b0537bc6a2461
MD5 hash: 32f9935ff8af42677020e6f0b3ad20bb
SHA1 hash: 78c0653cd1748e4ae3cb682a93ecb8ae5604721a
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments