MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d20fa945e25833b10535bfc615993248c6d82daa04c1213f1104d4c9d8cfa94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 9

SHA256 hash: 2d20fa945e25833b10535bfc615993248c6d82daa04c1213f1104d4c9d8cfa94
SHA3-384 hash: 59bf8037bfd81a9e5c3be299132567723e66b9fc0617af5729e0927148c874b423845d88a217720d3a382192f30918f2
SHA1 hash: bf47560f6e59d10534317117bdbabc9be229d583
MD5 hash: 178c55236d82c3930d7a4d4c309a8fd9
humanhash: nuts-johnny-glucose-november
File name: 62cfe30cd8021.dll
Signature: Gozi
File size: 311'296 bytes
First seen: 2022-07-14 09:35:31 UTC
Last seen: 2022-07-14 21:56:42 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: 8974cf62dee35f19d9a6f6e00985fc9e (2 x Gozi)
ssdeep: 6144:E8HrNL3Dk5OcwNGHiPEpbLWfh6cDeG/1Gc1wr5otRYMC:E8LNL3I1wNGHicpfW4cDeG/Dy5xx
TLSH: T16E64E150B200A29FE8DB50BF23D8F3E14F0859C807A8501ED44534B5AEF5BD665E7BEA
TrID:
  43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  27.6% (.EXE) Win64 Executable (generic) (10523/12/4)
  13.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
  5.3% (.EXE) OS/2 Executable (generic) (2029/13)
  5.2% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter: JAMESWT_WT
Tags: agenziaentrate dll Gozi isfb ITA Ursnif

Intelligence


File Origin
# of uploads: 3
# of downloads: 667
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: bank.troj.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph:
Behavior graph (rendered figure, not reproduced here). Behavior Graph ID: 663724; Sample: 62cfe30cd8021.dll; Startdate: 14/07/2022; Architecture: WINDOWS; Score: 100.
Process tree recorded in the graph: loaddll32.exe -> cmd.exe -> rundll32.exe -> control.exe -> explorer.exe (injected) -> cmd.exe -> conhost.exe and PING.EXE; three WerFault.exe instances also start under loaddll32.exe. A second chain is mshta.exe -> powershell.exe -> csc.exe (x2) -> cvtres.exe, plus conhost.exe; the two csc.exe instances drop C:\Users\user\AppData\Local\...\114nbqzy.dll and C:\Users\user\AppData\Local\...\xudfcdkv.dll (PE32). explorer.exe also injects into RuntimeBroker.exe.
Network nodes: rundll32.exe connects to 46.21.153.252, port 80 (HVC-ASUS Netherlands); WerFault.exe contacts 192.168.2.1 (unknown). The signature nodes attached to these processes are the same signatures listed above.
Threat name: Win32.Trojan.Zenpak
Status: Malicious
First seen: 2022-07-14 09:36:05 UTC
File Type: PE (Dll)
AV detection: 20 of 26 (76.92%)
Threat level: 5/5
Verdict: malicious
Label(s):

Result
Malware family: gozi_ifsb
Score: 10/10
Tags: family:gozi_ifsb botnet:3000 banker trojan
Behaviour
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
config.edge.skype.com
46.21.153.252
79.110.52.241
kimzooxl.at
Unpacked files
SHA256 hash: 2d20fa945e25833b10535bfc615993248c6d82daa04c1213f1104d4c9d8cfa94
MD5 hash: 178c55236d82c3930d7a4d4c309a8fd9
SHA1 hash: bf47560f6e59d10534317117bdbabc9be229d583
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: win_isfb_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.isfb.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments