MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2dbf55098bbfc12d8366e80b682bd5dfac4a328470d6b00bd0d5eec7e989cb6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 7



SHA256 hash: 2dbf55098bbfc12d8366e80b682bd5dfac4a328470d6b00bd0d5eec7e989cb6c
SHA3-384 hash: 43bf4fae5d092bc6efaa4a98950c15c697b4e0bab6ab92762fdf4c7947576dfaa6eb8570b7aca81de8883f2efb14c401
SHA1 hash: 3f3ebebc3c15663a6566090a025924a0d075cdd8
MD5 hash: 2de7b395e585c5a1656c0979d903819e
humanhash: black-freddie-fourteen-venus
File name: preview.jpg.dll
Signature: Gozi
File size: 470'528 bytes
First seen: 2021-03-02 05:29:57 UTC
Last seen: 2021-03-02 07:54:51 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: 89f5158c586941bb845571bd919ec59c (1 x Gozi)
ssdeep: 12288:Bij6nJyPF24lFGcZMybNrX2auiSoDeGTg:Bij9FzlFzNfg
TLSH: C6A45A05B26AC5A7E07594B9EC11C6FD4BD93C90CD24D867BAC61F2FB87F890A612133
Reporter: JAMESWT_WT
Tags: dll Gozi isfb italy Ursnif vodafone

Intelligence

File Origin
# of uploads: 2
# of downloads: 202
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:
Behaviour: Sending a UDP request

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: troj
Score: 68 / 100
Signature:
Sigma detected: Execute DLL with spoofed extension
Sigma detected: Register DLL with spoofed extension
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph (ID 360593; sample: preview.jpg.dll; start date: 02/03/2021; architecture: WINDOWS; score: 68)
Signatures: Yara detected Ursnif; Sigma detected: Register DLL with spoofed extension; Sigma detected: Execute DLL with spoofed extension
Process tree: loaddll32.exe -> rundll32.exe (Writes registry values via WMI), cmd.exe, regsvr32.exe; cmd.exe -> iexplore.exe -> iexplore.exe, iexplore.exe
Network: edge.gycpi.b.yahoodns.net (87.248.118.23, 443, 49741, 49742; YAHOO-DEBDE, United Kingdom); tls13.taboola.map.fastly.net (151.101.1.44, 443, 49735, 49736; FASTLYUS, United States); 10 other IPs or domains
Result
Malware family: gozi_ifsb
Score: 10/10
Tags: family:gozi_ifsb botnet:7253 banker trojan
Behaviour: Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
web.vortex.data.microsoft.com
ocsp.sca1b.amazontrust.com
stasecrets.com
Unpacked files
SHA256 hash: 019dab90f723efa1fb47f3269186ac209204e800d663c3ea02941021d190f0a8
MD5 hash: 9ac62513cffd2e1063d6d706a80da601
SHA1 hash: 9eafe165076fea3ede4ba3260e2fb995922d0932
Detections: win_isfb_auto
SHA256 hash: 2dbf55098bbfc12d8366e80b682bd5dfac4a328470d6b00bd0d5eec7e989cb6c
MD5 hash: 2de7b395e585c5a1656c0979d903819e
SHA1 hash: 3f3ebebc3c15663a6566090a025924a0d075cdd8
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Gozi
File type: DLL
SHA256 hash: 2dbf55098bbfc12d8366e80b682bd5dfac4a328470d6b00bd0d5eec7e989cb6c (this sample)
