MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 310ac7c48b536f71a16706f67fd4d2bed5d9f5708dd460cf3cbc0cd34f43a3ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 310ac7c48b536f71a16706f67fd4d2bed5d9f5708dd460cf3cbc0cd34f43a3ed
SHA3-384 hash: 4a5be9e1f7ca94fe96ed520a02ceaf51684b2157274cc82dbcf29c7c4ecba3e8a92f3a78eddac41ed926927df57ac2d6
SHA1 hash: d3c22e099df48f78765bba4b64e3f006a9e0bcdd
MD5 hash: 7e98e8fbf2fec9c9d36896a08a26a97f
humanhash: zebra-washington-magazine-butter
File name:7e98e8fbf2fec9c9d36896a08a26a97f.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:380'928 bytes
First seen:2021-03-30 12:53:15 UTC
Last seen:2021-03-30 14:14:58 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash e735d9365950e14300009b933a49b131 (1 x Gozi)
ssdeep 6144:NbP57UDV0iDt00LKwwmFxDa9oNiEZ/LbseQB7G9wRENL:NbsV5t0gkgDa9oNiEZ/LbFQmrL
Threatray 203 similar samples on MalwareBazaar
TLSH 8D848B02EAA0C034F5B307B945B747549B7E7DF19B3885CBA2D4259E1A2B6E0AF30753
Reporter abuse_ch
Tags:dll geo Gozi isfb ITA Ursnif

Intelligence

File Origin
# of uploads :
2
# of downloads :
264
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ursnif3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/128037/
Detection(s):
SecuriteInfo.com.ML.PE-A.17592.18254.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Creating a window
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/658474
Signature
Found malware configuration
Multi AV Scanner detection for submitted file
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 378168 Sample: AOGfYHJwin.dll Startdate: 30/03/2021 Architecture: WINDOWS Score: 80 35 Found malware configuration 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 Yara detected  Ursnif 2->39 41 Yara detected  Ursnif 2->41 8 loaddll32.exe 1 2->8         started        process3 process4 10 regsvr32.exe 8->10         started        13 cmd.exe 1 8->13         started        15 cmd.exe 1 8->15         started        signatures5 43 Writes or reads registry keys via WMI 10->43 45 Writes registry values via WMI 10->45 17 iexplore.exe 1 83 13->17         started        20 rundll32.exe 15->20         started        process6 dnsIp7 27 192.168.2.1 unknown unknown 17->27 22 iexplore.exe 152 17->22         started        25 iexplore.exe 25 17->25         started        process8 dnsIp9 29 edge.gycpi.b.yahoodns.net 87.248.118.23, 443, 49747, 49748 YAHOO-DEBDE United Kingdom 22->29 31 prod.appnexus.map.fastly.net 151.101.1.108, 443, 49749, 49750 FASTLYUS United States 22->31 33 12 other IPs or domains 22->33
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/310ac7c48b536f71a16706f67fd4d2bed5d9f5708dd460cf3cbc0cd34f43a3ed/
Threat name:
Win32.Worm.Cridex
Create hunting rule
Status:
Malicious
First seen:
2021-03-30 12:54:07 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gefmprelknxxdilha33h7vgsx3k5t5lqrxkgbtz4xqgngt2dupwq._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237
Gozi
10d0cd214468977ca01267d4e74b2ad431595bd12dbc6b04e04a6e50081e6514
Gozi
128674ced35bebfc9dd171633b6570b3c127d89af1ed01f86db8dfc6999450b0
Gozi
2669050ec7f2d8f1def908e09030bc6a0fafcff4ed60c9254f40425a6fb1f887
Gozi
35375028a2cc4876b5a8476876ad75a037b8c4e303589ce6e9d9c61aaba9f74c
Gozi
46eeef418745fe61c1c5bdf6f828339a5cabc45215fe961a9ce235360dc65f3a
Gozi
4a26633fdd55827fc7a96deb8118e7e70aa360b9fc5e8dc543e66c98bdf987da
Gozi
9936eb6847619d6282a4fd83722250b8a760c5431a2ee3a36fc3453565551dde
Gozi
cecc7c45b526be846e68a05775a05ec1809342b0dc225fd4335ae252e07cd200
Gozi
ebb7be9831bb93c4dbb72057ce647791ee53f37a680443793d67cc6a0d9bbf5e
Gozi
+ 193 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:8877 banker trojan
Link:
https://tria.ge/reports/210330-wcqfltlde2/
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
ocsp.digicert.com
aus5.mozilla.org
palominoloopus.website
dresdengrauwes.website
Unpacked files
SH256 hash:
bcec613c36cd6b52b1b2e61742639e7943c3314f8005d2776bf562fcac2f2bdc
MD5 hash:
fa5749e80582e759f7e90b76067eb76a
SHA1 hash:
227de8b9d5719566aea14a5ace64101935378bcf
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/74cdf399-c577-41f0-9403-23e13bdbc7de/
SH256 hash:
310ac7c48b536f71a16706f67fd4d2bed5d9f5708dd460cf3cbc0cd34f43a3ed
MD5 hash:
7e98e8fbf2fec9c9d36896a08a26a97f
SHA1 hash:
d3c22e099df48f78765bba4b64e3f006a9e0bcdd
Link:
https://www.unpac.me/results/74cdf399-c577-41f0-9403-23e13bdbc7de/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/310ac7c48b536f71a16706f67fd4d2bed5d9f5708dd460cf3cbc0cd34f43a3ed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ursnif3
Create hunting rule
Author:kevoreilly
Description:Ursnif Payload
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

DLL dll 310ac7c48b536f71a16706f67fd4d2bed5d9f5708dd460cf3cbc0cd34f43a3ed

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1099147/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/128037/

Comments