MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 312a9a4de6d94deacc421063457c830453499c5848ec6c0aefc388c530cfb8f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 312a9a4de6d94deacc421063457c830453499c5848ec6c0aefc388c530cfb8f3
SHA3-384 hash: b5a58dd4cf0b90a52cfa88fdd73ac4d9072323a628b4a2ae65b847a8d461a165118d16a5b4164beee0f989daf6ce5119
SHA1 hash: ca4132d6791c084da38ebf73f83688fc30602ed1
MD5 hash: 712882ad6d85945cd0d81399757e6661
humanhash: glucose-fifteen-burger-stream
File name:712882ad6d85945cd0d81399757e6661.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:368'265 bytes
First seen:2021-03-30 06:55:13 UTC
Last seen:2021-03-30 08:01:11 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 77af713b1f2916ea138f9bb7258cf849 (5 x Gozi)
ssdeep 1536:bepG5ACCny8GenidAHcz92ZIx9FxIl+YkSVoZlP1usBVEwnoxJashnXcX:36lGeExx9FmSSkfBt8
Threatray 173 similar samples on MalwareBazaar
TLSH 1B74AE053BB0C5D9D2A521B44ECD8EA4E924FCAA1F20D21372D975DCBDF9F89262D381
Reporter abuse_ch
Tags:dll Gozi isfb Ursnif

Intelligence

File Origin
# of uploads :
2
# of downloads :
265
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ursnif
Create hunting rule
Link:
https://www.capesandbox.com/analysis/127915/
Detection(s):
SecuriteInfo.com.Trojan.Gozi.796.15439.26254.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/658049
Signature
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 377956 Sample: 4BRIjOEYNf.dll Startdate: 30/03/2021 Architecture: WINDOWS Score: 92 41 Multi AV Scanner detection for domain / URL 2->41 43 Found malware configuration 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 3 other signatures 2->47 8 loaddll32.exe 1 2->8         started        process3 process4 10 cmd.exe 1 8->10         started        12 regsvr32.exe 8->12         started        15 cmd.exe 1 8->15         started        signatures5 17 iexplore.exe 2 86 10->17         started        51 Writes or reads registry keys via WMI 12->51 53 Writes registry values via WMI 12->53 19 rundll32.exe 15->19         started        process6 signatures7 22 iexplore.exe 17->22         started        25 iexplore.exe 17->25         started        27 iexplore.exe 17->27         started        29 6 other processes 17->29 49 Writes registry values via WMI 19->49 process8 dnsIp9 31 fdjjasdoeoriefjd.live 82.118.22.245, 80 GREENFLOID-ASUA Ukraine 22->31 33 paralikulat.website 45.90.58.162, 80 GREENFLOID-ASUA Bulgaria 27->33 35 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49726, 49727 FASTLYUS United States 29->35 37 geolocation.onetrust.com 104.20.185.68, 443, 49714, 49715 CLOUDFLARENETUS United States 29->37 39 11 other IPs or domains 29->39
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/312a9a4de6d94deacc421063457c830453499c5848ec6c0aefc388c530cfb8f3/
Threat name:
Win32.Trojan.Convagent
Create hunting rule
Status:
Malicious
First seen:
2021-03-30 06:56:06 UTC
AV detection:
14 of 47 (29.79%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gevjutpg3fg6vtcccbruk7edarjuthcyjdwgycxpyoemkmgpxdzq._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237
Gozi
10d0cd214468977ca01267d4e74b2ad431595bd12dbc6b04e04a6e50081e6514
Gozi
128674ced35bebfc9dd171633b6570b3c127d89af1ed01f86db8dfc6999450b0
Gozi
2b008fe5818667b064573889db6500c245bddeb65c37facd260fea09e9801eae
Gozi
35375028a2cc4876b5a8476876ad75a037b8c4e303589ce6e9d9c61aaba9f74c
Gozi
472c6d7282d5ad1ea6b8aa3e66fd0b42c1ccf6086a33e16cbab93f423203e4d4
Gozi
4a26633fdd55827fc7a96deb8118e7e70aa360b9fc5e8dc543e66c98bdf987da
Gozi
802033992634317b28a736038b41e264727819a1fd76770e28dd5931779a8833
Gozi
9936eb6847619d6282a4fd83722250b8a760c5431a2ee3a36fc3453565551dde
Gozi
ebb7be9831bb93c4dbb72057ce647791ee53f37a680443793d67cc6a0d9bbf5e
Gozi
+ 163 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:5566 banker trojan
Link:
https://tria.ge/reports/210330-t6tftsjn1a/
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
bing.com
update4.microsoft.com
fdjjasdoeoriefjd.live
paralikulat.website
Unpacked files
SH256 hash:
220f635b3a747e133170eb0dbf2c63c91646b460f4315498a31a176498ca215b
MD5 hash:
4df4258bb725b92568e441970439dff5
SHA1 hash:
8673bd2ab0eb5e60a787c0b75c5b6baeda4cec91
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/a7179445-3195-466d-a5aa-db14beab9ae0/
Parent samples :
5833c87bcb55898337f74a84402e525cab70a611276e3e2faa9e880ff4059ba3
632532e4c584dbacddc365e46d2ce8b219f1f6433ac8dc6d51dc7a29a1a36d35
a67282c6f37a82765eeadefaf4245a2dacba3f6def9c5bf8460e01e38cfff70c
312a9a4de6d94deacc421063457c830453499c5848ec6c0aefc388c530cfb8f3
46eeef418745fe61c1c5bdf6f828339a5cabc45215fe961a9ce235360dc65f3a
2669050ec7f2d8f1def908e09030bc6a0fafcff4ed60c9254f40425a6fb1f887
SH256 hash:
312a9a4de6d94deacc421063457c830453499c5848ec6c0aefc388c530cfb8f3
MD5 hash:
712882ad6d85945cd0d81399757e6661
SHA1 hash:
ca4132d6791c084da38ebf73f83688fc30602ed1
Link:
https://www.unpac.me/results/a7179445-3195-466d-a5aa-db14beab9ae0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
ursnif3
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/312a9a4de6d94deacc421063457c830453499c5848ec6c0aefc388c530cfb8f3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ursnif3
Create hunting rule
Author:kevoreilly
Description:Ursnif Payload
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

DLL dll 312a9a4de6d94deacc421063457c830453499c5848ec6c0aefc388c530cfb8f3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1098494/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/127915/

Comments