MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31ace401668e11cf7874612cc2ce412dcb2ea96428e14f55364cde9214826023. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 9

SHA256 hash: 31ace401668e11cf7874612cc2ce412dcb2ea96428e14f55364cde9214826023
SHA3-384 hash: 03e08c8f352a6fc26aa9c12794785bf48cdf471fd562dd8f555e42a5f3bd0f63e1137f0da0cb112365eb8ecdfcf1514b
SHA1 hash: 6ef252db67b1a0fe9b28c01cc6b7206fcb94a731
MD5 hash: 6dc320da82bfe9f897cd02fcd83c5d9b
humanhash: foxtrot-carolina-xray-twenty
File name: xspcd10.dll
Signature: Gozi
File size: 220,160 bytes
First seen: 2020-12-03 11:18:28 UTC
Last seen: 2020-12-03 12:53:38 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: e52c56c636c7f737590c4c91e79b2a8e (5 x Gozi)
ssdeep: 3072:tO+b0Q1QZQ6QuQP1pNOtcR1sGFHlx5QN0SGrgv+iwTmH9ZZSTPCEyS+Vja8ziryL:txD1bOaR1Hbg0vr2+3kZSDCFZW8u2
Threatray: 112 similar samples on MalwareBazaar
TLSH: 4A24C0643194C07AE40714B58C06C7A196B93D706B66AECB7BC9AE3B9F305A5BF343C1
Reporter: JAMESWT_WT
Tags: dll Gozi isfb pw 5236721 pw 8564121 Ursnif
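The entry lists four digests (SHA256, SHA3-384, SHA1, MD5) plus an MD5/SHA1 pair for the unpacked file. Before acting on a downloaded sample, or sweeping a host for it, a practitioner recomputes those digests rather than trusting the filename. The script below is an added example written for this page, not MalwareBazaar's or abuse.ch's own code: it verifies an in-memory buffer or a file against the digests copied from this entry, and sweeps a set of files for the entry's SHA256 values. The buffers it hashes in the demo are constructed placeholders, not the Gozi sample; only the hex digests in the constants come from the page.

```python
"""Verify a sample against this MalwareBazaar entry and sweep files for its hashes.

Added example for this page (not abuse.ch code). ENTRY_HASHES and UNPACKED_SHA256
are copied from the entry; every buffer hashed in the demo is constructed data.
"""
import hashlib
import os
from typing import Dict, Iterable, List, Tuple

# Digests listed on the entry for xspcd10.dll.
ENTRY_HASHES: Dict[str, str] = {
    "sha256": "31ace401668e11cf7874612cc2ce412dcb2ea96428e14f55364cde9214826023",
    "sha3_384": "03e08c8f352a6fc26aa9c12794785bf48cdf471fd562dd8f555e42a5f3bd0f63"
                "e1137f0da0cb112365eb8ecdfcf1514b",
    "sha1": "6ef252db67b1a0fe9b28c01cc6b7206fcb94a731",
    "md5": "6dc320da82bfe9f897cd02fcd83c5d9b",
}
# Second file under "Unpacked files" on the entry.
UNPACKED_SHA256 = "dacaaf1439b3bf88dba3dde71d38549bd6004c064f4cbab02cb5814fc476d50c"

# hashlib algorithm names matching the entry's four digest types.
ALGOS = ("sha256", "sha3_384", "sha1", "md5")


def digest_bytes(data: bytes) -> Dict[str, str]:
    """All four digests over one in-memory buffer."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGOS}


def digest_stream(fh, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Same digests over a binary file object, streamed in chunks."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_sample(data: bytes, expected: Dict[str, str]) -> List[str]:
    """Names of the digests in `expected` that do NOT match `data`.

    An empty list means every listed digest matches. A partial mismatch
    (say MD5 matches but SHA256 does not) means a transcription error or a
    different file sharing a weak hash; treat the sample as unverified.
    """
    got = digest_bytes(data)
    return [name for name in expected
            if got.get(name, "").lower() != expected[name].lower()]


def sweep_buffers(files: Iterable[Tuple[str, bytes]],
                  bad_sha256: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (name, sha256) for every buffer whose SHA256 is in `bad_sha256`."""
    bad = {h.lower() for h in bad_sha256}
    hits = []
    for name, data in files:
        h = hashlib.sha256(data).hexdigest()
        if h in bad:
            hits.append((name, h))
    return hits


def sweep_directory(root: str, bad_sha256: Iterable[str]) -> List[Tuple[str, str]]:
    """Recursive on-disk variant of sweep_buffers (streams each file)."""
    bad = {h.lower() for h in bad_sha256}
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    h = digest_stream(fh)["sha256"]
            except OSError:
                continue  # unreadable file: skip, do not abort the sweep
            if h in bad:
                hits.append((path, h))
    return hits


def demo() -> List[str]:
    """Constructed stand-in buffer (not the sample): every digest must mismatch."""
    return verify_sample(b"MZ constructed placeholder, not xspcd10.dll", ENTRY_HASHES)


if __name__ == "__main__":
    print("mismatching digests for placeholder buffer:", demo())
    print("sweep hits:", sweep_buffers([("a.bin", b"abc")], [ENTRY_HASHES["sha256"], UNPACKED_SHA256]))
```

MalwareBazaar serves downloaded samples as a password-protected zip (password `infected`); run `verify_sample` on the extracted file, not the archive, and only treat the sample as the one this entry describes when the returned mismatch list is empty.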

Intelligence


File Origin
# of uploads: 2
# of downloads: 372
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Searching for the window
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
bank.troj
Score:
68 / 100
Signature
Creates a COM Internet Explorer object
Found malware configuration
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph (ID 326382; sample xspcd10.dll; start date 03/12/2020; architecture WINDOWS; score 68), flattened from the rendered graph:

Sample-level signatures:
  Found malware configuration
  Yara detected Ursnif

Process tree:
  loaddll32.exe (started)
    signatures: Writes or reads registry keys via WMI; Writes registry values via WMI; Creates a COM Internet Explorer object
    -> rundll32.exe (started)
         signatures: Writes registry values via WMI; Creates a COM Internet Explorer object
    -> rundll32.exe (started)
    -> rundll32.exe (started)
  iexplore.exe (started)
    -> iexplore.exe (started)
Threat name:
Win32.Trojan.Ymacco
Status:
Malicious
First seen:
2020-12-03 11:19:05 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Result
Malware family:
gozi_ifsb
Score:
  10/10
Tags:
family:gozi_ifsb banker trojan
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Unpacked files
SHA256 hash:
31ace401668e11cf7874612cc2ce412dcb2ea96428e14f55364cde9214826023
MD5 hash:
6dc320da82bfe9f897cd02fcd83c5d9b
SHA1 hash:
6ef252db67b1a0fe9b28c01cc6b7206fcb94a731
SHA256 hash:
dacaaf1439b3bf88dba3dde71d38549bd6004c064f4cbab02cb5814fc476d50c
MD5 hash:
a47844be33222d7be7730e4fef077f30
SHA1 hash:
98dae7755b28fdb997ea41f3e2000180f16ed229
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments