MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 33439b8dfd712e802c8da57016f04842f97047fcb875fa53fb7e34d2e876fc9a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 33439b8dfd712e802c8da57016f04842f97047fcb875fa53fb7e34d2e876fc9a
SHA3-384 hash: 245fd88777072ff551ca4f2f2a8e62e15ebac2378e8222c2d8a2a581731fc8e79d772f866f433d33c3e7afa2285e4ab1
SHA1 hash: 3bd394b0fa503f1f98cd11f787963116ec44a80c
MD5 hash: 9fbe59a22e56b3625c4371c0d486a3a7
humanhash: fillet-neptune-green-nine
File name:9fbe59a22e56b3625c4371c0d486a3a7.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:117'197 bytes
First seen:2021-04-02 18:09:05 UTC
Last seen:2021-04-02 19:09:38 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 811de8e945c2087a6e052096546cd842 (15 x Gozi)
ssdeep 1536:DWKaY5Se9WnVI78XvnoxJasJvRHKmyGDvDk0Rt9Y56l5ZMpvV05o9OX5xPw8:DWa0eQnVI7qCqZGDvDk4wol5w0EU
TLSH B5B3DF00B9DCC4C1D3EA99B049A4DE75350AEDA62834900733F37F6D7EF63A629AB544
Reporter abuse_ch
Tags:dll Gozi isfb Ursnif

Intelligence

File Origin
# of uploads :
2
# of downloads :
338
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ursnif
Create hunting rule
Link:
https://www.capesandbox.com/analysis/131836/
Detection(s):
SecuriteInfo.com.Mal.EncPk-APW.9272.4730.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Sending an HTTP GET request
Creating a file
Deleting a recently created file
Searching for the window
Sending a custom TCP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/67f6c43a-2d92-4b5c-8fef-6169f6f1a7d2
Result
Threat name:
Gozi Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.bank.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/664110
Signature
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Detected Gozi e-Banking trojan
Found malware configuration
Hooks registry keys query functions (used to hide registry keys)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: MSHTA Spawning Windows Shell
Suspicious powershell command line found
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 380988 Sample: BPD1b7H44e.dll Startdate: 03/04/2021 Architecture: WINDOWS Score: 100 58 urs-world.com 2->58 60 resolver1.opendns.com 2->60 72 Found malware configuration 2->72 74 Multi AV Scanner detection for submitted file 2->74 76 Yara detected  Ursnif 2->76 78 8 other signatures 2->78 9 loaddll32.exe 1 2->9         started        12 mshta.exe 2->12         started        14 iexplore.exe 57 2->14         started        16 3 other processes 2->16 signatures3 process4 signatures5 100 Writes or reads registry keys via WMI 9->100 102 Writes registry values via WMI 9->102 18 cmd.exe 1 9->18         started        20 rundll32.exe 9->20         started        104 Suspicious powershell command line found 12->104 23 powershell.exe 12->23         started        26 iexplore.exe 14->26         started        29 iexplore.exe 14->29         started        31 iexplore.exe 14->31         started        33 iexplore.exe 97 16->33         started        35 iexplore.exe 31 16->35         started        37 2 other processes 16->37 process6 dnsIp7 39 rundll32.exe 1 18->39         started        80 Detected Gozi e-Banking trojan 20->80 82 Writes registry values via WMI 20->82 52 C:\Users\user\AppData\Local\...\i5qutydc.0.cs, UTF-8 23->52 dropped 54 C:\Users\user\AppData\...\3jrg14pv.cmdline, UTF-8 23->54 dropped 84 Modifies the context of a thread in another process (thread injection) 23->84 86 Maps a DLL or memory area into another process 23->86 88 Compiles code for process injection (via .Net compiler) 23->88 90 Creates a thread in another existing process (thread injection) 23->90 42 csc.exe 23->42         started        45 conhost.exe 23->45         started        62 urs-world.com 185.186.244.95, 49765, 49766, 49767 WEBZILLANL Netherlands 29->62 64 192.168.2.1 unknown unknown 33->64 66 prda.aadg.msidentity.com 33->66 70 2 other IPs or domains 33->70 68 under17.com 185.243.114.196, 80 ACCELERATED-ITDE Netherlands 35->68 file8 signatures9 process10 file11 92 Writes to foreign memory regions 39->92 94 Allocates memory in foreign processes 39->94 96 Modifies the context of a thread in another process (thread injection) 39->96 98 Maps a DLL or memory area into another process 39->98 47 control.exe 39->47         started        56 C:\Users\user\AppData\Local\...\3jrg14pv.dll, PE32 42->56 dropped 50 cvtres.exe 42->50         started        signatures12 process13 signatures14 106 Changes memory attributes in foreign processes to executable or writable 47->106 108 Modifies the context of a thread in another process (thread injection) 47->108 110 Maps a DLL or memory area into another process 47->110 112 Creates a thread in another existing process (thread injection) 47->112
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/33439b8dfd712e802c8da57016f04842f97047fcb875fa53fb7e34d2e876fc9a/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-04-02 18:09:16 UTC
AV detection:
13 of 28 (46.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gnbzxdp5oexialenuvybn4ciil4xar74xb27uu73py2nf2dw7sna._file
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:5566 banker trojan
Link:
https://tria.ge/reports/210402-3rz6mb8men/
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
bing.com
update4.microsoft.com
under17.com
urs-world.com
Unpacked files
SH256 hash:
d8badab2df94fedfa9b7f978add09ff2076fd653f3ebb5152a0bf98bf619ba69
MD5 hash:
e72737e72f201e73b1d8c20ae7d1316b
SHA1 hash:
1ac30858e11cffa7fb5a0cb0d192971e7ef4002b
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/5642062d-2873-470b-92d5-d8a15d675040/
Parent samples :
4502918b2eb7a7ff6bc77a2d9878fae3b2389f30124d224ba92958ab13fdf39c
33439b8dfd712e802c8da57016f04842f97047fcb875fa53fb7e34d2e876fc9a
def873123cd2f2a1a2bb661c1ea1986526b86240fb4263e96be6c6a528c02428
eb617fa7cba6309640cda1035eee2fc79fa77c44b229e3c0213d44d97f1b4426
a1600c28548734d79d07a4d91da7e7420da472636a0820764247601f9dd73d5d
7d4aa2b93d2d795cdeca94ae454abbcaffe331583670893076ede4cfb58f5c79
22682ac6f8c484759f44786cc73109993d858a29b25fa1512196154cf2f0299c
d7102c2bee0abe8f04f3faf34374462dbe7b528f3de6492b6e9ce230a5a8d5ef
657455d2129ca06ee85cb534186d7d80b648e10f7f9e50f43cc5f56fbc7d154c
7d80947ba6784330e792fae5eded56f2e7f228740e19f9af19106886e567b268
8b130f9fbdcfc64e2ef698a1f111409c66aff2ab6ce66ae0286f8c6817376064
65179a35467708828de13c9a53f254c956cc4235a0196e3c53ca5022c176a6aa
db9ede8dfbecb23b804cd592eeb7500e397ade3bc1fa01551a912ae572cda8b3
7af19b7aa91cf1a3fb479f1f352e0a979df69779256653eb1c9961fc9238fb73
2817053b604f2d5f62400afd737d9124c87cc388f76aa10e5cc2db867a31c5dd
SH256 hash:
33439b8dfd712e802c8da57016f04842f97047fcb875fa53fb7e34d2e876fc9a
MD5 hash:
9fbe59a22e56b3625c4371c0d486a3a7
SHA1 hash:
3bd394b0fa503f1f98cd11f787963116ec44a80c
Link:
https://www.unpac.me/results/5642062d-2873-470b-92d5-d8a15d675040/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/33439b8dfd712e802c8da57016f04842f97047fcb875fa53fb7e34d2e876fc9a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ursnif3
Create hunting rule
Author:kevoreilly
Description:Ursnif Payload
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

DLL dll 33439b8dfd712e802c8da57016f04842f97047fcb875fa53fb7e34d2e876fc9a

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/131836/
  
URLhaus
https://urlhaus.abuse.ch/url/1101531/
  
Delivery method
Distributed via web download

Comments