MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 37603cddc36ec9c8b2b6c3d6a0d1a05ee33b1df81befe404ffcc398a6acd1edb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 37603cddc36ec9c8b2b6c3d6a0d1a05ee33b1df81befe404ffcc398a6acd1edb
SHA3-384 hash: 4c5437ef16a7fad2ceccd35e4eacbfdb58fa59b3b7e4f5656219fded57dc8967959b8d10cfc5f7387f4cc6d4a95ddbae
SHA1 hash: a71ece59f3c0875476d2ccc12a2ce39e59ef1bb3
MD5 hash: 80973714181535b9fb854929ee8e879c
humanhash: bravo-north-cold-twelve
File name:status bmp.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:1'450'496 bytes
First seen:2022-02-22 09:48:03 UTC
Last seen:2022-02-22 11:52:01 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash a2c4c1cc45cf157e67048505a3f85c3c (8 x Quakbot, 2 x Gozi)
ssdeep 24576:AMNsUX1VjnGO5RmnJoXlEuWRGt0R3SQ6c0Naa/Ek3vRtGEaL1M:ARWrGOiJoEuWRdSc0Naa/Ek/fGEoM
Threatray 475 similar samples on MalwareBazaar
TLSH T15F65C49EB2D01ECCF1E638BC7A5463A90F8A5FB10E3E6072B003388A56715F95D25B57
Reporter JAMESWT_WT
Tags:dll Gozi inps isfb Ursnif

Intelligence

File Origin
# of uploads :
2
# of downloads :
277
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/243221/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.26978.11179.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6214b15ea2660f3bb923f9e3/reports/8f03edf3-7183-44b6-9886-55d2f4fad6b9/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/27f9431d-da29-4494-aead-c30a586e7a2e
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/943801
Signature
Antivirus detection for URL or domain
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 576280 Sample: status bmp.dll Startdate: 22/02/2022 Architecture: WINDOWS Score: 100 41 linkspremium.ru 2->41 55 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->55 57 Multi AV Scanner detection for domain / URL 2->57 59 Found malware configuration 2->59 61 5 other signatures 2->61 8 loaddll32.exe 7 2->8         started        12 iexplore.exe 1 53 2->12         started        14 iexplore.exe 2->14         started        16 2 other processes 2->16 signatures3 process4 dnsIp5 51 loginslink.top 62.173.149.135, 49837, 49838, 80 SPACENET-ASInternetServiceProviderRU Russian Federation 8->51 53 linkspremium.ru 8->53 67 Found evasive API chain (may stop execution after checking system information) 8->67 69 Found API chain indicative of debugger detection 8->69 71 Writes or reads registry keys via WMI 8->71 73 Writes registry values via WMI 8->73 18 cmd.exe 1 8->18         started        35 4 other processes 8->35 20 iexplore.exe 31 12->20         started        23 iexplore.exe 31 12->23         started        25 iexplore.exe 14->25         started        27 iexplore.exe 14->27         started        29 iexplore.exe 31 16->29         started        31 iexplore.exe 16->31         started        33 iexplore.exe 16->33         started        signatures6 process7 dnsIp8 37 rundll32.exe 6 18->37         started        43 linkspremium.ru 31.41.44.3, 80 ASRELINKRU Russian Federation 20->43 45 premiumlists.ru 45.128.184.132, 80 MGNHOST-ASRU Russian Federation 25->45 47 loginsline.top 31.41.46.120, 49766, 49767, 49768 ASRELINKRU Russian Federation 29->47 process9 dnsIp10 49 loginslink.top 37->49 63 System process connects to network (likely due to code injection or exploit) 37->63 65 Writes registry values via WMI 37->65 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/37603cddc36ec9c8b2b6c3d6a0d1a05ee33b1df81befe404ffcc398a6acd1edb/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2022-02-22 09:49:11 UTC
File Type:
PE (Dll)
Extracted files:
109
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
02bb7e5eda106943c37400103a651d11d1ebfd5f4b0a550874328c2c82340923
Gozi
141ac687d4e9843e30b3687f5a7a95f70ed48808070c816d4881e87998840f86
Gozi
2603f6890e3c3d47696b37c47516ac2e9f35e6805653f467a0a22de2b88defc8
Gozi
37603cddc36ec9c8b2b6c3d6a0d1a05ee33b1df81befe404ffcc398a6acd1edb
Gozi
410eb4b06644f073370230650fe0624ce5dc6e18481b2e85930865a5a3984160
Gozi
45f11d97a8ed1a9215e9c6c8d44335229e17bd63bb0a48abcc8c2a02dca241c4
Gozi
4eae1c5ebdb7b2021913b37477077bde0177579b6f8d43a49bd8a202b45657f4
Gozi
+ 465 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:7616 banker trojan
Link:
https://tria.ge/reports/220222-lss1wsgdhm/
Behaviour
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
loginsline.top
loginslink.top
linkspremium.ru
premiumlists.ru
Unpacked files
SH256 hash:
d07097d9cd2c7b0f190af4a009e52c729710b1952ec19a78c76f95d6fa51b85b
MD5 hash:
81adf5a0326d2f4e0bb9fcf01aa6ad08
SHA1 hash:
f9c6c1eb409bd8467b3a6ae69d838057d08f032d
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/680f60f8-6b2e-4020-8009-94a0efb464e9/
SH256 hash:
f55d54a8bddce8014ce5548603a30e9a48f29d3a4741d8b35f1349ac24570fcf
MD5 hash:
f4e5adbe5b68993a0c25fc09ea17426c
SHA1 hash:
70714b4884a03364cfe4a336161148dbafb70827
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/680f60f8-6b2e-4020-8009-94a0efb464e9/
SH256 hash:
37603cddc36ec9c8b2b6c3d6a0d1a05ee33b1df81befe404ffcc398a6acd1edb
MD5 hash:
80973714181535b9fb854929ee8e879c
SHA1 hash:
a71ece59f3c0875476d2ccc12a2ce39e59ef1bb3
Link:
https://www.unpac.me/results/680f60f8-6b2e-4020-8009-94a0efb464e9/
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/37603cddc36e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
ursnif3
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/37603cddc36ec9c8b2b6c3d6a0d1a05ee33b1df81befe404ffcc398a6acd1edb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

DLL dll 37603cddc36ec9c8b2b6c3d6a0d1a05ee33b1df81befe404ffcc398a6acd1edb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2052041/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/243221/

Comments