MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 37bae5e29633f171616988fd64cfae9038cf8167677879a0c4cb4ed4761b9ebf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 13

Intelligence 13 IOCs YARA 1 File information Comments

SHA256 hash:	37bae5e29633f171616988fd64cfae9038cf8167677879a0c4cb4ed4761b9ebf
SHA3-384 hash:	5849e53b1b6d2ba013bba5bb6319bb8eceb4ecf0046f73563bb86fdef5c3ad86d84928f1e94db084f23b8688b43e3727
SHA1 hash:	81009ab0612ef7e4ee437a136c0e5cb22bab4ec0
MD5 hash:	4ea4f4bde9f76d9ba624d958d4ca5b50
humanhash:	pip-uranus-sweet-tango
File name:	20230310_unpacked_gozi.bin
Download:	download sample
Signature	Gozi Create hunting rule
File size:	44'544 bytes
First seen:	2023-03-10 09:14:32 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	ef075d26b728b78a932306e24062e80c (7 x Gozi)
ssdeep	768:V0gsqVXye2rS/Q4VYXQIVpCHlNBmQWGk2j+A6ewBvu7gpzhK3D1GcS:V9sq8S/QEYXQIVWlvmYp6ewNu7hD1Gc
Threatray	422 similar samples on MalwareBazaar
TLSH	T10B139F01F6F548F6C7A31EB06614FBA9A7F9D631213C5055AF23A9CA1E60953E13D20B
TrID	30.2% (.EXE) Win64 Executable (generic) (10523/12/4) 18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 14.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 12.9% (.EXE) Win32 Executable (generic) (4505/5/1) 5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	Viuleeenz
Tags:	agenziaentrate dll Gozi MEF mise unpacked Ursnif

Intelligence

File Origin

# of uploads :

# of downloads :

230

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/373285/

Detection(s):

Win.Malware.Ursnif-9975502-0

Result

Verdict:

Malware

Maliciousness:

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed shell32.dll

Link:

https://www.filescan.io/uploads/640af5188a02c7ebaf23fe6a/reports/1bd152fb-c3bf-4b8d-87c2-d2e3d7f3c6e2/overview

Verdict:

Malicious

Labled as:

Ursnif.1.Generic

Link:

https://www.hybrid-analysis.com/sample/37bae5e29633f171616988fd64cfae9038cf8167677879a0c4cb4ed4761b9ebf

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f4086148-d742-4663-8a89-ed46b7cc41df

Result

Threat name:

Ursnif

Detection:

malicious

Classification:

troj

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1191031

Signature

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Ursnif

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/37bae5e29633f171616988fd64cfae9038cf8167677879a0c4cb4ed4761b9ebf/

Threat name:

Win32.Trojan.Ursnif

Status:

Malicious

First seen:

2023-03-10 09:15:59 UTC

File Type:

PE (Dll)

AV detection:

22 of 24 (91.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=g65olyuwgpyxcyljrd6wjt5osa4m7alhm54htigeznhni5q3t27q._file

Verdict:

malicious

Label(s):

gozi

Gozi

3af96098ccb1063f1538e255f328e78f9556e29cd0563c53d2a73569759b5d0e

Gozi

896c5898ce95f078e8246f62ccd4b7da07959b2884362fa9c1933712aedeb553

Gozi

9cc3318cdf29c5b6a1c170facbd0e7849b674ecd2072d9741424709e0931f8cf

Gozi

a9f25933eb0dc82972d77854034dbc86220088eff4758a7df4e65f87ee1745e1

Gozi

aa96b7f6516f3f8d7d63d61a30b3af156b92b3e8dace05c8953dcf82ac96a3c6

Gozi

c95c8b01e7a58afbae1b0c3a795108ae46b22c3867680dcdb883ca97e6f092a0

Gozi

f0606eb18477cfec7939d20432ba7999ac9044dfbc936a0071cbe920d02a7e1c

Gozi

fc74e8faf8772293f2947c803c5309c64310c38d8e3f8efe18271004a9b96bba

Gozi

+ 412 additional samples on MalwareBazaar

Result

Malware family:

gozi

Score:

10/10

Tags:

family:gozi botnet:7712 isfb

Link:

https://tria.ge/reports/230310-k7w6eseb9y/

Behaviour

Suspicious use of WriteProcessMemory

Malware Config

C2 Extraction:

checklist.skype.com
62.173.140.236
31.41.44.92
46.8.210.143
45.128.185.33

Unpacked files

SH256 hash:

37bae5e29633f171616988fd64cfae9038cf8167677879a0c4cb4ed4761b9ebf

MD5 hash:

4ea4f4bde9f76d9ba624d958d4ca5b50

SHA1 hash:

81009ab0612ef7e4ee437a136c0e5cb22bab4ec0

Detections:

ISFB_Main

win_isfb_auto

Link:

https://www.unpac.me/results/2ebabcc0-e4bd-4db7-a9a3-d0bb4128aa7e/

Parent samples :

4b8dbe4d5a5547c30971cda34392a943c11964e43f62325dd753620744063b8d
37bae5e29633f171616988fd64cfae9038cf8167677879a0c4cb4ed4761b9ebf
1d4ccfa95990fbf6ee731db78a945bad5d3ffa82f0271d8c9aefd314b6ecc6af
8449f58ebb84db076809e6701e7195202a3f77dc2ef8a0809451b585c9194d6e

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/37bae5e29633f171616988fd64cfae9038cf8167677879a0c4cb4ed4761b9ebf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	win_isfb_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/373285/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample