MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 388022f82cf14f03e13aac05209d02e26685ae97c45077b64bdbab3e7fa44f17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 388022f82cf14f03e13aac05209d02e26685ae97c45077b64bdbab3e7fa44f17
SHA3-384 hash: e9602e5c0daaf7d628830e19f3571a5744fae8a4a43fe69d2b796a3d36136cba2632d906219d93151dc76628a9d77cf6
SHA1 hash: 9107b239f7365d6e30416f28bcd8edbd5d7ce632
MD5 hash: 8a3d8b5dd1f2022eaf5a9b7232aaab1e
humanhash: whiskey-dakota-mobile-massachusetts
File name:status.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:1'270'272 bytes
First seen:2022-03-15 11:49:44 UTC
Last seen:2022-03-15 13:51:22 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 4c22b18d5c8a30144996b95335a2df1a (1 x Gozi)
ssdeep 24576:8IsLKFY0naHqkmm2GBT2XU6QAztP8zUX+:8IsLD0aHq82M2XUba2+
Threatray 569 similar samples on MalwareBazaar
TLSH T1C1459465ADA4FF84F43E0C38C62173EAD22E1E6D0615912AD386784079B53D47CFAF4A
File icon (PE):PE icon
dhash icon 736934fc4de8cc92 (4 x Quakbot, 3 x Gozi, 1 x CryptBot)
Reporter JAMESWT_WT
Tags:dll Gozi isfb mise Ursnif

Intelligence

File Origin
# of uploads :
2
# of downloads :
304
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/250734/
Detection(s):
SecuriteInfo.com.Artemis8A3D8B5DD1F2.20478.18192.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Launching a process
Searching for synchronization primitives
Сreating synchronization primitives
Creating a window
DNS request
Sending an HTTP GET request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed ursnif
Link:
https://www.filescan.io/uploads/62307d700cd58dbd929e4611/reports/4eb77583-04a9-4e5a-935b-39394fe2e68a/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a82377e2-55fc-461e-bfc3-7c915b1f0d19
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/956949
Signature
Antivirus detection for URL or domain
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 589426 Sample: status.dll Startdate: 15/03/2022 Architecture: WINDOWS Score: 100 40 premiumlists.ru 2->40 56 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->56 58 Multi AV Scanner detection for domain / URL 2->58 60 Found malware configuration 2->60 62 5 other signatures 2->62 8 loaddll32.exe 1 2->8         started        11 iexplore.exe 1 58 2->11         started        13 iexplore.exe 2->13         started        15 2 other processes 2->15 signatures3 process4 signatures5 66 Found evasive API chain (may stop execution after checking system information) 8->66 68 Found API chain indicative of debugger detection 8->68 70 Writes or reads registry keys via WMI 8->70 72 Writes registry values via WMI 8->72 17 regsvr32.exe 8->17         started        20 cmd.exe 1 8->20         started        31 3 other processes 8->31 22 iexplore.exe 31 11->22         started        25 iexplore.exe 36 11->25         started        27 iexplore.exe 32 11->27         started        29 iexplore.exe 13->29         started        33 2 other processes 13->33 35 6 other processes 15->35 process6 dnsIp7 52 Writes or reads registry keys via WMI 17->52 54 Writes registry values via WMI 17->54 37 rundll32.exe 20->37         started        42 atmosphera.top 31.41.46.120, 49793, 49794, 49795 ASRELINKRU Russian Federation 22->42 44 linkspremium.ru 62.173.149.135, 49799, 49800, 49867 SPACENET-ASInternetServiceProviderRU Russian Federation 25->44 46 192.168.2.1 unknown unknown 27->46 48 premiumlists.ru 45.128.184.132, 49829, 49830, 49839 MGNHOST-ASRU Russian Federation 29->48 50 127.0.0.1 unknown unknown 29->50 signatures8 process9 signatures10 64 Writes registry values via WMI 37->64
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/388022f82cf14f03e13aac05209d02e26685ae97c45077b64bdbab3e7fa44f17/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Suspicious
First seen:
2022-03-15 11:50:13 UTC
File Type:
PE (Dll)
Extracted files:
13
AV detection:
18 of 27 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hcacf6bm6fhqhyj2vqcsbhic4jtilluxyrihpnsl3ovt475ej4lq._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
2603f6890e3c3d47696b37c47516ac2e9f35e6805653f467a0a22de2b88defc8
Gozi
37603cddc36ec9c8b2b6c3d6a0d1a05ee33b1df81befe404ffcc398a6acd1edb
Gozi
410eb4b06644f073370230650fe0624ce5dc6e18481b2e85930865a5a3984160
Gozi
4bd004047533752383486ead4f6ce67459d38f816d63d110744f0df009b2d022
Gozi
4eae1c5ebdb7b2021913b37477077bde0177579b6f8d43a49bd8a202b45657f4
Gozi
9eb0bdb45d505a24290b3fe9adb1ac5c856238e91358fcf7e6af73d9a1b9c244
Gozi
9f67885dc039a8378a81b3b4edb035a4e7c0e0a4e128ac4aa60232fff8e67acd
Gozi
9fcaf7ae5e2b5e2a4e7b34c37b5f6f1a539c07bc258379314b7590582b859147
Gozi
e13a056f1ba8250d266ea3e3b6790d142b92d7febb256af5f922bd2cec603e05
Gozi
+ 559 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:7623 banker trojan
Link:
https://tria.ge/reports/220315-nzm5bscffp/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
atmosphera.top
linkspremium.ru
premiumlists.ru
Unpacked files
SH256 hash:
6bc1b78faef56340ef40cca5f59aeb94d47e278caef785a7efceb5b6f82242bb
MD5 hash:
c74170f333820b4caba09b3604a8d3f3
SHA1 hash:
f0ceaf40c208088da92aec54d53cef37f352d942
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/bbd0511d-5da5-414c-9a3e-cbc9c08b60ec/
SH256 hash:
6dd86d063fc1a94de91cd4d3dd793ffc6882bde471b6d1f1aa5ff34aa84b84cf
MD5 hash:
98f0c86efde9d27827e8192a002368b5
SHA1 hash:
806f50b60ffa359715287b07be75ff6b5730de35
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/bbd0511d-5da5-414c-9a3e-cbc9c08b60ec/
SH256 hash:
388022f82cf14f03e13aac05209d02e26685ae97c45077b64bdbab3e7fa44f17
MD5 hash:
8a3d8b5dd1f2022eaf5a9b7232aaab1e
SHA1 hash:
9107b239f7365d6e30416f28bcd8edbd5d7ce632
Link:
https://www.unpac.me/results/bbd0511d-5da5-414c-9a3e-cbc9c08b60ec/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.14
Link:
https://yomi.yoroi.company/submissions/388022f82cf14f03e13aac05209d02e26685ae97c45077b64bdbab3e7fa44f17

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/250734/

Comments