MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a97651f970c4aecf446aa67fe4daab235e0dc35860b1440d413ee91a27dad27. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3a97651f970c4aecf446aa67fe4daab235e0dc35860b1440d413ee91a27dad27
SHA3-384 hash: 2bcc27d2ecad4d8b837f2c669133ccacde32d309d1d96d365122bfc2bb2c45f0ee7106f229259c46ef4943d5f7f92547
SHA1 hash: 8f653e50b82d1141eaef724ffb5330065fb4cfbc
MD5 hash: 9a83f2064a395adc459f87c243167dd7
humanhash: vegan-steak-uncle-victor
File name:readme.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:420'864 bytes
First seen:2022-03-18 13:22:53 UTC
Last seen:2022-03-18 14:32:17 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 9ddb3bbcd99543c365ed933ba49f71ae (2 x Gozi)
ssdeep 6144:dxfsNksMFgVp68Rlz43Ku+lzgktf1VeSboRBVMMRddcTFCIyT911CGl:vsasMaVAmBzLtffKRAwddIFD/s
Threatray 536 similar samples on MalwareBazaar
TLSH T105948E22F2D18837C173263C8D5B5678A8397E503D295C4E2BE81E4C5F397813B792AB
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter JAMESWT_WT
Tags:agenziaentrate dll Gozi isfb mise Ursnif

Intelligence

File Origin
# of uploads :
2
# of downloads :
476
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/252612/
Detection(s):
SecuriteInfo.com.Trojan.Gozi.857.31915.22819.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Fareit-FDGG889B7BFFEC04.15386.930.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe keylogger packed
Link:
https://www.filescan.io/uploads/623487c80cd58dbd92b6af61/reports/e37ca16f-9d5d-49c1-a7f0-5d0e4bd6b21d/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/52301346-4137-4c05-879d-636d21373caf
Result
Threat name:
Ursnif CryptOne
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/959536
Signature
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Yara detected CryptOne packer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 592012 Sample: readme.exe Startdate: 18/03/2022 Architecture: WINDOWS Score: 100 50 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->50 52 Multi AV Scanner detection for domain / URL 2->52 54 Found malware configuration 2->54 56 6 other signatures 2->56 8 loaddll32.exe 7 2->8         started        12 iexplore.exe 1 50 2->12         started        14 iexplore.exe 1 50 2->14         started        16 2 other processes 2->16 process3 dnsIp4 44 31.41.46.120, 49868, 80 ASRELINKRU Russian Federation 8->44 46 sistemliner.top 8->46 48 2 other IPs or domains 8->48 58 Found evasive API chain (may stop execution after checking system information) 8->58 60 Found API chain indicative of debugger detection 8->60 62 Writes or reads registry keys via WMI 8->62 64 2 other signatures 8->64 18 cmd.exe 1 8->18         started        20 iexplore.exe 33 12->20         started        23 iexplore.exe 31 14->23         started        25 iexplore.exe 32 16->25         started        27 iexplore.exe 16->27         started        signatures5 process6 dnsIp7 29 rundll32.exe 18->29         started        34 premiumlists.ru 45.128.184.132, 49818, 49819, 49865 MGNHOST-ASRU Russian Federation 20->34 36 127.0.0.1 unknown unknown 20->36 38 sistemliner.top 23->38 40 linkspremium.ru 62.173.149.135, 49763, 49764, 49854 SPACENET-ASInternetServiceProviderRU Russian Federation 25->40 42 sistemliner.top 25->42 process8 signatures9 66 Found evasive API chain (may stop execution after checking system information) 29->66 68 Found API chain indicative of debugger detection 29->68 70 Contains functionality to detect sleep reduction / modifications 29->70 32 WerFault.exe 23 9 29->32         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3a97651f970c4aecf446aa67fe4daab235e0dc35860b1440d413ee91a27dad27/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2022-03-18 13:23:13 UTC
File Type:
PE (Dll)
Extracted files:
38
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
141ac687d4e9843e30b3687f5a7a95f70ed48808070c816d4881e87998840f86
Gozi
2603f6890e3c3d47696b37c47516ac2e9f35e6805653f467a0a22de2b88defc8
Gozi
410eb4b06644f073370230650fe0624ce5dc6e18481b2e85930865a5a3984160
Gozi
4eae1c5ebdb7b2021913b37477077bde0177579b6f8d43a49bd8a202b45657f4
Gozi
9c815841be71a4aafec48f38dcb04b94fcf7b13a21ffbb834f77951ed615f9c4
Gozi
9f67885dc039a8378a81b3b4edb035a4e7c0e0a4e128ac4aa60232fff8e67acd
Gozi
d61ee5e7b17684983ea9049f719beb05978a813638f53f7625e970bae1c2abd7
Gozi
+ 526 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:7625 banker trojan
Link:
https://tria.ge/reports/220318-qmtsfshhb4/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
sistemliner.top
linkspremium.ru
premiumlists.ru
Unpacked files
SH256 hash:
6fb42a57c8dcc56f467290ab3754b512d0074fd1445284b3998b7161372cf4a0
MD5 hash:
a023cde5343b81586aea9ed8e8b62f79
SHA1 hash:
c883826d569b2bdd5e71f3fc39b15a183381464a
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/a8f6526c-2f0e-4ddb-80a5-a27f57cbfad0/
Parent samples :
9c815841be71a4aafec48f38dcb04b94fcf7b13a21ffbb834f77951ed615f9c4
3a97651f970c4aecf446aa67fe4daab235e0dc35860b1440d413ee91a27dad27
7cbb379e78c7c547cfd1957ccaa0be899cb97df3d001605c9bd51cd70d975886
SH256 hash:
ab2fad795e531fbfc0c3ebef645522fdc7fa058d905634e5512987348ec79783
MD5 hash:
a62dfacb00cc2b502154e3b77e35dd6c
SHA1 hash:
c5482a53d940c22af20bb475364d8e4bce187b81
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/a8f6526c-2f0e-4ddb-80a5-a27f57cbfad0/
Parent samples :
9c815841be71a4aafec48f38dcb04b94fcf7b13a21ffbb834f77951ed615f9c4
3a97651f970c4aecf446aa67fe4daab235e0dc35860b1440d413ee91a27dad27
7cbb379e78c7c547cfd1957ccaa0be899cb97df3d001605c9bd51cd70d975886
SH256 hash:
3a97651f970c4aecf446aa67fe4daab235e0dc35860b1440d413ee91a27dad27
MD5 hash:
9a83f2064a395adc459f87c243167dd7
SHA1 hash:
8f653e50b82d1141eaef724ffb5330065fb4cfbc
Link:
https://www.unpac.me/results/a8f6526c-2f0e-4ddb-80a5-a27f57cbfad0/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/3a97651f970c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.26
Link:
https://yomi.yoroi.company/submissions/3a97651f970c4aecf446aa67fe4daab235e0dc35860b1440d413ee91a27dad27

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

DLL dll 3a97651f970c4aecf446aa67fe4daab235e0dc35860b1440d413ee91a27dad27

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2103348/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/252612/

Comments