MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3aa3a80a403194be781482d4c954adc4ebd773cfd1fa008c2072c591b4bb5c5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 11

SHA256 hash: 3aa3a80a403194be781482d4c954adc4ebd773cfd1fa008c2072c591b4bb5c5f
SHA3-384 hash: 19ee436147548d66a30af0fef31fec8605294cb0793434c414569b30c3dc23a1a9e745d2ff92a7d412751036c7b3c29c
SHA1 hash: 0d0e546d80f324b9fc024e7bf4850455647c31d8
MD5 hash: 14549a6ccc41deaf7ccf9abd4c5ae61a
humanhash: hydrogen-solar-coffee-artist
File name: globalCounter.jpg.dll
Signature: Gozi
File size: 638'464 bytes
First seen: 2021-06-14 15:18:45 UTC
Last seen: 2021-06-14 16:06:23 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash: 1bf03a2f0c3f791c6d4615af85585b98 (1 x Gozi)
ssdeep: 12288:rd4keA4P2oZNZZ9xf/5gqNT+ZSzojPeb6NAFYAqhVIdnBOciMajGVeR61:p4/VZNZZ15zojPrNWRQ0BOciMzQR
Threatray: 374 similar samples on MalwareBazaar
TLSH: 2DD4CE017580C032C57529368E64E3F10B7DBE648F649ACF37C82E7F6F74A92962572A
Reporter: James_inthe_box
Tags: dll Gozi

Intelligence


File Origin
# of uploads: 2
# of downloads: 267
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:
Behaviour
Sending a UDP request
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 80 / 100
Signature
Found malware configuration
Multi AV Scanner detection for domain / URL
Sigma detected: Execute DLL with spoofed extension
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph (ID 434287; sample: globalCounter.jpg.dll; start date: 14/06/2021; architecture: WINDOWS; score: 80)
Signatures on the sample: Multi AV Scanner detection for domain / URL; Found malware configuration; Yara detected Ursnif; Sigma detected: Execute DLL with spoofed extension
Process tree recovered from the graph:
    loaddll32.exe (Writes or reads registry keys via WMI; Writes registry values via WMI)
        rundll32.exe (Writes registry values via WMI)
        cmd.exe
            rundll32.exe
        rundll32.exe
        rundll32.exe
    iexplore.exe
        iexplore.exe (network: authd.feronok.com, 185.233.80.31, ports 49705, 49706, 49707, SUPERSERVERSDATACENTERRU, Russian Federation)
        iexplore.exe
    iexplore.exe
        iexplore.exe
        iexplore.exe
Threat name: Win32.Trojan.Ursnif
Status: Malicious
First seen: 2021-06-14 15:18:38 UTC
File Type: PE (Dll)
Extracted files: 1
AV detection: 11 of 29 (37.93%)
Threat level: 5/5
Result
Malware family: gozi_ifsb
Score: 10/10
Tags: family:gozi_ifsb botnet:6000 banker trojan
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
authd.feronok.com
app.bighomegl.at
Unpacked files
SHA256 hash: 1af9dd3e80554cfa88603e46856c62f33986b6f8b10a03a4af281dd6fccb2fcf
MD5 hash: e8c791a007753f42379f36327dc9e526
SHA1 hash: 6f1e98b5615717e2677a41e8d90ef3aaea0b2e8b
Detections: win_isfb_auto
SHA256 hash: 3aa3a80a403194be781482d4c954adc4ebd773cfd1fa008c2072c591b4bb5c5f
MD5 hash: 14549a6ccc41deaf7ccf9abd4c5ae61a
SHA1 hash: 0d0e546d80f324b9fc024e7bf4850455647c31d8
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: win_isfb_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other

Comments