MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b3e3f142508409133b565c5ee076574340c6d2eded21b8294db1156c9474858. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	3b3e3f142508409133b565c5ee076574340c6d2eded21b8294db1156c9474858
SHA3-384 hash:	629a219b1ac26a6469ca853d5dcc2490ad1b3839aa8e97887243be696ffbef0c091c38184bd68ff8a390954f7ef1ea86
SHA1 hash:	4e1f78f9e5dc186eb8414c30da9fdeb798aee506
MD5 hash:	ecf60b35956f6544467f430dcd5449a9
humanhash:	spring-thirteen-video-music
File name:	login1.exe
Download:	download sample
Signature	Gozi Alert Create hunting rule
File size:	196'608 bytes
First seen:	2023-03-01 10:16:57 UTC
Last seen:	2023-03-01 11:28:38 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	6744e6dbe648effa9a7b038219038af5 (7 x RedLineStealer, 1 x CoinMiner, 1 x Gozi)
ssdeep	3072:/UUTZkfU1gKiKUvGmAlTt0tT3TC/VsvoYiR8YQmy9WeuG+EB:8IZyogKBUePHYiRNQmreN+
Threatray	396 similar samples on MalwareBazaar
TLSH	T15414B01273D0B870E4364B319D19D6F4AB2EFC514E7A96EB23143AAF0EF0291C675786
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	956a6a6a6a6a6a60 (2 x Smoke Loader, 1 x CoinMiner, 1 x Gozi)
Reporter	JAMESWT_WT
Tags:	agenziaentrate exe Gozi Ursnif

Intelligence

---

File Origin

# of uploads :

2

# of downloads :

232

Origin country :

IT

Vendor Threat Intelligence

ANY.RUN ursnif

Malware family:

ursnif

Alert

Create hunting rule

ID:

1

File name:

login1.exe

Verdict:

Malicious activity

Analysis date:

2023-03-01 10:22:34 UTC

Tags:

gozi ursnif dreambot trojan

Link:

https://app.any.run/tasks/2c49aded-cc19-435f-a78c-a9f129cbdee7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/370774/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Win32.DropperX-gen.26765.13892.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Sending a custom TCP request

DNS request

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

greyware lockbit mikey packed

Link:

https://www.filescan.io/uploads/63ff261f66e79c93ba0d5585/reports/3129a539-235a-434a-9933-4e8954a959d7/overview

Hybrid Analysis Win/malicious_confidence_100%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/3b3e3f142508409133b565c5ee076574340c6d2eded21b8294db1156c9474858

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Ursnif

Malware family:

Ursnif

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5729dedc-6d19-4fce-a623-d1a836ea4636

Joe Sandbox Ursnif

Result

Threat name:

Ursnif

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1184758

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found API chain indicative of debugger detection

Found evasive API chain (may stop execution after checking system information)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Snort IDS alert for network traffic

Writes or reads registry keys via WMI

Writes registry values via WMI

Yara detected Ursnif

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3b3e3f142508409133b565c5ee076574340c6d2eded21b8294db1156c9474858/

ReversingLabs TitaniumCloud Win32.Ransomware.StopCrypt

Threat name:

Win32.Ransomware.StopCrypt

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-03-01 10:15:58 UTC

File Type:

PE (Exe)

Extracted files:

21

AV detection:

23 of 25 (92.00%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hm7d6fbfbbajcm5vmxc64b3foq2ay3jo33jbxauu3mivnskhjbma._file

Threatray gozi

Verdict:

malicious

Label(s):

gozi

Alert

Create hunting rule

Similar samples:

03df3981a6a8793c2240507cfa8140591b35fdcab5230f13a95242ec00e94364

Gozi

4ce2353420b3fef9a268a018a0b8bb5d4389bd7ff288c1168af812dd81b2d54a

Gozi

52e17a4f06328ee20d16c54d8bea3b44badafcf9ce533d17a9817264b6beb3d4

Gozi

84908c9c014c59a36369a618dfc51316646d1dbc3314da3c66100b0706567d22

Gozi

b0d58abdf40c6e922ecad36224a0c65bc3f87fcd36c781566f5d7733b72e608b

Gozi

cff404581196accfce86e8ba7a5b8f63b686ef831e384d95e46a04f908e0987a

Gozi

db70da9773d78809fd44a1b4efa2f1c92f3001417b7a46d0ab014d0007ef3805

Gozi

dcc33bc510228ff4cf4dc286e5902be5a262e3def4189960c702d27b83da84b2

Gozi

df9bc10545b7066ec3bc8868a9e20379aa9a7cbb38928902520eea8fdd3ac2a7

Gozi

+ 386 additional samples on MalwareBazaar

Hatching Triage gozi

Result

Malware family:

gozi

Alert

Create hunting rule

Score:

  10/10

Tags:

family:gozi botnet:7709 banker isfb trojan

Link:

https://tria.ge/reports/230301-mbcs1sfc6t/

Behaviour

Gozi

Malware Config

C2 Extraction:

checklist.skype.com
62.173.141.252
31.41.44.33
109.248.11.112

UnpacMe ISFB_Main win_isfb_auto

Unpacked files

SH256 hash:

876860a923754e2d2f6b1514d98f4914271e8cf60d3f95cf1f983e91baffa32b

MD5 hash:

2beb711bcfd441ca2d92da0313823a41

SHA1 hash:

ebc1777b9ef7242892e8479f3330ed561c370127

Detections:

ISFB_Main

Alert

Create hunting rule

win_isfb_auto

Alert

Create hunting rule

Link:

https://www.unpac.me/results/97cc18db-f7cb-47bb-9d2e-d0e59cabd295/

Parent samples :

3b3e3f142508409133b565c5ee076574340c6d2eded21b8294db1156c9474858
876860a923754e2d2f6b1514d98f4914271e8cf60d3f95cf1f983e91baffa32b
9d1e71b94eab825c928377e93377feb62e02a85b7d750b883919207119a56e0d
05b73bccd726df4df86b10b00b2ed4d6e6ba9832e3b473dd7abe6c50c8d5bfbf
061c271c0617e56aeb196c834fcab2d24755afa50cd95cc6a299d76be496a858

SH256 hash:

0368213fda034a3878243909f3c7943f971d3612af7fc1e97cb29673014ff837

MD5 hash:

ef600e76df6ed020b1b17b2f809408fd

SHA1 hash:

13654f0cbbf74d4477798f06e69cc69ba478328d

Link:

https://www.unpac.me/results/97cc18db-f7cb-47bb-9d2e-d0e59cabd295/

SH256 hash:

3b3e3f142508409133b565c5ee076574340c6d2eded21b8294db1156c9474858

MD5 hash:

ecf60b35956f6544467f430dcd5449a9

SHA1 hash:

4e1f78f9e5dc186eb8414c30da9fdeb798aee506

Link:

https://www.unpac.me/results/97cc18db-f7cb-47bb-9d2e-d0e59cabd295/

VMRay Ursnif

Malware family:

Ursnif

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3b3e3f142508/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3b3e3f142508409133b565c5ee076574340c6d2eded21b8294db1156c9474858

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/370774/