MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b56b7298c366a323d28658a455abf0d4e78fa197a43ce13bedab05f26901d34. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3b56b7298c366a323d28658a455abf0d4e78fa197a43ce13bedab05f26901d34
SHA3-384 hash: d6a460e6d51fac71adae37a68a4f33d8c58f1af2f71ea93a085135757a41969812a5d24d34c1014815439fe3f6ca4e3a
SHA1 hash: c188272ab757dbbf14e74781fc90fcefe4aeb615
MD5 hash: 50a299d1e92d9205e123404c8e05904d
humanhash: bakerloo-grey-delaware-berlin
File name:609a460e94791.tiff.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:841'216 bytes
First seen:2021-05-11 08:54:31 UTC
Last seen:2021-05-11 10:07:30 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash dc55991f7b8a912c780d10d352635290 (2 x Gozi)
ssdeep 12288:mzCoYRvNZrA8Res/TPUOjUUGcqcoWEx9kMGUS6vOV5y4gnuD5wtqqB7ol:VdNZr5RLL1AZ/clUnHvk5hgU
Threatray 239 similar samples on MalwareBazaar
TLSH A5055D01B7908038F5B759F585BEA1A8693DBEE15B24D0C763C42AEE5635EE0BC30727
Reporter JAMESWT_WT
Tags:brt dll geo Gozi isfb ITA Ursnif

Intelligence

File Origin
# of uploads :
3
# of downloads :
283
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/154964/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Searching for the window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/778422
Signature
Found malware configuration
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 410818 Sample: 609a460e94791.tiff.dll Startdate: 11/05/2021 Architecture: WINDOWS Score: 64 32 Found malware configuration 2->32 34 Yara detected  Ursnif 2->34 7 loaddll32.exe 1 2->7         started        10 iexplore.exe 1 51 2->10         started        process3 signatures4 36 Writes or reads registry keys via WMI 7->36 38 Writes registry values via WMI 7->38 12 rundll32.exe 7->12         started        15 cmd.exe 1 7->15         started        17 rundll32.exe 7->17         started        19 rundll32.exe 7->19         started        21 iexplore.exe 24 10->21         started        process5 dnsIp6 40 Writes registry values via WMI 12->40 24 rundll32.exe 15->24         started        26 FRA-efz.ms-acdc.office.com 40.101.12.82, 443, 49737, 49738 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 21->26 28 outlook.com 40.97.161.50, 443, 49732, 49733 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 21->28 30 5 other IPs or domains 21->30 signatures7 process8
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3b56b7298c366a323d28658a455abf0d4e78fa197a43ce13bedab05f26901d34/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hnllokmmgzvdepjimwfekwv7bvhhr6qzpjb44e563kyf6juqdu2a._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
43b3014c1627c40c31c724e1a7b1dee4ef51428e2f68adad93c0df95f454275d
Gozi
46b5308d058e2dcd8e0868345d77a81abea0db8e0aa32a6b55e264fe18b7f577
Gozi
5d002f8a395fcc9a680a9ef4f78a8674cc0757850b02bf12a8ef4df79e2e4bd3
Gozi
5f65108386662cc4780882e06928dd940ea6c75235bf8e4c09079e6e40045326
Gozi
83d9e62cebb8f222083e6d6670b0ca5e82459c8d7815b0c415c9d1964bd56583
Gozi
9164fdcb36a96b934a66b23da4101dc5a24ccc8807aeb12760132fe4e64c5a9a
Gozi
a2fa5a4d18033e67a7c0477e69acd03a61808c31e24dd9c120106fec161012ef
Gozi
ae1143cc98f29dad7cd956c881606f55b51d8b5789ae670736e6e115519fbccb
Gozi
bd43f7bc23a76b086a81b8e6fcd4355cac648d3f7d9a941d9aa259def534d5b1
Gozi
eb498648d17ad5250ab1f38b190dd2da8bfa8db3ee86054db991db79d15ad5cc
Gozi
+ 229 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:8877 banker trojan
Link:
https://tria.ge/reports/210511-5rg1kk63lj/
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
outlook.com/login
gmail.com
worunekulo.club
horunekulo.website
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3b56b7298c366a323d28658a455abf0d4e78fa197a43ce13bedab05f26901d34

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ursnif3
Create hunting rule
Author:kevoreilly
Description:Ursnif Payload
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/154964/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-11 09:01:59 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
1) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
2) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
3) [C0032.002] Data Micro-objective::Luhn::Checksum
4) [C0051] File System Micro-objective::Read File
5) [C0052] File System Micro-objective::Writes File
6) [C0007] Memory Micro-objective::Allocate Memory
7) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
8) [C0040] Process Micro-objective::Allocate Thread Local Storage
9) [C0043] Process Micro-objective::Check Mutex
10) [C0041] Process Micro-objective::Set Thread Local Storage Value
11) [C0018] Process Micro-objective::Terminate Process