MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3fe5fdbdc141727dc6b70a7c8e2c7700a0eef1ee6236d7a5cb62b15c75ab9f26. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3fe5fdbdc141727dc6b70a7c8e2c7700a0eef1ee6236d7a5cb62b15c75ab9f26
SHA3-384 hash: abbeded77344f1d4f0dd2913b8a09cec1535939401a7fffd8f68e514c2c35c2a2ea5e019b45c5207c5cddb02910d8aab
SHA1 hash: ffe46db953bc5227f323baf29008a8eb79ed8dc9
MD5 hash: eb320243d41500647b767f567a285401
humanhash: beryllium-spring-lemon-cat
File name:setup.bin
Download: download sample
Signature Gozi
Create hunting rule
File size:111'498 bytes
First seen:2020-06-29 10:51:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e9c0657252137ac61c1eeeba4c021000 (53 x GuLoader, 26 x RedLineStealer, 17 x AgentTesla)
ssdeep 1536:QXoKlnzpMyqDQ+IJDDctJUX0DKR+co90+/bCOpwJsr3v83BdL7XEDLugdX8tBQsz:comnzVincQDKgct+/baBdL8hdIQs7n
Threatray 485 similar samples on MalwareBazaar
TLSH 83B3CF163360C8EAE4D546700DB6AE319FF5B8250491A35B2BD53F6E7D73983DA0F282
Reporter JAMESWT_WT
Tags:Gozi isfb Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/16185/
Detection(s):
PUA.Win.Downloader.Soft32downloader-6691270-0
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.42220477.4087.19311.UNOFFICIAL
Create hunting rule

Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/379690
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 241985 Sample: setup.exe Startdate: 29/06/2020 Architecture: WINDOWS Score: 100 29 sb.scorecardresearch.com 2->29 31 geo.moatads.com 2->31 33 27 other IPs or domains 2->33 51 Found malware configuration 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 Yara detected  Ursnif 2->55 57 Machine Learning detection for sample 2->57 7 setup.exe 18 2->7         started        11 iexplore.exe 7 83 2->11         started        13 iexplore.exe 1 50 2->13         started        15 iexplore.exe 1 50 2->15         started        signatures3 process4 file5 27 C:\Users\user\AppData\Local\...\System.dll, PE32 7->27 dropped 59 Detected unpacking (changes PE section rights) 7->59 61 Detected unpacking (overwrites its own PE header) 7->61 63 Maps a DLL or memory area into another process 7->63 65 2 other signatures 7->65 17 setup.exe 7->17         started        20 iexplore.exe 4 71 11->20         started        23 iexplore.exe 47 13->23         started        25 iexplore.exe 31 15->25         started        signatures6 process7 dnsIp8 49 Creates a COM Internet Explorer object 17->49 35 sb.scorecardresearch.com 20->35 37 geo.moatads.com 20->37 43 38 other IPs or domains 20->43 39 sb.scorecardresearch.com 23->39 41 geo.moatads.com 23->41 45 32 other IPs or domains 23->45 47 2 other IPs or domains 25->47 signatures9
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3fe5fdbdc141727dc6b70a7c8e2c7700a0eef1ee6236d7a5cb62b15c75ab9f26/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2020-06-29 10:53:03 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
23 of 31 (74.19%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=h7s73pobifzh3rvxbj6i4ldxacqo54pomi3npjolmkyvy5nlt4ta._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
trickbot
Create hunting rule
Similar samples:
22a8827e130acc160f37cb5f78da95221287b06b4e593efdfd0dd03283945e02
Gozi
685d9e6eb627ace649965ef0549cec63d4b12e21bce641591fbe32ef6ca7350d
Gozi
8e5d52727fd76e7fc3078c8bc3607e8d0fc2b4d9eaf09de824c59f2ed26b0f21
Gozi
92531c1c46721abadcbc92de961a40f50940f1409c31d84cbc8129ce860968e3
Gozi
a6e6d01862c62f53c73f50d34e5209d51100244389a6fbc0f5863d59154582af
Gozi
aa0b542cfde007f858cd18f0b3a104ccaa6c401c26e908829aed144e13471f20
Gozi
c7a24df45e43686f1331c01a5c77ca492924482e29099e778fdee153e88d8363
Gozi
cff7986462a1035c053de4021e2a59ff8de076b7843137354f871084eaa60f9e
Gozi
eb55844a34109790b370caba8afbcafb1fd52d0575b7c031cf21a0ff74f7bbc1
Gozi
ef0d6ddb130fee72d17b1c077b332c474205897f806b16d2dd130768429b9add
Gozi
+ 475 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
banker trojan family:gozi_ifsb
Link:
https://tria.ge/reports/200629-w2cesk2t4a/
Behaviour
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
Checks whether UAC is enabled
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Gozi, Gozi IFSB
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ursnif
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory
Reference:internal research
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe 3fe5fdbdc141727dc6b70a7c8e2c7700a0eef1ee6236d7a5cb62b15c75ab9f26

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/16185/
  
URLhaus
https://urlhaus.abuse.ch/url/403149/
  
Delivery method
Distributed via web download

Comments