MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 410eb4b06644f073370230650fe0624ce5dc6e18481b2e85930865a5a3984160. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 410eb4b06644f073370230650fe0624ce5dc6e18481b2e85930865a5a3984160
SHA3-384 hash: 4a2efe9c0178b98647b502d17622639819f1fe03c9f892310aa895c83da109838227755a42efab6530b644a0d40fb9a9
SHA1 hash: 514c1aa17bb07dff3d56dfe9a2f4942d45dc1b85
MD5 hash: 4a6e16d9cdefd1b6a6d4540fcfbf64b2
humanhash: vegan-october-quiet-failed
File name:readme.txt
Download: download sample
Signature Gozi
Create hunting rule
File size:405'776 bytes
First seen:2022-02-16 07:55:40 UTC
Last seen:2022-02-16 09:16:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e9f049071bc7b0477e53aeae95ff46b1 (1 x Gozi)
ssdeep 12288:1fvmTPfvmTjnnmVl8fvmTZefvmToDKaiMVNuVcT:1f+rf+ql8f+sf+DWNuVcT
Threatray 418 similar samples on MalwareBazaar
TLSH T10D84F16169CC717FEAD3797BE20AEDF6180ACC04E199A2C773A34A5DC49DE870D44B42
Reporter ffforward
Tags:dll exe Gozi ministerodellasalute

Intelligence

File Origin
# of uploads :
2
# of downloads :
286
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
111.dll
Verdict:
No threats detected
Analysis date:
2022-02-16 14:16:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a29466e9-9485-4c6e-a49d-c11a2b0641af

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/241823/
Detection(s):
SecuriteInfo.com.UntrustedCertificate.iObit-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Launching a process
Searching for synchronization primitives
Сreating synchronization primitives
Creating a window
DNS request
Sending an HTTP GET request
Searching for the window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/620cae1ba2660f3bb9e38392/reports/81e516da-1894-4ef6-90e2-65744af8e48c/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/940627
Signature
Antivirus detection for URL or domain
Detected potential unwanted application
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Regsvr32 Network Activity
Sigma detected: Suspicious Call by Ordinal
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 573105 Sample: readme.txt Startdate: 16/02/2022 Architecture: WINDOWS Score: 100 57 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->57 59 Multi AV Scanner detection for domain / URL 2->59 61 Found malware configuration 2->61 63 6 other signatures 2->63 7 loaddll32.exe 7 2->7         started        11 iexplore.exe 1 58 2->11         started        13 iexplore.exe 2->13         started        15 2 other processes 2->15 process3 dnsIp4 55 servicelines.space 7->55 75 Found evasive API chain (may stop execution after checking system information) 7->75 77 Found API chain indicative of debugger detection 7->77 79 Writes or reads registry keys via WMI 7->79 81 Writes registry values via WMI 7->81 17 cmd.exe 1 7->17         started        19 regsvr32.exe 6 7->19         started        23 rundll32.exe 6 7->23         started        25 iexplore.exe 31 11->25         started        27 iexplore.exe 30 11->27         started        29 iexplore.exe 31 11->29         started        31 iexplore.exe 29 11->31         started        33 4 other processes 13->33 35 8 other processes 15->35 signatures5 process6 dnsIp7 37 rundll32.exe 6 17->37         started        41 servicelines.space 19->41 65 Writes or reads registry keys via WMI 19->65 67 Writes registry values via WMI 19->67 43 servicelines.space 23->43 69 System process connects to network (likely due to code injection or exploit) 23->69 45 servicelines.top 31.41.46.120, 49772, 49773, 49774 ASRELINKRU Russian Federation 25->45 47 192.168.2.1 unknown unknown 29->47 49 linkspremium.ru 31.41.44.3, 80 ASRELINKRU Russian Federation 33->49 51 premiumlists.ru 45.128.184.132, 49855, 49856, 49865 MGNHOST-ASRU Russian Federation 35->51 signatures8 process9 dnsIp10 53 servicelines.space 62.173.145.14, 80 SPACENET-ASInternetServiceProviderRU Russian Federation 37->53 71 System process connects to network (likely due to code injection or exploit) 37->71 73 Writes registry values via WMI 37->73 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/410eb4b06644f073370230650fe0624ce5dc6e18481b2e85930865a5a3984160/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2022-02-16 07:56:14 UTC
File Type:
PE (Dll)
AV detection:
19 of 27 (70.37%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
210943dc00e09514fe7d9a433596e78a21d7eb3bf3537b7e8327b985c8ad7d4d
Gozi
2603f6890e3c3d47696b37c47516ac2e9f35e6805653f467a0a22de2b88defc8
Gozi
28a4d1a4952661364f6f61d18f815dc9cdc9747e8ae014c4ba035145af26f04c
Gozi
4eae1c5ebdb7b2021913b37477077bde0177579b6f8d43a49bd8a202b45657f4
Gozi
6a455667f74c818d5e20a83af8ba5eb8022b1714ceb9302c2b7f7f4ea1a141c9
Gozi
852f3d58b0bce11b1ab5017d215b9d805f02ac8e932a39558c75f2166dd7d488
Gozi
a5540f6dd0f7761dd3f7e52f5e1d25332b99d95cccf63401d202406160948750
Gozi
aef8910dddfc1c5c009db13160c82aae5af66692effb41469c6490e774a420e3
Gozi
eb44943385bba67eff81794d2f5667817a6761f13775149c615a543c0e78186c
Gozi
+ 408 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:7614 banker trojan
Link:
https://tria.ge/reports/220216-jsp8wsbdf4/
Behaviour
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
servicelines.top
servicelines.space
linkspremium.ru
premiumlists.ru
Unpacked files
SH256 hash:
cdd33fc5f9a41f530ddd64d88b90eb03a99d0e2dca38c12a0e310b1b22f90f4c
MD5 hash:
eff039d424bccc20e85c3c86873aabd4
SHA1 hash:
f997d27dc45f81088820b610012dd7b284167290
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/fb8ac791-3116-4c54-8724-f4955deaff90/
SH256 hash:
0e2b49b4f363ece924b58b7a2c37839091213eabc9011d30d37aa9eb300a3411
MD5 hash:
5d10a4c9aaa657d129252a5ae22695ab
SHA1 hash:
21619c95b2437c03c28c4481fa8b9ae6567f1972
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/fb8ac791-3116-4c54-8724-f4955deaff90/
SH256 hash:
410eb4b06644f073370230650fe0624ce5dc6e18481b2e85930865a5a3984160
MD5 hash:
4a6e16d9cdefd1b6a6d4540fcfbf64b2
SHA1 hash:
514c1aa17bb07dff3d56dfe9a2f4942d45dc1b85
Link:
https://www.unpac.me/results/fb8ac791-3116-4c54-8724-f4955deaff90/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/410eb4b06644f073370230650fe0624ce5dc6e18481b2e85930865a5a3984160

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe 410eb4b06644f073370230650fe0624ce5dc6e18481b2e85930865a5a3984160

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2045049/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2045048/
Cape
Cape
https://www.capesandbox.com/analysis/241823/

Comments