MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 413cf6a694eef7a4f1725a11938f1ab2df1957bfb3bf20cf6a47017bebbad2a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi
Vendor detections: 16

SHA256 hash: 413cf6a694eef7a4f1725a11938f1ab2df1957bfb3bf20cf6a47017bebbad2a9
SHA3-384 hash: 2ba4c7bc683df27a04f69584bb1038c1fd10bc5b5bd11e8cd74b33d0e2669136fda9250fe3f457cac37855dafcff9d81
SHA1 hash: aa9197b154d0cf0ae1867e2b7befe56030c8609f
MD5 hash: 798d5713512b5cb6228138ceea7c8066
humanhash: alpha-london-sodium-louisiana
File name: ursnif_unpacked.bin
Signature: Gozi
File size: 44'544 bytes
First seen: 2023-12-20 09:50:43 UTC
Last seen: Never
File type: DLL
MIME type: application/x-dosexec
imphash: 0d41e840891676bdaee3e54973cf5a69 (1 x Gozi)
ssdeep: 768:nmEpMZSMa44sl1paFt5XJ2Wt8W2rsbdcOJNm17g40NxWhTL:njMZSJ44Nt5XJ2WuWCWcOJM17YCTL
TLSH: T179136E41F5F94CF2C3E34EB0A665FBF457F9863122685091AF23A9C91A70953E53D20B
TrID:
  30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
  18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
  12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
  5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: Viuleeenz
Tags: April 2022, dll, Gozi, unpacked, Ursnif

Intelligence

File Origin
# of uploads: 1
# of downloads: 423
Origin country: IT
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: crypto, gozi, greyware, lolbin, masquerade, packed, razy, shell32, ursnif
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj
Score: 84 / 100
Signature
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Behaviour
Behavior Graph (ID 1364990): sample ursnif_unpacked.bin.dll, start date 20/12/2023, architecture WINDOWS, score 84. Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 2 other signatures. Process tree: loaddll32.exe started cmd.exe and conhost.exe; cmd.exe started rundll32.exe.
Threat name: Win32.Trojan.Gozi
Status: Malicious
First seen: 2023-01-13 15:00:13 UTC
File Type: PE (Dll)
AV detection: 25 of 36 (69.44%)
Threat level: 5/5
Verdict: malicious
Label(s):
Result
Malware family:
Score: 10/10
Tags: family:gozi, botnet:3000, isfb
Behaviour
Suspicious use of WriteProcessMemory
Malware Config
C2 Extraction:
config.edge.skype.com
185.189.151.28
185.189.151.70
Unpacked files
SHA256 hash: 413cf6a694eef7a4f1725a11938f1ab2df1957bfb3bf20cf6a47017bebbad2a9
MD5 hash: 798d5713512b5cb6228138ceea7c8066
SHA1 hash: aa9197b154d0cf0ae1867e2b7befe56030c8609f
Detections: ISFB_Main, win_isfb_auto
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.