MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41ae907a2bb73794bb2cff40b429e62305847a3e1a95f188b596f1cf925c4547. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gozi


Vendor detections: 9



SHA256 hash: 41ae907a2bb73794bb2cff40b429e62305847a3e1a95f188b596f1cf925c4547
SHA3-384 hash: e86ee1226bd634b6bec8de4baa563f0b5c9e3479bec92f126d005a5a146fc3602ff81ef267e214a296cb78e269abb099
SHA1 hash: aae939cf3995905399e427097fc90c5b62f3d4c3
MD5 hash: 55ab2f304f8c2da30aeee7713a95064d
humanhash: edward-kentucky-diet-speaker
File name: crypted_loader_dll_64Donat_5.dll
Signature: Gozi
File size: 155'136 bytes
First seen: 2022-04-07 14:55:44 UTC
Last seen: 2022-04-07 15:39:51 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash: 69bb86c7d208b22cb0fcb7f481426a22 (1 x Gozi)
ssdeep: 3072:xjlZnD8LD6YNUpFJ2RxuxfPBlJwrD7NhqAPDotppOvUi7afevVlsEbrcNXT:FnYLDm/kRExf5jwH7NhqoDM/2Uii6DVc
Threatray: 13'144 similar samples on MalwareBazaar
TLSH: T16AE38BB13A01A895C0ED417AFD859CC9377763B688C5DBCAE0647EE60EA3253DEE5403
Reporter: pr0xylife
Tags: dll Gozi gozi rm3

Intelligence


File Origin
Number of uploads:
2
Number of downloads:
456
Origin country:
n/a
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Launching a process
Searching for synchronization primitives
Creating a window
DNS request
Sending an HTTP GET request
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
wacatac
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Encrypted powershell cmdline option found
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sets debug register (to hijack the execution of another thread)
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Encoded FromBase64String
Sigma detected: Regsvr32 Network Activity
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Parameter Substring
System process connects to network (likely due to code injection or exploit)
Uses known network protocols on non-standard ports
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph:
Behavior Graph ID: 604981
Sample: crypted_loader_dll_64Donat_5.dll
Start date: 07/04/2022
Architecture: WINDOWS
Score: 100

Process tree (reconstructed from the behavior graph; indentation shows parent/child, network and file nodes are listed under the process that produced them):
crypted_loader_dll_64Donat_5.dll (sample)
  signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected Ursnif; 13 other signatures
  loaddll32.exe (started)
    regsvr32.exe (started)
      signatures: System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation; Injects code into the Windows Explorer (explorer.exe); 4 other signatures
      explorer.exe (injected)
        network: 160.119.249.240, ports 49808, 49819, 49820 (xneeloZA, South Africa); 125.212.217.197, ports 49861, 49924, 49927 (VIETEL-AS-APViettelGroupVN, Viet Nam); 54 other IPs or domains
        signatures: System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation; Changes memory attributes in foreign processes to executable or writable; Maps a DLL or memory area into another process
    cmd.exe (started)
      rundll32.exe (started)
        WerFault.exe (started)
          network: 192.168.2.1 (unknown)
    rundll32.exe (started)
      WerFault.exe (started)
    2 other processes
      WerFault.exe (started)
      WerFault.exe (started)
  cmd.exe (started)
    signatures: Encrypted powershell cmdline option found
    forfiles.exe (started)
      cmd.exe (started)
        signatures: Encrypted powershell cmdline option found
        powershell.exe (started)
          dropped: C:\Users\user\AppData\Local\...\jusgg51c.0.cs (C++)
          signatures: Encrypted powershell cmdline option found; Injects code into the Windows Explorer (explorer.exe); Sets debug register (to hijack the execution of another thread); 3 other signatures
          csc.exe (started)
            dropped: C:\Users\user\AppData\Local\...\esxuoqkw.dll (PE32)
            cvtres.exe (started)
          csc.exe (started)
            dropped: C:\Users\user\AppData\Local\...\jusgg51c.dll (PE32)
            cvtres.exe (started)
          powershell.exe (started)
          powershell.exe (started)
      conhost.exe (started)
    conhost.exe (started)
  iexplore.exe (started)
    iexplore.exe (started)
      network: personvil.xyz 77.75.230.49, ports 443, 49738, 49739 (BRIGHTBOX-ASGB, Spain)
    iexplore.exe (started)
    iexplore.exe (started)
Threat name:
Win32.Infostealer.Gozi
Status:
Malicious
First seen:
2022-04-07 14:56:08 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
18 of 26 (69.23%)
Threat level:
5/5
Result
Malware family:
gozi_rm3
Score:
10/10
Tags:
family:gozi_rm3 banker trojan
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Uses Tor communications
Gozi RM3
Unpacked files
SHA256 hash:
41ae907a2bb73794bb2cff40b429e62305847a3e1a95f188b596f1cf925c4547
MD5 hash:
55ab2f304f8c2da30aeee7713a95064d
SHA1 hash:
aae939cf3995905399e427097fc90c5b62f3d4c3
Malware family:
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: win_isfb_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.isfb.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Gozi
File: DLL dll 41ae907a2bb73794bb2cff40b429e62305847a3e1a95f188b596f1cf925c4547 (this sample)

Delivery method
Distributed via web download
