MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41c0934ba1be030dbae45893107f6a2ae5f99c79d7634626263cdf809f7556ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 41c0934ba1be030dbae45893107f6a2ae5f99c79d7634626263cdf809f7556ee
SHA3-384 hash: e047ded117bc53bf7730f314e0aede8c9524557bd2be0f5917d730982a3a6aa05add72b92dc9f4069880e48eee500643
SHA1 hash: f2c7b0735343081be06e48616d0fc14235a28744
MD5 hash: 9e67e68ddbedba865b91b5469ab642ef
humanhash: fix-robert-crazy-blossom
File name:616412739e268.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:718'336 bytes
First seen:2021-10-11 10:33:28 UTC
Last seen:2021-10-11 12:04:32 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash b5c6badd398e2e3aa283a40a40432c6c (3 x Gozi)
ssdeep 12288:aUAQSxl6fDEr8Np6b/rPPsjosrS9aEoe+0JCym+4YJAOSVUNcuHIGF4uW/XrGAsV:az3xl6fq8Np6bTPPaBreaZlYCOSVol2a
TLSH T14EE47D013980C032E6EE11768E35CAF5476C7C209B7099DFB7D47A2F6F795E2A229316
Reporter JAMESWT_WT
Tags:brt dll Gozi isfb Ursnif

Intelligence

File Origin
# of uploads :
2
# of downloads :
834
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/196578/
Detection(s):
SecuriteInfo.com.Suspicious.Win32.Save.a.20044.27122.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/6164131b3831960005b41da9/reports/0f4ec35d-c576-4c76-a4e5-3cfbd7e5529b/overview
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/867984
Signature
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 500413 Sample: 616412739e268.dll Startdate: 12/10/2021 Architecture: WINDOWS Score: 96 31 outlook.com 2->31 47 Multi AV Scanner detection for domain / URL 2->47 49 Found malware configuration 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 Yara detected  Ursnif 2->53 8 loaddll32.exe 1 2->8         started        signatures3 process4 dnsIp5 41 breuranel.website 8->41 43 areuranel.website 8->43 45 11 other IPs or domains 8->45 57 Writes or reads registry keys via WMI 8->57 59 Writes registry values via WMI 8->59 12 rundll32.exe 8->12         started        15 cmd.exe 1 8->15         started        17 rundll32.exe 8->17         started        19 rundll32.exe 8->19         started        signatures6 process7 signatures8 61 System process connects to network (likely due to code injection or exploit) 12->61 63 Writes registry values via WMI 12->63 21 WerFault.exe 23 9 12->21         started        23 rundll32.exe 15->23         started        27 WerFault.exe 9 17->27         started        29 WerFault.exe 2 9 19->29         started        process9 dnsIp10 33 40.97.153.146, 443, 49809, 49860 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 23->33 35 52.97.137.210, 443, 49811 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 23->35 39 11 other IPs or domains 23->39 55 System process connects to network (likely due to code injection or exploit) 23->55 37 192.168.2.1 unknown unknown 27->37 signatures11
Detection:
gozi
Create hunting rule
Link:
https://mwdb.cert.pl/sample/41c0934ba1be030dbae45893107f6a2ae5f99c79d7634626263cdf809f7556ee/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2021-10-11 10:34:04 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ihajgs5bxybq3oxelcjra73kfls7thdz25rumjrghtpybh3vk3xa._file
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:8899 banker trojan
Link:
https://tria.ge/reports/211011-ml4dqaghel/
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
msn.com/mail
breuranel.website
outlook.com/signup
areuranel.website
Unpacked files
SH256 hash:
cb10daa9771147e4fd240d5362907e9c747ead1000fbc68a56fa7dfdbf503413
MD5 hash:
4b685bc32ac83608f71965573ab560df
SHA1 hash:
31cab28fbc460bafe5306ce9ae86e094b07c92d3
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/b2aa0141-6ce6-411d-92c6-cd5fd990407d/
Parent samples :
41c0934ba1be030dbae45893107f6a2ae5f99c79d7634626263cdf809f7556ee
1be687a0453f23ea53b94a4447c926a9b4b6e01c2788e641b76eb4a5215bd960
b601a3c9c3a3df9043ea82733f1da5b413207d7585ca6b18baa8a4d923ce92d8
47715e425398283d53019c270311ad0c709f660048d2f884d5116d80b983743f
SH256 hash:
79774c0f36eda9f327020921f137e7d6330efb61bcc9bf2c834347c4bfcfdca8
MD5 hash:
fe0027f2571a24f2b97e5cf40b5ca349
SHA1 hash:
5d141698f5bb1e21d8741d72c988a2419acfcba4
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/b2aa0141-6ce6-411d-92c6-cd5fd990407d/
SH256 hash:
41c0934ba1be030dbae45893107f6a2ae5f99c79d7634626263cdf809f7556ee
MD5 hash:
9e67e68ddbedba865b91b5469ab642ef
SHA1 hash:
f2c7b0735343081be06e48616d0fc14235a28744
Link:
https://www.unpac.me/results/b2aa0141-6ce6-411d-92c6-cd5fd990407d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/41c0934ba1be030dbae45893107f6a2ae5f99c79d7634626263cdf809f7556ee

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/196578/

Comments