MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 424539700d74c045f668142ca54848fde11e2859de07927130fa06a074139aee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 424539700d74c045f668142ca54848fde11e2859de07927130fa06a074139aee
SHA3-384 hash: 9edaa5d467abb7da8c7859ca60224bc4b2712c353312e512f1c3ca0b34441617a89a3cb5457da18359c5e07102059a98
SHA1 hash: 170cd375f8cec823a632db24b6efd9a9f8e32b09
MD5 hash: aba803fe6d032e51c8bc364173a19c20
humanhash: potato-zebra-purple-magazine
File name:test1.test
Download: download sample
Signature Gozi
Create hunting rule
File size:676'593 bytes
First seen:2021-10-05 14:11:43 UTC
Last seen:2021-10-05 15:19:33 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 8d2de2ae605a2294ac6efde10e33795a (2 x Gozi)
ssdeep 12288:6vWBEPfqPoo44cvquI2Pg/8wsPrcPgIDU1Iu3vEI8Vck+5gS2oQkoKeyFtseQOYc:6v5Pbo4ZgaPrOpI1IkvIVc1qDoQko/yz
TLSH T1D8E430443A54F510E6AD6972CF2AC5F907157D09EFF1B48B78E03E1F2AAE8A3D516302
Reporter ffforward
Tags:dll Gozi test tr

Intelligence

File Origin
# of uploads :
2
# of downloads :
487
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/195105/
Detection(s):
SecuriteInfo.com.ML.PE-A.6293.25401.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay
Link:
https://www.filescan.io/uploads/615c5d35b95458900cdc7a05/reports/c7090a9a-2d9c-4c4d-bedb-bb791e1cab13/overview
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6af5a22c-528e-4efa-bb9e-6563cd8c566d
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/864865
Signature
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
Sigma detected: Encoded IEX
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell run code from registry
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Uses nslookup.exe to query domains
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 497297 Sample: test1.test Startdate: 05/10/2021 Architecture: WINDOWS Score: 100 119 Sigma detected: Powershell run code from registry 2->119 121 Yara detected  Ursnif 2->121 123 Sigma detected: Encoded IEX 2->123 125 8 other signatures 2->125 9 mshta.exe 19 2->9         started        12 loaddll32.exe 1 2->12         started        15 mshta.exe 2->15         started        process3 dnsIp4 153 Suspicious powershell command line found 9->153 17 powershell.exe 31 9->17         started        113 52.97.151.66, 443, 49783 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 12->113 115 52.97.171.194, 443, 49782 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 12->115 117 7 other IPs or domains 12->117 155 Writes to foreign memory regions 12->155 157 Allocates memory in foreign processes 12->157 159 Modifies the context of a thread in another process (thread injection) 12->159 161 3 other signatures 12->161 21 control.exe 12->21         started        23 cmd.exe 1 12->23         started        25 rundll32.exe 12->25         started        29 2 other processes 12->29 27 powershell.exe 15->27         started        signatures5 process6 file7 89 C:\Users\user\AppData\...\ylqu2ykw.cmdline, UTF-8 17->89 dropped 127 Injects code into the Windows Explorer (explorer.exe) 17->127 129 Writes to foreign memory regions 17->129 131 Modifies the context of a thread in another process (thread injection) 17->131 133 Compiles code for process injection (via .Net compiler) 17->133 31 explorer.exe 17->31 injected 34 csc.exe 17->34         started        37 csc.exe 17->37         started        39 conhost.exe 17->39         started        135 Changes memory attributes in foreign processes to executable or writable 21->135 137 Allocates memory in foreign processes 21->137 41 rundll32.exe 21->41         started        43 rundll32.exe 1 23->43         started        139 System process connects to network (likely due to code injection or exploit) 25->139 141 Writes registry values via WMI 25->141 91 C:\Users\user\AppData\Local\...\jmx5ma1q.0.cs, UTF-8 27->91 dropped 143 Maps a DLL or memory area into another process 27->143 145 Creates a thread in another existing process (thread injection) 27->145 46 csc.exe 27->46         started        48 csc.exe 27->48         started        50 conhost.exe 27->50         started        signatures8 process9 dnsIp10 165 Changes memory attributes in foreign processes to executable or writable 31->165 167 Self deletion via cmd delete 31->167 169 Writes to foreign memory regions 31->169 175 5 other signatures 31->175 52 cmd.exe 31->52         started        55 cmd.exe 31->55         started        57 cmd.exe 31->57         started        69 3 other processes 31->69 93 C:\Users\user\AppData\Local\...\ylqu2ykw.dll, PE32 34->93 dropped 59 cvtres.exe 34->59         started        95 C:\Users\user\AppData\Local\...\akdpm55o.dll, PE32 37->95 dropped 61 cvtres.exe 37->61         started        101 outlook.com 40.97.161.50, 443, 49778, 49781 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 43->101 103 HHN-efz.ms-acdc.office.com 40.101.124.34, 443, 49779 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 43->103 105 6 other IPs or domains 43->105 171 System process connects to network (likely due to code injection or exploit) 43->171 63 control.exe 43->63         started        97 C:\Users\user\AppData\Local\...\uurcfkun.dll, PE32 46->97 dropped 65 cvtres.exe 46->65         started        99 C:\Users\user\AppData\Local\...\jmx5ma1q.dll, PE32 48->99 dropped 67 cvtres.exe 48->67         started        file11 173 May check the online IP address of the machine 101->173 signatures12 process13 signatures14 147 Uses ping.exe to sleep 52->147 149 Uses ping.exe to check the status of other devices and networks 52->149 151 Uses nslookup.exe to query domains 52->151 71 conhost.exe 52->71         started        73 PING.EXE 52->73         started        75 nslookup.exe 55->75         started        79 conhost.exe 55->79         started        81 conhost.exe 57->81         started        83 PING.EXE 57->83         started        85 rundll32.exe 63->85         started        87 conhost.exe 69->87         started        process15 dnsIp16 107 resolver1.opendns.com 75->107 109 myip.opendns.com 75->109 111 222.222.67.208.in-addr.arpa 75->111 163 May check the online IP address of the machine 75->163 signatures17
Detection:
gozi
Create hunting rule
Link:
https://mwdb.cert.pl/sample/424539700d74c045f668142ca54848fde11e2859de07927130fa06a074139aee/
Threat name:
Win32.Worm.Cridex
Create hunting rule
Status:
Malicious
First seen:
2021-10-05 14:12:05 UTC
AV detection:
18 of 45 (40.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ijcts4anotael5ticqwkksci7xqr4kcz3ydze4jq7idka5attlxa._file
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:2525 banker trojan
Link:
https://tria.ge/reports/211005-rhvpmahhe4/
Behaviour
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
outlook.com
zereunrtol.website
xereunrtol.website
Unpacked files
SH256 hash:
ef72cfbd00bc1ab256a90087fe1391b4c9ed8d4755ea7010dc8b7bcac895f33b
MD5 hash:
3c86773ecbe4102315c2a76478fc82e6
SHA1 hash:
a452a07d4599172fa77a6a4c251af97279e2f117
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/27bf053c-0f84-4533-93a1-278a8e399a02/
Parent samples :
424539700d74c045f668142ca54848fde11e2859de07927130fa06a074139aee
eaed947e04ed7659fbba2287e6965b2c0960035aa539b57a9f9e15504a01ca0a
SH256 hash:
7e375b6280eb5a10abb342c3ea6267f2aaebb2cc7450cde928aae17deb93b7b6
MD5 hash:
7c92674795c994f4c9c58bdb500b06f8
SHA1 hash:
020ad0dc10e7bf1cfb155f2c3cd022d4870f25e1
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/27bf053c-0f84-4533-93a1-278a8e399a02/
SH256 hash:
424539700d74c045f668142ca54848fde11e2859de07927130fa06a074139aee
MD5 hash:
aba803fe6d032e51c8bc364173a19c20
SHA1 hash:
170cd375f8cec823a632db24b6efd9a9f8e32b09
Link:
https://www.unpac.me/results/27bf053c-0f84-4533-93a1-278a8e399a02/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/424539700d74c045f668142ca54848fde11e2859de07927130fa06a074139aee

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

DLL dll 424539700d74c045f668142ca54848fde11e2859de07927130fa06a074139aee

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/195105/

Comments