MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 459ae352ddf8d4b69efbad05bba5b03d2a54d810407ec3f85b42b7175af90689. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 459ae352ddf8d4b69efbad05bba5b03d2a54d810407ec3f85b42b7175af90689
SHA3-384 hash: 2d2252592c16751cdee7cc1dff97a1fc2ff0e5fc600c47648aa48b8d3d202b15a2b831fb292e05a94068b0498216c965
SHA1 hash: e17e7a040683629dea57be04d2a08a5ce0c04b6c
MD5 hash: 021d3147fa2f3736c19e070ace19c6ba
humanhash: cold-hot-princess-muppet
File name:e970000.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:232'960 bytes
First seen:2022-09-06 10:15:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 3072:m5hinZgCo+NjJWSsznC2OCyzjFIz4V1T/JDR1vFBB78C752cjyv5e:m+nZ1o+NJWbn2CMFIzSTRDR1vFR5a
Threatray 73 similar samples on MalwareBazaar
TLSH T1BE345B9AA3E51999DD6BC6B5C953D227EBF374092B14C30F53B0CAA66F47722B11C302
TrID 28.8% (.EXE) DOS Executable Borland Pascal 7.0x (2035/25)
28.3% (.EXE) Generic Win/DOS Executable (2002/3)
28.3% (.EXE) DOS Executable Generic (2000/1)
14.2% (.SCORE) Music Craft Score (1007/6)
0.2% (.DBF) Sybase iAnywhere database files (19/3)
Reporter 0x746f6d6669
Tags:exe Gozi

Intelligence

File Origin
# of uploads :
1
# of downloads :
329
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e970000.dll
Verdict:
No threats detected
Analysis date:
2022-09-06 10:16:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/802d23dc-6cf7-451f-b110-be56e189bf4b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/308143/
Detection(s):
Win.Malware.Ursnif-9884005-0
Create hunting rule

Win.Malware.Ursnif-9886559-0
Create hunting rule

Win.Malware.Ursnif-9892796-0
Create hunting rule

Win.Malware.Ursnif-9896448-0
Create hunting rule

Win.Malware.Ursnif-9917123-0
Create hunting rule

Win.Malware.Ursnif-9937854-0
Create hunting rule

Win.Malware.GoziISFB-9940853-1
Create hunting rule

SecuriteInfo.com.Generic.Ursnif.3.1.1CADF70D.17341.21393.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/63171de66d3aa102b9afb1e4/reports/793c7089-0a5c-4902-8584-9b584e09f2fc/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/49e12738-d562-429c-b22d-a83e1c3a2cf0
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1065550
Signature
Antivirus / Scanner detection for submitted sample
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 698076 Sample: e970000.dll.exe Startdate: 06/09/2022 Architecture: WINDOWS Score: 56 15 Antivirus / Scanner detection for submitted sample 2->15 17 Yara detected  Ursnif 2->17 7 loaddll64.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 rundll32.exe 7->11         started        process5 13 rundll32.exe 9->13         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/459ae352ddf8d4b69efbad05bba5b03d2a54d810407ec3f85b42b7175af90689/
Threat name:
Win64.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2022-09-06 10:16:09 UTC
File Type:
PE+ (Dll)
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iwnoguw57dklnhx3vuc3xjnqhuvfjwaqib7mh6c3ik3rowxza2eq._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
488925a89527506e1e40d24e0599e758bcf44bdd788f9da852823c27898d164e
Gozi
54eed1d4eb8679e67541c1102e743a1d636b90860bdea3ace0e9fd7a2d4309ee
Gozi
59aeca8691ad3ddf1ad2217938f543821179ba1bdb7190e50c3df8605314b549
Gozi
86b1f0e8e8d97005fb1d6671fbd424a8296762c4023f03365d04897b87b75cca
Gozi
8c37fb14f34e6633008e6ef4e3a37265c61c367783cb7f4a6666608011eeed3b
Gozi
d622b3fa4d9db13eda3872919fef4285547af86ed38f6b51afeb412535b25003
Gozi
daa3e551c98f62aa1a278205be361a4bf5b193f1540527ff2ceec0b1e3612f38
Gozi
+ 63 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:3000
Link:
https://tria.ge/reports/220906-massvabbf4/
Malware Config
C2 Extraction:
superliner.top
superlinez.top
internetlined.com
internetlines.in
medialists.su
medialists.ru
mediawagi.info
mediawagi.ru
5.42.199.83
denterdrigx.com
digserchx.at
Unpacked files
SH256 hash:
459ae352ddf8d4b69efbad05bba5b03d2a54d810407ec3f85b42b7175af90689
MD5 hash:
021d3147fa2f3736c19e070ace19c6ba
SHA1 hash:
e17e7a040683629dea57be04d2a08a5ce0c04b6c
Link:
https://www.unpac.me/results/e81f5133-da0a-40a5-9e8c-e300fb190818/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/459ae352ddf8d4b69efbad05bba5b03d2a54d810407ec3f85b42b7175af90689

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/308143/

Comments