MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45f11d97a8ed1a9215e9c6c8d44335229e17bd63bb0a48abcc8c2a02dca241c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 45f11d97a8ed1a9215e9c6c8d44335229e17bd63bb0a48abcc8c2a02dca241c4
SHA3-384 hash: 14cd5061883ffe6a5531ea541abbcc96c9e2b515d869fc7b6650bfde0e586c1c20daf7103fab4fc3da8494b2d98e12e5
SHA1 hash: e9644e9686e3d5bc0f94099359520506722e601f
MD5 hash: 4081fd95a87905a998b314f7bb4e8b14
humanhash: whiskey-king-angel-moon
File name:SwFlsh32.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:837'824 bytes
First seen:2022-01-12 09:59:39 UTC
Last seen:2022-01-12 14:20:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6299c55186fab34c5992194e04e88327 (1 x Gozi)
ssdeep 12288:ciSPiNOWyw9WVsLhpAkmw3bmR9sIvQ2q5lJlGe+as4frkb3pDNg:cfqy9YhuHwbzIvQ5lJl0M
TLSH T19D05D79414670B20DAFDC5FAD09E9FF179743E001D3CA6F3D7E2DAE11A268A45BB4908
File icon (PE):PE icon
dhash icon b279e4d2d2f479b2 (1 x Gozi)
Reporter JAMESWT_WT
Tags:agenziaentrate exe Gozi isfb Ursnif

Intelligence

File Origin
# of uploads :
3
# of downloads :
491
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
agenzia004.zip
Verdict:
No threats detected
Analysis date:
2022-01-11 11:40:42 UTC
Tags:
loader
Link:
https://app.any.run/tasks/4d84a6fe-6ebf-4c44-8398-6db70c3bd8e1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/218663/
Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Launching a process
Searching for synchronization primitives
Сreating synchronization primitives
Creating a window
Sending an HTTP GET request
Searching for the window
Gathering data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/01b64874-c957-4351-b45d-f70551652cc2
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/919119
Signature
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 551599 Sample: SwFlsh32.exe Startdate: 12/01/2022 Architecture: WINDOWS Score: 100 67 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->67 69 Found malware configuration 2->69 71 Multi AV Scanner detection for submitted file 2->71 73 2 other signatures 2->73 7 loaddll32.exe 7 2->7         started        11 iexplore.exe 2->11         started        13 iexplore.exe 2->13         started        15 3 other processes 2->15 process3 dnsIp4 61 www.mmmmmm.casa 7->61 63 mmmmmm.casa 7->63 65 2 other IPs or domains 7->65 85 Found evasive API chain (may stop execution after checking system information) 7->85 87 Found API chain indicative of debugger detection 7->87 89 Writes or reads registry keys via WMI 7->89 91 Writes registry values via WMI 7->91 17 cmd.exe 1 7->17         started        19 regsvr32.exe 6 7->19         started        23 rundll32.exe 6 7->23         started        31 4 other processes 11->31 33 4 other processes 13->33 25 iexplore.exe 31 15->25         started        27 iexplore.exe 29 15->27         started        29 iexplore.exe 29 15->29         started        35 5 other processes 15->35 signatures5 process6 dnsIp7 37 rundll32.exe 6 17->37         started        45 2 other IPs or domains 19->45 75 Writes or reads registry keys via WMI 19->75 77 Writes registry values via WMI 19->77 47 2 other IPs or domains 23->47 79 System process connects to network (likely due to code injection or exploit) 23->79 41 mmmmmm.bar 31.41.45.66, 49764, 49765, 49766 ASRELINKRU Russian Federation 25->41 43 mmmmmm.casa 162.255.119.219, 49784, 49785, 49846 NAMECHEAP-NETUS United States 31->43 49 3 other IPs or domains 31->49 51 3 other IPs or domains 33->51 53 2 other IPs or domains 35->53 signatures8 process9 dnsIp10 55 www.mmmmmm.casa 37->55 57 mmmmmm.casa 37->57 59 2 other IPs or domains 37->59 81 System process connects to network (likely due to code injection or exploit) 37->81 83 Writes registry values via WMI 37->83 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/45f11d97a8ed1a9215e9c6c8d44335229e17bd63bb0a48abcc8c2a02dca241c4/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2022-01-11 12:21:39 UTC
File Type:
PE (Dll)
Extracted files:
34
AV detection:
14 of 43 (32.56%)
Threat level:
  5/5
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:7575 banker suricata trojan
Link:
https://tria.ge/reports/220112-l1nfdacbhr/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
Malware Config
C2 Extraction:
mmmmmm.bar
mmmmmm.casa
Unpacked files
SH256 hash:
bc400adea27bd674e98573e25f82dd2cdca09d7794445541e26abe43c4cd2020
MD5 hash:
ed142b2d7bc19a8d7d6e0b8cdf2e5b8a
SHA1 hash:
2c5d7281b881c341b29753d71f958315d0f6e253
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/7763b8f4-ce12-4dec-aedf-53d00fa6276a/
SH256 hash:
908cd4d09c066f04e02a01776d5e98c9bb5b6633e2c413403a075465a762a825
MD5 hash:
1d5984f07af497558bd9113d3a796e3b
SHA1 hash:
1f0503715ecc62b1168a3666f894861fe49090ce
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/7763b8f4-ce12-4dec-aedf-53d00fa6276a/
SH256 hash:
45f11d97a8ed1a9215e9c6c8d44335229e17bd63bb0a48abcc8c2a02dca241c4
MD5 hash:
4081fd95a87905a998b314f7bb4e8b14
SHA1 hash:
e9644e9686e3d5bc0f94099359520506722e601f
Link:
https://www.unpac.me/results/7763b8f4-ce12-4dec-aedf-53d00fa6276a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
ursnif3
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/45f11d97a8ed1a9215e9c6c8d44335229e17bd63bb0a48abcc8c2a02dca241c4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/218663/

Comments