MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 46eeef418745fe61c1c5bdf6f828339a5cabc45215fe961a9ce235360dc65f3a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 46eeef418745fe61c1c5bdf6f828339a5cabc45215fe961a9ce235360dc65f3a
SHA3-384 hash: 37732e1ce11f308263b8f20083184f3b571a9b5d59cfcf0341f31aec68cd370f9871a6a1ef13de61ffe0daae0ac8ac0e
SHA1 hash: 16d61d8d7ffaaeae98e16163bdda583dd225f903
MD5 hash: ee9dc90235dfc1cc0b4ab0775daaaff4
humanhash: hawaii-early-apart-stairway
File name:ee9dc90235dfc1cc0b4ab0775daaaff4.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:367'878 bytes
First seen:2021-03-30 07:02:26 UTC
Last seen:2021-03-30 08:01:14 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 77af713b1f2916ea138f9bb7258cf849 (5 x Gozi)
ssdeep 1536:bepG5ACCny8GenidAHcz92ZIx9FxIl+YkSVoZlP1usBVEwnoxJashnXcX:36lGeExx9FmSSkfBt8
Threatray 197 similar samples on MalwareBazaar
TLSH 3F74AE053BB0C5D9D2A521B44ECD8EA4E924FCAA1F20D21372D975DCBDF9F89262D381
Reporter abuse_ch
Tags:dll Gozi isfb Ursnif

Intelligence

File Origin
# of uploads :
2
# of downloads :
277
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ursnif3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/127921/
Detection(s):
SecuriteInfo.com.Trojan.Gozi.796.1290.28386.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Sending an HTTP GET request
Creating a file
Deleting a recently created file
Searching for the window
Sending a custom TCP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/658061
Signature
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 377960 Sample: OJR5vOaKEw.dll Startdate: 30/03/2021 Architecture: WINDOWS Score: 84 32 paralikulat.website 2->32 44 Found malware configuration 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 Yara detected  Ursnif 2->48 50 2 other signatures 2->50 9 loaddll32.exe 1 2->9         started        signatures3 process4 process5 11 cmd.exe 1 9->11         started        13 regsvr32.exe 9->13         started        16 cmd.exe 1 9->16         started        signatures6 18 iexplore.exe 2 76 11->18         started        54 Writes or reads registry keys via WMI 13->54 56 Writes registry values via WMI 13->56 20 rundll32.exe 16->20         started        process7 signatures8 23 iexplore.exe 18->23         started        26 iexplore.exe 18->26         started        28 iexplore.exe 18->28         started        30 6 other processes 18->30 52 Writes registry values via WMI 20->52 process9 dnsIp10 34 fdjjasdoeoriefjd.live 82.118.22.245, 80 GREENFLOID-ASUA Ukraine 26->34 36 paralikulat.website 45.90.58.162, 80 GREENFLOID-ASUA Bulgaria 28->36 38 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49725, 49726 FASTLYUS United States 30->38 40 geolocation.onetrust.com 104.20.185.68, 443, 49712, 49713 CLOUDFLARENETUS United States 30->40 42 12 other IPs or domains 30->42
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/46eeef418745fe61c1c5bdf6f828339a5cabc45215fe961a9ce235360dc65f3a/
Threat name:
Win32.Trojan.Bsymem
Create hunting rule
Status:
Malicious
First seen:
2021-03-30 07:03:06 UTC
AV detection:
15 of 48 (31.25%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i3xo6qmhix7gdqofxx3pqkbttjokxrcscx7jmgu44i2tmdogl45a._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237
Gozi
128674ced35bebfc9dd171633b6570b3c127d89af1ed01f86db8dfc6999450b0
Gozi
2669050ec7f2d8f1def908e09030bc6a0fafcff4ed60c9254f40425a6fb1f887
Gozi
2b008fe5818667b064573889db6500c245bddeb65c37facd260fea09e9801eae
Gozi
312a9a4de6d94deacc421063457c830453499c5848ec6c0aefc388c530cfb8f3
Gozi
35375028a2cc4876b5a8476876ad75a037b8c4e303589ce6e9d9c61aaba9f74c
Gozi
472c6d7282d5ad1ea6b8aa3e66fd0b42c1ccf6086a33e16cbab93f423203e4d4
Gozi
802033992634317b28a736038b41e264727819a1fd76770e28dd5931779a8833
Gozi
cecc7c45b526be846e68a05775a05ec1809342b0dc225fd4335ae252e07cd200
Gozi
ebb7be9831bb93c4dbb72057ce647791ee53f37a680443793d67cc6a0d9bbf5e
Gozi
+ 187 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:5566 banker trojan
Link:
https://tria.ge/reports/210330-q4p96srdqe/
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
bing.com
update4.microsoft.com
fdjjasdoeoriefjd.live
paralikulat.website
Unpacked files
SH256 hash:
220f635b3a747e133170eb0dbf2c63c91646b460f4315498a31a176498ca215b
MD5 hash:
4df4258bb725b92568e441970439dff5
SHA1 hash:
8673bd2ab0eb5e60a787c0b75c5b6baeda4cec91
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/787f9b6f-4035-4f48-95f5-868be5de0b39/
Parent samples :
5833c87bcb55898337f74a84402e525cab70a611276e3e2faa9e880ff4059ba3
632532e4c584dbacddc365e46d2ce8b219f1f6433ac8dc6d51dc7a29a1a36d35
a67282c6f37a82765eeadefaf4245a2dacba3f6def9c5bf8460e01e38cfff70c
312a9a4de6d94deacc421063457c830453499c5848ec6c0aefc388c530cfb8f3
46eeef418745fe61c1c5bdf6f828339a5cabc45215fe961a9ce235360dc65f3a
2669050ec7f2d8f1def908e09030bc6a0fafcff4ed60c9254f40425a6fb1f887
SH256 hash:
46eeef418745fe61c1c5bdf6f828339a5cabc45215fe961a9ce235360dc65f3a
MD5 hash:
ee9dc90235dfc1cc0b4ab0775daaaff4
SHA1 hash:
16d61d8d7ffaaeae98e16163bdda583dd225f903
Link:
https://www.unpac.me/results/787f9b6f-4035-4f48-95f5-868be5de0b39/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
ursnif3
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/46eeef418745fe61c1c5bdf6f828339a5cabc45215fe961a9ce235360dc65f3a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ursnif3
Create hunting rule
Author:kevoreilly
Description:Ursnif Payload
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

DLL dll 46eeef418745fe61c1c5bdf6f828339a5cabc45215fe961a9ce235360dc65f3a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1098497/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/127921/

Comments