MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47715e425398283d53019c270311ad0c709f660048d2f884d5116d80b983743f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 47715e425398283d53019c270311ad0c709f660048d2f884d5116d80b983743f
SHA3-384 hash: 76be9feae7885428e37238df922699ad9f5e411cb521a5aafc3f28f313a477f65d40fe3c0b982de0a40c4b4713ddff6d
SHA1 hash: 3ef84847fceb31b8814c12c94c57c72a5281d6f5
MD5 hash: c4c060ec6b1e42d70972d0af66a04e66
humanhash: white-harry-kansas-hamper
File name:c4c060ec6b1e42d70972d0af66a04e66.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:718'336 bytes
First seen:2021-10-11 13:59:19 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 8acc1c3be9064cb55c8e3d7147f3d7c3 (1 x Gozi)
ssdeep 12288:QUAQSxT6fDEr8Np6b/rPPsjosrS9aEoe+0JCym+4YJAOSVUNcuHIGF4uW/XPGAsx:Qz3xT6fq8Np6bTPPaBreaZlYCOSVolam
Threatray 311 similar samples on MalwareBazaar
TLSH T1E7E47D013980C032E6EE11768E35CAF5476C7C209B7099DFB7D47A2F6F795E2A229316
Reporter abuse_ch
Tags:brt dll geo Gozi isfb ITA Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
862
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/196650/
Detection(s):
SecuriteInfo.com.Trojan.Gozi.835.5504.12376.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/61644367fd35fe780c38221c/reports/483ec131-2009-4e5b-9bb2-c9c17a9da83e/overview
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/468d3b31-8c71-439a-aa94-080f3dab0610
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/867871
Signature
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 500299 Sample: B6VQd36tt6.dll Startdate: 11/10/2021 Architecture: WINDOWS Score: 96 44 Multi AV Scanner detection for domain / URL 2->44 46 Found malware configuration 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 Yara detected  Ursnif 2->50 7 loaddll32.exe 1 2->7         started        process3 dnsIp4 38 breuranel.website 7->38 40 areuranel.website 7->40 42 11 other IPs or domains 7->42 54 Writes or reads registry keys via WMI 7->54 56 Writes registry values via WMI 7->56 11 rundll32.exe 7->11         started        14 cmd.exe 1 7->14         started        16 rundll32.exe 7->16         started        18 rundll32.exe 7->18         started        signatures5 process6 signatures7 58 System process connects to network (likely due to code injection or exploit) 11->58 60 Writes registry values via WMI 11->60 20 WerFault.exe 27 10 11->20         started        22 rundll32.exe 14->22         started        26 WerFault.exe 2 9 16->26         started        28 WerFault.exe 9 18->28         started        process8 dnsIp9 30 52.97.137.178, 443, 49837 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 22->30 32 52.97.183.162, 443, 49764, 49767 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 22->32 36 11 other IPs or domains 22->36 52 System process connects to network (likely due to code injection or exploit) 22->52 34 192.168.2.1 unknown unknown 26->34 signatures10
Detection:
gozi
Create hunting rule
Link:
https://mwdb.cert.pl/sample/47715e425398283d53019c270311ad0c709f660048d2f884d5116d80b983743f/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2021-10-11 14:06:16 UTC
AV detection:
18 of 44 (40.91%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=i5yv4qsttaud2uybtqtqgennbryj6zqajdjprbgvcfwybomdoq7q._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
18aeff30ba057010d7970ee026856ba163eece1adfaa8adf2bfb08bcad3186dc
Gozi
22cf76937043b616cb4c67bec58e329fecc91015329799f7b85abda1b2f6fde2
Gozi
304200fb6fd71dc1fd035c1c202a7e7ba4b2679d14592676322b2e550c7223d3
Gozi
37811565805d0410d1f88f67d722b4d51f3279421566878cf9382f57ab4b81b0
Gozi
3dd13a7ac7e2249f933efe211a4eb64dce0c13811da83e7c41f11c28d3aeac03
Gozi
5a51457b8015e4f9db5a7f257d664dafcbbd8fcc278f9da68c94e2daf425b3a3
Gozi
b601a3c9c3a3df9043ea82733f1da5b413207d7585ca6b18baa8a4d923ce92d8
Gozi
f09569b61b068a70e2570e2df7bd6ee6c288f8ccc4bd03ceabdf3fb6893261d1
Gozi
f9fd7b6794b5579f64c034d1cfd0adbc5c4c5ef433d0e9f2b6ff95d58d3d7201
Gozi
fed0ceb220d653d828440b9858d7cddce0a38afaf368f3dede8c1a9942a9cfac
Gozi
+ 301 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:8899 banker trojan
Link:
https://tria.ge/reports/211011-ra1wnshdd3/
Behaviour
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
msn.com/mail
breuranel.website
outlook.com/signup
areuranel.website
Unpacked files
SH256 hash:
cb10daa9771147e4fd240d5362907e9c747ead1000fbc68a56fa7dfdbf503413
MD5 hash:
4b685bc32ac83608f71965573ab560df
SHA1 hash:
31cab28fbc460bafe5306ce9ae86e094b07c92d3
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/f11e0ace-5a3f-49f2-9121-7aa114e7257e/
Parent samples :
41c0934ba1be030dbae45893107f6a2ae5f99c79d7634626263cdf809f7556ee
1be687a0453f23ea53b94a4447c926a9b4b6e01c2788e641b76eb4a5215bd960
b601a3c9c3a3df9043ea82733f1da5b413207d7585ca6b18baa8a4d923ce92d8
47715e425398283d53019c270311ad0c709f660048d2f884d5116d80b983743f
SH256 hash:
378b5e645779e8e65295b6eb562d238262be1268d991d14efada261155adc46a
MD5 hash:
22f08a0c7cb8ddac197fa947e4182c04
SHA1 hash:
a7ea63ced61d152ec9131276ef1515ef962cf1a2
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/f11e0ace-5a3f-49f2-9121-7aa114e7257e/
SH256 hash:
47715e425398283d53019c270311ad0c709f660048d2f884d5116d80b983743f
MD5 hash:
c4c060ec6b1e42d70972d0af66a04e66
SHA1 hash:
3ef84847fceb31b8814c12c94c57c72a5281d6f5
Link:
https://www.unpac.me/results/f11e0ace-5a3f-49f2-9121-7aa114e7257e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/47715e425398283d53019c270311ad0c709f660048d2f884d5116d80b983743f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

DLL dll 47715e425398283d53019c270311ad0c709f660048d2f884d5116d80b983743f

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/196650/
  
URLhaus
https://urlhaus.abuse.ch/url/1666490/
  
Delivery method
Distributed via web download

Comments