MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49c54e18e22e5c82d591ff5345a4c660f2c80e14fcbe4c3a7d1df43654e40e86. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 49c54e18e22e5c82d591ff5345a4c660f2c80e14fcbe4c3a7d1df43654e40e86
SHA3-384 hash: b3c00f6174914abe45f084d42ef5e05c32837cd5c3b2445f68464bab04bbb912fdd0f5480e88749cdb00cdee60c0327a
SHA1 hash: f53a59741ddc982af5b77bd77ab99f74e9b33948
MD5 hash: dbe0888d7edb236b38d0dcfd33dd0a06
humanhash: six-pip-berlin-nevada
File name:6329b3a546054tiff.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:523'264 bytes
First seen:2022-09-20 12:36:36 UTC
Last seen:2022-09-20 13:28:17 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash d4b28f0790229e980b5d88b605c6e492 (1 x Gozi)
ssdeep 6144:yTZBx+7jsPTl/N80J849j3si2Hw2Kfl0OA5P1rh/YwOnhu58jT7FWQ+ICBFQ5jyy:YZP+7jsZS0r59Qw3RxjkeP
TLSH T196B46CA8374061BAC3D2517A748F0F0F727944DC648CCA98F968C8DA27AD94B5637F78
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter JAMESWT_WT
Tags:agenziaentrate agenziariscossione dll Gozi isfb ITA Ursnif

Intelligence

File Origin
# of uploads :
2
# of downloads :
284
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/311681/
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Launching a process
Creating a process with a hidden window
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6329b40de64c53f047f7f549/reports/8a577f58-640c-430c-ac98-21916da4bb4c/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d2d4b027-a7d2-4d04-b02e-90344f6feb19
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1073682
Signature
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Injects code into the Windows Explorer (explorer.exe)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 706222 Sample: 6329b3a546054tiff.dll Startdate: 20/09/2022 Architecture: WINDOWS Score: 100 59 Snort IDS alert for network traffic 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 Multi AV Scanner detection for submitted file 2->63 65 2 other signatures 2->65 8 loaddll32.exe 1 2->8         started        10 mshta.exe 19 2->10         started        process3 process4 12 regsvr32.exe 1 6 8->12         started        16 cmd.exe 1 8->16         started        18 rundll32.exe 8->18         started        23 2 other processes 8->23 20 powershell.exe 30 10->20         started        dnsIp5 55 89.41.26.99, 49712, 80 M247GB Romania 12->55 57 192.168.2.1 unknown unknown 12->57 79 System process connects to network (likely due to code injection or exploit) 12->79 81 Writes to foreign memory regions 12->81 83 Allocates memory in foreign processes 12->83 93 2 other signatures 12->93 25 control.exe 1 12->25         started        28 rundll32.exe 16->28         started        53 C:\Users\user\AppData\...\zzkbucr3.cmdline, UTF-8 20->53 dropped 85 Injects code into the Windows Explorer (explorer.exe) 20->85 87 Modifies the context of a thread in another process (thread injection) 20->87 89 Maps a DLL or memory area into another process 20->89 91 Creates a thread in another existing process (thread injection) 20->91 30 explorer.exe 20->30 injected 32 csc.exe 3 20->32         started        35 csc.exe 3 20->35         started        37 conhost.exe 20->37         started        file6 signatures7 process8 file9 67 Changes memory attributes in foreign processes to executable or writable 25->67 69 Injects code into the Windows Explorer (explorer.exe) 25->69 71 Writes to foreign memory regions 25->71 77 3 other signatures 25->77 39 rundll32.exe 25->39         started        73 Disables SPDY (HTTP compression, likely to perform web injects) 30->73 75 Creates a thread in another existing process (thread injection) 30->75 41 RuntimeBroker.exe 30->41 injected 43 cmd.exe 30->43         started        49 C:\Users\user\AppData\Local\...\zzkbucr3.dll, PE32 32->49 dropped 45 cvtres.exe 1 32->45         started        51 C:\Users\user\AppData\Local\...\rzypqeex.dll, PE32 35->51 dropped 47 cvtres.exe 1 35->47         started        signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/49c54e18e22e5c82d591ff5345a4c660f2c80e14fcbe4c3a7d1df43654e40e86/
Threat name:
Win32.Infostealer.Gozi
Create hunting rule
Status:
Malicious
First seen:
2022-09-20 12:37:10 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
12 of 26 (46.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jhcu4ghcfzoifvmr75juljggmdzmqdqu7s7eyot5dx2dmvheb2da._file
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:3000 banker trojan
Link:
https://tria.ge/reports/220920-qc8tmageem/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
config.edge.skype.com
89.41.26.99
89.45.4.102
interstarts.top
superlist.top
internetcoca.in
interliner.top
interlinel.top
superliner.top
superlinez.top
internetlined.com
internetlines.in
medialists.su
medialists.ru
mediawagi.info
mediawagi.ru
89.41.26.90
89.41.26.93
denterdrigx.com
digserchx.at
Unpacked files
SH256 hash:
d8cb62885ed64dc11c84331ef6ebf71e527d6dc9c91e1b15eb476005cb69480e
MD5 hash:
b9cef18fd39edcfda07dce7c5cbc9d56
SHA1 hash:
5abb45b92d51bd900a0102da778fac46c16077e1
Link:
https://www.unpac.me/results/8d43f5c5-2bf6-4c52-9b9b-e2780031ae76/
SH256 hash:
49c54e18e22e5c82d591ff5345a4c660f2c80e14fcbe4c3a7d1df43654e40e86
MD5 hash:
dbe0888d7edb236b38d0dcfd33dd0a06
SHA1 hash:
f53a59741ddc982af5b77bd77ab99f74e9b33948
Link:
https://www.unpac.me/results/8d43f5c5-2bf6-4c52-9b9b-e2780031ae76/
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/49c54e18e22e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/49c54e18e22e5c82d591ff5345a4c660f2c80e14fcbe4c3a7d1df43654e40e86

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:RansomwareTest3
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest6
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest7
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/311681/

Comments