MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4bf6e9d4067cb905631ddf7452ac571c4ed9800c7eb8fc7e51b688e1154f52e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gozi


Vendor detections: 9



SHA256 hash: 4bf6e9d4067cb905631ddf7452ac571c4ed9800c7eb8fc7e51b688e1154f52e3
SHA3-384 hash: 2cfa3be04da46dcf8a64b26fbfc15431189be4e34d59870f1b1b405d433b028703afbc4dc7e04518e12aa3a76bcc9803
SHA1 hash: 39a52cbc48be934cf953d4699e8a1ea5ff53a5bf
MD5 hash: 6fdbd25f7a84da80ee9d8577122c3291
humanhash: fish-hydrogen-hotel-ink
File name: 6fdbd25f7a84da80ee9d8577122c3291.dll
Signature: Gozi
File size: 478'720 bytes
First seen: 2021-05-12 10:40:09 UTC
Last seen: 2021-05-12 12:00:05 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: a2f0d616525ae6c643810961c7d4fdfe (2 x Gozi)
ssdeep: 12288:4Z31u8+a95+CA9lROexg8P7CbxXTTbWA:4Z31P9wr9lROog8W/
Threatray: 247 similar samples on MalwareBazaar
TLSH: 15A4AC307696C27BD212AC39CD5AE5FA1B057D20EF19248B35C53FAF79312A10B7D229
Reporter: abuse_ch
Tags: dll Gozi isfb Ursnif

Intelligence


File Origin
# of uploads: 3
# of downloads: 275
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:
Behaviour: Sending a UDP request

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: troj
Score: 76 / 100
Signature:
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour:
Behavior Graph:
(graph not reproduced here; Behavior Graph ID 412166, sample nT5pUwoJSS.dll, start date 12/05/2021, architecture WINDOWS, score 76. The graph ties the signatures listed above to the loaddll32.exe, rundll32.exe, cmd.exe and iexplore.exe processes observed during the run and to the network destinations they contacted.)
Threat name: Win32.Trojan.Zusy
Status: Malicious
First seen: 2021-05-12 10:40:20 UTC
AV detection: 10 of 47 (21.28%)
Threat level: 5/5

Result
Malware family: gozi_ifsb
Score: 10/10
Tags: family:gozi_ifsb botnet:8877 banker trojan
Behaviour: Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
outlook.com/login
gmail.com
worunekulo.club
horunekulo.website
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

DLL 4bf6e9d4067cb905631ddf7452ac571c4ed9800c7eb8fc7e51b688e1154f52e3 (this sample)

Delivery method: Distributed via web download

Comments



a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-12 11:04:24 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0019] Data Micro-objective::Check String
1) [C0052] File System Micro-objective::Writes File
2) [C0007] Memory Micro-objective::Allocate Memory
3) [C0040] Process Micro-objective::Allocate Thread Local Storage
4) [C0041] Process Micro-objective::Set Thread Local Storage Value
5) [C0018] Process Micro-objective::Terminate Process