MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c0ccba038ff513555223a880da3760a974b0479fe6cf0e823f08774ecd0d9ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4c0ccba038ff513555223a880da3760a974b0479fe6cf0e823f08774ecd0d9ba
SHA3-384 hash: ffb91fb290b46d3e9b501b016ed35b2b28365c038e2b4f4249f3936bb389e9e1845bd66a0687817b670113a73e0741af
SHA1 hash: 75db1976ccc16912d4f1d4fc68b8c8975ad39ac4
MD5 hash: 17ddc738604a040176b85c80173c5090
humanhash: mexico-blossom-comet-magazine
File name:4c0ccba038ff513555223a880da3760a974b0479fe6cf0e823f08774ecd0d9ba
Download: download sample
Signature Gozi
Create hunting rule
File size:118'784 bytes
First seen:2022-10-20 12:18:43 UTC
Last seen:2022-10-20 12:41:46 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 4d77c77461545176d90bd7e3496b7f55 (1 x Gozi)
ssdeep 3072:q14Nm3YTyGi7bLYB0s7+Ec7V6bW2nnW6rifrQc1+lUmT:CvOwYB0v72n6rQA+b
Threatray 708 similar samples on MalwareBazaar
TLSH T174C3BFBCB604E9F1DB5F1677CD8A385813B176138A8BF5C864A0B6C3093376BEE42945
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter JAMESWT_WT
Tags:dll Gozi isfb pw 758493 Ursnif

Intelligence

File Origin
# of uploads :
2
# of downloads :
243
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/321980/
Detection(s):
SecuriteInfo.com.Trojan.Gozi.889.25679.8990.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
gozi packed qbot ursnif
Link:
https://www.filescan.io/uploads/63513cb6339362a6061b2482/reports/9f11d797-a605-4a59-a16d-44151946cb43/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6ee598a1-bda9-484a-9058-7a9decb7f078
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1094126
Signature
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Found stalling execution ending in API Sleep call
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 726756 Sample: cVZ5IwmAMe.dll Startdate: 20/10/2022 Architecture: WINDOWS Score: 100 34 Snort IDS alert for network traffic 2->34 36 Multi AV Scanner detection for domain / URL 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 2 other signatures 2->40 7 loaddll32.exe 1 2->7         started        process3 signatures4 50 Found evasive API chain (may stop execution after checking system information) 7->50 52 Found API chain indicative of debugger detection 7->52 10 cmd.exe 1 7->10         started        12 regsvr32.exe 6 7->12         started        16 rundll32.exe 6 7->16         started        18 3 other processes 7->18 process5 dnsIp6 20 rundll32.exe 6 10->20         started        54 Found evasive API chain (may stop execution after checking system information) 12->54 56 Found API chain indicative of debugger detection 12->56 58 Writes or reads registry keys via WMI 12->58 60 Writes registry values via WMI 12->60 28 linetwork.top 62.173.145.183, 49779, 49780, 49781 SPACENET-ASInternetServiceProviderRU Russian Federation 16->28 30 onlinetwork.top 31.41.44.194, 80 ASRELINKRU Russian Federation 16->30 32 192.168.2.1 unknown unknown 16->32 62 System process connects to network (likely due to code injection or exploit) 16->62 signatures7 process8 dnsIp9 24 onlinetwork.top 20->24 26 linetwork.top 20->26 42 System process connects to network (likely due to code injection or exploit) 20->42 44 Found evasive API chain (may stop execution after checking system information) 20->44 46 Found stalling execution ending in API Sleep call 20->46 48 2 other signatures 20->48 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4c0ccba038ff513555223a880da3760a974b0479fe6cf0e823f08774ecd0d9ba/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2022-10-18 20:40:38 UTC
File Type:
PE (Dll)
AV detection:
18 of 40 (45.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jqgmxiby75itkvjchkea3i3wbkluwbdz7zwpb2bd6cdxj3gq3g5a._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
2db38485abff68002fced62495b105cf98ca3eda7bbd30249ed3cf8be23ff2e0
Gozi
43582c465af423b50c1743e4326a0830787f1f7f4c27c7fc3866fe546aeb3893
Gozi
49c54e18e22e5c82d591ff5345a4c660f2c80e14fcbe4c3a7d1df43654e40e86
Gozi
7ca57c7d182c4c00ae2c86e0e2055734d6b6421a7c419b5bb9c69869b8dbec64
Gozi
8e570e32acb99abfd0daf62cff13a09eb694ebfa633a365d224aefc6449f97de
Gozi
e192656ce9c73ac7bcb4cec136378c5843e128b76cd1c021aeec274edecbf869
Gozi
ee46bd47dbd009333a72bc752b3d38d5a87a25f90fef3d4d77515d4fd11f3c8d
Gozi
+ 698 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:5000 banker trojan
Link:
https://tria.ge/reports/221020-pg6pdsdbgq/
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
config.edge.skype.com
onlinetwork.top
linetwork.top
Unpacked files
SH256 hash:
897178e0183a700baf92511aad15d5c6fd575329c496fb912f986cc603030fef
MD5 hash:
2f007a8b7740ec5d4ebe24c4d6080030
SHA1 hash:
1a205ed303fd1706a1ee662b341abf83836398a7
Link:
https://www.unpac.me/results/4a248a1e-6cdd-42a6-a3ee-b337252cb14e/
SH256 hash:
4c0ccba038ff513555223a880da3760a974b0479fe6cf0e823f08774ecd0d9ba
MD5 hash:
17ddc738604a040176b85c80173c5090
SHA1 hash:
75db1976ccc16912d4f1d4fc68b8c8975ad39ac4
Link:
https://www.unpac.me/results/4a248a1e-6cdd-42a6-a3ee-b337252cb14e/
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4c0ccba038ff/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.31
Link:
https://yomi.yoroi.company/submissions/4c0ccba038ff513555223a880da3760a974b0479fe6cf0e823f08774ecd0d9ba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Gozi

html 7d04f52af134980eef9544350ee216457910e7531a60c88ec9fa80daae59c2d3

Gozi

DLL dll 4c0ccba038ff513555223a880da3760a974b0479fe6cf0e823f08774ecd0d9ba

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/321980/
  
Dropped by
SHA256 7d04f52af134980eef9544350ee216457910e7531a60c88ec9fa80daae59c2d3
  
Dropped by
MD5 381a9e7c191245cc7e014e19a2c19442

Comments