MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d4bedbc795e2dd4fe929b6dc57bfc314165795e25c362959fbabc59c0a60d80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4d4bedbc795e2dd4fe929b6dc57bfc314165795e25c362959fbabc59c0a60d80
SHA3-384 hash: 2f1fa54a0256469b97600a327748b546d9f54f04ba743c6d52c776f2f6e76076d8f739f0687cd792d8cb915de5a82c77
SHA1 hash: 5d4f4d60773ed452188c8a099b5972edbbb03f90
MD5 hash: 3b4e9e88c0dd6e82ecc65e2d219544c6
humanhash: michigan-utah-batman-comet
File name:Wartless_v8.8.9.0.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:442'368 bytes
First seen:2022-01-21 06:51:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 406900a52ebbaff2418df7f831674972 (1 x Gozi)
ssdeep 12288:YudQDXhMYGldQDXhMYGldQDXhMYGAGj7:YKyXhPSyXhPSyXhP
Threatray 431 similar samples on MalwareBazaar
TLSH T1A894D06787FC2C48F2F3AF75B8B1A2538E66BC366D61C05E4684150E88B1E25DD78723
Reporter JAMESWT_WT
Tags:exe Gozi isfb italy pw vodafone Ursnif vodafone

Intelligence

File Origin
# of uploads :
1
# of downloads :
452
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
vodafone_21.vbe
Verdict:
Malicious activity
Analysis date:
2022-01-21 06:48:31 UTC
Tags:
loader opendir trojan gozi ursnif dreambot evasion
Link:
https://app.any.run/tasks/38df29b6-9540-44c5-9393-016303c02dd5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/221364/
Detection(s):
SecuriteInfo.com.ML.PE-A.21743.15081.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Using the Windows Management Instrumentation requests
Launching a process
Searching for synchronization primitives
Сreating synchronization primitives
Creating a window
Sending an HTTP GET request
Searching for the window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware keylogger shell32.dll
Link:
https://www.filescan.io/uploads/61ea5818f81da814af951bf4/reports/5fb53adc-0761-45ee-b7ab-1665de2e7dab/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6c36ad08-aa43-4cff-be5c-77c848d4f34d
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/925003
Signature
Antivirus detection for URL or domain
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 557481 Sample: Wartless_v8.8.9.0.dll Startdate: 21/01/2022 Architecture: WINDOWS Score: 100 67 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->67 69 Multi AV Scanner detection for domain / URL 2->69 71 Found malware configuration 2->71 73 5 other signatures 2->73 7 loaddll32.exe 7 2->7         started        11 iexplore.exe 2 68 2->11         started        13 iexplore.exe 2->13         started        15 2 other processes 2->15 process3 dnsIp4 61 www.nnnnnn.casa 7->61 63 nnnnnn.casa 7->63 65 3 other IPs or domains 7->65 85 Found evasive API chain (may stop execution after checking system information) 7->85 87 Found API chain indicative of debugger detection 7->87 89 Writes or reads registry keys via WMI 7->89 91 Writes registry values via WMI 7->91 17 regsvr32.exe 6 7->17         started        21 cmd.exe 1 7->21         started        23 rundll32.exe 6 7->23         started        25 iexplore.exe 32 11->25         started        27 iexplore.exe 29 11->27         started        29 iexplore.exe 32 11->29         started        31 iexplore.exe 11->31         started        33 4 other processes 13->33 35 8 other processes 15->35 signatures5 process6 dnsIp7 41 www.nnnnnn.casa 17->41 75 System process connects to network (likely due to code injection or exploit) 17->75 77 Writes or reads registry keys via WMI 17->77 79 Writes registry values via WMI 17->79 37 rundll32.exe 6 21->37         started        49 2 other IPs or domains 23->49 43 intermedia.bar 31.41.46.120, 49744, 49745, 49746 ASRELINKRU Russian Federation 25->43 45 nnnnnn.casa 192.64.119.233, 49798, 49799, 49800 NAMECHEAP-NETUS United States 33->45 51 7 other IPs or domains 33->51 47 nnnnnn.bar 162.255.119.177, 49864, 49865, 49874 NAMECHEAP-NETUS United States 35->47 53 4 other IPs or domains 35->53 signatures8 process9 dnsIp10 55 198.54.117.215, 49885, 80 NAMECHEAP-NETUS United States 37->55 57 www.nnnnnn.casa 37->57 59 4 other IPs or domains 37->59 81 System process connects to network (likely due to code injection or exploit) 37->81 83 Writes registry values via WMI 37->83 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4d4bedbc795e2dd4fe929b6dc57bfc314165795e25c362959fbabc59c0a60d80/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2022-01-21 06:52:12 UTC
File Type:
PE (Dll)
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
3fff4baf83e75e39c51a2484ca04763852b6d6bf0a24ecb341e65dd2724711a0
Gozi
45f11d97a8ed1a9215e9c6c8d44335229e17bd63bb0a48abcc8c2a02dca241c4
Gozi
54ce5aedb7cc073c481eb8af96f89f3ab11e5decaccf942d033479fd0f04c8b3
Gozi
6c4a29e89016b49c854eaf4d7cf8ee4bcf8e58e1f7ccf4ced62df6a57e0b60ff
Gozi
73118c724e0d6cb9ce3072d66f2d20fb7e89189699faf60315395ad89b0a1a4d
Gozi
7739c03843a133370371b72a5552ba6a5cb36d5defbfb0b10b9580bb9c62a798
Gozi
aa4d5569f00d3fed84a25b4a1adcf28e55150e01cd5917082fa9569f774b984e
Gozi
+ 421 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:7576 banker trojan
Link:
https://tria.ge/reports/220121-hm4cwseaal/
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
intermedia.bar
nnnnnn.bar
nnnnnn.casa
Unpacked files
SH256 hash:
c6f2fe1bba7e74c2fe23cdf52c621814dc71ae0050d3ebcd1e520476b7e29b56
MD5 hash:
7444748e2a70a390e0c5d94d7d9613b3
SHA1 hash:
8395cea3c224e1e53226b27ec045c0189339947e
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/fe0cd561-9639-42cc-ba47-914a620e7b39/
SH256 hash:
58c7593a4bc3877919602c49538b68faf0890febf717a22947dfc3889376b6b0
MD5 hash:
09b6149f8bc364b58cb331b41c2a2a24
SHA1 hash:
3df6534b1a784e789c445194e65b4c7911f36682
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/fe0cd561-9639-42cc-ba47-914a620e7b39/
SH256 hash:
4d4bedbc795e2dd4fe929b6dc57bfc314165795e25c362959fbabc59c0a60d80
MD5 hash:
3b4e9e88c0dd6e82ecc65e2d219544c6
SHA1 hash:
5d4f4d60773ed452188c8a099b5972edbbb03f90
Link:
https://www.unpac.me/results/fe0cd561-9639-42cc-ba47-914a620e7b39/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4d4bedbc795e2dd4fe929b6dc57bfc314165795e25c362959fbabc59c0a60d80

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe 4d4bedbc795e2dd4fe929b6dc57bfc314165795e25c362959fbabc59c0a60d80

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/221364/
  
URLhaus
https://urlhaus.abuse.ch/url/1994961/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1995094/
  
URLhaus
https://urlhaus.abuse.ch/url/1995095/

Comments