MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e199eda08279c7e758ee7a63e44a934866c4b66b99113de3ed095f696054793. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4e199eda08279c7e758ee7a63e44a934866c4b66b99113de3ed095f696054793
SHA3-384 hash: 6e3d3673525faab6e4bacddbbb7ee67f06cf1a174724cd68cac420cc9247b70de984adb1e915ac8b96d69303ae800f78
SHA1 hash: 1578f0933cb3f45df5aa00394d0c35baa19cc679
MD5 hash: 1716d60776f3ecdd4fb2afd5eedba586
humanhash: thirteen-high-carpet-skylark
File name:4e199eda08279c7e758ee7a63e44a934866c4b66b99113de3ed095f696054793
Download: download sample
Signature Gozi
Create hunting rule
File size:352'256 bytes
First seen:2022-07-20 10:11:08 UTC
Last seen:2022-07-20 10:50:09 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash d5b695ff69a030d49feb212ee1309dba (2 x Gozi)
ssdeep 6144:wWIA1nmhsNe9T73RoyNCCJcblamzmveDLbR+eeYH5GvmDqLuwfQ:mA1mDr7JTmz8efsaWZf
Threatray 2'960 similar samples on MalwareBazaar
TLSH T12E74E1315554C0ABD777EAFA26F23391992D73D4837FCBF2DAA91AED642001128EF484
TrID 59.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
18.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.3% (.EXE) OS/2 Executable (generic) (2029/13)
7.2% (.EXE) Generic Win/DOS Executable (2002/3)
7.2% (.EXE) DOS Executable Generic (2000/1)
Reporter JAMESWT_WT
Tags:agenziaentrate agenziariscossione dll Gozi isfb ITA Ursnif

Intelligence

File Origin
# of uploads :
2
# of downloads :
679
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/292887/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.6517.27009.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a window
Searching for the window
Creating a file in the %temp% directory
Running batch commands
Changing a file
Setting browser functions hooks
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
emotet gozi packed
Link:
https://www.filescan.io/uploads/62d7d4ca8fbcdde3605fc273/reports/b6a4ca06-0616-4641-9bda-4cc2bbaba499/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1037359
Behaviour
Behavior Graph:
n/a
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4e199eda08279c7e758ee7a63e44a934866c4b66b99113de3ed095f696054793/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2022-07-20 10:12:06 UTC
File Type:
PE (Dll)
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jymz5wqie6oh45mo46td4rfjgsdgys3gxgirhxr62ck7nfqfi6jq._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
00f830a0748680a63981f427ece7c3f4a989d97431dc1f4e78706eb8987a8286
Gozi
20351bf93e117a01a601e5fcd6b83250e42e001a81cc9bf660e3079516a30f08
Gozi
251b7936786ed9284ce06582007fe75c3bc301fd0f1060fa53e71e54aff28a7f
Gozi
60064e7969abecfaab8fedd58e0277e9253f5f59d4f60e8a414af290d90ac6df
Gozi
96f13595050ebbbb7e919872631a913867cb282f59e2d687479b419ecd058da2
Gozi
ee53ac8909a116494439489590de99162e1e3ceb6bdf839b6e30bdc1686d2a11
Gozi
+ 2'950 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:3000 banker trojan
Link:
https://tria.ge/reports/220720-l8g9bsefbl/
Behaviour
Discovers systems in the same network
Enumerates processes with tasklist
Gathers system information
Runs net.exe
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Blocklisted process makes network request
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
config.edge.skype.com
193.27.14.240
94.198.40.39
kimzooxl.at
94.198.40.47
94.198.40.58
havefuntxmm.at
Unpacked files
SH256 hash:
650e5ef59f5b775ec41895e429d842c22343e7aa92fa14a03c0554f043d043c5
MD5 hash:
a8e571786be0247ba582b94a5cdd9da1
SHA1 hash:
c6e150e950b7914e821942e847e4dc441656e14b
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/13d585a9-8143-4923-9e52-2629c1fb1fd7/
Parent samples :
ee53ac8909a116494439489590de99162e1e3ceb6bdf839b6e30bdc1686d2a11
8730706139c6431886ce5d5fe83079f063fa81f85c2827f7b34b4ecb30886871
4e199eda08279c7e758ee7a63e44a934866c4b66b99113de3ed095f696054793
da273d385123cc3a1b69a9127e6372305cebde9fcc3e2bc39145a1689b64d58b
SH256 hash:
e6fcd9c9d60e75b19be0abede5b1dbde2eecc417129473b89f1e469882d0c50b
MD5 hash:
54f3f57bc00eec0ceda949741ee8ecb8
SHA1 hash:
a55609d150a5b68340f608281ac084f2bd5f4021
Link:
https://www.unpac.me/results/13d585a9-8143-4923-9e52-2629c1fb1fd7/
SH256 hash:
4e199eda08279c7e758ee7a63e44a934866c4b66b99113de3ed095f696054793
MD5 hash:
1716d60776f3ecdd4fb2afd5eedba586
SHA1 hash:
1578f0933cb3f45df5aa00394d0c35baa19cc679
Link:
https://www.unpac.me/results/13d585a9-8143-4923-9e52-2629c1fb1fd7/
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4e199eda0827/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/4e199eda08279c7e758ee7a63e44a934866c4b66b99113de3ed095f696054793

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/292887/

Comments