MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e7f81fa970f3c2ffa70c22d10b2c81efbf7429594719be49b56a0b516503e4b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4e7f81fa970f3c2ffa70c22d10b2c81efbf7429594719be49b56a0b516503e4b
SHA3-384 hash: 231e2e4de6cb228666e97d0f4bddfa79a19f7d7746adbd787d8ce926595d985cd904556150cd7cd3055ff9ed994db5e4
SHA1 hash: 1cf57d47fab52815150a8236e985e7976aba4f75
MD5 hash: 7dc420886e9c1a1e40e34d73ed2faf7c
humanhash: september-bakerloo-failed-venus
File name:7dc420886e9c1a1e40e34d73ed2faf7c.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:142'336 bytes
First seen:2021-11-22 13:26:02 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 683f6686809eced856b5380c2bb19aab (2 x Gozi)
ssdeep 3072:GBqOd5Ppz9GqG/DY3qPlwMAm7cewYwn87vm0xsP:Ed5R0/0e5wYM8fxsP
Threatray 516 similar samples on MalwareBazaar
TLSH T170D3BF15BA82D17DDBBF16340864A5764F7DBD10EBA08DDB3B80453E4E202D0EE36E66
Reporter abuse_ch
Tags:dll Gozi

Intelligence

File Origin
# of uploads :
1
# of downloads :
330
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Delayed reading of the file
DNS request
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware monero
Link:
https://www.filescan.io/uploads/619b9a7094a88037d2fe6701/reports/6d9a7bda-7549-48dd-8951-072e609eae66/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a00b8d90-0fa7-4af6-afc1-e9f61c78a5e3
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/893844
Signature
Found malware configuration
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
Detection:
gozi
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4e7f81fa970f3c2ffa70c22d10b2c81efbf7429594719be49b56a0b516503e4b/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2021-11-22 13:26:12 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
0570fd54d98349e62675cf1e53aa2197ed6c0df811350bfae9f64196b0a49278
Gozi
210943dc00e09514fe7d9a433596e78a21d7eb3bf3537b7e8327b985c8ad7d4d
Gozi
2f4d76314a00fb7a8047fcdd3ee26c39d2a550cde356d35ae517631392a66e8a
Gozi
43440e9a6d2d0a68b84f7885fda26748fa86de6ca709a883959e2640f3f706bf
Gozi
4ddacac68fd062781fece1e92b3f1682d49fe23fc812e721c330f25237f4c20f
Gozi
5bbba6d13c8222ef2cc5c4aecf14043f1e74d164ab2a1b3e4b68ee6cb086900c
Gozi
b82a1d06e5650808ae0b9ef1a77cc6047ca0601b13a9afa8cded17a93e27cda9
Gozi
e5ddae0f09c15a7eaebe71a0ccfcb83ccdd629760b612fffaab46d9a4260e662
Gozi
+ 506 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:8899 banker suricata trojan
Link:
https://tria.ge/reports/211122-qpjehafefq/
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
Malware Config
C2 Extraction:
microsoft.com/windowsdisabler
https://technoshoper.com
https://avolebukoneh.website
http://technoshoper.com
http://avolebukoneh.website
Unpacked files
SH256 hash:
4e7f81fa970f3c2ffa70c22d10b2c81efbf7429594719be49b56a0b516503e4b
MD5 hash:
7dc420886e9c1a1e40e34d73ed2faf7c
SHA1 hash:
1cf57d47fab52815150a8236e985e7976aba4f75
Link:
https://www.unpac.me/results/db542e79-e61e-4816-8fba-b67dd94ad6fd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4e7f81fa970f3c2ffa70c22d10b2c81efbf7429594719be49b56a0b516503e4b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

DLL dll 4e7f81fa970f3c2ffa70c22d10b2c81efbf7429594719be49b56a0b516503e4b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1804267/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/208171/

Comments