MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4eae1c5ebdb7b2021913b37477077bde0177579b6f8d43a49bd8a202b45657f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 9



SHA256 hash: 4eae1c5ebdb7b2021913b37477077bde0177579b6f8d43a49bd8a202b45657f4
SHA3-384 hash: 60047992fdb625a192e735921bceb98b9dc6c35cf2ff03022720bfb3960c316effdbe2fe6d1adef9a69e8b0d5f6b23a3
SHA1 hash: 368859c657c58874ab97167396feaa729304f881
MD5 hash: e5c6442649340b5a0778902ecfbe0cec
humanhash: blue-blue-salami-ohio
File name: e5c6442649340b5a0778902ecfbe0cec.dll
Signature: Gozi
File size: 359'424 bytes
First seen: 2022-02-10 07:37:15 UTC
Last seen: 2022-02-10 10:25:25 UTC
File type: DLL (dll)
MIME type: application/x-dosexec
imphash: 1c859fc09e7dd8ae36985c58f1251eab (3 x Gozi)
ssdeep: 6144:JIWzRNtkJNxiPsnYaiz4fwE5tTuGYyb8Zuv1DvVOuETHwekZ1M3b2:3zR3TP6Ybz4fxLTbWYjsQecn
Threatray: 437 similar samples on MalwareBazaar
TLSH: T14274F8BA8700C531F0BA647DA224F1A95C1F4771368884BFF261ACD495769E8CE39F1B
Reporter: abuse_ch
Tags: agenziaentrate, dll, geo, Gozi, isfb, ITA, Ursnif

Intelligence


File Origin
# of uploads: 2
# of downloads: 256
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:
Behaviour: DNS request
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signatures:
Antivirus detection for URL or domain
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Regsvr32 Network Activity
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious Remote Thread Created
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph (ID 569901; sample 7AYjl15IPR.dll; start date 10/02/2022; architecture WINDOWS; score 100). Information recoverable from the graph: processes loaddll32.exe, regsvr32.exe, rundll32.exe, cmd.exe and iexplore.exe; contacted hosts linkspremium.ru (31.41.44.3, port 80, ASRELINKRU, Russian Federation), interlines.space, interlines.top (31.41.46.120, ASRELINKRU, Russian Federation) and premiumlists.ru (45.128.184.132, MGNHOST-ASRU, Russian Federation); the signatures listed above (Snort IDS alert, Multi AV Scanner detection for domain / URL, Found malware configuration, System process connects to network, Writes or reads registry keys via WMI, Writes registry values via WMI).
Threat name: Win32.Trojan.Ursnif
Status: Malicious
First seen: 2022-02-10 07:38:11 UTC
File Type: PE (Dll)
Extracted files: 1
AV detection: 20 of 27 (74.07%)
Threat level: 5/5
Result
Malware family: gozi_ifsb
Score: 10/10
Tags: family:gozi_ifsb botnet:7613 banker trojan
Behaviour:
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
interlines.top
interlines.space
linkspremium.ru
premiumlists.ru
Unpacked files
SHA256 hash: e6f3b5857a2da506a0f5470400655fc4011600ae4253bba3dae85f7e6a9be6c2
MD5 hash: 21e836bd521081f8b97c3e5a31822afe
SHA1 hash: fec35c2a1f2d362356573b25f0dd4a50c7be842e
Detections: win_isfb_auto

SHA256 hash: 831619fb5a9b21c3cd073a901e05a1a94be2f1db95a71751a4c54d6061d9c117
MD5 hash: 67eb78fba57178ed8a19f1cacb04538d
SHA1 hash: 39bdd27dc35920567861066e286e6f3b1928f07d
Detections: win_isfb_auto

SHA256 hash: 4eae1c5ebdb7b2021913b37477077bde0177579b6f8d43a49bd8a202b45657f4 (the submitted sample itself)
MD5 hash: e5c6442649340b5a0778902ecfbe0cec
SHA1 hash: 368859c657c58874ab97167396feaa729304f881
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: win_isfb_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.isfb.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Malware family: Gozi
File type: DLL (dll)
SHA256 hash: 4eae1c5ebdb7b2021913b37477077bde0177579b6f8d43a49bd8a202b45657f4 (this sample)
