MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4eedda82bcd9d7789aa060262cbcddb7dccc4661e70984ebf31f80954ffc90a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 7

SHA256 hash: 4eedda82bcd9d7789aa060262cbcddb7dccc4661e70984ebf31f80954ffc90a7
SHA3-384 hash: e16545e8fd82f7cff1ded59b9feaabf446c5ea2536387bcebda01f9b237610aebf2c1eaf9a10d57b3ee242a7743f3c40
SHA1 hash: feaa2bba1db09163c98908c990dcb04f7d5c19c3
MD5 hash: 2179de33d018271bb8d60334dd1d4ed6
humanhash: delaware-massachusetts-queen-louisiana
File name: wavaj4
Signature: Gozi
File size: 425'984 bytes
First seen: 2021-04-14 14:49:48 UTC
Last seen: Never
File type: DLL dll
MIME type: application/x-dosexec
imphash: ef1b489e9b291cb418611244955c35cc (1 x Gozi)
ssdeep: 6144:g3FFkYOVg1cV4oprLHiK1oR6NI2K2WVgRZWxxtZM/PWH/xiBiqUjdr:3Y+XV4oB7S6+B2HLW7qW7Xj
TLSH: 2894AE2136D1D036C026A675CE35C7F99AEA3C709D21594B3BDC2FBF2F30591962A34A
Reporter: fr0s7_
Tags: dll GER Gozi Ursnif

Intelligence
File Origin
# of uploads: 1
# of downloads: 241
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:
Behaviour
Sending a UDP request

Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: clean
Classification: n/a
Score: 5 / 100
Behaviour
Behavior Graph: n/a

Result
Malware family: gozi_ifsb
Score: 10/10
Tags: family:gozi_ifsb botnet:4456 banker trojan
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
1.microsoft.com
coolorenuloke.xyz
foolorenuloke.xyz
Unpacked files

SHA256 hash: f6f3e0bbdd7e9713642c98ec4b212751d185ef3fd151f99b2304a319b6be16ff
MD5 hash: 62fe80fc40288de8e40c84e037ea01c0
SHA1 hash: c2e0da3b929da82de02db8bd33bfeec5aacadd3d
Detections: win_isfb_auto

SHA256 hash: 4eedda82bcd9d7789aa060262cbcddb7dccc4661e70984ebf31f80954ffc90a7
MD5 hash: 2179de33d018271bb8d60334dd1d4ed6
SHA1 hash: feaa2bba1db09163c98908c990dcb04f7d5c19c3
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Ursnif3
Author: kevoreilly
Description: Ursnif Payload

Rule name: win_isfb_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information
The table below shows additional information about this malware sample such as delivery method and external references.

Comments
accidentalrebel commented on 2021-04-15 12:50:13 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
1) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
2) [C0051] File System Micro-objective::Read File
3) [C0052] File System Micro-objective::Writes File
4) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
5) [C0040] Process Micro-objective::Allocate Thread Local Storage
6) [C0041] Process Micro-objective::Set Thread Local Storage Value
7) [C0018] Process Micro-objective::Terminate Process