MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 50ec326918e3930b8099b483ecf0a44bebba1fc7013cc234f2fbc358acb26fe5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 50ec326918e3930b8099b483ecf0a44bebba1fc7013cc234f2fbc358acb26fe5
SHA3-384 hash: 582507263dcc0bdd93298c5181529de0fe9771954d1d482df1960a6648b81ce2e748131de94af36f36acc17498ba26f3
SHA1 hash: dd1ee07155768a8d4b0cb1ec3fa666b5ac7e2eed
MD5 hash: 92bcb08ab6be032cd4a64ac1292c2d16
humanhash: mars-texas-fanta-apart
File name:sup11_dump.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:61'440 bytes
First seen:2021-01-26 18:42:56 UTC
Last seen:2021-01-26 20:54:14 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 8bd3516d6fbaada236bf3f0ea3a6d71f (1 x Gozi)
ssdeep 1536:GXvA5MoNRR/4DwOffSuekSjumPUtjxH8ITDM:GX45MGX/4bcu7tjp8J
Threatray 647 similar samples on MalwareBazaar
TLSH E153E1A28C019692CFD980714F3DCE5DCB9B83653826D96143BADD92C5FEE08F298753
Reporter lazyactivist192
Tags:dll Gozi


Avatar
lazyactivist192
possibly gozi

Intelligence

File Origin
# of uploads :
2
# of downloads :
269
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ursnif3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/113986/
Detection(s):
SecuriteInfo.com.Trojan.Gozi.777.23578.22078.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Searching for the window
Deleting a recently created file
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Gozi Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/591132
Signature
Antivirus / Scanner detection for submitted sample
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Detected Gozi e-Banking trojan
Found malware configuration
Hooks registry keys query functions (used to hide registry keys)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 344607 Sample: sup11_dump.dll Startdate: 26/01/2021 Architecture: WINDOWS Score: 100 57 c56.lepini.at 2->57 59 resolver1.opendns.com 2->59 61 api3.lepini.at 2->61 73 Multi AV Scanner detection for domain / URL 2->73 75 Found malware configuration 2->75 77 Malicious sample detected (through community Yara rule) 2->77 79 12 other signatures 2->79 9 mshta.exe 2->9         started        12 loaddll32.exe 1 2->12         started        signatures3 process4 signatures5 81 Suspicious powershell command line found 9->81 14 powershell.exe 9->14         started        18 regsvr32.exe 2 12->18         started        20 cmd.exe 1 12->20         started        process6 file7 53 C:\Users\user\AppData\...\oywbpzxb.cmdline, UTF-8 14->53 dropped 55 C:\Users\user\AppData\Local\...\augdh01w.0.cs, UTF-8 14->55 dropped 83 Modifies the context of a thread in another process (thread injection) 14->83 85 Maps a DLL or memory area into another process 14->85 87 Compiles code for process injection (via .Net compiler) 14->87 89 Creates a thread in another existing process (thread injection) 14->89 22 csc.exe 14->22         started        25 csc.exe 14->25         started        27 conhost.exe 14->27         started        91 Detected Gozi e-Banking trojan 18->91 93 Writes to foreign memory regions 18->93 95 Writes or reads registry keys via WMI 18->95 97 Writes registry values via WMI 18->97 29 control.exe 18->29         started        31 iexplore.exe 2 84 20->31         started        signatures8 process9 dnsIp10 49 C:\Users\user\AppData\Local\...\oywbpzxb.dll, PE32 22->49 dropped 34 cvtres.exe 22->34         started        51 C:\Users\user\AppData\Local\...\augdh01w.dll, PE32 25->51 dropped 36 cvtres.exe 25->36         started        38 rundll32.exe 29->38         started        71 192.168.2.1 unknown unknown 31->71 40 iexplore.exe 155 31->40         started        43 iexplore.exe 29 31->43         started        45 iexplore.exe 29 31->45         started        47 iexplore.exe 31->47         started        file11 process12 dnsIp13 63 img.img-taboola.com 40->63 65 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49738, 49739 FASTLYUS United States 40->65 69 7 other IPs or domains 40->69 67 api10.laptok.at 45.138.24.6, 49761, 49762, 49769 SPECTRAIPSpectraIPBVNL Turkey 45->67
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/50ec326918e3930b8099b483ecf0a44bebba1fc7013cc234f2fbc358acb26fe5/
Threat name:
Win32.Trojan.Graftor
Create hunting rule
Status:
Malicious
First seen:
2021-01-26 18:43:05 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
09029ff1f317ccfdd92bfd8ae154328748e761231aabb51872e2b1204315f285
Gozi
2a80deaa083bb554ccc57c0ffd467b4fd1a6e2f1ae6ab1a3de140aab849b19bf
Gozi
2b8c7b7112e8070d01b2f977c360772e05704fff1838bf124780b9c8b699f337
Gozi
361fb6895164e8e130e6fc3f6dc984af355294173c5e385d0ac35d6df61aea60
Gozi
493d258253c3d4b39ae41b07ae583164926731a9d1b17c434cca2b8fa9c80629
Gozi
60924e938260500bea6ca3a3475455bdea8ec70ad6df3358f2f867460061c535
Gozi
61774f16549fb39d6d28ea208634bb106294bb2e31e6847d804f74a08a4bc0e2
Gozi
78cb6053d76d453fb3885f47c1634fc28e20862a5a73bcdc1557e5620ae7416f
Gozi
823d3e4a009254382cf9401cffddeb21e5be60ab5bb283ad325734c8c14cd695
Gozi
e3c98c2ca7e4be4d14e9040f22c4a88bc512cb0e8d093af37360d035e45c5678
Gozi
+ 637 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb ransomware
Link:
https://tria.ge/reports/210126-f94bfryldn/
Behaviour
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Unpacked files
SH256 hash:
50ec326918e3930b8099b483ecf0a44bebba1fc7013cc234f2fbc358acb26fe5
MD5 hash:
92bcb08ab6be032cd4a64ac1292c2d16
SHA1 hash:
dd1ee07155768a8d4b0cb1ec3fa666b5ac7e2eed
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/26f35f65-980c-4256-a802-69d6830c13e2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Cryptor
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/50ec326918e3930b8099b483ecf0a44bebba1fc7013cc234f2fbc358acb26fe5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ursnif3
Create hunting rule
Author:kevoreilly
Description:Ursnif Payload
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/113986/

Comments