MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 539b93f7453bae7aa4bb960cdca9cf90d3b94ca64c0e90b96e4c1b150e843d84. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 539b93f7453bae7aa4bb960cdca9cf90d3b94ca64c0e90b96e4c1b150e843d84
SHA3-384 hash: 9f9992bd6493559ac7c9cf7cc6f136c742b2984f06e20874be58debea6cee44317c1e7f2c03ee80c113707398bfddcd2
SHA1 hash: 616999ca7eea175abcea017ecd5cd219a2050da7
MD5 hash: 862e22c2c3fad4741c689f93686cec6d
humanhash: apart-pip-venus-carbon
File name:862e22c2c3fad4741c689f93686cec6d
Download: download sample
Signature Gozi
Create hunting rule
File size:438'272 bytes
First seen:2022-06-29 09:24:05 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 90744814dc538303afb767d2b0a66a6b (3 x Gozi)
ssdeep 6144:Qsp9ErD03svy+zGEMrDwyKJPUpge5vyfxN9ROH8C1mdEFQETNdITUC/CK96ouQEF:QPDzzjMnwhJPcgYvyfD9JWTNrC/d1E
TLSH T14494BE5303F66A87F3684EBFD79B337E44A7A4215D1BE18703524ABAA0759E06724333
TrID 45.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.3% (.EXE) OS/2 Executable (generic) (2029/13)
18.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.0% (.EXE) DOS Executable Generic (2000/1)
Reporter pr0xylife
Tags:DHL dll Gozi isfb ITA Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
717
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/284201/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/62bc1aad03fa367ea5883753/reports/518d511a-60e7-4fb9-8cbb-a9896bb85556/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/90488530-19f6-4b95-be33-ba6b7b0edd97
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1021758
Signature
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/539b93f7453bae7aa4bb960cdca9cf90d3b94ca64c0e90b96e4c1b150e843d84/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=konzh52fhoxhvjf3sygnzkopsdj3stfgjqhjbolojqnrkduehwca._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:3000 banker trojan
Link:
https://tria.ge/reports/220629-ldmkkaaba3/
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
config.edge.skype.com
194.76.225.112
194.76.225.113
46.21.153.203
Unpacked files
SH256 hash:
1776f6da8c520fd5753480ed1900040cffaa86edf51220b6b7c45af74c9514ce
MD5 hash:
ababce15b20848b530dfdd65c001d0e3
SHA1 hash:
72c917b56b11635f2b8f2996a48301cab251b78e
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/82424c35-0c88-4a2e-8c99-929288fe4a1e/
Parent samples :
7128826dcce9cae120e66c403a6c2a6f44ad221521a56b12515180b08cce63e6
539b93f7453bae7aa4bb960cdca9cf90d3b94ca64c0e90b96e4c1b150e843d84
1dffa8653b7363ab77ecc095d268a8116c00f538eb5ad079f39fc6b6239676a3
SH256 hash:
9f926573b0f864e2fb1c3408181e5888bc8904e2f3bbcfc9bc50b31b4cf93ef1
MD5 hash:
81e6649bba9fc7422e9c49be73997558
SHA1 hash:
9980b3a0fa6bb2caded4883502dbb4563d534f73
Link:
https://www.unpac.me/results/82424c35-0c88-4a2e-8c99-929288fe4a1e/
SH256 hash:
539b93f7453bae7aa4bb960cdca9cf90d3b94ca64c0e90b96e4c1b150e843d84
MD5 hash:
862e22c2c3fad4741c689f93686cec6d
SHA1 hash:
616999ca7eea175abcea017ecd5cd219a2050da7
Link:
https://www.unpac.me/results/82424c35-0c88-4a2e-8c99-929288fe4a1e/
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/539b93f7453b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/539b93f7453bae7aa4bb960cdca9cf90d3b94ca64c0e90b96e4c1b150e843d84

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/284201/

Comments