MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 547825e818905217b56b3aaa6f17dc46e0bf4e1eb36d3347b97846425c552d01. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	547825e818905217b56b3aaa6f17dc46e0bf4e1eb36d3347b97846425c552d01
SHA3-384 hash:	38a7cb259cd815659c19135b7b35817b3744823054abdd87b90a0571cceb7fa04f1e51390dbe6e68675991c95a754158
SHA1 hash:	ec094cfd748d1e0eba5e60530d9d94e8b5383c24
MD5 hash:	db199a697a2ae47eed09d60f5f120e4d
humanhash:	connecticut-paris-orange-timing
File name:	SecuriteInfo.com.Trojan.Gozi.877.2315.29418
Download:	download sample
Signature	Gozi Create hunting rule
File size:	524'288 bytes
First seen:	2022-07-29 20:31:36 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	9660bd48bc8440cbf876dba4521e0f83 (1 x Gozi)
ssdeep	6144:VFf5Amu0EmCW0CbgsVIq84m4O4c03Fc9nKVcHJp:VFxRuxLCbg8K4O0WDHT
TLSH	T185B4027732D15631E221D87540A9139FDB6898D9CB2E05EBB639CCA92A403F1913F23F
TrID	40.3% (.EXE) Win64 Executable (generic) (10523/12/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4505/5/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	SecuriteInfoCom
Tags:	dll Gozi

Intelligence

File Origin

# of uploads :

# of downloads :

502

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/295151/

Detection(s):

SecuriteInfo.com.Trojan.Gozi.877.2315.29418.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Using the Windows Management Instrumentation requests

DNS request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62e4445bb7eec656277a43c0/reports/3a6113aa-dcec-4f04-8b45-8bf3aa44fc5e/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6c01395a-18a5-4ba6-9068-e91c03d43ad1

Result

Threat name:

Ursnif

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1043343

Signature

Found API chain indicative of debugger detection

Found evasive API chain (may stop execution after checking system information)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Writes or reads registry keys via WMI

Writes registry values via WMI

Yara detected Ursnif

Behaviour

Behavior Graph:

Download SVG

Detection:

isfb

Link:

https://mwdb.cert.pl/sample/547825e818905217b56b3aaa6f17dc46e0bf4e1eb36d3347b97846425c552d01/

Threat name:

Win32.Trojan.Zenpak

Status:

Malicious

First seen:

2022-07-26 17:26:36 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

21 of 25 (84.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kr4cl2aysbjbpnllhkvg6f64i3ql6tq6wnwtgr5zpbdeexcvfuaq._file

Result

Malware family:

gozi_ifsb

Score:

10/10

Tags:

family:gozi_ifsb botnet:22222 banker trojan

Link:

https://tria.ge/reports/220729-za9sksdeej/

Behaviour

Suspicious use of WriteProcessMemory

Blocklisted process makes network request

Gozi, Gozi IFSB

Malware Config

C2 Extraction:

trackingg-protectioon.cdn1.mozilla.net
185.189.151.232
194.76.225.101
185.212.47.30
109.230.199.124
gomegodasto.at

Unpacked files

SH256 hash:

c3e46c447b685092682d8b93bc263c28bb7a958ef41580287149a1e25ba32bcd

MD5 hash:

02f63f18ba18a24291520ac27366d7be

SHA1 hash:

bac0244f39613f56250f2acc106d17d0d313acb3

Detections:

win_isfb_auto

Link:

https://www.unpac.me/results/1e478266-5f60-48cf-985d-88cc113d64ca/

SH256 hash:

89393ee3987ce37823ab8c9c727c0c18d533ea24a9728a0eb2f1cfe30444091b

MD5 hash:

4a3ccfd683a3b4b09dd8927e0e0303cd

SHA1 hash:

d1b9f28a0c1453a5d371b6469caa0f44d7c65be2

Link:

https://www.unpac.me/results/1e478266-5f60-48cf-985d-88cc113d64ca/

SH256 hash:

547825e818905217b56b3aaa6f17dc46e0bf4e1eb36d3347b97846425c552d01

MD5 hash:

db199a697a2ae47eed09d60f5f120e4d

SHA1 hash:

ec094cfd748d1e0eba5e60530d9d94e8b5383c24

Link:

https://www.unpac.me/results/1e478266-5f60-48cf-985d-88cc113d64ca/

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/547825e81890/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/547825e818905217b56b3aaa6f17dc46e0bf4e1eb36d3347b97846425c552d01

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	win_isfb_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

DLL dll 547825e818905217b56b3aaa6f17dc46e0bf4e1eb36d3347b97846425c552d01

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2262597/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/295151/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample