MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 556013314272ea728978b82086844082f94cb1335fa4f96913165b67da0811cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 556013314272ea728978b82086844082f94cb1335fa4f96913165b67da0811cb
SHA3-384 hash: fba8701dbc3b5238570d67961cf629e3a81a35c86c09aaf0e9b3dd071305054ff1774001b53e318326dd1664d4929cf1
SHA1 hash: af8f21b661c78a0dfa6fc78afe0504efc1a70534
MD5 hash: b65ddd031511351f6b971e657e78ede8
humanhash: salami-oven-helium-delaware
File name:payment_03939.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:243'200 bytes
First seen:2021-03-26 15:12:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 19a26fa1d4f67c66683ae2e4fe20653b (2 x Gozi)
ssdeep 3072:R+VBnJqNC8pvLpED1NJ5+nGNJlQbWXde/msfu9oXDcORKYc8jetd3ru7OPhrXGW2:wVhBJ5XFnlXgfyQwTiMPn52YQZ
TLSH 34347D00EBA1C035F5BA11F4897983E8F5297AB06B244DCF62D55EEA26386F0DC31767
Reporter nao_sec
Tags:Gozi RigEK Ursnif


Avatar
nao_sec
Dropped from http[:]//gotanda-clinic[.]xyz/payment_03939.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
330
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4ctt1.exe
Verdict:
Malicious activity
Analysis date:
2021-03-26 15:02:56 UTC
Tags:
trojan loader smoke gozi ursnif dreambot evasion stealer
Link:
https://app.any.run/tasks/940a0e01-3aa4-4c14-8c98-1f87746bc686

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Ursnif3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/127044/
Detection(s):
Win.Malware.Generic-9846132-0
Create hunting rule

Win.Packed.Razy-9847307-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Searching for the window
Sending a UDP request
Connection attempt
Deleting a recently created file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/655722
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/556013314272ea728978b82086844082f94cb1335fa4f96913165b67da0811cb/
Threat name:
Win32.Infostealer.Convagent
Create hunting rule
Status:
Malicious
First seen:
2021-03-22 16:06:49 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kvqbgmkcolvhfclyxaqinbcaql4uzmjtl6sps2itcznwpwqichfq._file
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:8005 banker trojan
Link:
https://tria.ge/reports/210326-lsfscs7azj/
Behaviour
Discovers systems in the same network
Enumerates processes with tasklist
Gathers system information
Modifies Internet Explorer settings
Runs net.exe
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
ssddl2.microsoft.com
siberiarrmaskkapsulrttezya.ru
sibedriamasterkkmoderatordstezya.ru
massidfberiatersksilkavayssstezya.ru
dolsggiberiaoserkmikluhasya.chimkent.su
dolsibegriaosersk4ermanderezya.chimkent.su
rdosdripakloserikabyatezya.chimkent.su
rusddripakoloserufinurtdrfezya.chimkent.su
ripakteenrufinishryeuliliezya.ru
rufiteemnisripakhglassdzya.ru
rufinisrufripakhmileronurzya.ru
rurugyrfripakinishtokokusstezya.ru
rufislomnishsripakerdfnstezya.adygeya.su
adav.microsoft.com
stratosferiss.ru
miniklanssstoezya.ru
sbigaschyress.chimkent.su
bigsachyd.abkhazia.su
sbsigachyeytezya.ru
sbigfachykatezya.ru
fgbiggachykvangdikezya.adygeya.su
zstremniagrazaautobanya.club
stremnaarumndadstezya.com
zastremnesddstezya.ru
minstremnstoun.ru
stremnrootttd.ru
stremnntveinee.chimkent.su
zastremnsamohodkakas.agency
Unpacked files
SH256 hash:
d205f030da71f4967a3524eba124e588d7924b13752a8dcf694ab41c5bfe32ef
MD5 hash:
f76936131edbaede06e14867b8fe4873
SHA1 hash:
9f291dd75e48efe7654c152e9972c4573986f006
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/11436064-983b-401a-b709-5cb8df161244/
Parent samples :
dddf5829a3bdcb2b6562eb194a138f8de5da26eb5dda0bbfacbbf1124ad51ec6
f71d3ac993ef4141a41823255510bbc7238989b7421d15fc1d8b1c9a3cd5f641
aa8a59aaed89dd7c8696a7d63fa2763689be023a4a7692f63d950d8b923b6154
d244338e6e0a61efe813abf4615e185d68cfb960d94c95c579c6ebbff1d9be42
556013314272ea728978b82086844082f94cb1335fa4f96913165b67da0811cb
SH256 hash:
298d0ff74e2d7a07d367709d17b599bd3e9f756c866829cf2f262d83f02645ac
MD5 hash:
1f12d6d3bf04a979e540dc0f95fcf87e
SHA1 hash:
2f93e036427dde49417e358467041e26050100c9
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/11436064-983b-401a-b709-5cb8df161244/
Parent samples :
dddf5829a3bdcb2b6562eb194a138f8de5da26eb5dda0bbfacbbf1124ad51ec6
f71d3ac993ef4141a41823255510bbc7238989b7421d15fc1d8b1c9a3cd5f641
aa8a59aaed89dd7c8696a7d63fa2763689be023a4a7692f63d950d8b923b6154
d244338e6e0a61efe813abf4615e185d68cfb960d94c95c579c6ebbff1d9be42
556013314272ea728978b82086844082f94cb1335fa4f96913165b67da0811cb
SH256 hash:
556013314272ea728978b82086844082f94cb1335fa4f96913165b67da0811cb
MD5 hash:
b65ddd031511351f6b971e657e78ede8
SHA1 hash:
af8f21b661c78a0dfa6fc78afe0504efc1a70534
Link:
https://www.unpac.me/results/11436064-983b-401a-b709-5cb8df161244/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/556013314272ea728978b82086844082f94cb1335fa4f96913165b67da0811cb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ursnif3
Create hunting rule
Author:kevoreilly
Description:Ursnif Payload
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Gozi

Executable exe 57290220f611832cbc11c8b6d4929f1dcb585cb5a4c1b2833dca53c04fe072ba

Gozi

Executable exe 556013314272ea728978b82086844082f94cb1335fa4f96913165b67da0811cb

(this sample)

  
X
https://twitter.com/nao_sec/status/1375465237902553090
  
Dropped by
SHA256 57290220f611832cbc11c8b6d4929f1dcb585cb5a4c1b2833dca53c04fe072ba
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/127044/

Comments