MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56b998448c4cd2240edcf0446c8bc7da54f4568ba99d1f3774c43af202aac995. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 56b998448c4cd2240edcf0446c8bc7da54f4568ba99d1f3774c43af202aac995
SHA3-384 hash: 6e3e61ad1a6552640256dc9416c26c1fdf8ecbf9eab452c198e58fd61ad6b18ef4255919150003cdc00125608c87a3c3
SHA1 hash: 96fcdac225106f13726477d898a4939ccfcd4781
MD5 hash: c40709736c45151601de6db50f379d8b
humanhash: angel-nineteen-idaho-mirror
File name:2790000.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:45'056 bytes
First seen:2021-07-06 12:25:12 UTC
Last seen:2021-07-06 12:38:23 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 6e9163c62b29a1ccabed40ce8621a95a (7 x Gozi)
ssdeep 768:nlGZ5Eevswd4RoFgmPsnwx+yXqv4kC9/VWH64A1xbDOhtMhDbPm+K5StOQM80Epp:lGZ5ewOKywnavdM/V+6OzsrJK9Wp
TLSH 9513F1B66E100CB2EB8EA9BD017DA52FC36A0B619724DC47D772F3A435995107C3E722
Reporter 0x746f6d6669
Tags:dll Gozi

Intelligence

File Origin
# of uploads :
2
# of downloads :
301
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ursnif3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/169946/
Detection(s):
SecuriteInfo.com.Variant.Razy.862012.16650.31807.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f445472f-126d-4102-bf25-1687c9bca09d
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/812242
Signature
Antivirus / Scanner detection for submitted sample
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Found malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Sigma detected: Encoded IEX
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 444655 Sample: 2790000.dll Startdate: 06/07/2021 Architecture: WINDOWS Score: 100 75 taybhctdyehfhgthp2.xyz 2->75 77 resolver1.opendns.com 2->77 93 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->93 95 Found malware configuration 2->95 97 Antivirus / Scanner detection for submitted sample 2->97 99 7 other signatures 2->99 9 loaddll32.exe 1 1 2->9         started        12 mshta.exe 2->12         started        14 mshta.exe 2->14         started        16 mshta.exe 2->16         started        signatures3 process4 signatures5 115 Writes to foreign memory regions 9->115 117 Modifies the context of a thread in another process (thread injection) 9->117 119 Maps a DLL or memory area into another process 9->119 123 2 other signatures 9->123 18 iexplore.exe 1 105 9->18         started        20 control.exe 9->20         started        23 regsvr32.exe 9->23         started        32 2 other processes 9->32 121 Suspicious powershell command line found 12->121 25 powershell.exe 12->25         started        28 powershell.exe 14->28         started        30 powershell.exe 16->30         started        process6 file7 34 iexplore.exe 18->34         started        37 iexplore.exe 18->37         started        39 iexplore.exe 18->39         started        47 17 other processes 18->47 101 Changes memory attributes in foreign processes to executable or writable 20->101 103 Modifies the context of a thread in another process (thread injection) 20->103 105 Maps a DLL or memory area into another process 20->105 107 Creates a thread in another existing process (thread injection) 20->107 109 Writes or reads registry keys via WMI 23->109 111 Writes registry values via WMI 23->111 63 C:\Users\user\AppData\...\rzslcw3n.cmdline, UTF-8 25->63 dropped 113 Compiles code for process injection (via .Net compiler) 25->113 41 csc.exe 25->41         started        49 2 other processes 25->49 65 C:\Users\user\AppData\Local\...\mqjlkxcv.0.cs, UTF-8 28->65 dropped 51 2 other processes 28->51 53 2 other processes 30->53 44 rundll32.exe 32->44         started        signatures8 process9 dnsIp10 79 img.img-taboola.com 34->79 81 edge.gycpi.b.yahoodns.net 87.248.118.22, 443, 49761, 49762 YAHOO-DEBDE United Kingdom 34->81 89 10 other IPs or domains 34->89 83 taybhctdyehfhgthp2.xyz 45.90.58.179, 49866, 49867, 49868 GREENFLOID-ASUA Bulgaria 37->83 67 C:\Users\user\AppData\Local\...\rzslcw3n.dll, PE32 41->67 dropped 55 cvtres.exe 41->55         started        125 Writes registry values via WMI 44->125 85 taybhctdyehfhgthp2.xyz 47->85 87 taybhctdyehfhgthp2.xyz 47->87 91 37 other IPs or domains 47->91 69 C:\Users\user\AppData\Local\...\rpyoew2f.dll, PE32 49->69 dropped 57 cvtres.exe 49->57         started        71 C:\Users\user\AppData\Local\...\pkkmtuzt.dll, PE32 51->71 dropped 59 cvtres.exe 51->59         started        73 C:\Users\user\AppData\Local\...\xwrbq4ie.dll, PE32 53->73 dropped 61 cvtres.exe 53->61         started        file11 127 Performs DNS queries to domains with low reputation 87->127 signatures12 process13
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/56b998448c4cd2240edcf0446c8bc7da54f4568ba99d1f3774c43af202aac995/
Threat name:
Win32.Infostealer.Gozi
Create hunting rule
Status:
Malicious
First seen:
2021-07-06 12:25:22 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k24zqremjtjcidw46bcgzc6h3jkpivulvgor6n3uyq5peavkzgkq._file
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:5456
Link:
https://tria.ge/reports/210706-glj62t8tmn/
Behaviour
Suspicious use of WriteProcessMemory
Malware Config
C2 Extraction:
outlook.com
mail.com
taybhctdyehfhgthp2.xyz
thyihjtkylhmhnypp2.xyz
Unpacked files
SH256 hash:
56b998448c4cd2240edcf0446c8bc7da54f4568ba99d1f3774c43af202aac995
MD5 hash:
c40709736c45151601de6db50f379d8b
SHA1 hash:
96fcdac225106f13726477d898a4939ccfcd4781
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/b3379bcd-c131-4be1-a03d-667625adb2f4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.14
Link:
https://yomi.yoroi.company/submissions/56b998448c4cd2240edcf0446c8bc7da54f4568ba99d1f3774c43af202aac995

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ursnif3
Create hunting rule
Author:kevoreilly
Description:Ursnif Payload
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/169946/

Comments