MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 576413cc88f47adde6685639f88d17d495fff4475c89603fe83078f81ee20846. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 576413cc88f47adde6685639f88d17d495fff4475c89603fe83078f81ee20846
SHA3-384 hash: 085a8e4874730f43787a41a934588c23a91d18f8c7c31e809fb22692f67d51b7755982245dd3584cf7c602221fbd27fc
SHA1 hash: e8e054a8c8aa27120909bb89725b36f5a7136d98
MD5 hash: fb46a45c032fb8b5798f00878af54464
humanhash: earth-grey-georgia-vegan
File name:1f0000.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:44'544 bytes
First seen:2022-10-18 07:59:49 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
ssdeep 768:FTmE+L5AkTXKMaqD4leJiArJBFkK527nhoZ3eGiJ18MGXFlkq9k34d:FTmE+L5AkTixchBOKinCZ3eGa18MGTRx
Threatray 576 similar samples on MalwareBazaar
TLSH T10313AE12F6F94CF2D7A25EB06620F6F467FE8A3121389441EB1359CA1EA0953D53E30B
TrID 38.0% (.EXE) Win64 Executable (generic) (10523/12/4)
23.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
16.3% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.EXE) OS/2 Executable (generic) (2029/13)
7.2% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter 0x746f6d6669
Tags:dll Gozi

Intelligence

File Origin
# of uploads :
1
# of downloads :
257
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/321277/
Result
Verdict:
Malware
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed shell32.dll
Link:
https://www.filescan.io/uploads/634e5d078a8cb5d2d4a9de03/reports/ae2bcadc-adfc-41fe-a3b3-4290cb1365e3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/04f403ef-cf5d-41aa-ac50-99424ede27ec
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1092538
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 725157 Sample: 1f0000.dll Startdate: 18/10/2022 Architecture: WINDOWS Score: 60 15 Antivirus / Scanner detection for submitted sample 2->15 17 Yara detected  Ursnif 2->17 19 Machine Learning detection for sample 2->19 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 conhost.exe 7->11         started        process5 13 rundll32.exe 9->13         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/576413cc88f47adde6685639f88d17d495fff4475c89603fe83078f81ee20846/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2022-10-18 08:00:10 UTC
File Type:
PE (Dll)
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k5sbhtei6r5n3ztiky47rdix2sk775chlsewap7igb4pqhxcbbda._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
2fffec7d345d16c2480ea2f3f2e046e220488486c81cf7e1c14adfab890ec0b1
Gozi
49c54e18e22e5c82d591ff5345a4c660f2c80e14fcbe4c3a7d1df43654e40e86
Gozi
61b6f378708dad610ed8d4665cbe460d91ffc2615adc28817c2c3f01352b00be
Gozi
72504c07e6105b70500519f3bcf718d3113624560c5594e87c08a4efc2e2a1a8
Gozi
7fb112c3da88d1cec6b56d4503337efc9a55210736c25f6e5a59811ad5846f9b
Gozi
f8388847ebddbc0c6db43ede0ee839fa304fc4786d4a7c8285eb746a5a2ee711
Gozi
+ 566 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:10103
Link:
https://tria.ge/reports/221018-jvzkcafac8/
Behaviour
Suspicious use of WriteProcessMemory
Malware Config
C2 Extraction:
trackingg-protectioon.cdn1.mozilla.net
siwdmfkshsgw.com
188.127.224.114
weiqeqwns.com
weiqeqwens.com
weiqewqwns.com
iujdhsndjfks.com
ijduwhsbvk.com
Unpacked files
SH256 hash:
576413cc88f47adde6685639f88d17d495fff4475c89603fe83078f81ee20846
MD5 hash:
fb46a45c032fb8b5798f00878af54464
SHA1 hash:
e8e054a8c8aa27120909bb89725b36f5a7136d98
Detections:
ISFB_Main
Create hunting rule
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/057abf77-c049-4cf5-8216-682b58a9a0f8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/576413cc88f47adde6685639f88d17d495fff4475c89603fe83078f81ee20846

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/321277/

Comments