MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59aeca8691ad3ddf1ad2217938f543821179ba1bdb7190e50c3df8605314b549. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 59aeca8691ad3ddf1ad2217938f543821179ba1bdb7190e50c3df8605314b549
SHA3-384 hash: faff73d12e510aff7655f27c4de596f353ccd7a05a5dfcfaa0a09bf70ea1b8bd6c6358589a191e01723e353fe54b330d
SHA1 hash: 9a8d7e481878044d2ac73740406e0ea9d4e1c341
MD5 hash: 093e3e04badb64b09c6803ef152c7903
humanhash: ink-nineteen-black-batman
File name:f3a0000.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:232'960 bytes
First seen:2022-09-06 10:15:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 3072:X5hinZgCo+NjJWSsznC2OCyzjFIz4V1T/JDR1vHBB78C752cj2v5e:X+nZ1o+NJWbn2CMFIzSTRDR1vHR5u
Threatray 73 similar samples on MalwareBazaar
TLSH T1DB345C9AA3E51995ED6BC6B6CD53D227EBF234092B14D30F5370CAA66F17722B11C302
TrID 28.8% (.EXE) DOS Executable Borland Pascal 7.0x (2035/25)
28.3% (.EXE) Generic Win/DOS Executable (2002/3)
28.3% (.EXE) DOS Executable Generic (2000/1)
14.2% (.SCORE) Music Craft Score (1007/6)
0.2% (.DBF) Sybase iAnywhere database files (19/3)
Reporter 0x746f6d6669
Tags:exe Gozi

Intelligence

File Origin
# of uploads :
1
# of downloads :
344
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f3a0000.dll
Verdict:
No threats detected
Analysis date:
2022-09-06 10:16:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9d903e08-ba2a-41cd-bcc2-de4a8f20f4c2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/308144/
Detection(s):
Win.Malware.Ursnif-9884005-0
Create hunting rule

Win.Malware.Ursnif-9886559-0
Create hunting rule

Win.Malware.Ursnif-9892796-0
Create hunting rule

Win.Malware.Ursnif-9896448-0
Create hunting rule

Win.Malware.Ursnif-9917123-0
Create hunting rule

Win.Malware.Ursnif-9937854-0
Create hunting rule

Win.Malware.GoziISFB-9940853-1
Create hunting rule

SecuriteInfo.com.Generic.Ursnif.3.1.1CADF70D.17341.21393.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/63171de831a6d28c0ce583f0/reports/6e2fcacc-42d9-4c17-8716-f2af878df000/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c9fd367e-b6dc-4cd6-8bfa-806b120cb23d
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1065549
Signature
Antivirus / Scanner detection for submitted sample
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 698075 Sample: f3a0000.dll.exe Startdate: 06/09/2022 Architecture: WINDOWS Score: 56 15 Antivirus / Scanner detection for submitted sample 2->15 17 Yara detected  Ursnif 2->17 7 loaddll64.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 rundll32.exe 7->11         started        process5 13 rundll32.exe 9->13         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/59aeca8691ad3ddf1ad2217938f543821179ba1bdb7190e50c3df8605314b549/
Threat name:
Win64.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2022-09-06 10:16:08 UTC
File Type:
PE+ (Dll)
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lgxmvburvu656gwsef4tr5kdqiixtoq33nyzbzimhx4gauyuwveq._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
459ae352ddf8d4b69efbad05bba5b03d2a54d810407ec3f85b42b7175af90689
Gozi
488925a89527506e1e40d24e0599e758bcf44bdd788f9da852823c27898d164e
Gozi
54eed1d4eb8679e67541c1102e743a1d636b90860bdea3ace0e9fd7a2d4309ee
Gozi
86b1f0e8e8d97005fb1d6671fbd424a8296762c4023f03365d04897b87b75cca
Gozi
8c37fb14f34e6633008e6ef4e3a37265c61c367783cb7f4a6666608011eeed3b
Gozi
d622b3fa4d9db13eda3872919fef4285547af86ed38f6b51afeb412535b25003
Gozi
daa3e551c98f62aa1a278205be361a4bf5b193f1540527ff2ceec0b1e3612f38
Gozi
+ 63 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:11111
Link:
https://tria.ge/reports/220906-massvagdgk/
Malware Config
C2 Extraction:
trackin1g-protection.cdnn.mozilla.net
176.10.119.80
194.76.224.245
31.214.157.77
chnkdgpopupser.at
185.158.250.220
185.158.250.234
194.76.224.181
Unpacked files
SH256 hash:
59aeca8691ad3ddf1ad2217938f543821179ba1bdb7190e50c3df8605314b549
MD5 hash:
093e3e04badb64b09c6803ef152c7903
SHA1 hash:
9a8d7e481878044d2ac73740406e0ea9d4e1c341
Link:
https://www.unpac.me/results/bf66f279-bda4-46a2-8e08-fe1e2fc4251d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/59aeca8691ad3ddf1ad2217938f543821179ba1bdb7190e50c3df8605314b549

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/308144/

Comments