MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ead9dc2ee1f22e08c72c162a379c51b364c6e8fb51328b8bc25d4d2e971ad14. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	5ead9dc2ee1f22e08c72c162a379c51b364c6e8fb51328b8bc25d4d2e971ad14
SHA3-384 hash:	be730151f48944ca1e6dc6b6d5c86050ff816d7af1546cf0082372f013ead61eb7b16a040fe313b9b3f6e5a309298e45
SHA1 hash:	537a6292742640cd7d32d0ad7a6ba48f66ea7963
MD5 hash:	59399a271b3b30f849c0828bc3c48b2f
humanhash:	november-happy-pasta-sad
File name:	5c70000.dll
Download:	download sample
Signature	Gozi Create hunting rule
File size:	233'472 bytes
First seen:	2022-11-17 10:43:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	6144:N534X5elaqMGCR2Ak9P56TLz8xb9h+b35eZc:Nt4XAlabG62Ak9P5aP8hr+bac
Threatray	108 similar samples on MalwareBazaar
TLSH	T141346C6AA3E51995E96BD5B6CD53D217EBF334092B24D30F53B0CA966F17322B21C302
TrID	28.8% (.EXE) DOS Executable Borland Pascal 7.0x (2035/25) 28.3% (.EXE) Generic Win/DOS Executable (2002/3) 28.3% (.EXE) DOS Executable Generic (2000/1) 14.2% (.SCORE) Music Craft Score (1007/6) 0.2% (.DBF) Sybase iAnywhere database files (19/3)
Reporter	0x746f6d6669
Tags:	exe Gozi

Intelligence

File Origin

# of uploads :

# of downloads :

231

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

5c70000.dll

Verdict:

No threats detected

Analysis date:

2022-11-17 10:45:32 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/9d88bc69-01b9-4aa5-b4ad-bd036ef30173

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/335285/

Detection(s):

Win.Malware.Ursnif-9884005-0

Win.Malware.Ursnif-9886559-0

Win.Malware.Ursnif-9892796-0

Win.Malware.Ursnif-9896448-0

Win.Malware.Ursnif-9917123-0

Win.Malware.Ursnif-9937854-0

Result

Verdict:

Clean

Maliciousness:

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed setupapi.dll shell32.dll ursnif

Link:

https://www.filescan.io/uploads/637610736fda73cab64e3303/reports/6b02a29c-0ceb-474f-8741-714c1f4ab289/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/024a3b96-0940-4b90-8bf9-9efa255ec1e3

Result

Threat name:

Ursnif

Detection:

malicious

Classification:

troj

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/1115663

Signature

Antivirus / Scanner detection for submitted sample

Yara detected Ursnif

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5ead9dc2ee1f22e08c72c162a379c51b364c6e8fb51328b8bc25d4d2e971ad14/

Threat name:

Win64.Trojan.Ursnif

Status:

Malicious

First seen:

2022-11-17 10:44:07 UTC

File Type:

PE+ (Dll)

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=l2wz3qxod4robddsyfrkg6ofdm3ey3upwujsrof4exknf2lrvuka._file

Verdict:

malicious

Label(s):

gozi

Gozi

1c127c223ece190ab8982cb8b55cb2d78754b1e8e51775aa276e85587a1311e4

Gozi

3e099b9a4d2092444a335dad2a3ad688b4c981b1a5e4e522f489c59a3e6f4e6a

Gozi

555df9df7ab7a1edf7764add9ff88b1266a078d48ee1cc00f21f0131a6b30b84

Gozi

b8ede90d77745ec6121d2ce8e06e85710855df06fe192788081f2b6ef6abb1d9

Gozi

cf043012ad2be371b8f945ac4952f79d9484f74d8e5fe9a08970d0df748927ab

Gozi

d7c21a2d7356de716a0d38bd83ca240c7c12b3830494ffde30e3599fa2243b5c

Gozi

dc641a85150af5ede0e9a4ab23144a578889bbee7163addf9e97b5fab7d09fc8

Gozi

+ 98 additional samples on MalwareBazaar

Result

Malware family:

gozi

Score:

10/10

Tags:

family:gozi botnet:5 isfb

Link:

https://tria.ge/reports/221117-mss7bseb89/

Malware Config

C2 Extraction:

lentaphoto.at
iujdhsndjfks.ru
gameindikdowd.ru
jhgfdlkjhaoiu.su

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/13cf2169-1885-4a18-8bdb-115669604999

Unpacked files

SH256 hash:

5ead9dc2ee1f22e08c72c162a379c51b364c6e8fb51328b8bc25d4d2e971ad14

MD5 hash:

59399a271b3b30f849c0828bc3c48b2f

SHA1 hash:

537a6292742640cd7d32d0ad7a6ba48f66ea7963

Detections:

ISFB_Main

win_dreambot_auto

Link:

https://www.unpac.me/results/230d31fd-0d77-4214-849a-c40cc845e33d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/5ead9dc2ee1f22e08c72c162a379c51b364c6e8fb51328b8bc25d4d2e971ad14

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	win_dreambot_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.dreambot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/335285/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample