MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f65108386662cc4780882e06928dd940ea6c75235bf8e4c09079e6e40045326. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gozi


Vendor detections: 11



SHA256 hash: 5f65108386662cc4780882e06928dd940ea6c75235bf8e4c09079e6e40045326
SHA3-384 hash: 8b9b2b7952a161b68b7fb94e5bf66efa44948009e288856b4fc8d807992dc337785226dd302add4efa3c3eae8a7d23cb
SHA1 hash: 90a17a059b290a2d5becbff3ec9fe4dabdfc06ae
MD5 hash: d6d4942cd0282dbbb0e34276706e6bab
humanhash: october-bravo-lake-south
File name: register.jpg.dll
Signature: Gozi
File size: 761'856 bytes
First seen: 2021-04-26 12:47:47 UTC
Last seen: 2021-04-30 14:49:15 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash: 6429c18a3abaea96e49f5b3f9ab317ee (1 x Gozi)
ssdeep: 12288:4GzKiFJSk5OWpk0KQlL7QQDprnF0xfHHlsTRRZC7Emy/Kt28nxub/lgkjK7l6kXC:9+iFJJ5OWpk0KQh8QD8uPZC7EojvkjKa
Threatray: 212 similar samples on MalwareBazaar
TLSH: C2F49C25B8C2C032E5A320384968E6F45BBDB4301B245BDB77CC2B3F9F716D156365AA
Reporter: JAMESWT_WT
Tags: dll geo Gozi isfb ITA Ursnif

Intelligence


File Origin
# of uploads: 5
# of downloads: 367
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness: (not reported)
Behaviour
Running batch commands
Sending a UDP request
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: (not reported)
Detection: malicious
Classification: troj
Score: 72 / 100
Signature
Found malware configuration
Sigma detected: Execute DLL with spoofed extension
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph (graph image not reproduced): ID 397882; sample register.jpg.dll; start date 26/04/2021; architecture WINDOWS; score 72. Signatures shown on the graph: Found malware configuration; Yara detected Ursnif; Sigma detected: Execute DLL with spoofed extension; Writes or reads registry keys via WMI; Writes registry values via WMI. Process tree: loaddll32.exe starts rundll32.exe and cmd.exe, which are followed by further rundll32.exe, cmd.exe and conhost.exe child processes.
Threat name: Win32.Trojan.Ursnif
Status: Malicious
First seen: 2021-04-26 12:47:28 UTC
File Type: PE (Dll)
Extracted files: 1
AV detection: 10 of 29 (34.48%)
Threat level: 5/5
Result
Malware family: gozi_ifsb
Score: 10/10
Tags: family:gozi_ifsb botnet:7405 banker trojan
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
signin.microsoft.com
login.microsoft.com
linerstats.com
linerstats.bar
infeetic.co
Unpacked files
SHA256 hash: d4761a0e3fed8527753cb78be297ed375f0c6f1904390ffc28af947e5ab614fb
MD5 hash: 81ff5d088bc6dbe72d0e7ff783806736
SHA1 hash: 6ac4a0722b4538b9465e9718e4da7d6f98bc3dc3
Detections: win_isfb_auto
SHA256 hash: 5f65108386662cc4780882e06928dd940ea6c75235bf8e4c09079e6e40045326
MD5 hash: d6d4942cd0282dbbb0e34276706e6bab
SHA1 hash: 90a17a059b290a2d5becbff3ec9fe4dabdfc06ae
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Gozi
File type: DLL dll
SHA256: 5f65108386662cc4780882e06928dd940ea6c75235bf8e4c09079e6e40045326 (this sample)

Comments



accidentalrebel commented on 2021-04-26 13:05:13 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0012.001] Anti-Static Analysis::Argument Obfuscation
1) [C0026.002] Data Micro-objective::XOR::Encode Data
3) [C0051] File System Micro-objective::Read File
4) [C0052] File System Micro-objective::Writes File
5) [C0007] Memory Micro-objective::Allocate Memory
6) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
7) [C0040] Process Micro-objective::Allocate Thread Local Storage
8) [C0017] Process Micro-objective::Create Process
9) [C0041] Process Micro-objective::Set Thread Local Storage Value
10) [C0018] Process Micro-objective::Terminate Process