MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60924e938260500bea6ca3a3475455bdea8ec70ad6df3358f2f867460061c535. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 60924e938260500bea6ca3a3475455bdea8ec70ad6df3358f2f867460061c535
SHA3-384 hash: a0dbcc5b6e8478c45db3e8a0e9709ebb71ee032e04a64d0b6cd2166815e03eae8543f281b3ecde9eaae29b384074e5e8
SHA1 hash: dfa3794f06865a91d1fcfebe9176dddab7d66d38
MD5 hash: 428e0c87889570c347967a444e6247a5
humanhash: music-louisiana-snake-robert
File name:4.bin
Download: download sample
Signature Gozi
Create hunting rule
File size:292'352 bytes
First seen:2020-10-06 05:48:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32c041eb227e47674b6d6b75295dd995 (1 x Gozi)
ssdeep 6144:RIFKrv3wVKKS0xxCF9Q5Gh5fh3/uiZJnKtUTikaU4GEt:RIwvgQ3zK5Gh5fhmpUT94Bt
Threatray 161 similar samples on MalwareBazaar
TLSH A8540218B68F0B59D8A9C8B68F72D7F346A9FFBC25650CFDA8573E0254B841FD122085
Reporter JAMESWT_WT

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ursnif
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68410/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file
Searching for the window
Creating a file in the %AppData% subdirectories
Launching a process
Creating a window
Creating a process with a hidden window
Changing a file
Running batch commands
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Deleting of the original file
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/482303
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Found Tor onion address
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses nslookup.exe to query domains
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 293592 Sample: 4.bin Startdate: 06/10/2020 Architecture: WINDOWS Score: 100 69 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->69 71 Multi AV Scanner detection for domain / URL 2->71 73 Antivirus / Scanner detection for submitted sample 2->73 75 10 other signatures 2->75 9 4.exe 3 3 2->9         started        process3 signatures4 79 Writes to foreign memory regions 9->79 81 Allocates memory in foreign processes 9->81 83 Modifies the context of a thread in another process (thread injection) 9->83 85 2 other signatures 9->85 12 control.exe 2 1 9->12         started        process5 signatures6 87 Changes memory attributes in foreign processes to executable or writable 12->87 89 Injects code into the Windows Explorer (explorer.exe) 12->89 91 Writes to foreign memory regions 12->91 93 4 other signatures 12->93 15 explorer.exe 5 21 12->15 injected 19 rundll32.exe 12->19         started        process7 dnsIp8 57 adonis-medicine.at 87.106.18.141, 49751, 80 ONEANDONE-ASBrauerstrasse48DE Germany 15->57 59 11totalzaelooop11.club 15->59 61 Tries to steal Mail credentials (via file access) 15->61 63 Changes memory attributes in foreign processes to executable or writable 15->63 65 Tries to harvest and steal browser information (history, passwords, etc) 15->65 67 6 other signatures 15->67 21 cmd.exe 2 15->21         started        24 cmd.exe 2 15->24         started        26 cmd.exe 1 15->26         started        28 6 other processes 15->28 signatures9 process10 signatures11 77 Uses nslookup.exe to query domains 21->77 30 nslookup.exe 1 21->30         started        33 conhost.exe 21->33         started        35 nslookup.exe 1 24->35         started        37 conhost.exe 24->37         started        39 conhost.exe 26->39         started        41 conhost.exe 28->41         started        43 conhost.exe 28->43         started        process12 dnsIp13 45 222.222.67.208.in-addr.arpa 30->45 47 resolver1.opendns.com 30->47 49 myip.opendns.com 30->49 51 222.222.67.208.in-addr.arpa 35->51 53 resolver1.opendns.com 35->53 55 myip.opendns.com 35->55
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/60924e938260500bea6ca3a3475455bdea8ec70ad6df3358f2f867460061c535/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2019-04-04 17:55:40 UTC
File Type:
PE (Exe)
AV detection:
38 of 48 (79.17%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0fefdfbc442c4667670b1b9001f1b586dbf7d7eeb13bcaf21af53984d5ad14a6
Gozi
2a80deaa083bb554ccc57c0ffd467b4fd1a6e2f1ae6ab1a3de140aab849b19bf
Gozi
361fb6895164e8e130e6fc3f6dc984af355294173c5e385d0ac35d6df61aea60
Gozi
4036ac805089ec47bd45e9b8b98aa5ee48a7f856d796f48b38250bde536895f9
Gozi
63a8687b9f3d1ef090cbd4f3c78edb9ff645ead16c5eacb05debf14e418596f4
Gozi
78cb6053d76d453fb3885f47c1634fc28e20862a5a73bcdc1557e5620ae7416f
Gozi
7d56b15beb55a2a77afce882394f2ca64a5477ae0ba35536309b19a785d688d3
Gozi
acdbf9fccd6e9fef6459322fb9ea0b1767815413a9a9d91407b87c7834ae77a0
Gozi
b9a9208aafc5b7d73bf9af9ced0b9be8d77a0a4b952391e15b61325ad3be3d9f
Gozi
e3c98c2ca7e4be4d14e9040f22c4a88bc512cb0e8d093af37360d035e45c5678
Gozi
+ 151 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201006-hgevcw5e1e/
Unpacked files
SH256 hash:
60924e938260500bea6ca3a3475455bdea8ec70ad6df3358f2f867460061c535
MD5 hash:
428e0c87889570c347967a444e6247a5
SHA1 hash:
dfa3794f06865a91d1fcfebe9176dddab7d66d38
Link:
https://www.unpac.me/results/416b75fa-dbde-4a38-b9fc-b831492b851a/
SH256 hash:
fe7a69453027219bf42fe1967e037ad5e22d5055c0aefaa1f35cc1a398e2eee0
MD5 hash:
674330a9de3886a180730bb2624680e0
SHA1 hash:
a9445bc75723f06bd3ff297da0382bae8d9cf8c5
Detections:
win_isfb_a4
Create hunting rule
Link:
https://www.unpac.me/results/416b75fa-dbde-4a38-b9fc-b831492b851a/
SH256 hash:
2a0a23e4984df8b463d60d56e4a001353b9c87115f89fac3fb1302c20c47b4bd
MD5 hash:
6b1916c1fcc6f90ec5861329d2e57547
SHA1 hash:
8cfdfd94cac8c6de9290b482c3dbb6118876e7b3
Link:
https://www.unpac.me/results/416b75fa-dbde-4a38-b9fc-b831492b851a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
ursnif3
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/60924e938260500bea6ca3a3475455bdea8ec70ad6df3358f2f867460061c535

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ursnif
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory
Reference:internal research
Rule name:win_dreambot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_isfb_a4
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe 60924e938260500bea6ca3a3475455bdea8ec70ad6df3358f2f867460061c535

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/68410/
  
URLhaus
https://urlhaus.abuse.ch/url/171464/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/171466/

Comments