MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 620bc1e016887d7761907a85d49870a832b70e0340f599b472bec0a11b7b663a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 13

SHA256 hash: 620bc1e016887d7761907a85d49870a832b70e0340f599b472bec0a11b7b663a
SHA3-384 hash: 0f29eb3dbb6bfd857a62af9c0896eb0dea083bdac94e72d6ca4201f7389c30b9b646d408b0c550292bdd4b8a97cf8110
SHA1 hash: 11e327255056c2aa0b8dfba55b903203762f0646
MD5 hash: 59f87ca5936f1a0d570c3d7836f48ef1
humanhash: tennis-nevada-bacon-monkey
File name: 2023-07-12-Gozi.dll
Download: download sample
Signature: Gozi
File size: 613'888 bytes
First seen: 2023-07-15 06:25:14 UTC
Last seen: Never
File type: DLL
MIME type: application/x-dosexec
imphash: b49b447537c9dcb5dcd94d4248ca55e2 (1 x Gozi)
ssdeep: 12288:mqCARqPxn1ABP3zws5MZ0aAipNy8WxzJTrKhajICA:mzIqZeBPEsyiaAeNy8WTvS8A
Threatray: 201 similar samples on MalwareBazaar
TLSH: T1D5D49D43F57AC779E0B65738C2256E3644BC984114F5A8A6D291FB93FEA1B11232333B
TrID: 55.3% (.SCR) Windows screen saver (13097/50/3)
      19.0% (.EXE) Win32 Executable (generic) (4505/5/1)
      8.5% (.EXE) OS/2 Executable (generic) (2029/13)
      8.4% (.EXE) Generic Win/DOS Executable (2002/3)
      8.4% (.EXE) DOS Executable Generic (2000/1)
Reporter: JAMESWT_WT
Tags: dll Gozi

Intelligence

File Origin
# of uploads: 1
# of downloads: 329
Origin country: IT

Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:
Behaviour
Searching for the window
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control gozi greyware lolbin packed ryuk
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Ursnif, Strela Stealer
Detection: malicious
Classification: spre.bank.troj.spyw.expl.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Disables SPDY (HTTP compression, likely to perform web injects)
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Performs a network lookup / discovery via net view
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses nslookup.exe to query domains
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Yara detected Strela Stealer
Behaviour
Behavior Graph: [graph rendering not reproduced] Behavior Graph ID: 1273511; Sample: 2023-07-12-Gozi.dll; Startdate: 15/07/2023; Architecture: WINDOWS; Score: 100.
The graph shows the DLL being loaded through loaddll32.exe, regsvr32.exe and rundll32.exe (which in turn start control.exe), mshta.exe launching powershell.exe that compiles DLLs with csc.exe/cvtres.exe and injects into explorer.exe, and the injected explorer.exe spawning cmd.exe, nslookup.exe, net view and systeminfo.exe while contacting diwdjndsfnj.ru and other remote hosts.
Threat name: Win32.Trojan.Gozi
Status: Malicious
First seen: 2023-07-13 03:00:43 UTC
File Type: PE (Dll)
AV detection: 17 of 23 (73.91%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:gozi botnet:2100 banker isfb persistence trojan
Behaviour
Checks SCSI registry key(s)
Discovers systems in the same network
Enumerates processes with tasklist
Gathers system information
Modifies Internet Explorer settings
Modifies registry class
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Enumerates connected drives
Checks computer location settings
Modifies Installed Components in the registry
Gozi
Malware Config
C2 Extraction:
diwdjndsfnj.ru
iwqdndomdn.su
mnvxcjieifad.su
jdsncjxjujdww.ru
Unpacked files
SHA256 hash: 84fcb3b8ee2af71f833d3e9dd4c9d73173f20dcd073668fe1bac94efa1692747
MD5 hash: cbef52af0fed9c5da5c6d4ab78e8d24d
SHA1 hash: 43d43d90833b91a86633b37ccb7761bafe4e6686
SHA256 hash: ad1a7d4e47acd4fd45f823934d2cb4b536f8e21abba6939d9cc35bd01d153789
MD5 hash: 0b08534a46dd27fafd0b888c093529d0
SHA1 hash: 140f07b998159e66c5b5a924ffcc8df61be9537e
SHA256 hash: 620bc1e016887d7761907a85d49870a832b70e0340f599b472bec0a11b7b663a
MD5 hash: 59f87ca5936f1a0d570c3d7836f48ef1
SHA1 hash: 11e327255056c2aa0b8dfba55b903203762f0646
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments