MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62dbfe723197430a3af1ec9262fcd2a5c2bfc8e81b97c313101f0a5388d587fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 62dbfe723197430a3af1ec9262fcd2a5c2bfc8e81b97c313101f0a5388d587fc
SHA3-384 hash: f35d056c3ea2978ab6a014a653c99a82c506f86eb609e3bf1110dd930776ee11d00fd8f593090a0d1dafaea5d619cdce
SHA1 hash: c7f449ab51a47791a8f3041f0a0dce7c6feb06c4
MD5 hash: c6bfea479b46b9eb7a69667e0165179f
humanhash: ten-helium-alabama-kentucky
File name:60e40fb428612.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:381'440 bytes
First seen:2021-07-06 08:11:39 UTC
Last seen:2021-07-06 09:03:26 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 4c29865e356872ef0757b58734cbbb11 (3 x Gozi)
ssdeep 6144:vC8nRa6tXFOspzA7n6NZVeC8i795fubASK9beZTX3l8Eo:J0SVOsphVWi7PWoBeZTX36
Threatray 530 similar samples on MalwareBazaar
TLSH 6F847A00BA80E031D6F212724F29E585536C78A80B715ADFB3D82E5F5F798E36635B93
Reporter JAMESWT_WT
Tags:dll enel EnelEnergia geo Gozi isfb ITA Ursnif

Intelligence

File Origin
# of uploads :
2
# of downloads :
839
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/169909/
Detection(s):
SecuriteInfo.com.Artemis.12307.22866.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/893458cb-2da2-4e2a-bf7b-3fa4dbe97d5b
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/812137
Signature
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 444548 Sample: 60e40fb428612.dll Startdate: 06/07/2021 Architecture: WINDOWS Score: 68 28 vuredosite.club 2->28 30 www.redtube.com 2->30 32 17 other IPs or domains 2->32 40 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->40 42 Found malware configuration 2->42 44 Yara detected  Ursnif 2->44 8 loaddll32.exe 1 2->8         started        10 iexplore.exe 2 83 2->10         started        12 iexplore.exe 2->12         started        signatures3 process4 process5 14 rundll32.exe 8->14         started        17 cmd.exe 1 8->17         started        19 rundll32.exe 8->19         started        24 2 other processes 8->24 21 iexplore.exe 25 10->21         started        dnsIp6 46 Writes registry values via WMI 14->46 26 rundll32.exe 17->26         started        34 FRA-efz.ms-acdc.office.com 40.101.18.18, 443, 49738, 49739 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 21->34 36 outlook.com 40.97.116.82, 443, 49732, 49733 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 21->36 38 5 other IPs or domains 21->38 signatures7 process8
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/62dbfe723197430a3af1ec9262fcd2a5c2bfc8e81b97c313101f0a5388d587fc/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mln744rrs5bquoxr5sjgf7gsuxbl7shidol4geyqd4ffhcgvq76a._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
1a0d4b328438a72cee012f6387825d942463b896fadc13f2c17e8d005f510cd4
Gozi
3b56b7298c366a323d28658a455abf0d4e78fa197a43ce13bedab05f26901d34
Gozi
4bf6e9d4067cb905631ddf7452ac571c4ed9800c7eb8fc7e51b688e1154f52e3
Gozi
5831ebc72dc810c036fa0c1dc85e17490ebfe2f7379b9573f99d47817b9eb42c
Gozi
5d002f8a395fcc9a680a9ef4f78a8674cc0757850b02bf12a8ef4df79e2e4bd3
Gozi
a5e4df4eb5cde68b4fa36dffdfe687ce95b926ac3761cb5b13f5fa886991ba24
Gozi
af56b9dcb12b4400edbb076430ccf0ecc8c33a1a413a70bdfb1ad7b1cbdf580f
Gozi
bd43f7bc23a76b086a81b8e6fcd4355cac648d3f7d9a941d9aa259def534d5b1
Gozi
bdb26c5860ed5657c9b29eae09079c950159ccc2ebc56f2dffc190d90e33efa4
Gozi
e81869620b9a18c3702c7be2fcf2e170cbc5c3de1ddbc84ae1fe190b57e917a0
Gozi
+ 520 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:8877 banker trojan
Link:
https://tria.ge/reports/210706-lbsj6lxyhe/
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
outlook.com
auredosite.club
vuredosite.club
Unpacked files
SH256 hash:
378f6aceb090b12b6439bff28e53ac4893f2f924288f86811ac87700f22bdae9
MD5 hash:
4e3db7ed711b6d5a8f49a7fc82d913a4
SHA1 hash:
789c1c0af5f27f6bd8e93ab9adffa5d376ef39ad
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/0f77261f-8fc5-43c0-807a-1a3b6362519b/
SH256 hash:
a8532a8d63671aeee943a1ba68cee37bbc9de7bdf0ce9ea7967fc34628637b19
MD5 hash:
87d3f04f49ad87ae969fc2aa647bb1de
SHA1 hash:
b5e1aeee04c2cabc454cb5e214cb29ff89a67db0
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/0f77261f-8fc5-43c0-807a-1a3b6362519b/
SH256 hash:
62dbfe723197430a3af1ec9262fcd2a5c2bfc8e81b97c313101f0a5388d587fc
MD5 hash:
c6bfea479b46b9eb7a69667e0165179f
SHA1 hash:
c7f449ab51a47791a8f3041f0a0dce7c6feb06c4
Link:
https://www.unpac.me/results/0f77261f-8fc5-43c0-807a-1a3b6362519b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/62dbfe723197430a3af1ec9262fcd2a5c2bfc8e81b97c313101f0a5388d587fc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ursnif3
Create hunting rule
Author:kevoreilly
Description:Ursnif Payload
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/169909/

Comments