MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 632532e4c584dbacddc365e46d2ce8b219f1f6433ac8dc6d51dc7a29a1a36d35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 632532e4c584dbacddc365e46d2ce8b219f1f6433ac8dc6d51dc7a29a1a36d35
SHA3-384 hash: a502e9ee42421575d35f158742bdb51d77e46314e2206418d1bd5469f5bbea06afcdb3a2b025a0bf85f1fc5731953c19
SHA1 hash: 44d9de1f9b6374984ec4e6b9f2a531efef05b95a
MD5 hash: dc190a4f56c3971c6af753d02d633b37
humanhash: oranges-mars-california-mars
File name:dc190a4f56c3971c6af753d02d633b37.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:367'624 bytes
First seen:2021-03-29 15:38:52 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 77af713b1f2916ea138f9bb7258cf849 (5 x Gozi)
ssdeep 1536:bepG5ACCny8GenidAHcz92ZIx9FxIl+YkSVoZlP1usBVEwnoxJashnXcX:36lGeExx9FmSSkfBt8
TLSH 3F74AE053BB0C5D9D2A521B44ECD8EA4E924FCAA1F20D21372D975DCBDF9F89262D381
Reporter abuse_ch
Tags:dll Gozi isfb Ursnif


Avatar
abuse_ch
Gozi ISFB C2s:
http://fdjjasdoeoriefjd.live/freedrive/
185.82.219.58:443
195.123.219.199:443

Intelligence

File Origin
# of uploads :
1
# of downloads :
261
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ursnif
Create hunting rule
Link:
https://www.capesandbox.com/analysis/127718/
Detection(s):
SecuriteInfo.com.Trojan.Gozi.796.1290.28386.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Sending an HTTP GET request
Creating a file
Deleting a recently created file
Searching for the window
Sending a custom TCP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Gozi Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/657173
Signature
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Detected Gozi e-Banking trojan
Disables SPDY (HTTP compression, likely to perform web injects)
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: MSHTA Spawning Windows Shell
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 377513 Sample: k73zocKvlO.dll Startdate: 29/03/2021 Architecture: WINDOWS Score: 100 84 resolver1.opendns.com 2->84 112 Found malware configuration 2->112 114 Multi AV Scanner detection for submitted file 2->114 116 Yara detected  Ursnif 2->116 118 4 other signatures 2->118 10 loaddll32.exe 1 2->10         started        12 mshta.exe 2->12         started        15 mshta.exe 2->15         started        signatures3 process4 signatures5 17 regsvr32.exe 1 10->17         started        20 cmd.exe 1 10->20         started        22 cmd.exe 1 10->22         started        120 Suspicious powershell command line found 12->120 24 powershell.exe 12->24         started        27 powershell.exe 15->27         started        process6 file7 98 Writes to foreign memory regions 17->98 100 Modifies the context of a thread in another process (thread injection) 17->100 102 Maps a DLL or memory area into another process 17->102 110 2 other signatures 17->110 29 control.exe 17->29         started        32 rundll32.exe 20->32         started        34 iexplore.exe 1 80 22->34         started        80 C:\Users\user\AppData\...\1c4os0kf.cmdline, UTF-8 24->80 dropped 104 Compiles code for process injection (via .Net compiler) 24->104 106 Creates a thread in another existing process (thread injection) 24->106 36 explorer.exe 24->36 injected 38 csc.exe 24->38         started        41 csc.exe 24->41         started        43 conhost.exe 24->43         started        82 C:\Users\user\AppData\Local\...\rskupyi4.0.cs, UTF-8 27->82 dropped 108 Injects code into the Windows Explorer (explorer.exe) 27->108 45 csc.exe 27->45         started        47 2 other processes 27->47 signatures8 process9 file10 122 Changes memory attributes in foreign processes to executable or writable 29->122 124 Injects code into the Windows Explorer (explorer.exe) 29->124 126 Allocates memory in foreign processes 29->126 49 rundll32.exe 29->49         started        128 Detected Gozi e-Banking trojan 32->128 130 Writes registry values via WMI 32->130 51 control.exe 32->51         started        53 iexplore.exe 154 34->53         started        56 iexplore.exe 34->56         started        66 9 other processes 34->66 132 Tries to steal Mail credentials (via file access) 36->132 134 Tries to harvest and steal browser information (history, passwords, etc) 36->134 136 Writes to foreign memory regions 36->136 138 4 other signatures 36->138 58 RuntimeBroker.exe 36->58 injected 72 C:\Users\user\AppData\Local\...\1c4os0kf.dll, PE32 38->72 dropped 60 cvtres.exe 38->60         started        74 C:\Users\user\AppData\Local\...\u533rp0b.dll, PE32 41->74 dropped 62 cvtres.exe 41->62         started        76 C:\Users\user\AppData\Local\...\i3sldcea.dll, PE32 45->76 dropped 64 cvtres.exe 45->64         started        78 C:\Users\user\AppData\Local\...\rskupyi4.dll, PE32 47->78 dropped signatures11 process12 dnsIp13 68 rundll32.exe 51->68         started        86 img.img-taboola.com 53->86 88 edge.gycpi.b.yahoodns.net 87.248.118.22, 443, 49748, 49749 YAHOO-DEBDE United Kingdom 53->88 94 10 other IPs or domains 53->94 70 cvtres.exe 56->70         started        90 fdjjasdoeoriefjd.live 82.118.22.245, 49780, 49781, 49782 GREENFLOID-ASUA Ukraine 66->90 92 192.168.2.1 unknown unknown 66->92 96 3 other IPs or domains 66->96 process14
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/632532e4c584dbacddc365e46d2ce8b219f1f6433ac8dc6d51dc7a29a1a36d35/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mmstfzgfqtn2zxodmxsg2lhiwim7d5sdhleny3kr3r5ctindnu2q._file
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:5566 banker trojan
Link:
https://tria.ge/reports/210329-qsgs8h36ss/
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
bing.com
update4.microsoft.com
fdjjasdoeoriefjd.live
paralikulat.website
Unpacked files
SH256 hash:
cb4475124262bc50962a10e63683b3113ae4ef8008110c995c36edc04460fe41
MD5 hash:
d5e5806a67c22dc1ff4432ac7f74afe9
SHA1 hash:
b8f94f843c875941987edee13173baeda35177ac
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/e05a75e2-3369-4afd-9a09-8770fa5cb83f/
Parent samples :
632532e4c584dbacddc365e46d2ce8b219f1f6433ac8dc6d51dc7a29a1a36d35
a67282c6f37a82765eeadefaf4245a2dacba3f6def9c5bf8460e01e38cfff70c
2669050ec7f2d8f1def908e09030bc6a0fafcff4ed60c9254f40425a6fb1f887
SH256 hash:
220f635b3a747e133170eb0dbf2c63c91646b460f4315498a31a176498ca215b
MD5 hash:
4df4258bb725b92568e441970439dff5
SHA1 hash:
8673bd2ab0eb5e60a787c0b75c5b6baeda4cec91
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/e05a75e2-3369-4afd-9a09-8770fa5cb83f/
Parent samples :
5833c87bcb55898337f74a84402e525cab70a611276e3e2faa9e880ff4059ba3
632532e4c584dbacddc365e46d2ce8b219f1f6433ac8dc6d51dc7a29a1a36d35
a67282c6f37a82765eeadefaf4245a2dacba3f6def9c5bf8460e01e38cfff70c
312a9a4de6d94deacc421063457c830453499c5848ec6c0aefc388c530cfb8f3
46eeef418745fe61c1c5bdf6f828339a5cabc45215fe961a9ce235360dc65f3a
2669050ec7f2d8f1def908e09030bc6a0fafcff4ed60c9254f40425a6fb1f887
SH256 hash:
632532e4c584dbacddc365e46d2ce8b219f1f6433ac8dc6d51dc7a29a1a36d35
MD5 hash:
dc190a4f56c3971c6af753d02d633b37
SHA1 hash:
44d9de1f9b6374984ec4e6b9f2a531efef05b95a
Link:
https://www.unpac.me/results/e05a75e2-3369-4afd-9a09-8770fa5cb83f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/632532e4c584dbacddc365e46d2ce8b219f1f6433ac8dc6d51dc7a29a1a36d35

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:@ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:Ursnif
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory
Reference:internal research
Rule name:Ursnif3
Create hunting rule
Author:kevoreilly
Description:Ursnif Payload
Rule name:win_dreambot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

DLL dll 632532e4c584dbacddc365e46d2ce8b219f1f6433ac8dc6d51dc7a29a1a36d35

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1098497/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/127718/

Comments