MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64d2a023b1208a01375af17e3b02ff7eebae76d3a35ece915c52e5d7a021edc9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 64d2a023b1208a01375af17e3b02ff7eebae76d3a35ece915c52e5d7a021edc9
SHA3-384 hash: 2eeadcdc76e2dd74a27d4766f27553a7f99d466c4fde7c5f332ba5bb201aeafd6a9c7caf9612fee7bfacff4aa630f3d6
SHA1 hash: d6a37d21ea7bf956a086c03ccbeeb84ffeb758a3
MD5 hash: e84631873c87ac0af8a0a0802afaafb3
humanhash: dakota-harry-fanta-network
File name:5343f42db6381300f2c970f86feaa7f4
Download: download sample
Signature Gozi
Create hunting rule
File size:231'936 bytes
First seen:2022-06-30 07:09:38 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash c68fb03bd785dfa898b592b23012d88c (1 x Gozi)
ssdeep 6144:wnE+Pf/CH/XpoywwVMh0myTVq641e3Ub:wnnH/oPeh0md9b
Threatray 566 similar samples on MalwareBazaar
TLSH T1A6349FA1EC4D60F3EAEBBB34D621903309DEA7913F2B8C6F46A09D6DD3744C18275649
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter JAMESWT_WT
Tags:DHL dll Gozi isfb ITA Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
705
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/284514/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
gozi greyware ursnif
Link:
https://www.filescan.io/uploads/62bd4c87acd3455959451797/reports/0deffb42-45d8-40dc-8dc6-3ed111991d7b/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/962a3b54-2643-4276-9dcb-9614e90841d9
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1022405
Signature
Antivirus detection for URL or domain
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Found stalling execution ending in API Sleep call
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/64d2a023b1208a01375af17e3b02ff7eebae76d3a35ece915c52e5d7a021edc9/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2022-06-29 19:11:11 UTC
File Type:
PE (Dll)
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mtjkai5recfacn226f7dwax7p3v245wtunpm5ek4kls5pibb5xeq._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
00f830a0748680a63981f427ece7c3f4a989d97431dc1f4e78706eb8987a8286
Gozi
1dffa8653b7363ab77ecc095d268a8116c00f538eb5ad079f39fc6b6239676a3
Gozi
539b93f7453bae7aa4bb960cdca9cf90d3b94ca64c0e90b96e4c1b150e843d84
Gozi
60064e7969abecfaab8fedd58e0277e9253f5f59d4f60e8a414af290d90ac6df
Gozi
7128826dcce9cae120e66c403a6c2a6f44ad221521a56b12515180b08cce63e6
Gozi
b1d0b5b4ce535cdbf0b8fbd21c8583fbade52436da55fbb7c1d4c75d47eca75c
Gozi
ce3d465a139b6c7ca2b3414a08230b50b1e2e341310113ada498c2aecdce1d96
Gozi
+ 556 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:3000 banker suricata trojan
Link:
https://tria.ge/reports/220630-hzcqpsggcj/
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
Malware Config
C2 Extraction:
config.edge.skype.com
194.76.225.112
194.76.225.113
46.21.153.203
Unpacked files
SH256 hash:
b6f13ff8ab57c425ac74932137f8d1cbd83137e9e7332d2e36321b6bfacc9ced
MD5 hash:
c1641330bad6a0b7434920f9c5ea31b9
SHA1 hash:
17f6c9bd9907bec39f561d0570f4a7626d4b91b2
Link:
https://www.unpac.me/results/626f8ea8-9e92-4f5d-b438-72e90fc9e050/
SH256 hash:
64d2a023b1208a01375af17e3b02ff7eebae76d3a35ece915c52e5d7a021edc9
MD5 hash:
e84631873c87ac0af8a0a0802afaafb3
SHA1 hash:
d6a37d21ea7bf956a086c03ccbeeb84ffeb758a3
Link:
https://www.unpac.me/results/626f8ea8-9e92-4f5d-b438-72e90fc9e050/
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/64d2a023b120/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/64d2a023b1208a01375af17e3b02ff7eebae76d3a35ece915c52e5d7a021edc9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

DLL dll 64d2a023b1208a01375af17e3b02ff7eebae76d3a35ece915c52e5d7a021edc9

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/284514/
  
URLhaus
https://urlhaus.abuse.ch/url/2252377/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2252380/
  
URLhaus
https://urlhaus.abuse.ch/url/2252378/
  
URLhaus
https://urlhaus.abuse.ch/url/2252379/

Comments