MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6700cc014e9ef5473a909a0c10d644661ccd0750ca942abd458cec91e32bf551. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6700cc014e9ef5473a909a0c10d644661ccd0750ca942abd458cec91e32bf551
SHA3-384 hash: 2aef36f8c89defcc008bcb05a758f4166b2fdf46fa8ff1f6fb34e61ae4384d989ce59492fa364d6043764d0e6ccde792
SHA1 hash: bfd82e8164088d905576f66f2010e5f1fb1e892f
MD5 hash: 7fb81b98bb77b54c2f69ab7c19d8bc25
humanhash: six-table-freddie-table
File name:crypt_1001.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:620'032 bytes
First seen:2021-08-26 19:00:57 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash d1717eaefe1fb17487eba111c4bda688 (1 x Gozi)
ssdeep 12288:/edbxfx8d3fbkRXgeSVpZJosJe9ln3KuUliVjjP:/e3fYYRk/Xw9t3KniV
TLSH T142D4AE11B692E064E4FD16BA8FB0C8E5662878215B7894CF39E03B6F1F691E3D834753
Reporter James_inthe_box
Tags:dll Gozi

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'131
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/182744/
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Deleting a recently created file
Launching a process
Creating a process with a hidden window
Creating a window
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/afc914b4-82a0-4951-8535-41341d6c40ed
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/840022
Signature
Compiles code for process injection (via .Net compiler)
Found malware configuration
Hooks registry keys query functions (used to hide registry keys)
Machine Learning detection for sample
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Sigma detected: Encoded IEX
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell run code from registry
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 472453 Sample: crypt_1001.dll Startdate: 26/08/2021 Architecture: WINDOWS Score: 100 67 Found malware configuration 2->67 69 Multi AV Scanner detection for submitted file 2->69 71 Sigma detected: Powershell run code from registry 2->71 73 10 other signatures 2->73 8 loaddll32.exe 13 2->8         started        12 mshta.exe 19 2->12         started        14 mshta.exe 2->14         started        process3 dnsIp4 49 bogoleruno.website 8->49 51 yahoo.com 8->51 53 2 other IPs or domains 8->53 75 Writes or reads registry keys via WMI 8->75 77 Writes registry values via WMI 8->77 16 rundll32.exe 8->16         started        19 cmd.exe 1 8->19         started        21 rundll32.exe 8->21         started        79 Suspicious powershell command line found 12->79 23 powershell.exe 31 12->23         started        signatures5 process6 file7 61 System process connects to network (likely due to code injection or exploit) 16->61 63 Writes registry values via WMI 16->63 26 rundll32.exe 12 19->26         started        41 C:\Users\user\AppData\Local\...\rjifmeu0.0.cs, UTF-8 23->41 dropped 43 C:\Users\user\AppData\...\h0srtmdu.cmdline, UTF-8 23->43 dropped 65 Compiles code for process injection (via .Net compiler) 23->65 30 csc.exe 3 23->30         started        33 csc.exe 3 23->33         started        35 conhost.exe 23->35         started        signatures8 process9 dnsIp10 55 bogoleruno.website 91.90.121.96, 443, 49714, 49721 DPNETBucharestInsulei4RO Romania 26->55 57 new-fp-shed.wg1.b.yahoo.com 87.248.100.216, 443, 49708, 49710 YAHOO-IRDGB United Kingdom 26->57 59 3 other IPs or domains 26->59 81 System process connects to network (likely due to code injection or exploit) 26->81 45 C:\Users\user\AppData\Local\...\h0srtmdu.dll, PE32 30->45 dropped 37 cvtres.exe 1 30->37         started        47 C:\Users\user\AppData\Local\...\rjifmeu0.dll, PE32 33->47 dropped 39 cvtres.exe 33->39         started        file11 signatures12 process13
Detection:
gozi
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6700cc014e9ef5473a909a0c10d644661ccd0750ca942abd458cec91e32bf551/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-08-26 19:00:14 UTC
File Type:
PE (Dll)
AV detection:
6 of 27 (22.22%)
Threat level:
  5/5
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:1001 banker trojan
Link:
https://tria.ge/reports/210826-pf2k52tpdn/
Behaviour
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Blocklisted process makes network request
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
yahoo.com
bogoleruno.website
gogoleruno.website
microsoft.com/windows
91.90.121.98
84.252.95.46
fargowich.website
cogoleruno.site
togoleruno.site
rogoleruno.site
Unpacked files
SH256 hash:
f7553705a0f1681523c3345853fef1506f88cd82c23c0ef0d7ca9d370248fa25
MD5 hash:
67b710e88c79781692c250ed981dbff8
SHA1 hash:
92419d1726bb5a731f4bfbe80073b8d32de4fb01
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/ee068bd0-cbaf-44e8-b317-7d86aa3d1cc0/
SH256 hash:
6700cc014e9ef5473a909a0c10d644661ccd0750ca942abd458cec91e32bf551
MD5 hash:
7fb81b98bb77b54c2f69ab7c19d8bc25
SHA1 hash:
bfd82e8164088d905576f66f2010e5f1fb1e892f
Detections:
win_unidentified_023_auto
Create hunting rule
Link:
https://www.unpac.me/results/ee068bd0-cbaf-44e8-b317-7d86aa3d1cc0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6700cc014e9ef5473a909a0c10d644661ccd0750ca942abd458cec91e32bf551

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_unidentified_023_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.unidentified_023.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/182744/
  
URLhaus
https://urlhaus.abuse.ch/url/1567464/

Comments