MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 683f12747c11016669f9a7413b8975c615f39d2d530b1825eff8a36479e303ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 683f12747c11016669f9a7413b8975c615f39d2d530b1825eff8a36479e303ff
SHA3-384 hash: 42b177c91242c9fddd94eaa3dc7d81f3e5829fc80027cf2ce5550b14b06533e3dd44391b86aa6135fe5b9eb5796cc7c4
SHA1 hash: 7a7b3294628bd170ae0ca85ec533be7e0d409053
MD5 hash: 07684da40ad79495b5db6ddcf723bd8e
humanhash: eight-lemon-diet-queen
File name:611237846402f.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:581'632 bytes
First seen:2021-08-10 08:24:37 UTC
Last seen:2021-08-10 17:48:57 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 495dbada16b5f25b6891e0b1f202ae2e (1 x Gozi)
ssdeep 12288:1fIK0Xnn2SAXZUgKPLWg4+cLeWNTOg2d1yrvF:J4XnnzAX+zPqzLL3l2jyr
Threatray 443 similar samples on MalwareBazaar
TLSH T1F7C48D163559AD36C1E362320B46A145635E30B42B3451CF37FC7AAE2FA55E33A3A34B
Reporter JAMESWT_WT
Tags:brt dll Gozi isfb Ursnif

Intelligence

File Origin
# of uploads :
3
# of downloads :
1'135
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/177852/
Detection(s):
SecuriteInfo.com.W32.Agent.BQN.genEldorado.20702.21646.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Deleting a recently created file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/092c0152-2c7d-4292-8dbb-e6b1d10fe93e
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/830005
Signature
Found malware configuration
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/683f12747c11016669f9a7413b8975c615f39d2d530b1825eff8a36479e303ff/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=na7re5d4ceawm2pzu5atxclvyyk7hhjnkmfrqjpp7crwi6pdap7q._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
171c18f740641ffc0e1ce486feacabb367292d01627a7103cd614e9a746a9b9c
Gozi
310ac7c48b536f71a16706f67fd4d2bed5d9f5708dd460cf3cbc0cd34f43a3ed
Gozi
54ce5aedb7cc073c481eb8af96f89f3ab11e5decaccf942d033479fd0f04c8b3
Gozi
9314c01984c89151f6d4624acad638fe054b3036fcc5115271cb598954c20070
Gozi
9c4088dfc53bb7b6d9887d200801a926b73c09458910460a2d6f4e2d67f13e6e
Gozi
cb7c95db9ce05d2304a4a98687a4b92f85081e1b7397820a52487b277ee1f2e1
Gozi
+ 433 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:8877 banker trojan
Link:
https://tria.ge/reports/210810-z8yj12qqlx/
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
outlook.com
boyuleruner.online
coyuleruner.online
Unpacked files
SH256 hash:
4e85f3c8a2a1d2b92ab763ff9175402b4ce5b83fafcc1caeda9862ba893a03eb
MD5 hash:
f94dde935403d04fef9c9451b525b421
SHA1 hash:
b9d35f0a05f8409a2dc15cd95a68e6a0e5fbfdcf
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/dc4e3f7f-47de-4b3a-8d35-255cddad076c/
SH256 hash:
683f12747c11016669f9a7413b8975c615f39d2d530b1825eff8a36479e303ff
MD5 hash:
07684da40ad79495b5db6ddcf723bd8e
SHA1 hash:
7a7b3294628bd170ae0ca85ec533be7e0d409053
Link:
https://www.unpac.me/results/dc4e3f7f-47de-4b3a-8d35-255cddad076c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/683f12747c11016669f9a7413b8975c615f39d2d530b1825eff8a36479e303ff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/177852/

Comments