MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ad6b32328db40db59bbb1a37ab32024ce2b69173fdbd12167d314ef86e24ed2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6ad6b32328db40db59bbb1a37ab32024ce2b69173fdbd12167d314ef86e24ed2
SHA3-384 hash: c7989d4cfc92eece63fe2c763a35758d8deb2c38e212b77d0fe3f08989e8d02267f75b5602cabd0fa92f71a5d4ba6c00
SHA1 hash: 281d8dc9f545771cf98f8712b12170a52a0a08c6
MD5 hash: fc3bfcbea189128d395bd97fd0a24433
humanhash: fillet-eleven-mobile-quiet
File name:image.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:302'080 bytes
First seen:2022-02-10 13:39:28 UTC
Last seen:2022-02-10 15:29:50 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 1c859fc09e7dd8ae36985c58f1251eab (3 x Gozi)
ssdeep 6144:CIbrrbWK62iBdKsiZYnRExTYD1LODuSiY0FalCuhr1f0b/cSArXNWK:CIbrrbWKli6siZkRExTqOPh0Qr1swdU
Threatray 438 similar samples on MalwareBazaar
TLSH T12C540AE3EE15E506D15AC074A368FFB66C421B7367299456E340BD88A23C4E5CA3B70F
Reporter JAMESWT_WT
Tags:agenziaentrate dll Gozi isfb Ursnif

Intelligence

File Origin
# of uploads :
2
# of downloads :
313
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/240646/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.2413.22613.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Using the Windows Management Instrumentation requests
Launching a process
Searching for synchronization primitives
Сreating synchronization primitives
Creating a window
Sending an HTTP GET request
Searching for the window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/620515ba54047500bb3b264e/reports/6da53bca-37ea-48a8-94e5-a1fbbbcc66c1/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9cf5ddf4-589f-41e5-92f9-b6933b53481d
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/937645
Signature
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 570124 Sample: image.dll Startdate: 10/02/2022 Architecture: WINDOWS Score: 100 22 Found malware configuration 2->22 24 Multi AV Scanner detection for submitted file 2->24 26 Yara detected  Ursnif 2->26 28 3 other signatures 2->28 7 loaddll32.exe 1 2->7         started        process3 signatures4 32 Found evasive API chain (may stop execution after checking system information) 7->32 34 Found API chain indicative of debugger detection 7->34 36 Writes or reads registry keys via WMI 7->36 38 Writes registry values via WMI 7->38 10 regsvr32.exe 7->10         started        13 cmd.exe 1 7->13         started        15 rundll32.exe 7->15         started        17 2 other processes 7->17 process5 signatures6 40 Writes or reads registry keys via WMI 10->40 42 Writes registry values via WMI 10->42 19 rundll32.exe 13->19         started        process7 signatures8 30 Writes registry values via WMI 19->30
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6ad6b32328db40db59bbb1a37ab32024ce2b69173fdbd12167d314ef86e24ed2/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2022-02-10 13:39:43 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nlllgizi3nanwwn3wgrxvmzaethcw2ixh7n5cilh2mko7bxcj3ja._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
210943dc00e09514fe7d9a433596e78a21d7eb3bf3537b7e8327b985c8ad7d4d
Gozi
2603f6890e3c3d47696b37c47516ac2e9f35e6805653f467a0a22de2b88defc8
Gozi
45f11d97a8ed1a9215e9c6c8d44335229e17bd63bb0a48abcc8c2a02dca241c4
Gozi
4d4bedbc795e2dd4fe929b6dc57bfc314165795e25c362959fbabc59c0a60d80
Gozi
4ddacac68fd062781fece1e92b3f1682d49fe23fc812e721c330f25237f4c20f
Gozi
4eae1c5ebdb7b2021913b37477077bde0177579b6f8d43a49bd8a202b45657f4
Gozi
6a455667f74c818d5e20a83af8ba5eb8022b1714ceb9302c2b7f7f4ea1a141c9
Gozi
a5540f6dd0f7761dd3f7e52f5e1d25332b99d95cccf63401d202406160948750
Gozi
aef8910dddfc1c5c009db13160c82aae5af66692effb41469c6490e774a420e3
Gozi
eb44943385bba67eff81794d2f5667817a6761f13775149c615a543c0e78186c
Gozi
+ 428 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:7613 banker trojan
Link:
https://tria.ge/reports/220210-qyj3dsghd6/
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
interlines.top
interlines.space
linkspremium.ru
premiumlists.ru
Unpacked files
SH256 hash:
e6f3b5857a2da506a0f5470400655fc4011600ae4253bba3dae85f7e6a9be6c2
MD5 hash:
21e836bd521081f8b97c3e5a31822afe
SHA1 hash:
fec35c2a1f2d362356573b25f0dd4a50c7be842e
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/0f6e1c06-85af-498a-8cdd-186476d2685e/
Parent samples :
4eae1c5ebdb7b2021913b37477077bde0177579b6f8d43a49bd8a202b45657f4
6ad6b32328db40db59bbb1a37ab32024ce2b69173fdbd12167d314ef86e24ed2
e452ff5c5820666acd2ed6e4f428cd1c6d6bcbcb717899452bdbf0a714457dc3
SH256 hash:
831619fb5a9b21c3cd073a901e05a1a94be2f1db95a71751a4c54d6061d9c117
MD5 hash:
67eb78fba57178ed8a19f1cacb04538d
SHA1 hash:
39bdd27dc35920567861066e286e6f3b1928f07d
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/0f6e1c06-85af-498a-8cdd-186476d2685e/
Parent samples :
4eae1c5ebdb7b2021913b37477077bde0177579b6f8d43a49bd8a202b45657f4
6ad6b32328db40db59bbb1a37ab32024ce2b69173fdbd12167d314ef86e24ed2
e452ff5c5820666acd2ed6e4f428cd1c6d6bcbcb717899452bdbf0a714457dc3
SH256 hash:
6ad6b32328db40db59bbb1a37ab32024ce2b69173fdbd12167d314ef86e24ed2
MD5 hash:
fc3bfcbea189128d395bd97fd0a24433
SHA1 hash:
281d8dc9f545771cf98f8712b12170a52a0a08c6
Link:
https://www.unpac.me/results/0f6e1c06-85af-498a-8cdd-186476d2685e/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

DLL dll 6ad6b32328db40db59bbb1a37ab32024ce2b69173fdbd12167d314ef86e24ed2

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/240646/
  
URLhaus
https://urlhaus.abuse.ch/url/2038538/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2039506/
  
URLhaus
https://urlhaus.abuse.ch/url/2036798/
  
URLhaus
https://urlhaus.abuse.ch/url/2039505/
  
URLhaus
https://urlhaus.abuse.ch/url/2036834/
  
URLhaus
https://urlhaus.abuse.ch/url/2038631/

Comments