MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c4a29e89016b49c854eaf4d7cf8ee4bcf8e58e1f7ccf4ced62df6a57e0b60ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6c4a29e89016b49c854eaf4d7cf8ee4bcf8e58e1f7ccf4ced62df6a57e0b60ff
SHA3-384 hash: 856b6c23f84d2b998d1c1f88a0694713bee8429da75a7294e93fb17bae0d0e5f758d1cac62826ac540072fd4ead874c3
SHA1 hash: 1e52ed3fca888a3d703159627e0fe9178f5b0c03
MD5 hash: 6b5eb3636da46c933fda988c47b9eb22
humanhash: floor-arizona-wolfram-fanta
File name:46c0000.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:44'544 bytes
First seen:2022-01-20 11:04:05 UTC
Last seen:2022-01-20 13:03:52 UTC
File type:DLL dll
MIME type:application/x-dosexec
ssdeep 768:3qntVn0N9DLjasP8a03mUPATPOL+EAJg5QsKhGWiKaO4l8KCHQqc:a4LjasP8a03mUIT6+EAJg5/+GWzaO4ei
Threatray 434 similar samples on MalwareBazaar
TLSH T10A138D01B6F50CF7C7E30D747614FAFAA3EE4630267151519B13A9CA1AA4963E63E30B
Reporter 0x746f6d6669
Tags:dll Gozi

Intelligence

File Origin
# of uploads :
2
# of downloads :
233
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/221045/
Detection(s):
SecuriteInfo.com.Trojan.Gozi.850.26348.7111.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed shell32.dll
Link:
https://www.filescan.io/uploads/61e941ad0f8c757253d03d3d/reports/2584f3a3-d4c2-447b-92e4-b5ef25081ae7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4a58ee25-3769-4631-9d2f-d8dd37270c5b
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/924285
Signature
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 556766 Sample: 46c0000.dll Startdate: 20/01/2022 Architecture: WINDOWS Score: 60 13 Antivirus / Scanner detection for submitted sample 2->13 15 Multi AV Scanner detection for submitted file 2->15 17 Sigma detected: Suspicious Call by Ordinal 2->17 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        process5 11 rundll32.exe 9->11         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6c4a29e89016b49c854eaf4d7cf8ee4bcf8e58e1f7ccf4ced62df6a57e0b60ff/
Threat name:
Win32.Trojan.UrsnifAGen
Create hunting rule
Status:
Malicious
First seen:
2022-01-20 11:05:10 UTC
File Type:
PE (Dll)
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nrfct2eqc22jzbkov5gxz6hojphy4whb67gpjtwwfx3kk7qlmd7q._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
171c18f740641ffc0e1ce486feacabb367292d01627a7103cd614e9a746a9b9c
Gozi
3fff4baf83e75e39c51a2484ca04763852b6d6bf0a24ecb341e65dd2724711a0
Gozi
45f11d97a8ed1a9215e9c6c8d44335229e17bd63bb0a48abcc8c2a02dca241c4
Gozi
54ce5aedb7cc073c481eb8af96f89f3ab11e5decaccf942d033479fd0f04c8b3
Gozi
683f12747c11016669f9a7413b8975c615f39d2d530b1825eff8a36479e303ff
Gozi
7739c03843a133370371b72a5552ba6a5cb36d5defbfb0b10b9580bb9c62a798
Gozi
9c4088dfc53bb7b6d9887d200801a926b73c09458910460a2d6f4e2d67f13e6e
Gozi
aa4d5569f00d3fed84a25b4a1adcf28e55150e01cd5917082fa9569f774b984e
Gozi
c45c6faa94764a703ef64098046ffbb24eebd81bc360f31f441b884a8cddae5f
Gozi
+ 424 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:7576
Link:
https://tria.ge/reports/220120-m6bt7shfgj/
Behaviour
Suspicious use of WriteProcessMemory
Malware Config
C2 Extraction:
museumistat.bar
nnnnnn.bar
nnnnnn.casa
Unpacked files
SH256 hash:
6c4a29e89016b49c854eaf4d7cf8ee4bcf8e58e1f7ccf4ced62df6a57e0b60ff
MD5 hash:
6b5eb3636da46c933fda988c47b9eb22
SHA1 hash:
1e52ed3fca888a3d703159627e0fe9178f5b0c03
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/e089c420-2185-4bf3-883c-7051b11d77f9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6c4a29e89016b49c854eaf4d7cf8ee4bcf8e58e1f7ccf4ced62df6a57e0b60ff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/221045/

Comments