MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6eb9c1a0a8c539ac78ef7413a78479dbf6a3270f48c1ae79b4595aab0b299c63. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6eb9c1a0a8c539ac78ef7413a78479dbf6a3270f48c1ae79b4595aab0b299c63
SHA3-384 hash: 15e969da35e6e12b46117a2424d472ae383e71253f7797ae634ce68180f1949396aace759802252a6d3720f559f32dc0
SHA1 hash: 66a0a4f55ad9ef6a190c40f107be30e7e367237c
MD5 hash: 979d9b4b65141f1ba3ce89b96a9f16bc
humanhash: foxtrot-kilo-cat-september
File name:signin.jpg.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:501'248 bytes
First seen:2021-03-30 05:16:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2205f3f36b780a98bcba0a7d38575da9 (1 x Gozi)
ssdeep 12288:YwjHBt6R1/4EZe5givWOHpHGjtJP4pPmyIzY5xf0y:bjU1/vZe5gcWSEJPKLIU50
TLSH 93B48D606D56D9F9FAA7A87FE8588AA0D54C5F05BFD4E0CB230E32D0BC7A3808577059
Reporter JAMESWT_WT
Tags:dll Gozi inps isfb pwallegato21 Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
296
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
signin.jpg.dll
Verdict:
No threats detected
Analysis date:
2021-03-30 05:20:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/867af797-404d-43f6-92fb-88e70a533ea0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Ursnif
Create hunting rule
Link:
https://www.capesandbox.com/analysis/127880/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.15871.23530.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a UDP request
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1cd26007-fd9b-4548-9628-3811be36b437
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/657941
Signature
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Found malware configuration
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
PE file has nameless sections
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Execute DLL with spoofed extension
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Register DLL with spoofed extension
Suspicious powershell command line found
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 377901 Sample: signin.jpg.dll Startdate: 30/03/2021 Architecture: WINDOWS Score: 100 49 interwind.co 2->49 51 8.8.8.8.in-addr.arpa 2->51 53 2 other IPs or domains 2->53 81 Found malware configuration 2->81 83 Multi AV Scanner detection for submitted file 2->83 85 Yara detected  Ursnif 2->85 87 6 other signatures 2->87 9 loaddll32.exe 1 2->9         started        11 mshta.exe 2->11         started        signatures3 process4 signatures5 14 cmd.exe 1 9->14         started        16 regsvr32.exe 9->16         started        19 cmd.exe 1 9->19         started        95 Suspicious powershell command line found 11->95 21 powershell.exe 11->21         started        process6 file7 24 iexplore.exe 3 108 14->24         started        69 Writes or reads registry keys via WMI 16->69 71 Writes registry values via WMI 16->71 27 rundll32.exe 19->27         started        43 C:\Users\user\AppData\...\qokxpoas.cmdline, UTF-8 21->43 dropped 45 C:\Users\user\AppData\Local\...\1gsh0k4d.0.cs, UTF-8 21->45 dropped 73 Modifies the context of a thread in another process (thread injection) 21->73 75 Maps a DLL or memory area into another process 21->75 77 Compiles code for process injection (via .Net compiler) 21->77 79 Creates a thread in another existing process (thread injection) 21->79 29 csc.exe 21->29         started        32 conhost.exe 21->32         started        signatures8 process9 file10 89 Modifies the context of a thread in another process (thread injection) 24->89 91 Maps a DLL or memory area into another process 24->91 34 iexplore.exe 5 154 24->34         started        37 iexplore.exe 24->37         started        39 iexplore.exe 24->39         started        41 5 other processes 24->41 93 Writes registry values via WMI 27->93 47 C:\Users\user\AppData\Local\...\qokxpoas.dll, PE32 29->47 dropped signatures11 process12 dnsIp13 55 img.img-taboola.com 34->55 57 edge.gycpi.b.yahoodns.net 87.248.118.23, 443, 49743, 49744 YAHOO-DEBDE United Kingdom 34->57 65 10 other IPs or domains 34->65 59 interwind.co 31.41.44.20, 49766, 49767, 49768 ASRELINKRU Russian Federation 37->59 61 192.168.2.1 unknown unknown 41->61 63 prda.aadg.msidentity.com 41->63 67 5 other IPs or domains 41->67
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6eb9c1a0a8c539ac78ef7413a78479dbf6a3270f48c1ae79b4595aab0b299c63/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-03-30 05:17:05 UTC
File Type:
PE (Dll)
Extracted files:
19
AV detection:
5 of 47 (10.64%)
Threat level:
  5/5
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:2233 botnet:3322 banker trojan
Link:
https://tria.ge/reports/210330-4vf8s56tr2/
Behaviour
Discovers systems in the same network
Enumerates processes with tasklist
Gathers system information
Modifies Internet Explorer settings
Runs net.exe
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
signin.microsoft.com
login.microsoft.com
interwind.co
telewind.co
vote.microsoft.com
like.microsoft.com
autoblogs.bar
autoblogs.casa
autosblogs.co
autosblogs.com
blogsautos.com
blogsautos.info
lineautos.com
livesautos.com
autoslives.com
autoforums.eu
Unpacked files
SH256 hash:
14c17db216d81d339681b4b1eeabb569b911b74a3ee6786e46dd3c829d949824
MD5 hash:
400dde74d3ec0237d91036bfbd6365f5
SHA1 hash:
2ec7ddf165f574f178333a7d9db02fe6adc494bb
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/d74fd82a-01c9-4bd7-8a75-973f933ec103/
Parent samples :
6eb9c1a0a8c539ac78ef7413a78479dbf6a3270f48c1ae79b4595aab0b299c63
85d535a2051a60c54a1f2f43ce8854f51a784e87a7a9a5a337567fe3296d81a6
SH256 hash:
6eb9c1a0a8c539ac78ef7413a78479dbf6a3270f48c1ae79b4595aab0b299c63
MD5 hash:
979d9b4b65141f1ba3ce89b96a9f16bc
SHA1 hash:
66a0a4f55ad9ef6a190c40f107be30e7e367237c
Link:
https://www.unpac.me/results/d74fd82a-01c9-4bd7-8a75-973f933ec103/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6eb9c1a0a8c539ac78ef7413a78479dbf6a3270f48c1ae79b4595aab0b299c63

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ursnif3
Create hunting rule
Author:kevoreilly
Description:Ursnif Payload
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe 6eb9c1a0a8c539ac78ef7413a78479dbf6a3270f48c1ae79b4595aab0b299c63

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1099004/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1099005/
  
URLhaus
https://urlhaus.abuse.ch/url/1099008/
Cape
Cape
https://www.capesandbox.com/analysis/127880/
  
URLhaus
https://urlhaus.abuse.ch/url/1099104/
  
URLhaus
https://urlhaus.abuse.ch/url/1099103/

Comments