MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7128826dcce9cae120e66c403a6c2a6f44ad221521a56b12515180b08cce63e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7128826dcce9cae120e66c403a6c2a6f44ad221521a56b12515180b08cce63e6
SHA3-384 hash: 8d983d32caab03dd958f9a1525a84eb1e8f9c64666e5ecf4ac2319fea07648777da204ad1a49456e6751ba67e0736fe4
SHA1 hash: 0eecae31f60cd08a6634b14c694ef0ea1a18e363
MD5 hash: 5382ef90ef9a33baca2ed2119059154f
humanhash: red-wolfram-cat-winter
File name:62bc19db957d8.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:438'272 bytes
First seen:2022-06-29 09:23:19 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 90744814dc538303afb767d2b0a66a6b (3 x Gozi)
ssdeep 6144:QPp9ErD03svy+zGEMrDwyKJPUpge5vyfxN9ROH8CBmdhFQETNdITUC/CK96ouQEF:QiDzzjMnwhJPcgYvyfD9pTTNrC/d1E
Threatray 621 similar samples on MalwareBazaar
TLSH T16E94BE5303F66A87F3684EBFD79B337E44A7A4215D1BE18703524ABAA0759E06724333
TrID 45.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.3% (.EXE) OS/2 Executable (generic) (2029/13)
18.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.0% (.EXE) DOS Executable Generic (2000/1)
Reporter JAMESWT_WT
Tags:DHL dll Gozi isfb ITA Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
686
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/284199/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
emotet gozi greyware packed
Link:
https://www.filescan.io/uploads/62bc1a352ce3827836e38c69/reports/48f814b8-8ed7-46bd-b588-98eac79902fc/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/da89a3fb-d1c3-44c1-be35-0b45e5573557
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1021760
Signature
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7128826dcce9cae120e66c403a6c2a6f44ad221521a56b12515180b08cce63e6/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2022-06-29 09:24:07 UTC
File Type:
PE (Dll)
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oeuie3om5hfocihgnradu3bkn5ck2iqvegswwesrkgalbdgompta._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
00f830a0748680a63981f427ece7c3f4a989d97431dc1f4e78706eb8987a8286
Gozi
60064e7969abecfaab8fedd58e0277e9253f5f59d4f60e8a414af290d90ac6df
Gozi
b1d0b5b4ce535cdbf0b8fbd21c8583fbade52436da55fbb7c1d4c75d47eca75c
Gozi
ce3d465a139b6c7ca2b3414a08230b50b1e2e341310113ada498c2aecdce1d96
Gozi
e34af6effb596517e32ddf82fb283e8b844ec34d373f4e04e93e9916d26c287d
Gozi
f58f9c8e6a62223efa263da10850e188004471cb2be65264b7f91f27ebab0766
Gozi
+ 611 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:3000 banker suricata trojan
Link:
https://tria.ge/reports/220629-lc12kagdfp/
Behaviour
Discovers systems in the same network
Enumerates processes with tasklist
Gathers system information
Runs net.exe
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Blocklisted process makes network request
Gozi, Gozi IFSB
suricata: ET MALWARE Ursnif Payload Request (cook32.rar)
suricata: ET MALWARE Ursnif Payload Request (cook64.rar)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
Malware Config
C2 Extraction:
config.edge.skype.com
194.76.225.112
194.76.225.113
46.21.153.203
xmhomestilesh.at
geodezhols.at
46.21.153.221
194.76.224.26
Unpacked files
SH256 hash:
1776f6da8c520fd5753480ed1900040cffaa86edf51220b6b7c45af74c9514ce
MD5 hash:
ababce15b20848b530dfdd65c001d0e3
SHA1 hash:
72c917b56b11635f2b8f2996a48301cab251b78e
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/ff62f733-f3f9-42d5-9c6b-a002b40d21a7/
Parent samples :
7128826dcce9cae120e66c403a6c2a6f44ad221521a56b12515180b08cce63e6
539b93f7453bae7aa4bb960cdca9cf90d3b94ca64c0e90b96e4c1b150e843d84
1dffa8653b7363ab77ecc095d268a8116c00f538eb5ad079f39fc6b6239676a3
SH256 hash:
683fd1258fcbb43def8bcf92c8abc12037e95feeb79c10c419f4a45c427c2f49
MD5 hash:
7a47be83d594291cecd519d00f1f309a
SHA1 hash:
7df1e0c47ea8e400e97eb15dc9b4605eb4c0443d
Link:
https://www.unpac.me/results/ff62f733-f3f9-42d5-9c6b-a002b40d21a7/
SH256 hash:
7128826dcce9cae120e66c403a6c2a6f44ad221521a56b12515180b08cce63e6
MD5 hash:
5382ef90ef9a33baca2ed2119059154f
SHA1 hash:
0eecae31f60cd08a6634b14c694ef0ea1a18e363
Link:
https://www.unpac.me/results/ff62f733-f3f9-42d5-9c6b-a002b40d21a7/
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7128826dcce9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7128826dcce9cae120e66c403a6c2a6f44ad221521a56b12515180b08cce63e6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/284199/

Comments