MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7203bb5ec300ca74ec9dc8577737a204cb2e7a992f420f92395a2c6f85037d07. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	7203bb5ec300ca74ec9dc8577737a204cb2e7a992f420f92395a2c6f85037d07
SHA3-384 hash:	374925bdcfc21c65329ee1e7dff1708be675f3b1706225c2a0b486a3575f8719670f837df48df73bd6759f58a62e94cb
SHA1 hash:	28a422d69165872e2e6e41639ad7b437b5a7528e
MD5 hash:	6a5b2a82fd76eae337397c3bfb163544
humanhash:	utah-arizona-winner-tennis
File name:	bcd0000.dll
Download:	download sample
Signature	Gozi Create hunting rule
File size:	234'496 bytes
First seen:	2023-08-03 14:23:06 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	6144:iX72v82Wldh1KeRFSbaWrxls9cPor5b5G:iL2v8znYSSeWr497
Threatray	113 similar samples on MalwareBazaar
TLSH	T12E345B6AA3E51995ED6AD5B6CE53D217EBF334491B24C30F5370CA9A6F07722B21C302
TrID	28.8% (.EXE) DOS Executable Borland Pascal 7.0x (2035/25) 28.3% (.EXE) Generic Win/DOS Executable (2002/3) 28.3% (.EXE) DOS Executable Generic (2000/1) 14.2% (.SCORE) Music Craft Score (1007/6) 0.2% (.DBF) Sybase iAnywhere database files (19/3)
Reporter	0x746f6d6669
Tags:	exe Gozi

Intelligence

File Origin

# of uploads :

# of downloads :

306

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

bcd0000.dll

Verdict:

No threats detected

Analysis date:

2023-08-03 14:26:09 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/9eea052a-0f1d-44db-ac3c-0f83767c8530

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/440096/

Detection(s):

Win.Malware.Ursnif-9884005-0

Win.Malware.Ursnif-9886559-0

Win.Malware.Ursnif-9892796-0

Win.Malware.Ursnif-9896448-0

Win.Malware.Ursnif-9917123-0

Win.Malware.Ursnif-9937854-0

Win.Malware.GoziISFB-9940853-2

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a custom TCP request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

lolbin masquerade packed setupapi shell32

Link:

https://www.filescan.io/uploads/64cbb88394fb102ea38c5662/reports/de9a7a9f-000b-4e90-bf33-fdf461f6c104/overview

Verdict:

Malicious

Labled as:

Ursnif.3.1.Generic

Link:

https://www.hybrid-analysis.com/sample/7203bb5ec300ca74ec9dc8577737a204cb2e7a992f420f92395a2c6f85037d07

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e989458b-bd6e-4334-aeff-9b569c447d26

Result

Threat name:

n/a

Detection:

clean

Classification:

n/a

Score:

3 / 100

Link:

https://www.joesandbox.com/analysis/1285160

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7203bb5ec300ca74ec9dc8577737a204cb2e7a992f420f92395a2c6f85037d07/

Threat name:

Win64.Trojan.Ursnif

Status:

Malicious

First seen:

2023-08-03 14:24:05 UTC

File Type:

PE+ (Dll)

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=oib3wxwdadfhj3e5zblxon5catfs46uzf5ba7erzliwg7bidpudq._file

Verdict:

malicious

Label(s):

gozi

Gozi

2f4f1afcef4095b8e8e70d66c2d2866d27db31698079ad854a5922ed5fac67f3

Gozi

5e4ed5eebf8da36175d276643ac56c45d0d0e6b41bafc5add664771b4af56e14

Gozi

5ead9dc2ee1f22e08c72c162a379c51b364c6e8fb51328b8bc25d4d2e971ad14

Gozi

a5bd8d4044ccbd2bd9f240cd64c922af89a7d43bcece9eddade2e91f3403793a

Gozi

b8ede90d77745ec6121d2ce8e06e85710855df06fe192788081f2b6ef6abb1d9

Gozi

cf043012ad2be371b8f945ac4952f79d9484f74d8e5fe9a08970d0df748927ab

Gozi

+ 103 additional samples on MalwareBazaar

Result

Malware family:

gozi

Score:

10/10

Tags:

family:gozi botnet:555000 isfb

Link:

https://tria.ge/reports/230803-rqn7taef9v/

Malware Config

C2 Extraction:

http://185.212.44.76
http://79.132.135.249
http://45.155.249.47
http://45.11.180.178
https://lyc.l.ly3cos.com
https://updates.ya3hoo.yah4oo.com
http://45.11.181.28
https://forum4ate.ad.b1ing.com
http://94.247.42.124
https://updat4es.yahoo.yah1oo.com
http://45.155.249.94
https://updates.yahoo.yah1oo.com
http://79.132.135.228
https://updates.yahoo.yah4oo.com
http://79.132.130.234

Unpacked files

SH256 hash:

7203bb5ec300ca74ec9dc8577737a204cb2e7a992f420f92395a2c6f85037d07

MD5 hash:

6a5b2a82fd76eae337397c3bfb163544

SHA1 hash:

28a422d69165872e2e6e41639ad7b437b5a7528e

Detections:

ISFB_Main

win_dreambot_auto

Link:

https://www.unpac.me/results/1b31fb16-e6ee-41d6-9245-f1f31857998d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

ursnif3

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7203bb5ec300ca74ec9dc8577737a204cb2e7a992f420f92395a2c6f85037d07

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Ursnif Create hunting rule
Author:	Embee_Research @ Huntress

Rule name:	win_dreambot_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.dreambot.

Rule name:	win_ursnif_patterns_oct_2022 Create hunting rule
Author:	Embee_Research @ Huntress

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/440096/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample