MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73118c724e0d6cb9ce3072d66f2d20fb7e89189699faf60315395ad89b0a1a4d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 73118c724e0d6cb9ce3072d66f2d20fb7e89189699faf60315395ad89b0a1a4d
SHA3-384 hash: 1fce919ff4ec86c13b1edc3777ccb51ece31106975cf9995900d353fce74a3fd1c31c0a3efd0d357ba44f24147a9edc4
SHA1 hash: d7a399ace98716325d336e10b71049ed2bb7cc97
MD5 hash: da4fab67f5cdf49208bb9065d7b7d1e7
humanhash: artist-seventeen-violet-item
File name:41e0000.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:40'960 bytes
First seen:2022-01-20 11:04:02 UTC
Last seen:2022-01-20 13:03:39 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash abb1b968d91c75e2b3eff2ef40b80997 (2 x Gozi)
ssdeep 768:QpWPY4HN7q7vSPkVmkFtgDjem94Uk5kXXvi5i2NggLTH:QpngN7BwmDCGkGXXvEi2+gPH
Threatray 552 similar samples on MalwareBazaar
TLSH T1FB03E1141E59557AFB36CEB5212D313C6A5483022B69904E9FD23E7F8D61E483CBF352
Reporter 0x746f6d6669
Tags:dll Gozi

Intelligence

File Origin
# of uploads :
2
# of downloads :
235
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/221044/
Detection(s):
SecuriteInfo.com.Variant.Razy.862012.23164.4931.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61e941acd32385db630e626e/reports/a54f64d5-c4d6-457e-a3ff-42a02bd2df91/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6839b6ca-2b82-4306-b819-47eb7a2ed7e5
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/924289
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 556767 Sample: 41e0000.dll Startdate: 20/01/2022 Architecture: WINDOWS Score: 100 42 www.nnnnnn.bar 2->42 44 nnnnnn.bar 2->44 46 parkingpage.namecheap.com 2->46 76 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->76 78 Multi AV Scanner detection for domain / URL 2->78 80 Found malware configuration 2->80 82 6 other signatures 2->82 8 loaddll32.exe 7 2->8         started        12 iexplore.exe 2->12         started        14 iexplore.exe 2->14         started        16 4 other processes 2->16 signatures3 process4 dnsIp5 70 www.nnnnnn.casa 8->70 72 www.nnnnnn.bar 8->72 74 4 other IPs or domains 8->74 94 Found evasive API chain (may stop execution after checking system information) 8->94 96 Found API chain indicative of debugger detection 8->96 98 Writes or reads registry keys via WMI 8->98 100 Writes registry values via WMI 8->100 18 regsvr32.exe 6 8->18         started        22 cmd.exe 1 8->22         started        24 rundll32.exe 6 8->24         started        32 3 other processes 12->32 34 3 other processes 14->34 26 iexplore.exe 31 16->26         started        28 iexplore.exe 31 16->28         started        30 iexplore.exe 16->30         started        36 2 other processes 16->36 signatures6 process7 dnsIp8 50 3 other IPs or domains 18->50 84 System process connects to network (likely due to code injection or exploit) 18->84 86 Writes or reads registry keys via WMI 18->86 88 Writes registry values via WMI 18->88 38 rundll32.exe 6 22->38         started        52 4 other IPs or domains 24->52 48 museumistat.bar 26->48 54 3 other IPs or domains 28->54 56 2 other IPs or domains 30->56 58 3 other IPs or domains 32->58 60 5 other IPs or domains 34->60 62 4 other IPs or domains 36->62 signatures9 process10 dnsIp11 64 www.nnnnnn.casa 38->64 66 nnnnnn.casa 38->66 68 2 other IPs or domains 38->68 90 System process connects to network (likely due to code injection or exploit) 38->90 92 Writes registry values via WMI 38->92 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/73118c724e0d6cb9ce3072d66f2d20fb7e89189699faf60315395ad89b0a1a4d/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2022-01-20 11:04:13 UTC
File Type:
PE (Dll)
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=omiyy4sobvwlttrqollg6lja7n7isgewth5pmayvhfnnrgykdjgq._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
02bb7e5eda106943c37400103a651d11d1ebfd5f4b0a550874328c2c82340923
Gozi
171c18f740641ffc0e1ce486feacabb367292d01627a7103cd614e9a746a9b9c
Gozi
29886509fe1c9628fa5227a052e98e5b7cd7bc04cab15f498eb884d588654b1f
Gozi
2da8961e57698bcd2dbe9c4311181352ccb1047dbbca9814bf2183a6fe0dd904
Gozi
3fff4baf83e75e39c51a2484ca04763852b6d6bf0a24ecb341e65dd2724711a0
Gozi
45f11d97a8ed1a9215e9c6c8d44335229e17bd63bb0a48abcc8c2a02dca241c4
Gozi
54ce5aedb7cc073c481eb8af96f89f3ab11e5decaccf942d033479fd0f04c8b3
Gozi
7313c2675f4a3c247fc8fe50ed0d7cd4885454151de712f026e9830de0cd04e1
Gozi
aa4d5569f00d3fed84a25b4a1adcf28e55150e01cd5917082fa9569f774b984e
Gozi
+ 542 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:7576 persistence
Link:
https://tria.ge/reports/220120-m6abdahfe2/
Behaviour
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Sets service image path in registry
Malware Config
C2 Extraction:
museumistat.bar
nnnnnn.bar
nnnnnn.casa
Unpacked files
SH256 hash:
da9e5bcff0ad496dd7a8be8f8aac3d3105cc27f66b439822b9068964121aee6f
MD5 hash:
b234a6165764650f7d1efebe8209f569
SHA1 hash:
d6760b7834899d69b575f7f4e8a404aa5c90c56f
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/c7fa229a-7dda-4d55-8447-52fb20c3bcc8/
Parent samples :
02bb7e5eda106943c37400103a651d11d1ebfd5f4b0a550874328c2c82340923
73118c724e0d6cb9ce3072d66f2d20fb7e89189699faf60315395ad89b0a1a4d
SH256 hash:
73118c724e0d6cb9ce3072d66f2d20fb7e89189699faf60315395ad89b0a1a4d
MD5 hash:
da4fab67f5cdf49208bb9065d7b7d1e7
SHA1 hash:
d7a399ace98716325d336e10b71049ed2bb7cc97
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/c7fa229a-7dda-4d55-8447-52fb20c3bcc8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.31
Link:
https://yomi.yoroi.company/submissions/73118c724e0d6cb9ce3072d66f2d20fb7e89189699faf60315395ad89b0a1a4d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/221044/

Comments