MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7721248f6c524da20b6f51b54e486e5d58766b29dfc5664a3e7a692dd2eb6655. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7721248f6c524da20b6f51b54e486e5d58766b29dfc5664a3e7a692dd2eb6655
SHA3-384 hash: 20364137f6428d87d2a9233a743fd2e61cd3016e06191b95705964c695e21be7616a7dd15df8e58c4ba13156100dd423
SHA1 hash: 13067b9c1960784a184a81b94d7b37bcd957ade7
MD5 hash: e2fa6a1238bcbe673cfc4191159f351c
humanhash: connecticut-quebec-harry-artist
File name:xspcd10
Download: download sample
Signature Gozi
Create hunting rule
File size:220'160 bytes
First seen:2020-12-03 13:06:48 UTC
Last seen:2020-12-03 15:24:55 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash e52c56c636c7f737590c4c91e79b2a8e (5 x Gozi)
ssdeep 3072:tO+b0Q1QZQ6QuQP1pNOtcR1sGFHlx5QN0SGrgv+iwTfH9ZZSTPCEyS+Vja8ziryL:txD1bOaR1Hbg0vr2+3fZSDCFZW8u2
Threatray 75 similar samples on MalwareBazaar
TLSH 4B24C0643194C07AE40714B58C06C7A196B93D706B66AECB7BC9AE3B9F305A5BF343C1
Reporter JAMESWT_WT
Tags:dll Gozi isfb pw 5236721 Ursnif

Intelligence

File Origin
# of uploads :
2
# of downloads :
351
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ursnif3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/106593/
Detection(s):
SecuriteInfo.com.Generic.mg.e2fa6a1238bcbe67.31224.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Searching for the window
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/554616
Signature
Creates a COM Internet Explorer object
Found malware configuration
Multi AV Scanner detection for submitted file
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 326406 Sample: xspcd10 Startdate: 03/12/2020 Architecture: WINDOWS Score: 76 26 Found malware configuration 2->26 28 Multi AV Scanner detection for submitted file 2->28 30 Yara detected  Ursnif 2->30 6 loaddll32.exe 1 2->6         started        9 iexplore.exe 2 68 2->9         started        process3 signatures4 32 Writes or reads registry keys via WMI 6->32 34 Writes registry values via WMI 6->34 36 Creates a COM Internet Explorer object 6->36 11 rundll32.exe 6->11         started        14 rundll32.exe 6->14         started        16 rundll32.exe 6->16         started        18 iexplore.exe 36 9->18         started        20 iexplore.exe 29 9->20         started        22 iexplore.exe 30 9->22         started        24 iexplore.exe 29 9->24         started        process5 signatures6 38 Writes registry values via WMI 11->38 40 Creates a COM Internet Explorer object 11->40
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7721248f6c524da20b6f51b54e486e5d58766b29dfc5664a3e7a692dd2eb6655/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2020-12-03 13:03:11 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
07a73fb70fa63ff53d091c68cb1e5728314ff7b479ca695050173faf3f8f5ea2
Gozi
1302b4037bd0759b5eac425cf3b4333621d2357c8d7d26f910a3473d8618b739
Gozi
1b3b5a0f763692e182e4ec002a871aa61c91341a448dd3241ff7c5d0be094f66
Gozi
2900169349643be6f77530141614eeac56e7b22387b9acf866ed4e4922e32401
Gozi
31ace401668e11cf7874612cc2ce412dcb2ea96428e14f55364cde9214826023
Gozi
733cbecbe9469a90f40dc38448866df368238aac203fa9c986cd6b45d8057aa7
Gozi
7ca733ebb2fc1c0fc99bb61736c8c5a2b619110ef0ce8119207157247ecee478
Gozi
af01b8ece8f568f76bee77c812b47a4c46c7a969a76c3b69b3ffdc86d58654f7
Gozi
c317c52e7b95e14ae974df6fe99df3e5c976b2186897f19fbef68add5dcc28ea
Gozi
e32ad2423fd1079505a65a44d9e0a4ea2c60821336b27e52930feaf5382a3536
Gozi
+ 65 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb banker trojan
Link:
https://tria.ge/reports/201203-1rhcjghqss/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies Internet Explorer Phishing Filter
Modifies Internet Explorer settings
Gozi, Gozi IFSB
Unpacked files
SH256 hash:
29b8c2a1e0adebb6d756ffa1e2f62dc5fe8c27e088c4a0235072038d801397bd
MD5 hash:
c416f29b6afbf066b3d611016974d498
SHA1 hash:
912ca6278d904fc93993cf781890ec3a1c0316d3
Link:
https://www.unpac.me/results/c2b1bc9d-9d9e-472f-a2cd-6e3dd67edd2f/
SH256 hash:
565b18e17db98d9820dfd504ad5239806734c7e434fe605e5caaf2b4619036fd
MD5 hash:
32552af170552def743ad513a911babf
SHA1 hash:
18d330e627cc64dccec350d61581c6ddf3c07c6f
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/c2b1bc9d-9d9e-472f-a2cd-6e3dd67edd2f/
Parent samples :
89c0ff2a9bcbc1e2f6054bfbc9f9325e3b02ee2547ed71fc5803d1889f0f642b
af01b8ece8f568f76bee77c812b47a4c46c7a969a76c3b69b3ffdc86d58654f7
c317c52e7b95e14ae974df6fe99df3e5c976b2186897f19fbef68add5dcc28ea
7721248f6c524da20b6f51b54e486e5d58766b29dfc5664a3e7a692dd2eb6655
2cc1c3bd97262adacd9db09f5f42c0e7203a64f5dc9701bef0affaa75c444bd1
SH256 hash:
7721248f6c524da20b6f51b54e486e5d58766b29dfc5664a3e7a692dd2eb6655
MD5 hash:
e2fa6a1238bcbe673cfc4191159f351c
SHA1 hash:
13067b9c1960784a184a81b94d7b37bcd957ade7
Link:
https://www.unpac.me/results/c2b1bc9d-9d9e-472f-a2cd-6e3dd67edd2f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7721248f6c524da20b6f51b54e486e5d58766b29dfc5664a3e7a692dd2eb6655

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/106593/

Comments