MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7739c03843a133370371b72a5552ba6a5cb36d5defbfb0b10b9580bb9c62a798. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7739c03843a133370371b72a5552ba6a5cb36d5defbfb0b10b9580bb9c62a798
SHA3-384 hash: c5df4155a9b797c04e9f48a6b5d56ee72481490a876040d2d8e8a829b165e2b6bff602a77366f7c5b1bd5bd62cb25afb
SHA1 hash: 7d71f3c3878bcea1210333c7aa339e51d8f5eff1
MD5 hash: 55226c32dfa1ea5560cece567316f999
humanhash: friend-east-missouri-indigo
File name:1f0000.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:44'544 bytes
First seen:2022-01-13 12:49:12 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
ssdeep 768:pqntVn0N9DLjasP8a03mUPATPOL+EAJg5QsKhGWi4aOOtl8KCHQqc:U4LjasP8a03mUIT6+EAJg5/+GWpaOaei
Threatray 432 similar samples on MalwareBazaar
TLSH T16F139D01B6F54CF3C6E30E347614EAF663EE4631267151519B13A9CA2AB49A3E63D30B
Reporter 0x746f6d6669
Tags:dll Gozi

Intelligence

File Origin
# of uploads :
1
# of downloads :
276
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/219001/
Detection(s):
SecuriteInfo.com.Variant.Razy.411226.11460.32691.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed shell32.dll
Link:
https://www.filescan.io/uploads/61e02001f2e8ec86fef7f158/reports/26900130-d45c-497c-b474-8561343583ce/overview
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/77f5ea77-8575-407d-ab24-dc04bb896585
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/920063
Signature
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 552543 Sample: 1f0000.dll Startdate: 13/01/2022 Architecture: WINDOWS Score: 60 13 Antivirus / Scanner detection for submitted sample 2->13 15 Multi AV Scanner detection for submitted file 2->15 17 Sigma detected: Suspicious Call by Ordinal 2->17 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        process5 11 rundll32.exe 9->11         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7739c03843a133370371b72a5552ba6a5cb36d5defbfb0b10b9580bb9c62a798/
Threat name:
Win32.Trojan.Razy
Create hunting rule
Status:
Malicious
First seen:
2022-01-13 12:50:10 UTC
File Type:
PE (Dll)
AV detection:
14 of 27 (51.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o444aocdueztoa3rw4vfkuv2njolg3k55673bmilswalxhdcu6ma._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
171c18f740641ffc0e1ce486feacabb367292d01627a7103cd614e9a746a9b9c
Gozi
3fff4baf83e75e39c51a2484ca04763852b6d6bf0a24ecb341e65dd2724711a0
Gozi
45f11d97a8ed1a9215e9c6c8d44335229e17bd63bb0a48abcc8c2a02dca241c4
Gozi
54ce5aedb7cc073c481eb8af96f89f3ab11e5decaccf942d033479fd0f04c8b3
Gozi
683f12747c11016669f9a7413b8975c615f39d2d530b1825eff8a36479e303ff
Gozi
9314c01984c89151f6d4624acad638fe054b3036fcc5115271cb598954c20070
Gozi
9c4088dfc53bb7b6d9887d200801a926b73c09458910460a2d6f4e2d67f13e6e
Gozi
aa4d5569f00d3fed84a25b4a1adcf28e55150e01cd5917082fa9569f774b984e
Gozi
c45c6faa94764a703ef64098046ffbb24eebd81bc360f31f441b884a8cddae5f
Gozi
+ 422 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:2001
Link:
https://tria.ge/reports/220113-p2yjhsacer/
Behaviour
Suspicious use of WriteProcessMemory
Malware Config
C2 Extraction:
update.kaspersky.com
plunger.in
update.fortinet.com
blancs.ws
piepes.in
csite.ws
Unpacked files
SH256 hash:
7739c03843a133370371b72a5552ba6a5cb36d5defbfb0b10b9580bb9c62a798
MD5 hash:
55226c32dfa1ea5560cece567316f999
SHA1 hash:
7d71f3c3878bcea1210333c7aa339e51d8f5eff1
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/a1becd64-5393-49e4-bb3f-abf09812db1d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/7739c03843a133370371b72a5552ba6a5cb36d5defbfb0b10b9580bb9c62a798

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/219001/

Comments