MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77a9dd087ddaea28c24891d5422565a155d03a4e201e4c7ab014502c825968de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 8

SHA256 hash: 77a9dd087ddaea28c24891d5422565a155d03a4e201e4c7ab014502c825968de
SHA3-384 hash: abd02b217ef4fa387425ef1b7ad893c6fe9674ed6c982a2103beab4221e2d34c40ab4a49ddd12dfefab0f5eb2f9252a0
SHA1 hash: b1f1887771e629935cf08d2021aad803fa92d165
MD5 hash: 7903c6c6b06c652bdcf5dad6126258ba
humanhash: jupiter-july-wolfram-quebec
File name: 77a9dd087ddaea28c24891d5422565a155d03a4e201e4c7ab014502c825968de
Signature: Gozi
File size: 406'016 bytes
First seen: 2020-11-11 11:33:31 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: a47bf8d6ef13b3fef9e73edef2c18705 (4 x Gozi)
ssdeep: 6144:F7sw+BGSKlWkpLc95mEOHV6cj/8GdKSy/bmVR2zuGnhhDiWUHBDs:F7vcClZg5W16cj/8tkMzxnh5+O
Threatray: 3 similar samples on MalwareBazaar
TLSH: 3B84AC7367D717F2E6B108374D15C281EE66A2A634E218D9E7F31C82354F752FAA2390
Reporter: seifreed
Tags: Gozi

Intelligence


File Origin
# of uploads: 1
# of downloads: 112
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Sending a UDP request
Launching a process
DNS request
Sending an HTTP GET request
Creating a window
Changing a file
Setting browser functions hooks
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Unauthorized injection to a browser process
Deleting of the original file
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Gozi Ursnif
Detection: malicious
Classification: bank.troj.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Changes memory attributes in foreign processes to executable or writable
Contain functionality to detect virtual machines
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected Gozi e-Banking trojan
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables SPDY (HTTP compression, likely to perform web injects)
Found Tor onion address
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph: [behaviour graph image not reproduced; Behavior Graph ID 315288, sample mIHAt2J1jc, start date 12/11/2020, architecture WINDOWS, score 100]
Graph nodes: mIHAt2J1jc.exe drops C:\Users\user\AppData\...\AJRovrcp.exe and starts cmd.exe (with conhost.exe); AJRovrcp.exe starts svchost.exe, which injects into explorer.exe, which in turn injects into RuntimeBroker.exe and starts further AJRovrcp.exe and svchost.exe instances. Contacted hosts: 192.168.2.1, www.gnu.org, wildebeest.gnu.org (209.51.188.148, ports 49733, 49736, 49737), programuserandussource.ru.

Threat name: Win32.Trojan.Ursnif
Status: Malicious
First seen: 2020-11-11 11:37:28 UTC
AV detection: 26 of 29 (89.66%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: n/a
Unpacked files
SHA256 hash: 77a9dd087ddaea28c24891d5422565a155d03a4e201e4c7ab014502c825968de
MD5 hash: 7903c6c6b06c652bdcf5dad6126258ba
SHA1 hash: b1f1887771e629935cf08d2021aad803fa92d165

SHA256 hash: cde8521f59ca2a6ea25ab064c9ac5d76903dfafd1a0b6332afe9fbf006b1efff
MD5 hash: 6cb1128ba868b2c8576e4ac6bf36ffaf
SHA1 hash: e57cb056816f897607ffc3373c05dbe27fc76c7f
Detections: win_dreambot_a0 win_isfb_a4

SHA256 hash: 823995a26afbe5cd3bb36065ef99fa15e8f430b7b2f48e8359e8f4145a1d03ac
MD5 hash: 37a9edb18b806c34e5b79a023fe60ecd
SHA1 hash: aaf3ce3076de7fce5714fdd3d5ffc0890e46b381
Detections: win_isfb_a4 win_isfb_auto
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Email_stealer_bin_mem
Author: James_inthe_box
Description: Email in files like avemaria

Rule name: Ursnif
Author: JPCERT/CC Incident Response Group
Description: detect Ursnif (a.k.a. Dreambot, Gozi, ISFB) in memory
Reference: internal research

Rule name: Ursnif3
Author: kevoreilly
Description: Ursnif Payload

Rule name: win_isfb_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other