MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77e3afaec1b7b091e7f1fd3bbfac6aa65216e60d6b6f3c866304913278470f61. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gozi


Vendor detections: 10



SHA256 hash: 77e3afaec1b7b091e7f1fd3bbfac6aa65216e60d6b6f3c866304913278470f61
SHA3-384 hash: ed2d8c2d997611017de38bac15c1ff065e8a307839794c7baf8c1a0a0a06639c99dfe446779578cd78f68116cdb460e5
SHA1 hash: bc3db6af596f304b1b4f03117587148897ab67cf
MD5 hash: e77b724a59e7acc345bbb96925491c5b
humanhash: seven-avocado-bakerloo-muppet
File name: SecuriteInfo.com.W32.AIDetect.malware1.9324.25842
Signature: Gozi
File size: 290'304 bytes
First seen: 2021-02-26 09:57:00 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2b9d977cdb96a86271ca820249444adc (1 x Gozi, 1 x Quakbot)
ssdeep: 6144:ASYWIv6ZMnqLr5snwOaUV7+fRqtjMlLrZK:AIu6ZMnArCwOaUUfRs8
TLSH: 30546C21ABB1C034F6F326B859B55378653E79B1BB3480FF12C526EA5A356E0AD30713
Reporter: SecuriteInfoCom
Tags: Gozi
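The imphash above is shared between this Gozi sample and a Quakbot sample. That is expected rather than a database error: an imphash covers only the import table of the outer PE, so two unrelated payloads wrapped by the same packer or loader stub collide on it, whereas ssdeep and TLSH compare the content of the whole file. The following is an added example, not code from MalwareBazaar or from pefile, that reproduces the imphash derivation as pefile defines it and shows which changes to an import table do and do not alter the value. The import tables in it are constructed for illustration and are not this sample's; the well-known-ordinal lookup table that pefile applies to ordinal imports is omitted, which is an assumption that only affects ordinal imports.

```python
"""Added example: how an imphash is derived and why unrelated families can share one.

Not code from MalwareBazaar or pefile; the import lists below are constructed
for illustration and are not the imports of the sample on this page.
"""
import hashlib

# pefile strips these extensions from the DLL name before hashing.
_STRIP_EXT = (".dll", ".ocx", ".sys")


def imphash(imports):
    """Compute an imphash over an ordered list of (dll, function) pairs.

    Mirrors the pefile algorithm: the DLL name is lowercased with a trailing
    .dll/.ocx/.sys removed, the function name is lowercased, entries are
    joined as 'dll.func' in import-table order with commas, and the result
    is MD5-hashed. Ordinal imports are given as integers and rendered as
    'ordN'. (Assumption: pefile additionally resolves well-known ordinals to
    names via a built-in table; that table is omitted here, so results for
    ordinal imports can differ from pefile's.)
    """
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        for ext in _STRIP_EXT:
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{lib}.{name}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


# Constructed import table of a generic packer/loader stub. Such a stub
# imports only what it needs to unpack and map the real payload, so two
# unrelated payloads wrapped by the same stub carry the same import table
# and therefore the same imphash.
STUB_IMPORTS = [
    ("KERNEL32.dll", "VirtualAlloc"),
    ("KERNEL32.dll", "VirtualProtect"),
    ("KERNEL32.dll", "LoadLibraryA"),
    ("KERNEL32.dll", "GetProcAddress"),
    ("USER32.dll", "MessageBoxA"),
]

# Same table with different casing: imphash is case-insensitive, so this
# yields the same value.
STUB_IMPORTS_RECASED = [(d.upper(), f.upper()) for d, f in STUB_IMPORTS]

# Same entries in a different order: imphash is order-sensitive, so this
# yields a different value even though the imported API set is identical.
STUB_IMPORTS_REORDERED = list(reversed(STUB_IMPORTS))


def same_imphash(a, b):
    """True when two import tables hash to the same imphash."""
    return imphash(a) == imphash(b)


if __name__ == "__main__":
    print("stub      :", imphash(STUB_IMPORTS))
    print("recased   :", imphash(STUB_IMPORTS_RECASED))
    print("reordered :", imphash(STUB_IMPORTS_REORDERED))
```

Because the value is order-sensitive and ignores everything outside the import directory, treat an imphash match as "same build of the same stub", not "same family": pivot on it to find siblings, then confirm with the YARA hits, the unpacked-file hashes and the extracted configuration before attributing.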

Intelligence


File Origin
# of uploads: 1
# of downloads: 183
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: a581b527e44fdebb3f62b184e4df5a4d.exe
Verdict: Malicious activity
Analysis date: 2021-02-26 06:30:40 UTC
Tags: stealer trojan loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour
Sending a UDP request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Gozi Ursnif
Detection: malicious
Classification: bank.troj.spyw.evad
Score: 100 / 100
Signature
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Detected Gozi e-Banking trojan
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables SPDY (HTTP compression, likely to perform web injects)
Found malware configuration
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: MSHTA Spawning Windows Shell
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph (ID 358764; sample SecuriteInfo.com.W32.AIDete...; start date 26/02/2021; architecture WINDOWS; score 100). The graph export is summarised here as text:
Top-level signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Ursnif; 8 other signatures.
Top-level DNS/IPs: 8.8.8.8.in-addr.arpa; 1.0.0.127.in-addr.arpa; 2 other IPs or domains.
Process tree: mshta.exe starts powershell.exe (Suspicious powershell command line found). powershell.exe starts two csc.exe instances and conhost.exe, and injects into explorer.exe (Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); 3 other signatures). Each csc.exe starts cvtres.exe. SecuriteInfo.com.W32.AIDetect.malware1.9324.exe runs with Detected Gozi e-Banking trojan; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); 4 other signatures. Several iexplore.exe instances are started, including from 2 other processes.
Injected explorer.exe: Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures.
Dropped files: C:\Users\user\AppData\...\c22qlluf.cmdline (UTF-8) and C:\Users\user\AppData\Local\...\30f4kpnu.0.cs (UTF-8) by powershell.exe; C:\Users\user\AppData\Local\...\c22qlluf.dll (PE32) and C:\Users\user\AppData\Local\...\30f4kpnu.dll (PE32) by the two csc.exe instances.
Network: one iexplore.exe instance contacts darwikalldkkalsld.xyz at 185.186.245.62 (ports 49739, 49740, 49742; WZCOM-US, Netherlands); another contacts 192.168.2.1 (unknown).
Threat name: Win32.Ransomware.Vega
Status: Malicious
First seen: 2021-02-26 06:36:06 UTC
AV detection: 10 of 47 (21.28%)
Threat level: 5/5
Result
Malware family: gozi_ifsb
Score: 10/10
Tags: family:gozi_ifsb botnet:6565 banker trojan
Behaviour
Gathers system information
Modifies Internet Explorer settings
Runs net.exe
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Discovers systems in the same network
Enumerates processes with tasklist
Enumerates physical storage devices
Suspicious use of SetThreadContext
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
updates.microsoft.com
klounisoronws.xyz
darwikalldkkalsld.xyz
c1.microsoft.com
ctldl.windowsupdate.com
195.123.209.122
185.82.218.23
5.34.183.180
bloombergdalas.xyz
groovermanikos.xyz
kadskasdjlkewrjk.xyz
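The extracted configuration above mixes actor infrastructure with legitimate Microsoft hosts (updates.microsoft.com, c1.microsoft.com, ctldl.windowsupdate.com). Gozi/ISFB configurations commonly carry such hosts alongside the real C2 domains, so pushing the list straight into a blocklist would break Windows Update and certificate trust-list downloads across an estate. The following is an added example, not code from MalwareBazaar or from the vendor that extracted the config, that triages the list into actionable and non-actionable indicators and then runs the actionable domains against resolver logs. The C2 list is copied from this page; the benign parent domains are an assumption chosen for the illustration, and the DNS log lines are constructed in a dnsmasq-like shape.

```python
"""Added example: triaging the C2 Extraction list before blocking or hunting on it.

Not code from MalwareBazaar or from the config-extraction vendor. The C2 list
is copied from this page; BENIGN_PARENTS is an assumption for illustration and
the DNS log lines are constructed.
"""
import ipaddress
import re
from collections import namedtuple

# Copied verbatim from the C2 Extraction section of this page.
C2_EXTRACTION = [
    "updates.microsoft.com",
    "klounisoronws.xyz",
    "darwikalldkkalsld.xyz",
    "c1.microsoft.com",
    "ctldl.windowsupdate.com",
    "195.123.209.122",
    "185.82.218.23",
    "5.34.183.180",
    "bloombergdalas.xyz",
    "groovermanikos.xyz",
    "kadskasdjlkewrjk.xyz",
]

# Assumption: parent domains whose subdomains must never be blocked on the
# strength of a config dump alone. Extend this for your own environment.
BENIGN_PARENTS = ("microsoft.com", "windowsupdate.com")

Ioc = namedtuple("Ioc", "value kind actionable reason")


def classify(entry):
    """Classify one config entry as an IP or domain and decide whether to act on it."""
    e = entry.strip().lower()
    try:
        ip = ipaddress.ip_address(e)
    except ValueError:
        ip = None
    if ip is not None:
        if not ip.is_global:
            return Ioc(e, "ip", False, "non-routable address")
        return Ioc(e, "ip", True, "public IP from config")
    for parent in BENIGN_PARENTS:
        if e == parent or e.endswith("." + parent):
            return Ioc(e, "domain", False, f"under {parent}, likely decoy")
    return Ioc(e, "domain", True, "domain from config")


def triage(entries):
    """Split config entries into (actionable, non_actionable) IOC lists."""
    iocs = [classify(x) for x in entries]
    return [i for i in iocs if i.actionable], [i for i in iocs if not i.actionable]


# Constructed resolver log lines in a dnsmasq-like 'query[A] name from client' shape.
SAMPLE_DNS_LOG = """\
Feb 26 09:58:01 resolver dnsmasq[812]: query[A] updates.microsoft.com from 192.168.2.45
Feb 26 09:58:07 resolver dnsmasq[812]: query[A] darwikalldkkalsld.xyz from 192.168.2.45
Feb 26 09:58:09 resolver dnsmasq[812]: query[A] www.example.org from 192.168.2.71
Feb 26 09:58:15 resolver dnsmasq[812]: query[A] kadskasdjlkewrjk.xyz from 192.168.2.45
"""

_QUERY_RE = re.compile(r"query\[\w+\] (?P<name>\S+) from (?P<client>\S+)")


def hunt(log_text, actionable):
    """Return (name, client) pairs for DNS queries that hit an actionable IOC domain."""
    watch = {i.value for i in actionable if i.kind == "domain"}
    hits = []
    for line in log_text.splitlines():
        m = _QUERY_RE.search(line)
        if m and m.group("name").lower().rstrip(".") in watch:
            hits.append((m.group("name"), m.group("client")))
    return hits


if __name__ == "__main__":
    act, skip = triage(C2_EXTRACTION)
    for i in act:
        print("ACT ", i.kind, i.value)
    for i in skip:
        print("SKIP", i.kind, i.value, "-", i.reason)
    for name, client in hunt(SAMPLE_DNS_LOG, act):
        print("HIT ", client, "->", name)
```

The query for updates.microsoft.com in the constructed log produces no hit even though the host is in the config, which is the intended outcome; the two .xyz lookups from the same client are what an analyst should follow up, together with the three public IPs, which this example deliberately does not cross-check against the sandbox's observed 185.186.245.62 because the page only records that address in the behaviour graph, not in the extracted config.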
Unpacked files
SHA256 hash: 19fce4e5db71c4e25a29333540c6ca90a88fc0587f3a2543b320286f36171e57
MD5 hash: 80085d874401d0db6cb20dcb30e8b054
SHA1 hash: 61e34f8f01868ccd56fa175a547275059cc40204
SHA256 hash: 77e3afaec1b7b091e7f1fd3bbfac6aa65216e60d6b6f3c866304913278470f61
MD5 hash: e77b724a59e7acc345bbb96925491c5b
SHA1 hash: bc3db6af596f304b1b4f03117587148897ab67cf
(The second set of hashes is the submitted sample itself; only 19fce4e5db71c4e25a29333540c6ca90a88fc0587f3a2543b320286f36171e57 is a new artifact produced by unpacking.)

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Ursnif3
Author: kevoreilly
Description: Ursnif Payload
Rule name: win_isfb_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
Signature: Gozi
File: Executable exe 77e3afaec1b7b091e7f1fd3bbfac6aa65216e60d6b6f3c866304913278470f61 (this sample)