MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a60171a2366bc7cd2ea97ec50d4d90cf15e8b7c286f3840661aebec9f9b75ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a60171a2366bc7cd2ea97ec50d4d90cf15e8b7c286f3840661aebec9f9b75ef
SHA3-384 hash: d134b71d8106949b7b70982aff5f6d66409685a44c8a9fed6c092671a4c62b42a7cec86dadebfcbf96cecd0f5fdb1749
SHA1 hash: 6e2d8fb9198b1b03d1edd95b1245bc0aeb1011a7
MD5 hash: 5b1a2e5c1ad156d5a1179be2af118901
humanhash: montana-batman-island-uncle
File name:20230306_unpacked_gozi.bin
Download: download sample
Signature Gozi
Create hunting rule
File size:44'544 bytes
First seen:2023-03-06 10:42:15 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash ef075d26b728b78a932306e24062e80c (7 x Gozi)
ssdeep 768:20gsqVXye2rS/Q4VYXQIVpCHlNBmQWGk2j+A6ewBvu7gpzhK3D1Gc4d:29sq8S/QEYXQIVWlvmYp6ewNu7hD1GcC
Threatray 395 similar samples on MalwareBazaar
TLSH T18B139E01F6F94CF6C7A31EB06720FBA9A7FAD53122785151AF1369CA1E60913E13D20B
TrID 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter Viuleeenz
Tags:dll Gozi unpacked Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
237
Origin country :
IT IT
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/371913/
Detection(s):
Win.Malware.Ursnif-9975502-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed shell32.dll
Link:
https://www.filescan.io/uploads/6405c3b793921fa04236c2f8/reports/75ae5328-7e22-4ca1-a2ec-5166a0364d55/overview
Verdict:
Malicious
Labled as:
Ursnif.1.Generic
Link:
https://www.hybrid-analysis.com/sample/7a60171a2366bc7cd2ea97ec50d4d90cf15e8b7c286f3840661aebec9f9b75ef
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a3557a68-7b84-4bb4-951e-5e955661fa66
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1187703
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 820585 Sample: 20230306_unpacked_gozi.bin.dll Startdate: 06/03/2023 Architecture: WINDOWS Score: 76 15 Malicious sample detected (through community Yara rule) 2->15 17 Antivirus / Scanner detection for submitted sample 2->17 19 Multi AV Scanner detection for submitted file 2->19 21 2 other signatures 2->21 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 conhost.exe 7->11         started        process5 13 rundll32.exe 9->13         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7a60171a2366bc7cd2ea97ec50d4d90cf15e8b7c286f3840661aebec9f9b75ef/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2023-03-06 11:04:32 UTC
File Type:
PE (Dll)
AV detection:
25 of 25 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pjqbogrdm26hzuxks7wfbvgzbtyv5c34fbxtqqdgdlv6zh43oxxq._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
896c5898ce95f078e8246f62ccd4b7da07959b2884362fa9c1933712aedeb553
Gozi
9cc3318cdf29c5b6a1c170facbd0e7849b674ecd2072d9741424709e0931f8cf
Gozi
9d1e71b94eab825c928377e93377feb62e02a85b7d750b883919207119a56e0d
Gozi
a42fad7a44006d21404affed1fb90a67ecf5e2bc6436dc3729705ca29b4f91e4
Gozi
cff404581196accfce86e8ba7a5b8f63b686ef831e384d95e46a04f908e0987a
Gozi
dcc33bc510228ff4cf4dc286e5902be5a262e3def4189960c702d27b83da84b2
Gozi
df9bc10545b7066ec3bc8868a9e20379aa9a7cbb38928902520eea8fdd3ac2a7
Gozi
f0606eb18477cfec7939d20432ba7999ac9044dfbc936a0071cbe920d02a7e1c
Gozi
+ 385 additional samples on MalwareBazaar
Result
Malware family:
gozi
Create hunting rule
Score:
  10/10
Tags:
family:gozi botnet:7710 isfb
Link:
https://tria.ge/reports/230306-mr866abh33/
Behaviour
Suspicious use of WriteProcessMemory
Malware Config
C2 Extraction:
checklist.skype.com
62.173.140.103
31.41.44.63
46.8.19.239
185.77.96.40
46.8.19.116
31.41.44.48
62.173.139.11
62.173.138.251
Unpacked files
SH256 hash:
7a60171a2366bc7cd2ea97ec50d4d90cf15e8b7c286f3840661aebec9f9b75ef
MD5 hash:
5b1a2e5c1ad156d5a1179be2af118901
SHA1 hash:
6e2d8fb9198b1b03d1edd95b1245bc0aeb1011a7
Detections:
ISFB_Main
Create hunting rule
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/35a1a269-4b29-4431-8d1a-cffe8adb97c9/
Parent samples :
a7244954aa33a3d0bbdc5bf098d546135f1b90545ad649f83eb0fe96b741c296
7a60171a2366bc7cd2ea97ec50d4d90cf15e8b7c286f3840661aebec9f9b75ef
3af96098ccb1063f1538e255f328e78f9556e29cd0563c53d2a73569759b5d0e
7c854a125b0d2613bbfcd1fb3664c03c61bc3787ec8bde6be11a2f75692da268
957b7f7039ef6b3c84f374b6b602466cb196e50e477a37e012423b7a9d72aa7f
236f2a9fcc1176a802946828029465d054626f92d258015f8abccdc52d2365e7
ad738ad2b402c8918bdfcf0b90c9d3aad7802a62cea735d522351bca5bf8d1d7
fc3e7ff40a45bccd83617ea952eccdfc93301c6673cce8de33b4bf924b8957d9
47e870e2d1a123b74c470b0e01ed75ef196c714aeed8739f77ac6e56430dba35
a9f25933eb0dc82972d77854034dbc86220088eff4758a7df4e65f87ee1745e1
fc74e8faf8772293f2947c803c5309c64310c38d8e3f8efe18271004a9b96bba
19a9a43b36d2ed6516e4b1d8368cb3af64362507d2b30f4cb742fbe50780ee89
0c1d1a60a0fc143c9fc830be48c53d488b414921cf4d97d66466ff2a628d1b4d
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7a60171a2366bc7cd2ea97ec50d4d90cf15e8b7c286f3840661aebec9f9b75ef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/371913/

Comments