MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ad0db9da1c28e6d12826b846ee3c82bda649e00d717cb2c4aefeaed56ea48ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7ad0db9da1c28e6d12826b846ee3c82bda649e00d717cb2c4aefeaed56ea48ce
SHA3-384 hash: 6ef15b727577d1ee48b90338a773ffad3e108377ad8ed44f93e7c437e51f7d8e8c03126fd1842186b12da9297d0649c0
SHA1 hash: d3b4222a0a7a1b5271bbc0d016020c6a73850f68
MD5 hash: 7272aaeea39e988faaf3a5aebc6c7867
humanhash: juliet-bakerloo-april-neptune
File name:fizzy.sql
Download: download sample
Signature Gozi
Create hunting rule
File size:593'920 bytes
First seen:2022-12-15 16:45:46 UTC
Last seen:2022-12-15 18:29:19 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 461a59c4abc9890b10f9b02b39c02ac9 (1 x Gozi)
ssdeep 12288:oqH1vzAJ8RyddM/ZZwp7ZhOwJxfgOBtP/Wl:fboPdMzwtZhzBgOrW
TLSH T12FC4C09AE27041AFECBD04BC7872971549FBA4C6CF576AC3C64AB57824326C036B4BD1
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter pr0xylife
Tags:50000 dll Gozi

Intelligence

File Origin
# of uploads :
2
# of downloads :
188
Origin country :
IE IE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/346720/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.7749.10092.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
DNS request
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/639b4f4d4aee845f49e52378/reports/d794e1da-91ee-461c-816c-f5cdfe3d2b96/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/56b63594-84f7-4f76-9918-39f98b4d698b
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1135183
Signature
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Sigma detected: Dot net compiler compiles file from suspicious location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 767913 Sample: fizzy.sql.dll Startdate: 15/12/2022 Architecture: WINDOWS Score: 100 69 Snort IDS alert for network traffic 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 Antivirus detection for URL or domain 2->73 75 4 other signatures 2->75 9 mshta.exe 19 2->9         started        11 loaddll32.exe 1 2->11         started        process3 process4 13 powershell.exe 30 9->13         started        17 cmd.exe 1 11->17         started        19 WerFault.exe 3 9 11->19         started        21 WerFault.exe 4 9 11->21         started        23 conhost.exe 11->23         started        file5 63 C:\Users\user\AppData\...\dbbqg2i2.cmdline, Unicode 13->63 dropped 97 Modifies the context of a thread in another process (thread injection) 13->97 99 Creates a thread in another existing process (thread injection) 13->99 25 explorer.exe 13->25 injected 28 csc.exe 3 13->28         started        31 csc.exe 3 13->31         started        33 conhost.exe 13->33         started        35 rundll32.exe 1 6 17->35         started        signatures6 process7 dnsIp8 85 Tries to steal Mail credentials (via file / registry access) 25->85 87 Self deletion via cmd or bat file 25->87 38 cmd.exe 25->38         started        41 cmd.exe 25->41         started        43 RuntimeBroker.exe 25->43 injected 59 C:\Users\user\AppData\Local\...\dbbqg2i2.dll, PE32 28->59 dropped 45 cvtres.exe 1 28->45         started        61 C:\Users\user\AppData\Local\...\ydb3li4b.dll, PE32 31->61 dropped 47 cvtres.exe 31->47         started        65 108.61.165.145, 49703, 80 AS-CHOOPAUS United States 35->65 67 confisg.edges.skype.com 35->67 89 System process connects to network (likely due to code injection or exploit) 35->89 91 Writes to foreign memory regions 35->91 93 Modifies the context of a thread in another process (thread injection) 35->93 95 2 other signatures 35->95 49 control.exe 35->49         started        file9 signatures10 process11 signatures12 77 Uses ping.exe to sleep 38->77 79 Uses ping.exe to check the status of other devices and networks 38->79 51 conhost.exe 38->51         started        53 PING.EXE 38->53         started        55 conhost.exe 41->55         started        81 Modifies the context of a thread in another process (thread injection) 49->81 83 Creates a thread in another existing process (thread injection) 49->83 57 rundll32.exe 49->57         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7ad0db9da1c28e6d12826b846ee3c82bda649e00d717cb2c4aefeaed56ea48ce/
Threat name:
Win32.Trojan.Zenpak
Create hunting rule
Status:
Malicious
First seen:
2022-12-15 16:46:08 UTC
File Type:
PE (Dll)
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=plinxhnbykhg2eucnocg5y6ifpngjhqa24l4wlck57vo2vxkjdha._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Result
Malware family:
gozi
Create hunting rule
Score:
  10/10
Tags:
family:gozi botnet:50000 banker isfb trojan
Link:
https://tria.ge/reports/221215-t9ylpsch22/
Behaviour
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Blocklisted process makes network request
Gozi
Malware Config
C2 Extraction:
http://confisg.edges.skype.com
http://108.61.165.145
http://37.120.222.23
http://194.76.224.234
http://176.10.111.47
https://confisg.edges.skype.com
http://79.132.128.146
http://176.10.119.229
http://176.10.111.45
http://79.132.128.151
Unpacked files
SH256 hash:
7bad5055221930bb50fd9f8b5feb66e47c6edfbaa95de2a2f70be4af771c547d
MD5 hash:
6fb0fe486a5669389233ff965ea1e105
SHA1 hash:
1c950f4ea06c2c5a16d4e58543400b0738a7c683
Detections:
ISFB_Main
Create hunting rule
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/60b34b58-6792-4802-a670-c9289b392439/
SH256 hash:
16e222f8fc1c52dff68911316e5e752f560732a0ea4c4c704f4c6633716973e0
MD5 hash:
5e8de170397ec0374888057488b441a0
SHA1 hash:
aeb48f85a632fca9b63c3ea9079db9816300806f
Link:
https://www.unpac.me/results/60b34b58-6792-4802-a670-c9289b392439/
SH256 hash:
7ad0db9da1c28e6d12826b846ee3c82bda649e00d717cb2c4aefeaed56ea48ce
MD5 hash:
7272aaeea39e988faaf3a5aebc6c7867
SHA1 hash:
d3b4222a0a7a1b5271bbc0d016020c6a73850f68
Link:
https://www.unpac.me/results/60b34b58-6792-4802-a670-c9289b392439/
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7ad0db9da1c2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/7ad0db9da1c28e6d12826b846ee3c82bda649e00d717cb2c4aefeaed56ea48ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/346720/

Comments