MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b8ef3f064d0de0c27d56ff4df7d360f0d546d32aabbdf96a746bab5c84277ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7b8ef3f064d0de0c27d56ff4df7d360f0d546d32aabbdf96a746bab5c84277ec
SHA3-384 hash: 5032a59867cbab832685e171b8003e366edf1eb1fda9ae7139fb26de6bfb8e0215b1dad169d81e79dc263385774d154e
SHA1 hash: 4cbaf1ecb48629b163f4387605c8a9011e89183c
MD5 hash: 545f38fbb74881142712052a5b6eabce
humanhash: mockingbird-west-hot-zulu
File name:drfone.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:202'768 bytes
First seen:2020-12-24 07:59:52 UTC
Last seen:2020-12-24 10:09:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e1d290f8f35b21b6194302eff438be07 (1 x Gozi)
ssdeep 6144:35g8bReBDsflri9JwuGTgV4FSRT+7yn4+g62:pg8ostrswbEuFKg62
Threatray 3'317 similar samples on MalwareBazaar
TLSH D214D11A72C1C873D86A437088F38B77655A2D29EB5029D7EFCCBE0E58B11D1953B12B
Reporter JAMESWT_WT
Tags:Gozi isfb OOO Nova soft signed Ursnif

Code Signing Certificate

Organisation:OOO Nova soft
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:Oct 25 00:00:00 2020 GMT
Valid to:Oct 25 23:59:59 2021 GMT
Serial number: D9D419C9095A79B1F764297ADDB935DA
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: A08A153749093DD11A39660099A202C46F1E2DA62F3838BF10DE1902BEAE56C8
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
733
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
drfone.exe
Verdict:
Malicious activity
Analysis date:
2020-12-24 08:00:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0f799760-8509-42d1-8393-a1a8f0e20db8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/109298/
Detection(s):
SecuriteInfo.com.Generic.mg.545f38fbb7488114.12376.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Sending a UDP request
Launching a process
Creating a window
DNS request
Sending a custom TCP request
Searching for the window
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Creating a file in the %temp% directory
Deleting a recently created file
Unauthorized injection to a system process
Result
Verdict:
0
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/569612
Signature
Compiles code for process injection (via .Net compiler)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates a COM Internet Explorer object
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Encrypted powershell cmdline option found
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Sets debug register (to hijack the execution of another thread)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious Csc.exe Source File Folder
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 333865 Sample: drfone.exe Startdate: 24/12/2020 Architecture: WINDOWS Score: 100 68 Multi AV Scanner detection for submitted file 2->68 70 Yara detected  Ursnif 2->70 72 Sigma detected: Dot net compiler compiles file from suspicious location 2->72 74 6 other signatures 2->74 10 cmd.exe 2->10         started        12 drfone.exe 1 2->12         started        15 iexplore.exe 2 98 2->15         started        process3 signatures4 17 forfiles.exe 10->17         started        19 conhost.exe 10->19         started        86 Detected unpacking (changes PE section rights) 12->86 88 Detected unpacking (overwrites its own PE header) 12->88 90 Injects code into the Windows Explorer (explorer.exe) 12->90 92 5 other signatures 12->92 21 conhost.exe 12->21         started        23 iexplore.exe 29 15->23         started        26 iexplore.exe 28 15->26         started        28 iexplore.exe 27 15->28         started        30 6 other processes 15->30 process5 dnsIp6 32 cmd.exe 17->32         started        35 conhost.exe 17->35         started        62 hapynewyear.xyz 45.133.216.84, 443, 49729, 49730 CLOUDSOLUTIONSRU Russian Federation 23->62 process7 signatures8 66 Encrypted powershell cmdline option found 32->66 37 powershell.exe 32->37         started        process9 file10 54 C:\Users\user\AppData\...\xqhvpwja.cmdline, UTF-8 37->54 dropped 56 C:\Users\user\AppData\Local\...\r1g0ykja.0.cs, C++ 37->56 dropped 76 Injects code into the Windows Explorer (explorer.exe) 37->76 78 Sets debug register (to hijack the execution of another thread) 37->78 80 Writes to foreign memory regions 37->80 82 3 other signatures 37->82 41 explorer.exe 37->41 injected 45 csc.exe 37->45         started        48 csc.exe 37->48         started        signatures11 process12 dnsIp13 64 babsgans.website 45.142.215.100, 443, 49767, 49768 CLOUDSOLUTIONSRU Russian Federation 41->64 84 System process connects to network (likely due to code injection or exploit) 41->84 58 C:\Users\user\AppData\Local\...\xqhvpwja.dll, PE32 45->58 dropped 50 cvtres.exe 45->50         started        60 C:\Users\user\AppData\Local\...\r1g0ykja.dll, PE32 48->60 dropped 52 cvtres.exe 48->52         started        file14 signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7b8ef3f064d0de0c27d56ff4df7d360f0d546d32aabbdf96a746bab5c84277ec/
Threat name:
Win32.Trojan.GenCBL
Create hunting rule
Status:
Malicious
First seen:
2020-12-24 01:08:52 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pohph4de2dpayj6vn72n67jwb4gvi3jsvk557fvhi25llscco7wa._file
Verdict:
malicious
Similar samples:
5bd267095b25bea0d5a95b4d6c22b871056ca7b8dc137351850d6a577ba62b80
Gozi
7389677e946cac4226da9b84eca90b94b59d46cf2bf4541ea58d96d39e6669d5
Gozi
76c8a9dbff9b571500729611595f1a1bce8dab543922d731c3bb42af5477f517
Gozi
7a5e4fd35a1a636ef1beb7e62cc647d7e63f5c7aadd2aa1a49d49c81183aca93
Gozi
8092e8842e1f992f109e158672c97f4cf67eab62ed6f017b5f4c0378fbfda264
Gozi
94bb5ce324e3dbf3b2f19b85d33b77b376539ef51dce95443803c9036ffb2be3
Gozi
9e0cfd00991a3d387a78770a7748418b4d0ab978717f84a399d766b19a971df0
Gozi
adef1e98019e2b2fcac75f287caf986ab16153cd40e45b803db0c2a3dd122559
Gozi
be294b6faca17e762d1722ea1e447a3ad3a57b4c110cfe8ff515e3d2047c5ad2
Gozi
c788a7e6d4c74e709845a01627e3cd7bb596dabbafb75aaf3929315e4b58e3e1
Gozi
+ 3'307 additional samples on MalwareBazaar
Result
Malware family:
ursnif_rm3
Create hunting rule
Score:
  10/10
Tags:
family:ursnif_rm3 banker trojan
Link:
https://tria.ge/reports/201224-p53mst8e3j/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Ursnif RM3
Unpacked files
SH256 hash:
7b8ef3f064d0de0c27d56ff4df7d360f0d546d32aabbdf96a746bab5c84277ec
MD5 hash:
545f38fbb74881142712052a5b6eabce
SHA1 hash:
4cbaf1ecb48629b163f4387605c8a9011e89183c
Link:
https://www.unpac.me/results/23f63d6e-bc38-4433-95a3-68d855016856/
SH256 hash:
30e50223da93e38a2bf04e46ef036f67472d355c25b9bd867eff69280a335a7f
MD5 hash:
6aa4470d3762163fa3d3a0550fb0055f
SHA1 hash:
de59787d98ae5d22ae27e61d641c986a9b5ab540
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/23f63d6e-bc38-4433-95a3-68d855016856/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7b8ef3f064d0de0c27d56ff4df7d360f0d546d32aabbdf96a746bab5c84277ec

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe 7b8ef3f064d0de0c27d56ff4df7d360f0d546d32aabbdf96a746bab5c84277ec

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/109298/
  
URLhaus
https://urlhaus.abuse.ch/url/941452/
  
Delivery method
Distributed via web download

Comments