MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7bed2fb3176716bd5f0a077cf8a670f6dbdf9d90d0091dc40a25f7c7bf4ab038. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7bed2fb3176716bd5f0a077cf8a670f6dbdf9d90d0091dc40a25f7c7bf4ab038
SHA3-384 hash: 6c6e9725bf22a203bd84fc723c461f3d39250f4c6054055b06cbb5543f97399edcfd5f31e8dfaebb1dfa69c6e1fcd2df
SHA1 hash: 1a838d9c609606aba508374cf24816dda866e255
MD5 hash: de70f5acc7b23ea77f7169fe4167135b
humanhash: speaker-winner-arkansas-illinois
File name:6466312632494[1].dll
Download: download sample
Signature Gozi
Create hunting rule
File size:729'088 bytes
First seen:2023-05-18 19:52:36 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 346c3c122515d86c5e58a22762d9ff5b (1 x Gozi)
ssdeep 12288:n/ztvIKgHfrCbmibM0uiGwHtFhyaAAGdoo:/xKfea17i53hy3AG
TLSH T136F4AFD2717FE596D2FD87BDB065F9EB6D890410C06A2818CB1088F9257AB8579FB00F
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter joewise34
Tags:5050 dll Gozi Ursnif


Avatar
joewise34
https://tria.ge/230518-xb31badd44/behavioral2

Intelligence

File Origin
# of uploads :
1
# of downloads :
279
Origin country :
US US
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.BotX-gen.32612.29869.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6466821ec65707af6442ff59/reports/7098a6aa-c3f7-457f-bcf1-a58d52e67cc0/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/7bed2fb3176716bd5f0a077cf8a670f6dbdf9d90d0091dc40a25f7c7bf4ab038
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5c20ca92-6f27-4e1c-af69-9a37204f6aff
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1236334
Signature
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to steal Mail credentials (via file / registry access)
Uses whoami command line tool to query computer and username
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 869329 Sample: 6466312632494[1].dll Startdate: 18/05/2023 Architecture: WINDOWS Score: 100 108 Snort IDS alert for network traffic 2->108 110 Found malware configuration 2->110 112 Malicious sample detected (through community Yara rule) 2->112 114 4 other signatures 2->114 11 loaddll32.exe 1 7 2->11         started        15 mshta.exe 19 2->15         started        17 mshta.exe 19 2->17         started        process3 dnsIp4 92 twinean.com 11->92 136 Writes to foreign memory regions 11->136 138 Writes or reads registry keys via WMI 11->138 140 Writes registry values via WMI 11->140 19 cmd.exe 1 11->19         started        21 control.exe 1 11->21         started        23 conhost.exe 11->23         started        94 192.168.2.1 unknown unknown 15->94 25 powershell.exe 30 15->25         started        29 powershell.exe 17->29         started        signatures5 process6 file7 31 rundll32.exe 6 19->31         started        35 rundll32.exe 21->35         started        90 C:\Users\user\AppData\...\vvdomayd.cmdline, Unicode 25->90 dropped 126 Injects code into the Windows Explorer (explorer.exe) 25->126 128 Writes to foreign memory regions 25->128 130 Modifies the context of a thread in another process (thread injection) 25->130 37 csc.exe 3 25->37         started        40 csc.exe 25->40         started        42 conhost.exe 25->42         started        132 Maps a DLL or memory area into another process 29->132 134 Creates a thread in another existing process (thread injection) 29->134 44 csc.exe 29->44         started        46 csc.exe 29->46         started        48 conhost.exe 29->48         started        signatures8 process9 dnsIp10 98 twinean.com 91.215.85.164, 49709, 49710, 49711 PINDC-ASRU Russian Federation 31->98 100 Writes to foreign memory regions 31->100 102 Modifies the context of a thread in another process (thread injection) 31->102 104 Maps a DLL or memory area into another process 31->104 106 Writes registry values via WMI 31->106 50 control.exe 31->50         started        82 C:\Users\user\AppData\Local\...\vvdomayd.dll, PE32 37->82 dropped 53 cvtres.exe 37->53         started        84 C:\Users\user\AppData\Local\...\tzu2sp00.dll, PE32 40->84 dropped 55 cvtres.exe 40->55         started        86 C:\Users\user\AppData\Local\...\1sdhsp1x.dll, PE32 44->86 dropped 57 cvtres.exe 44->57         started        88 C:\Users\user\AppData\Local\...\t3stcwif.dll, PE32 46->88 dropped 59 cvtres.exe 46->59         started        file11 signatures12 process13 signatures14 116 Changes memory attributes in foreign processes to executable or writable 50->116 118 Injects code into the Windows Explorer (explorer.exe) 50->118 120 Writes to foreign memory regions 50->120 122 4 other signatures 50->122 61 explorer.exe 50->61 injected 65 rundll32.exe 50->65         started        process15 dnsIp16 96 twinean.com 61->96 142 System process connects to network (likely due to code injection or exploit) 61->142 144 Tries to steal Mail credentials (via file / registry access) 61->144 146 Changes memory attributes in foreign processes to executable or writable 61->146 148 6 other signatures 61->148 67 cmd.exe 61->67         started        70 cmd.exe 61->70         started        72 RuntimeBroker.exe 61->72 injected 74 3 other processes 61->74 signatures17 process18 signatures19 124 Uses whoami command line tool to query computer and username 67->124 76 conhost.exe 67->76         started        78 whoami.exe 67->78         started        80 conhost.exe 70->80         started        process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7bed2fb3176716bd5f0a077cf8a670f6dbdf9d90d0091dc40a25f7c7bf4ab038/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2023-05-18 19:53:05 UTC
File Type:
PE (Dll)
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ppws7myxm4ll2xyka56prjtq63n57hmq2aer3rakex34pp2kwa4a._file
Result
Malware family:
gozi
Create hunting rule
Score:
  10/10
Tags:
family:gozi botnet:5050 banker isfb trojan
Link:
https://tria.ge/reports/230518-ylyn1scf3z/
Behaviour
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Blocklisted process makes network request
Gozi
Malware Config
C2 Extraction:
https://config.edge.skype.com
twinean.com
Unpacked files
SH256 hash:
7053fb81a6352a4c60ea64cf35bced1b6dfaa7a1c64205d093bf030f41793ea6
MD5 hash:
b386d856871dea7395b6c54b6f0f48da
SHA1 hash:
0f1d609ff04c53898e8b4530d57809af38490f76
Detections:
ISFB_Main
Create hunting rule
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/da4f658a-2eda-40f2-985e-2842ce62348b/
SH256 hash:
ef0111089e2a9e67a3184d32469b118da6b504a5673d8b68f1ca9ca1fb1eb68d
MD5 hash:
ec2d6eada3e1c73501dd64304157cf61
SHA1 hash:
5d11349e2e09dce7f288e875ef9f0fd8ba0d0fa6
Link:
https://www.unpac.me/results/da4f658a-2eda-40f2-985e-2842ce62348b/
SH256 hash:
7bed2fb3176716bd5f0a077cf8a670f6dbdf9d90d0091dc40a25f7c7bf4ab038
MD5 hash:
de70f5acc7b23ea77f7169fe4167135b
SHA1 hash:
1a838d9c609606aba508374cf24816dda866e255
Link:
https://www.unpac.me/results/da4f658a-2eda-40f2-985e-2842ce62348b/
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7bed2fb31767/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/7bed2fb3176716bd5f0a077cf8a670f6dbdf9d90d0091dc40a25f7c7bf4ab038

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Gozi

Java Script (JS) js 02cd4ea997bbaad37b7aa99971c2b623a1ff9ee615c47b35ecd641ae950c1988

Gozi

DLL dll 7bed2fb3176716bd5f0a077cf8a670f6dbdf9d90d0091dc40a25f7c7bf4ab038

(this sample)

  
Link
https://tria.ge/230518-xb31badd44/behavioral2
  
Dropped by
SHA256 02cd4ea997bbaad37b7aa99971c2b623a1ff9ee615c47b35ecd641ae950c1988
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
MD5 98ee3c498fa4ef69a09b7f84f092cbdd

Comments