MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ca733ebb2fc1c0fc99bb61736c8c5a2b619110ef0ce8119207157247ecee478. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi
Vendor detections: 8

SHA256 hash: 7ca733ebb2fc1c0fc99bb61736c8c5a2b619110ef0ce8119207157247ecee478
SHA3-384 hash: a5706b59d7f98a58214781e48232a8439a28e9a2ae3f51d20996b4cc17ffd5c5dab8abc286e5f36c3ff1ee0c14bab8a1
SHA1 hash: ad18e810016841dad044d32992396f0950848bbb
MD5 hash: 7c104281fed4b9d6e39f56cef9ed178b
humanhash: hot-jig-black-autumn
File name: xspcd1
Signature: Gozi
File size: 476'672 bytes
First seen: 2020-12-03 09:32:36 UTC
Last seen: Never
File type: DLL
MIME type: application/x-dosexec
imphash: e4c110f7d46db84405aee6d183393378 (4 x Gozi)
ssdeep: 12288:O889c25L/1y99ykpSm9Zu0KX1nfv9mDQqXehwOq1:O88c2N/1c9im2X1tPqS/q1
Threatray: 114 similar samples on MalwareBazaar
TLSH: F1A4F1257BA1D530C403D8754809DB61EB7D3D607F25608B7CEEAEBB2F706A16A3D10A
Reporter: JAMESWT_WT
Tags: dll Gozi isfb pw 5236721 Ursnif

Intelligence


File Origin
# of uploads: 1
# of downloads: 329
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:
Behaviour
Sending a UDP request
Creating a window
Using the Windows Management Instrumentation requests
Launching a process
DNS request
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary can be suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: bank.troj
Score: 60 / 100
Signature
Creates a COM Internet Explorer object
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph (ID 326350, sample xspcd1, start date 03/12/2020, architecture WINDOWS, score 60):
- Yara detected Ursnif
- loaddll32.exe (started)
  - Writes or reads registry keys via WMI
  - Writes registry values via WMI
  - Creates a COM Internet Explorer object
  - rundll32.exe (started)
  - rundll32.exe (started)
  - rundll32.exe (started)
- iexplore.exe (started)
  - iexplore.exe (started)
Threat name: Win32.Trojan.Malrep
Status: Malicious
First seen: 2020-12-03 09:33:05 UTC
File Type: PE (Dll)
Extracted files: 1
AV detection: 20 of 28 (71.43%)
Threat level: 5/5
Result
Malware family: gozi_ifsb
Score: 10/10
Tags: family:gozi_ifsb banker trojan
Behaviour
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Gozi, Gozi IFSB
Unpacked files
SHA256 hash: 7ca733ebb2fc1c0fc99bb61736c8c5a2b619110ef0ce8119207157247ecee478
MD5 hash: 7c104281fed4b9d6e39f56cef9ed178b
SHA1 hash: ad18e810016841dad044d32992396f0950848bbb

SHA256 hash: 169a758884c7782c6dd6d524a542677e46c0748e61401683d53024ad9cc49314
MD5 hash: e5a89cfa7cab617ac86309a59da373a4
SHA1 hash: 196cc41f47508fe636cced31da10adfeb70fab52
Please note that we are no longer able to provide a coverage score for Virus Total.
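Added example (not code from MalwareBazaar or the reporter): a stdlib-only Python sweep that computes the digest types this entry lists (SHA256, SHA1, MD5, SHA3-384) over every file under a directory and reports any file matching the parent DLL or the unpacked child listed above. The IOC values are copied from this entry; the temporary directory, file names and file contents in the demo are constructed and benign, so against the page's IOCs the sweep returns no hits. A SHA256 (or SHA3-384) hit is conclusive; MD5 and SHA1 are included only because older feeds carry nothing else, and a hit on them alone should be confirmed by SHA256. imphash, ssdeep and TLSH are not covered here because they need third-party libraries.

```python
import hashlib
import tempfile
from pathlib import Path

# Digests copied from the MalwareBazaar entry above: the parent DLL
# (7ca733eb...) and the unpacked child (169a7588...). SHA3-384 is
# only listed for the parent.
IOCS = {
    "sha256": {
        "7ca733ebb2fc1c0fc99bb61736c8c5a2b619110ef0ce8119207157247ecee478",
        "169a758884c7782c6dd6d524a542677e46c0748e61401683d53024ad9cc49314",
    },
    "sha1": {
        "ad18e810016841dad044d32992396f0950848bbb",
        "196cc41f47508fe636cced31da10adfeb70fab52",
    },
    "md5": {
        "7c104281fed4b9d6e39f56cef9ed178b",
        "e5a89cfa7cab617ac86309a59da373a4",
    },
    "sha3_384": {
        "a5706b59d7f98a58214781e48232a8439a28e9a2ae3f51d20996b4cc17ffd5c5"
        "dab8abc286e5f36c3ff1ee0c14bab8a1",
    },
}

# hashlib names for the digest types the entry lists.
ALGORITHMS = ("sha256", "sha1", "md5", "sha3_384")


def digest_all(data: bytes) -> dict:
    """Return every listed digest type for an in-memory blob, keyed by name."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGORITHMS}


def digest_file(path: Path, chunk_size: int = 1 << 20) -> dict:
    """Same as digest_all but streams the file so large samples fit in memory."""
    hashers = {algo: hashlib.new(algo) for algo in ALGORITHMS}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match_iocs(digests: dict, iocs: dict = IOCS) -> list:
    """Return (algorithm, digest) pairs that hit the IOC set.

    Comparison is case-insensitive because feeds mix upper- and lower-case
    hex. Algorithms missing from either side are simply skipped.
    """
    hits = []
    for algo in ALGORITHMS:
        value = digests.get(algo, "").lower()
        if value and value in iocs.get(algo, set()):
            hits.append((algo, value))
    return hits


def sweep(root: Path, iocs: dict = IOCS) -> dict:
    """Walk root recursively; map each file path that has hits to its hit list."""
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        hits = match_iocs(digest_file(path), iocs)
        if hits:
            findings[str(path)] = hits
    return findings


def demo_sweep(iocs: dict = IOCS) -> dict:
    """Sweep a throwaway directory holding two constructed, benign files.

    Against the real IOC set this returns {} (a true negative). Passing a
    custom IOC set, e.g. one holding the SHA256 of b"abc", produces a hit
    on abc.bin and exercises the positive path.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "abc.bin").write_bytes(b"abc")  # constructed content
        (root / "sub").mkdir()
        (root / "sub" / "xspcd1").write_bytes(b"not the real sample")  # constructed
        return sweep(root, iocs)


if __name__ == "__main__":
    print(demo_sweep())  # {} against the page's IOCs
```

Point `sweep()` at a quarantine folder or a mounted disk image to check it for this sample and its unpacked child; extend `IOCS` with further hashes from the Threatray-related samples as you collect them.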

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments