MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7cbb379e78c7c547cfd1957ccaa0be899cb97df3d001605c9bd51cd70d975886. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7cbb379e78c7c547cfd1957ccaa0be899cb97df3d001605c9bd51cd70d975886
SHA3-384 hash: 8ff7eb921076f93b98abca8615f9e2ef754a20218a5d783e6b49b71e2bcd96f51cb1a9c5533ab32eeb6a620003182d06
SHA1 hash: f143fb4f0b339fecff40838b43a645fc0b056c5a
MD5 hash: b7419ae99bdf4bb0d53ac560e308565e
humanhash: georgia-oxygen-fish-september
File name:readme.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:467'968 bytes
First seen:2022-03-21 07:57:02 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash fb1f8e7f8db967a7b56f775d8d3c6c8d (1 x Gozi)
ssdeep 12288:GXNEWSzLHeHktZ2VWzBoCMr4PoBmomfWSTF7s:GXOLzSEtZ2VWlOGoczW
Threatray 535 similar samples on MalwareBazaar
TLSH T1AAA47C22F2E08437D1731A3C9C5B97A498397E513D38AC4E3BE81E4C4F797817A66297
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter JAMESWT_WT
Tags:agenziaentrate dll Gozi isfb mise Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
428
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/253333/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.67780.18341.10994.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe greyware keylogger
Link:
https://www.filescan.io/uploads/62382fd2b94fb38cb4c134d5/reports/4baf7ff4-c617-4e5e-9d9a-b849fe2eb798/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1ed9e304-2838-4c57-9f73-1dbfb9fbbce5
Result
Threat name:
Ursnif CryptOne
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/960493
Signature
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Yara detected CryptOne packer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 592970 Sample: readme.exe Startdate: 21/03/2022 Architecture: WINDOWS Score: 100 48 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->48 50 Multi AV Scanner detection for domain / URL 2->50 52 Found malware configuration 2->52 54 6 other signatures 2->54 8 loaddll32.exe 7 2->8         started        12 iexplore.exe 1 73 2->12         started        14 iexplore.exe 1 50 2->14         started        16 2 other processes 2->16 process3 dnsIp4 42 sistemliner.top 8->42 44 premiumlists.ru 8->44 46 linkspremium.ru 8->46 56 Found evasive API chain (may stop execution after checking system information) 8->56 58 Found API chain indicative of debugger detection 8->58 60 Writes or reads registry keys via WMI 8->60 62 2 other signatures 8->62 18 cmd.exe 1 8->18         started        20 iexplore.exe 31 12->20         started        23 iexplore.exe 31 14->23         started        25 iexplore.exe 33 16->25         started        27 iexplore.exe 16->27         started        signatures5 process6 dnsIp7 29 rundll32.exe 18->29         started        34 linkspremium.ru 62.173.149.135, 49750, 49751, 49752 SPACENET-ASInternetServiceProviderRU Russian Federation 20->34 36 sistemliner.top 31.41.46.120, 80 ASRELINKRU Russian Federation 20->36 38 premiumlists.ru 45.128.184.132, 49755, 49756, 49771 MGNHOST-ASRU Russian Federation 25->38 40 127.0.0.1 unknown unknown 25->40 process8 signatures9 64 Found evasive API chain (may stop execution after checking system information) 29->64 66 Found API chain indicative of debugger detection 29->66 68 Contains functionality to detect sleep reduction / modifications 29->68 32 WerFault.exe 23 9 29->32         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7cbb379e78c7c547cfd1957ccaa0be899cb97df3d001605c9bd51cd70d975886/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-03-19 23:43:53 UTC
File Type:
PE (Dll)
Extracted files:
92
AV detection:
23 of 42 (54.76%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
141ac687d4e9843e30b3687f5a7a95f70ed48808070c816d4881e87998840f86
Gozi
2603f6890e3c3d47696b37c47516ac2e9f35e6805653f467a0a22de2b88defc8
Gozi
3a97651f970c4aecf446aa67fe4daab235e0dc35860b1440d413ee91a27dad27
Gozi
410eb4b06644f073370230650fe0624ce5dc6e18481b2e85930865a5a3984160
Gozi
4eae1c5ebdb7b2021913b37477077bde0177579b6f8d43a49bd8a202b45657f4
Gozi
9c815841be71a4aafec48f38dcb04b94fcf7b13a21ffbb834f77951ed615f9c4
Gozi
9f67885dc039a8378a81b3b4edb035a4e7c0e0a4e128ac4aa60232fff8e67acd
Gozi
d61ee5e7b17684983ea9049f719beb05978a813638f53f7625e970bae1c2abd7
Gozi
+ 525 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:7625 banker trojan
Link:
https://tria.ge/reports/220321-js9mjaadhj/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
sistemliner.top
linkspremium.ru
premiumlists.ru
Unpacked files
SH256 hash:
6fb42a57c8dcc56f467290ab3754b512d0074fd1445284b3998b7161372cf4a0
MD5 hash:
a023cde5343b81586aea9ed8e8b62f79
SHA1 hash:
c883826d569b2bdd5e71f3fc39b15a183381464a
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/5329f3df-84f6-4bef-bf84-9d0702a1d8e7/
Parent samples :
9c815841be71a4aafec48f38dcb04b94fcf7b13a21ffbb834f77951ed615f9c4
3a97651f970c4aecf446aa67fe4daab235e0dc35860b1440d413ee91a27dad27
7cbb379e78c7c547cfd1957ccaa0be899cb97df3d001605c9bd51cd70d975886
SH256 hash:
ab2fad795e531fbfc0c3ebef645522fdc7fa058d905634e5512987348ec79783
MD5 hash:
a62dfacb00cc2b502154e3b77e35dd6c
SHA1 hash:
c5482a53d940c22af20bb475364d8e4bce187b81
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/5329f3df-84f6-4bef-bf84-9d0702a1d8e7/
Parent samples :
9c815841be71a4aafec48f38dcb04b94fcf7b13a21ffbb834f77951ed615f9c4
3a97651f970c4aecf446aa67fe4daab235e0dc35860b1440d413ee91a27dad27
7cbb379e78c7c547cfd1957ccaa0be899cb97df3d001605c9bd51cd70d975886
SH256 hash:
7cbb379e78c7c547cfd1957ccaa0be899cb97df3d001605c9bd51cd70d975886
MD5 hash:
b7419ae99bdf4bb0d53ac560e308565e
SHA1 hash:
f143fb4f0b339fecff40838b43a645fc0b056c5a
Link:
https://www.unpac.me/results/5329f3df-84f6-4bef-bf84-9d0702a1d8e7/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/7cbb379e78c7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.26
Link:
https://yomi.yoroi.company/submissions/7cbb379e78c7c547cfd1957ccaa0be899cb97df3d001605c9bd51cd70d975886

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

DLL dll 7cbb379e78c7c547cfd1957ccaa0be899cb97df3d001605c9bd51cd70d975886

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2103348/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/253333/

Comments