MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d0b3f35f4916e7b988b912715e2e02bc49f6603dfa765a51b8662511868c25a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gozi


Vendor detections: 11



SHA256 hash: 7d0b3f35f4916e7b988b912715e2e02bc49f6603dfa765a51b8662511868c25a
SHA3-384 hash: d8dcabe670ab7d687ca1fb46bc0cb875a165ea19b1e40166935fb1aacd199523f576cf375b05655ce5013c588b3da1f0
SHA1 hash: b18e6acc088aa14838fa55d7fdab6bfac9060fc8
MD5 hash: 7d40abe634e84f584ddde10fc231abcc
humanhash: aspen-network-massachusetts-fish
File name: 7d0b3f35f4916e7b988b912715e2e02bc49f6603dfa765a51b8662511868c25a.dll
Signature: Gozi
File size: 596'480 bytes
First seen: 2023-07-04 09:10:06 UTC
Last seen: 2023-07-04 12:11:19 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash: fef75c12870ae749ff204e9c29112359 (2 x Gozi)
ssdeep: 6144:YQGndQjlcFNA7U+vb3otsAdyqOk0afo2pmV7O07nJD9VqZIYu0DSb4RKp998ulAK:SKUqb3ot9/tkEYHgXSDl
Threatray: 203 similar samples on MalwareBazaar
TLSH: T186C43B47AC41DF77C65D42BACAAF0E9AC2654702FF03BBAAB11D8150758325227E734E
TrID: 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: obfusor
Tags: brt dll Gozi ITA Ursnif

Intelligence


File Origin
# of uploads: 2
# of downloads: 319
Origin country: HK
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:
Behaviour
Searching for the window
Verdict: No Threat
Threat level: 2/10
Confidence: 100%
Tags: greyware
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: bank.troj.spyw.expl.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Benign windows process drops PE files
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects code into the Windows Explorer (explorer.exe)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to steal Mail credentials (via file / registry access)
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph: Behavior Graph ID: 1266491, Sample: mPP31jGHL6.dll, Startdate: 04/07/2023, Architecture: WINDOWS, Score: 100 (rendered process graph with the signatures listed above; network indicators are given under Malware Config below)
Threat name: Win32.Trojan.Ursnif
Status: Malicious
First seen: 2023-07-04 09:11:05 UTC
File Type: PE (Dll)
AV detection: 17 of 24 (70.83%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:gozi botnet:5050 banker isfb persistence trojan
Behaviour
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Gozi
Malware Config
C2 Extraction:
https://avas1ta.com/in/login/
itwicenice.com
https://avas1t.de/in/loginq/
Unpacked files
SHA256 hash: 519c44c95e65fb6b291cdf6efdf3703f85061925733150973ce1b0e19a1d84ff
MD5 hash: 17defd94844b26f2d91fa79686297f66
SHA1 hash: 9bbfb75421fa495ee64e16ea27c8cd32f3a268cc
SHA256 hash: 7d0b3f35f4916e7b988b912715e2e02bc49f6603dfa765a51b8662511868c25a
MD5 hash: 7d40abe634e84f584ddde10fc231abcc
SHA1 hash: b18e6acc088aa14838fa55d7fdab6bfac9060fc8
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: bumblebee_win_generic
Author: _kphi
Rule name: win_isfb_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.isfb.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Malware family: Gozi
File type: DLL dll
SHA256 hash: 7d0b3f35f4916e7b988b912715e2e02bc49f6603dfa765a51b8662511868c25a (this sample)

Delivery method: Distributed via web download

Comments