MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ed0c15697c8a218fd403c01f7dd336105417dafab886a4f0790d5f2350d6b50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	7ed0c15697c8a218fd403c01f7dd336105417dafab886a4f0790d5f2350d6b50
SHA3-384 hash:	647f014865301be5b9de09ff85aeff9b80b16d9827b524cae9868346b9c0c8a7647718766967e8438e70d9dff90bc7b3
SHA1 hash:	59b6b81e70ed37a51c284d86adbb5ac7509fbc9b
MD5 hash:	c8d36bed14933b4f4349a7be71b06c22
humanhash:	tennis-wisconsin-mockingbird-princess
File name:	SecuriteInfo.com.Trojan.Gozi.793.26724.8220
Download:	download sample
Signature	Gozi Create hunting rule
File size:	391'168 bytes
First seen:	2021-03-15 18:56:04 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	65a443b7932fd9eb2ea467f5b70b9704 (1 x Gozi)
ssdeep	6144:F0TcG2Wne/LiHMM9VmWuusFu1+qRrzBRGQ1cDtRBw+WO42AOxCRTTebT4:F0TcG2Wne/o9JuusF6xMicKqCk34
Threatray	143 similar samples on MalwareBazaar
TLSH	72848C307E9D8031FE26E93F4464AB740768F8910B705EEB63C719EA5A2F3C15570AE6
Reporter	SecuriteInfoCom
Tags:	Gozi

Intelligence

File Origin

# of uploads :

# of downloads :

165

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.Gozi.793.26724.8220.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6554adb3-2551-4717-86a3-1dd9c86f63f9

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

52 / 100

Link:

https://www.joesandbox.com/analysis/639975

Signature

Found potential dummy code loops (likely to delay analysis)

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

isfb

Link:

https://mwdb.cert.pl/sample/7ed0c15697c8a218fd403c01f7dd336105417dafab886a4f0790d5f2350d6b50/

Threat name:

Win32.Trojan.Gozi

Status:

Malicious

First seen:

2021-02-25 01:46:29 UTC

File Type:

PE (Dll)

AV detection:

28 of 47 (59.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=p3imcvuxzcrbr7kahqa7pxjtmecuc7npvoegutyhsdk7eninnnia._file

Result

Malware family:

gozi_ifsb

Score:

10/10

Tags:

family:gozi_ifsb botnet:2200 banker trojan

Link:

https://tria.ge/reports/210315-qcs2nt89g6/

Behaviour

Suspicious use of WriteProcessMemory

Gozi, Gozi IFSB

Malware Config

C2 Extraction:

api10.laptok.at/api1
golang.feel500.at/api1
go.in100k.at/api1

Unpacked files

SH256 hash:

8a06f6660355b6b393f3ef0c42e148ad2f94e5677c375ddf415f733b06fcef32

MD5 hash:

f52995516bb061fa7bc7f788b131cb68

SHA1 hash:

b8a808b508e57794aae41dc3e6d9ae64be0c0cce

Detections:

win_isfb_auto

Link:

https://www.unpac.me/results/dfed33b1-6e7e-4d6e-9dda-3c551dd0d35b/

Parent samples :

f30b3f53f613d953680fdde8faf35c96a25a1136d0dd6c7aab1cc14ee908702c
51992453cfe179fa3a637985cba9f5a6d5ab495a268e000f480086821c009f3b
b725a6e174cd448a720f179599290d3f014fd2d1521b8de1ddcf28193ba8d09f
1f22836a61a81e1985074d64fcfcf30f7f94bf198b409531cd5632da1c3f2df7
7ed0c15697c8a218fd403c01f7dd336105417dafab886a4f0790d5f2350d6b50

SH256 hash:

1fd907ef385bc9bafd36aefc0736db266104d7a0ea01da729f7171340e5b39c1

MD5 hash:

77659afcdddd3849747db7b6f6948686

SHA1 hash:

83ac88e8115ff14c79d20e69b1aabc1af762cf69

Detections:

win_isfb_auto

Link:

https://www.unpac.me/results/dfed33b1-6e7e-4d6e-9dda-3c551dd0d35b/

SH256 hash:

7ed0c15697c8a218fd403c01f7dd336105417dafab886a4f0790d5f2350d6b50

MD5 hash:

c8d36bed14933b4f4349a7be71b06c22

SHA1 hash:

59b6b81e70ed37a51c284d86adbb5ac7509fbc9b

Link:

https://www.unpac.me/results/dfed33b1-6e7e-4d6e-9dda-3c551dd0d35b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

ursnif3

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7ed0c15697c8a218fd403c01f7dd336105417dafab886a4f0790d5f2350d6b50

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Ursnif3 Create hunting rule
Author:	kevoreilly
Description:	Ursnif Payload

Rule name:	win_isfb_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator