MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7fb112c3da88d1cec6b56d4503337efc9a55210736c25f6e5a59811ad5846f9b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7fb112c3da88d1cec6b56d4503337efc9a55210736c25f6e5a59811ad5846f9b
SHA3-384 hash: 80318555de855073f78f7f15c9db0d3376b9dc78ebcc5ae3e590049eea1c1d7243af50b82b8c072e8de6d4a4c12de7f9
SHA1 hash: 9dc0793afe5d962bd73be2954dbbe000386f96c6
MD5 hash: 20ebc4efde4da88e146c8e4246f42a5d
humanhash: gee-utah-connecticut-eleven
File name:9b0000.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:44'544 bytes
First seen:2022-10-06 10:20:03 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
ssdeep 768:6TmE+L5AkTXKMaqD4leJiArJBFkK527nhoZ3eGiLU8MZXFlkq9k7:6TmE+L5AkTixchBOKinCZ3eGMU8MZTRe
Threatray 570 similar samples on MalwareBazaar
TLSH T1A713AF02F6F54CF3D7A29E702620F6F567FE863121389541EB1359CA1EA0963D53E20B
TrID 38.0% (.EXE) Win64 Executable (generic) (10523/12/4)
23.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
16.3% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.EXE) OS/2 Executable (generic) (2029/13)
7.2% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter 0x746f6d6669
Tags:dll Gozi

Intelligence

File Origin
# of uploads :
1
# of downloads :
241
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/317246/
Detection(s):
SecuriteInfo.com.DeepScan.Generic.Ursnif.1.320AC961.2777.20835.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed shell32.dll
Link:
https://www.filescan.io/uploads/633eabd5d5955f6f49d5fbd4/reports/7ece4f7d-1689-4dd1-ba87-83f9fa4a77be/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/deabd433-0a43-424d-847a-d641f6044d4b
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1084818
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 717376 Sample: 9b0000.dll Startdate: 06/10/2022 Architecture: WINDOWS Score: 60 15 Antivirus / Scanner detection for submitted sample 2->15 17 Yara detected  Ursnif 2->17 19 Machine Learning detection for sample 2->19 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 conhost.exe 7->11         started        process5 13 rundll32.exe 9->13         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7fb112c3da88d1cec6b56d4503337efc9a55210736c25f6e5a59811ad5846f9b/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2022-10-06 10:21:06 UTC
File Type:
PE (Dll)
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p6yrfq62rdi45rvvnvcqgm367snfkiihg3bf63s2lgarvvmen6nq._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
49c54e18e22e5c82d591ff5345a4c660f2c80e14fcbe4c3a7d1df43654e40e86
Gozi
61b6f378708dad610ed8d4665cbe460d91ffc2615adc28817c2c3f01352b00be
Gozi
64a6b3f1924ebcd8d162482001721ee6459e23811055b6d9d79c8db2d7af327f
Gozi
72504c07e6105b70500519f3bcf718d3113624560c5594e87c08a4efc2e2a1a8
Gozi
893ba03135a5e8e53d4413ae269f85cab2dd56b451bd99cc233064df402d3f84
Gozi
8a7f259ecd7479314c5bd6e449a7b77f76173d4e636075f99a0b8eb765d3573a
Gozi
c0e28d4e88c59688657c839c344e6c1289002ef0ba461ebbf3cd4b75949312e9
Gozi
+ 560 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:3000
Link:
https://tria.ge/reports/221006-mc32lahaf2/
Behaviour
Suspicious use of WriteProcessMemory
Malware Config
C2 Extraction:
config.edge.skype.com
89.41.26.99
89.45.4.102
interstarts.top
superlist.top
internetcoca.in
Unpacked files
SH256 hash:
7fb112c3da88d1cec6b56d4503337efc9a55210736c25f6e5a59811ad5846f9b
MD5 hash:
20ebc4efde4da88e146c8e4246f42a5d
SHA1 hash:
9dc0793afe5d962bd73be2954dbbe000386f96c6
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/ef9ae2b7-7e6e-4761-8cf3-eeb583ea0ce7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
ursnif3
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7fb112c3da88d1cec6b56d4503337efc9a55210736c25f6e5a59811ad5846f9b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/317246/

Comments