MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 821f1b68c207b41e21b519610931ce46719307d99e3e8aeb397ac720d870b476. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 821f1b68c207b41e21b519610931ce46719307d99e3e8aeb397ac720d870b476
SHA3-384 hash: 51f1e3c7d72c0705f495eb7995ef096f2bad34a03f8fe2f7a9e788bb708ec760341ef2ccba7242d4d4d10a5eab48cfcb
SHA1 hash: 5b1dbdbab64ebcb665e91d442a847cc3a9552a38
MD5 hash: c4c0b19091c6edd5fd46867caf99026d
humanhash: maine-helium-yellow-solar
File name:821f1b68c207b41e21b519610931ce46719307d99e3e8aeb397ac720d870b476
Download: download sample
Signature Gozi
Create hunting rule
File size:61'440 bytes
First seen:2021-05-11 09:40:24 UTC
Last seen:2021-05-11 10:51:48 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 6e9163c62b29a1ccabed40ce8621a95a (7 x Gozi)
ssdeep 768:JmKbkq07vrxPpdGvmlwblv4NZx+ab03qTwlVaj1eYqFN35zLRUfAf:JmKbn0vJpdUmwb+NfwrIcYqFJ5zLRUo
Threatray 337 similar samples on MalwareBazaar
TLSH 4C53E1927810D8A6D70F9177372D32DA92FF4380016B49F613213EA97BDD88AE4FE455
Reporter JAMESWT_WT
Tags:brt dll Gozi isfb unpacked Ursnif

Intelligence

File Origin
# of uploads :
2
# of downloads :
283
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ursnif3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/154994/
Detection(s):
SecuriteInfo.com.Variant.Razy.862012.30341.16251.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/778462
Signature
Antivirus / Scanner detection for submitted sample
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 410858 Sample: FuiZSHt8Hx Startdate: 11/05/2021 Architecture: WINDOWS Score: 84 33 worunekulo.club 2->33 35 horunekulo.website 2->35 37 26 other IPs or domains 2->37 59 Found malware configuration 2->59 61 Antivirus / Scanner detection for submitted sample 2->61 63 Multi AV Scanner detection for submitted file 2->63 65 2 other signatures 2->65 8 loaddll32.exe 1 2->8         started        signatures3 process4 signatures5 67 Writes or reads registry keys via WMI 8->67 69 Writes registry values via WMI 8->69 11 iexplore.exe 3 119 8->11         started        14 regsvr32.exe 8->14         started        17 cmd.exe 1 8->17         started        19 rundll32.exe 8->19         started        process6 dnsIp7 53 vip0x08e.ssl.rncdn5.com 11->53 55 vip0x04f.ssl.rncdn5.com 11->55 57 6 other IPs or domains 11->57 21 iexplore.exe 11->21         started        24 iexplore.exe 11->24         started        26 iexplore.exe 11->26         started        31 9 other processes 11->31 73 Writes or reads registry keys via WMI 14->73 75 Writes registry values via WMI 14->75 28 rundll32.exe 17->28         started        signatures8 process9 dnsIp10 39 worunekulo.club 193.239.84.195, 49788, 49789, 49822 MERITAPL Romania 21->39 41 ht-cdn2.adtng.com.sds.rncdn7.com 64.210.135.70, 443, 49816, 49817 SWIFTWILL2US United States 21->41 45 17 other IPs or domains 21->45 43 a.adtng.com 216.18.168.166, 443, 49834, 49835 REFLECTEDUS United States 24->43 47 5 other IPs or domains 24->47 49 5 other IPs or domains 26->49 71 Writes registry values via WMI 28->71 51 37 other IPs or domains 31->51 signatures11
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/821f1b68c207b41e21b519610931ce46719307d99e3e8aeb397ac720d870b476/
Threat name:
Win32.Trojan.Razy
Create hunting rule
Status:
Malicious
First seen:
2021-05-11 09:39:38 UTC
File Type:
PE (Dll)
AV detection:
20 of 47 (42.55%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qiprw2gca62b4invdfqqsmooizyzgb6zty7iv2zzpldsbwdqwr3a._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
35bef39478577d735b1c8104f5800e95d73487284c89b281283e4c117688bd92
Gozi
3b56b7298c366a323d28658a455abf0d4e78fa197a43ce13bedab05f26901d34
Gozi
43b3014c1627c40c31c724e1a7b1dee4ef51428e2f68adad93c0df95f454275d
Gozi
46b5308d058e2dcd8e0868345d77a81abea0db8e0aa32a6b55e264fe18b7f577
Gozi
5d002f8a395fcc9a680a9ef4f78a8674cc0757850b02bf12a8ef4df79e2e4bd3
Gozi
5f65108386662cc4780882e06928dd940ea6c75235bf8e4c09079e6e40045326
Gozi
83d9e62cebb8f222083e6d6670b0ca5e82459c8d7815b0c415c9d1964bd56583
Gozi
9164fdcb36a96b934a66b23da4101dc5a24ccc8807aeb12760132fe4e64c5a9a
Gozi
bd43f7bc23a76b086a81b8e6fcd4355cac648d3f7d9a941d9aa259def534d5b1
Gozi
eb498648d17ad5250ab1f38b190dd2da8bfa8db3ee86054db991db79d15ad5cc
Gozi
+ 327 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:8877
Link:
https://tria.ge/reports/210511-1m9s1dr4v6/
Behaviour
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Malware Config
C2 Extraction:
outlook.com/login
gmail.com
worunekulo.club
horunekulo.website
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.21
Link:
https://yomi.yoroi.company/submissions/821f1b68c207b41e21b519610931ce46719307d99e3e8aeb397ac720d870b476

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ursnif3
Create hunting rule
Author:kevoreilly
Description:Ursnif Payload
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/aaqeel87/status/1392049784266055682?s=20
Cape
Cape
https://www.capesandbox.com/analysis/154994/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-11 10:00:07 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
1) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
2) [C0038] Process Micro-objective::Create Thread
3) [C0039] Process Micro-objective::Terminate Thread