MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8291f9579288153e0a1812c6c528563634c5c41b0916c606f7d8b4544ccc381a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8291f9579288153e0a1812c6c528563634c5c41b0916c606f7d8b4544ccc381a
SHA3-384 hash: bbcb5b3bc9cbf4f2757f2444a9a9187170dbe23c28b551a05f6a5c41b9b4239817264e7c2b8d06fbd3842e40dbbc679f
SHA1 hash: 73c470ad9203150629b13d7f077000aa4f335f26
MD5 hash: 9627a223cebc074cefb834370cba058a
humanhash: mirror-football-washington-july
File name:ginumtue.fpi
Download: download sample
Signature Gozi
Create hunting rule
File size:225'280 bytes
First seen:2023-04-25 12:53:50 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 373b799879b5962a9ab876f5f95697cb (1 x Gozi)
ssdeep 1536:iYrO9JaI9HwxtB3wjCaNhQ8yl6sUdM8FOIUa:2HJ9HQv3wFNh6U6pIUa
Threatray 244 similar samples on MalwareBazaar
TLSH T1A924AE945C3B4892D8A6193998EE62F32E1D68D453E040CB997C5ADDAC33ECA0CF153E
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter k3dg3___
Tags:777777 dll Gozi TA551 Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
303
Origin country :
US US
Vendor Threat Intelligence
Detection:
UrsnifV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/384798/
Detection(s):
SecuriteInfo.com.Win32.BotX-gen.19637.11330.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
DNS request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed setupapi.dll
Link:
https://www.filescan.io/uploads/6447cd6a5ff821708a44a64e/reports/bbb9fa7e-3841-4f5e-8765-7e53e25ab71a/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/8291f9579288153e0a1812c6c528563634c5c41b0916c606f7d8b4544ccc381a
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8cad4b94-2bde-4caa-8ec1-caf32f4ae917
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1220703
Signature
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to steal Mail credentials (via file / registry access)
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 853657 Sample: ginumtue.fpi.dll Startdate: 25/04/2023 Architecture: WINDOWS Score: 100 64 trackingg-protectioon.cdn4.mozilla.net 2->64 72 Snort IDS alert for network traffic 2->72 74 Found malware configuration 2->74 76 Malicious sample detected (through community Yara rule) 2->76 78 4 other signatures 2->78 12 loaddll32.exe 1 2->12         started        14 mshta.exe 19 2->14         started        signatures3 process4 process5 16 cmd.exe 1 12->16         started        18 conhost.exe 12->18         started        20 powershell.exe 30 14->20         started        file6 24 rundll32.exe 1 6 16->24         started        58 C:\Users\user\AppData\...\ug1dfemy.cmdline, Unicode 20->58 dropped 84 Injects code into the Windows Explorer (explorer.exe) 20->84 86 Writes to foreign memory regions 20->86 88 Modifies the context of a thread in another process (thread injection) 20->88 90 2 other signatures 20->90 28 csc.exe 3 20->28         started        31 csc.exe 3 20->31         started        33 conhost.exe 20->33         started        signatures7 process8 dnsIp9 66 176.10.111.233, 49701, 80 AS-SOFTPLUSCH Switzerland 24->66 68 trackingg-protectioon.cdn4.mozilla.net 24->68 92 System process connects to network (likely due to code injection or exploit) 24->92 94 Writes to foreign memory regions 24->94 96 Modifies the context of a thread in another process (thread injection) 24->96 98 2 other signatures 24->98 35 control.exe 1 24->35         started        60 C:\Users\user\AppData\Local\...\ug1dfemy.dll, PE32 28->60 dropped 38 cvtres.exe 1 28->38         started        62 C:\Users\user\AppData\Local\...\3yw5m1rm.dll, PE32 31->62 dropped 40 cvtres.exe 1 31->40         started        file10 signatures11 process12 signatures13 80 Modifies the context of a thread in another process (thread injection) 35->80 82 Creates a thread in another existing process (thread injection) 35->82 42 explorer.exe 5 18 35->42 injected 46 rundll32.exe 35->46         started        process14 dnsIp15 70 trackingg-protectioon.cdn4.mozilla.net 42->70 100 System process connects to network (likely due to code injection or exploit) 42->100 102 Tries to steal Mail credentials (via file / registry access) 42->102 104 Changes memory attributes in foreign processes to executable or writable 42->104 106 6 other signatures 42->106 48 cmd.exe 42->48         started        50 RuntimeBroker.exe 42->50 injected 52 RuntimeBroker.exe 42->52 injected 54 2 other processes 42->54 signatures16 process17 process18 56 conhost.exe 48->56         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8291f9579288153e0a1812c6c528563634c5c41b0916c606f7d8b4544ccc381a/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2023-04-25 12:54:06 UTC
File Type:
PE (Dll)
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qki7sv4srakt4cqycldmkkcwgy2mlra3belmmbxx3c2fitgmhana._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
54e1a7dc75b550786afcb0601020a2c50739347541cc8cb969acf76b90222458
Gozi
65f687a5c0e757cd8e296f8b0453b27726e5017502e93dcb8379d59fe9c056a3
Gozi
7ad0db9da1c28e6d12826b846ee3c82bda649e00d717cb2c4aefeaed56ea48ce
Gozi
a240d325f163f4dd9e3ea176d85a1f0864b31efe774402f3cd03c27ea15a4ae1
Gozi
b43477f47c385bafdba8ad86f3dc7f01b2ee6076bcc1eb53d3d5219e2952cc9d
Gozi
b56043cc20c91f39773e23f2e34612cf4453df9c650b8014b756dffa850b009e
Gozi
cb3b67a980ba921625ecdf082d518c73a9f80ce1b2d4f428b6e950b20a9688bb
Gozi
e609894b274a6c42e971e8082af8fd167ade4aef5d1a3816d5acea04839f0b35
Gozi
+ 234 additional samples on MalwareBazaar
Result
Malware family:
gozi
Create hunting rule
Score:
  10/10
Tags:
family:gozi botnet:777777 banker isfb trojan
Link:
https://tria.ge/reports/230425-p47j7sad79/
Behaviour
Suspicious use of WriteProcessMemory
Gozi
Malware Config
C2 Extraction:
trackingg-protectioon.cdn4.mozilla.net
176.10.111.233
91.241.93.192
45.155.249.200
45.155.250.216
Unpacked files
SH256 hash:
47060c67ea1cfe8e36c5ad51f79bfe9b1f31b06a0e89e6d0ad6688e109f3c50c
MD5 hash:
b3aa00c4fb7237416b01df2843caa990
SHA1 hash:
01fe42eb59054216dacde07b8ec0d830650b3936
Detections:
ISFB_Main
Create hunting rule
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/ac5fdd7e-0ca8-4ac4-988e-e89b85d6c510/
SH256 hash:
8046f9f1127f1ec4e7619e59a3e9c3e8f48f7c069f7eab1c56621138d9153ce9
MD5 hash:
0a1cae87e6a5a93b7dee6538df22bbfa
SHA1 hash:
44a52f4a3436b5fb94037e64f907763c59a9d513
Link:
https://www.unpac.me/results/ac5fdd7e-0ca8-4ac4-988e-e89b85d6c510/
SH256 hash:
8291f9579288153e0a1812c6c528563634c5c41b0916c606f7d8b4544ccc381a
MD5 hash:
9627a223cebc074cefb834370cba058a
SHA1 hash:
73c470ad9203150629b13d7f077000aa4f335f26
Link:
https://www.unpac.me/results/ac5fdd7e-0ca8-4ac4-988e-e89b85d6c510/
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8291f9579288/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.05
Link:
https://yomi.yoroi.company/submissions/8291f9579288153e0a1812c6c528563634c5c41b0916c606f7d8b4544ccc381a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Gozi

DLL dll 8291f9579288153e0a1812c6c528563634c5c41b0916c606f7d8b4544ccc381a

(this sample)

  
Link
https://tria.ge/230425-pn3w3sac97/behavioral2
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/384798/

Comments