MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 834c9cc222bf8cc79f13c782fec74f2f6c7bb332c0540ef04c9aeb3889b92a87. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 834c9cc222bf8cc79f13c782fec74f2f6c7bb332c0540ef04c9aeb3889b92a87
SHA3-384 hash: d3607db4e92ea4281d0de20736ecf8ab205077592bb365e8233cbd2c8ce0c02cb68de4e4072803893165e2212999fee9
SHA1 hash: dd16f41ca56c5d42dd33d3de68ad4ac7a574dfc7
MD5 hash: 16247868042585062a6a150efc44c574
humanhash: five-mockingbird-yankee-neptune
File name:4f30000.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:56'320 bytes
First seen:2021-09-24 10:20:38 UTC
Last seen:2021-09-24 10:58:31 UTC
File type:DLL dll
MIME type:application/x-dosexec
ssdeep 1536:pQc1pPB0pWW/z32qlalXoWFEwKZjMmmuS:pnpZqWW/z32qlalz9ojM
Threatray 384 similar samples on MalwareBazaar
TLSH T180437E9172E008E1D7925D7029D1B7E7BEFC47306179E081A7730ADA6A62563EE3D30B
Reporter 0x746f6d6669
Tags:dll Gozi

Intelligence

File Origin
# of uploads :
2
# of downloads :
433
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/191142/
Detection(s):
SecuriteInfo.com.Variant.Razy.545832.28095.9872.UNOFFICIAL
Create hunting rule

Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bd21edf2-7862-4d37-80b3-41c3fd11aec8
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/857286
Signature
Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 489717 Sample: 4f30000.dll Startdate: 24/09/2021 Architecture: WINDOWS Score: 72 13 Found malware configuration 2->13 15 Antivirus / Scanner detection for submitted sample 2->15 17 Multi AV Scanner detection for submitted file 2->17 19 Yara detected  Ursnif 2->19 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        process5 11 rundll32.exe 9->11         started       
Detection:
gozi
Create hunting rule
Link:
https://mwdb.cert.pl/sample/834c9cc222bf8cc79f13c782fec74f2f6c7bb332c0540ef04c9aeb3889b92a87/
Threat name:
Win32.Trojan.AgentAGen
Create hunting rule
Status:
Malicious
First seen:
2021-09-24 10:21:05 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qngjzqrcx6gmphyty6bp5r2pf5whxmzsybka54cmtlvtrcnzfkdq._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
5831ebc72dc810c036fa0c1dc85e17490ebfe2f7379b9573f99d47817b9eb42c
Gozi
62dbfe723197430a3af1ec9262fcd2a5c2bfc8e81b97c313101f0a5388d587fc
Gozi
a5540f6dd0f7761dd3f7e52f5e1d25332b99d95cccf63401d202406160948750
Gozi
c521dd937ce9b2e8bda2fa915bae5b5be0e150a8b82e3b2bfb1cdbc60a8326c4
Gozi
d7e64f8e65ce586ce2f0a857810b2a23f85140bf5e52e5a824f09787fb2bf45e
Gozi
e5cf7cd1382587ee1b71f4efbde4899b2b370db79a868e5fbabe8fdffaa711f0
Gozi
f2dfc3562e150ca045557559269c3c21531bb85292864109fd2ceca4fe0f1ea9
Gozi
fa97cd35d76337ff4a523ebdd7f879359a70432a14b7377f06df29c4679b3f70
Gozi
+ 374 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:1443
Link:
https://tria.ge/reports/210924-mdnnasgfb7/
Behaviour
Suspicious use of WriteProcessMemory
Malware Config
C2 Extraction:
securepubads.g.doubleclick.net
widget-mediator.zopim.com
allazemchenko.xyz
allazemchenkov.xyz
Unpacked files
SH256 hash:
834c9cc222bf8cc79f13c782fec74f2f6c7bb332c0540ef04c9aeb3889b92a87
MD5 hash:
16247868042585062a6a150efc44c574
SHA1 hash:
dd16f41ca56c5d42dd33d3de68ad4ac7a574dfc7
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/85443699-a468-49f3-8bf8-f58eb85c5e10/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/834c9cc222bf8cc79f13c782fec74f2f6c7bb332c0540ef04c9aeb3889b92a87

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/191142/

Comments