MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 83d9e62cebb8f222083e6d6670b0ca5e82459c8d7815b0c415c9d1964bd56583. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gozi


Vendor detections: 10



SHA256 hash: 83d9e62cebb8f222083e6d6670b0ca5e82459c8d7815b0c415c9d1964bd56583
SHA3-384 hash: 9c4c6b4a004b12d1273e7d94d14dcc5667b158e108293a392d08bb9acfb08c8c18ec6c2e46a5c0de6be11321ba415a1a
SHA1 hash: 864445248c2967a09550bd455210159c669766e0
MD5 hash: a952840b01f89473d33440df6aee1fc9
humanhash: beer-jersey-south-twenty
File name: a9.dll
Signature: Gozi
File size: 898'048 bytes
First seen: 2021-05-04 12:32:48 UTC
Last seen: 2021-05-04 13:48:59 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: 144296335e11e836679bbc0168a3f68e (5 x Gozi)
ssdeep: 12288:PvidtsWhSvt4ZWeWQFlBegSwCHO+ExeaIsrscw05c7BBC8emGjRPmW/7/zVjbZw2:PvidKWhy7erlBegS7esa5cDKjeA42
Threatray: 229 similar samples on MalwareBazaar
TLSH: A415CF2238C1C232D9636438097AD1A08BBCB4241D2697BF73DC7B7E1F7659252359EB
Reporter: 0x746f6d6669
Tags: Gozi

Intelligence


File Origin
# of uploads: 2
# of downloads: 153
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour:
Running batch commands
Sending a UDP request
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 48 / 100
Signature: Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph (ID: 403935, Sample: a9.dll, Startdate: 04/05/2021, Architecture: WINDOWS, Score: 48)
Signature: Multi AV Scanner detection for submitted file
Process tree recovered from the graph:
loaddll32.exe
    cmd.exe
        rundll32.exe
            192.168.2.1 (unknown unknown)
            2 other processes
                conhost.exe
                conhost.exe
    rundll32.exe
        cmd.exe
            conhost.exe
        cmd.exe
            conhost.exe
    rundll32.exe
        cmd.exe
            conhost.exe
        cmd.exe
            conhost.exe
    5 other processes
        cmd.exe
            conhost.exe
        cmd.exe
            conhost.exe
        cmd.exe
            conhost.exe
        3 other processes
            3 other processes
Result
Threat name: Win32.Trojan.Ursnif
Status: Malicious
First seen: 2021-05-04 11:48:00 UTC
AV detection: 22 of 29 (75.86%)
Threat level: 5/5
Result
Malware family: gozi_ifsb
Score: 10/10
Tags: family:gozi_ifsb botnet:4460 banker trojan
Behaviour: Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
1.microsoft.com
horulenuke.us
vorulenuke.us
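The hashes and extracted C2 hosts above are the IOCs a responder would actually pivot on. The following is an added example, not code from MalwareBazaar or from this entry: it loads the entry's SHA256 values and C2 hosts, recomputes the digest set the entry lists for an arbitrary file, and runs an exact-hostname match over a handful of constructed DNS log lines (the key=value log format is an assumption for illustration, not any collector's real output). Matching is on the full hostname, so 1.microsoft.com is flagged while www.microsoft.com is not; matching on the parent domain would flag legitimate Microsoft traffic.

```python
import hashlib
import re
from typing import List, Optional, Tuple

# IOCs taken from this MalwareBazaar entry: the submitted a9.dll and its unpacked payload
KNOWN_SHA256 = {
    "83d9e62cebb8f222083e6d6670b0ca5e82459c8d7815b0c415c9d1964bd56583": "a9.dll (submitted sample)",
    "a393eb88b3b37dd7dc4b90c216fe2baa2dc405846d110a5c0cddccfe33d3873c": "unpacked payload (win_isfb_auto)",
}

# C2 hosts from the entry's extracted malware config, matched as exact hostnames
C2_HOSTS = {"1.microsoft.com", "horulenuke.us", "vorulenuke.us"}

# Constructed DNS log lines for the demo (hypothetical key=value format, not a real collector's output)
SAMPLE_DNS_LOG = [
    "2021-05-04T12:40:01Z host=ws17 query=www.microsoft.com type=A",
    "2021-05-04T12:40:03Z host=ws17 query=HORULENUKE.US. type=A",
    "2021-05-04T12:40:03Z host=ws17 query=updates.example.org type=A",
    "2021-05-04T12:40:05Z host=ws17 query=1.microsoft.com type=A",
    "2021-05-04T12:40:06Z host=ws17 malformed line without a lookup field",
    "2021-05-04T12:40:07Z host=ws17 query=vorulenuke.us type=A",
]

_QUERY_RE = re.compile(r"\bquery=(?P<host>\S+)")


def file_digests(data: bytes) -> dict:
    """Compute the digest set this entry lists for a file: MD5, SHA1, SHA256, SHA3-384."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def lookup_sha256(data: bytes) -> Optional[str]:
    """Return the entry's label for a file whose SHA256 is in KNOWN_SHA256, else None."""
    return KNOWN_SHA256.get(hashlib.sha256(data).hexdigest())


def normalize_host(host: str) -> str:
    """Lower-case and drop a trailing dot so 'HORULENUKE.US.' matches 'horulenuke.us'."""
    return host.strip().lower().rstrip(".")


def scan_dns_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, host) for every query that exactly matches a listed C2 host."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = _QUERY_RE.search(line)
        if m is None:
            continue  # no query field on this line; skip it rather than fail the scan
        host = normalize_host(m.group("host"))
        if host in C2_HOSTS:
            hits.append((lineno, host))
    return hits


if __name__ == "__main__":
    for lineno, host in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"line {lineno}: DNS lookup of listed C2 host {host}")
    # Constructed bytes, so no match against the entry's hashes is expected here
    print(lookup_sha256(b"constructed bytes, not the sample"))
```

Against real telemetry, replace SAMPLE_DNS_LOG with the collector's query field and feed lookup_sha256 the bytes of any DLL you want to compare with the entry; a hit on the unpacked payload's hash indicates the in-memory or dumped stage rather than the packed a9.dll.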
Unpacked files
SHA256 hash: a393eb88b3b37dd7dc4b90c216fe2baa2dc405846d110a5c0cddccfe33d3873c
MD5 hash: 482cdb50c03af3a1490a56a6d3bc6bb9
SHA1 hash: 28bbf9a06cfe018d6e525d05a6d30bf80b3553b0
Detections: win_isfb_auto
SHA256 hash: 83d9e62cebb8f222083e6d6670b0ca5e82459c8d7815b0c415c9d1964bd56583
MD5 hash: a952840b01f89473d33440df6aee1fc9
SHA1 hash: 864445248c2967a09550bd455210159c669766e0
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments



accidentalrebel commented on 2021-05-04 13:03:39 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0012.001] Anti-Static Analysis::Argument Obfuscation
1) [C0026.002] Data Micro-objective::XOR::Encode Data
3) [C0051] File System Micro-objective::Read File
4) [C0052] File System Micro-objective::Writes File
5) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
6) [C0040] Process Micro-objective::Allocate Thread Local Storage
7) [C0017] Process Micro-objective::Create Process
8) [C0038] Process Micro-objective::Create Thread
9) [C0041] Process Micro-objective::Set Thread Local Storage Value
10) [C0018] Process Micro-objective::Terminate Process