MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 852f3d58b0bce11b1ab5017d215b9d805f02ac8e932a39558c75f2166dd7d488. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 852f3d58b0bce11b1ab5017d215b9d805f02ac8e932a39558c75f2166dd7d488
SHA3-384 hash: 9dd882c53e3f0510f3fe2b3c2b57539d73095c43320d39cf5e23fbe0417bfdb0378a4b909990f9c8cff509d2f9d76c43
SHA1 hash: 26dafde0e91b71636b17510bc0534d6d6b353b77
MD5 hash: b752e675e6a8f5608e3edf722e80978f
humanhash: echo-purple-oxygen-xray
File name:9f0000.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:44'032 bytes
First seen:2022-02-15 15:26:59 UTC
Last seen:2022-02-15 17:52:41 UTC
File type:DLL dll
MIME type:application/x-dosexec
ssdeep 768:57DIq0MrJBk0+1XZtg2+JUqBbqDHqF1I7p4lNimySSO3Wos/QPj11KsySVBnl:S2J9+1Xb7+JNeDqF1I7+lNimD3WDQPBL
Threatray 438 similar samples on MalwareBazaar
TLSH T13F139F01B7F608F3C7A25EB07525FBB5A7E95A3022719044E727AADD2E70853E53D20B
Reporter 0x746f6d6669
Tags:dll Gozi

Intelligence

File Origin
# of uploads :
2
# of downloads :
207
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/241651/
Detection(s):
SecuriteInfo.com.Variant.Razy.411226.16790.26875.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed shell32.dll
Link:
https://www.filescan.io/uploads/620bc649ac8ad0468b42b766/reports/7659f2d2-a88c-4438-9aba-b964fd8b3182/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/15e78eb7-c49f-4e82-afd4-48b49543593f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/940194
Signature
Antivirus / Scanner detection for submitted sample
Sigma detected: Suspicious Call by Ordinal
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 572671 Sample: 9f0000.dll Startdate: 15/02/2022 Architecture: WINDOWS Score: 52 13 Antivirus / Scanner detection for submitted sample 2->13 15 Sigma detected: Suspicious Call by Ordinal 2->15 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        process5 11 rundll32.exe 9->11         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/852f3d58b0bce11b1ab5017d215b9d805f02ac8e932a39558c75f2166dd7d488/
Threat name:
Win32.Trojan.UrsnifAGen
Create hunting rule
Status:
Malicious
First seen:
2022-02-15 15:27:07 UTC
File Type:
PE (Dll)
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=quxt2wfqxtqrwgvvaf6scw45qbpqfleosmvdsvmmoxzbm3ox2sea._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
0570fd54d98349e62675cf1e53aa2197ed6c0df811350bfae9f64196b0a49278
Gozi
2603f6890e3c3d47696b37c47516ac2e9f35e6805653f467a0a22de2b88defc8
Gozi
28a4d1a4952661364f6f61d18f815dc9cdc9747e8ae014c4ba035145af26f04c
Gozi
4eae1c5ebdb7b2021913b37477077bde0177579b6f8d43a49bd8a202b45657f4
Gozi
aef8910dddfc1c5c009db13160c82aae5af66692effb41469c6490e774a420e3
Gozi
b82a1d06e5650808ae0b9ef1a77cc6047ca0601b13a9afa8cded17a93e27cda9
Gozi
e5ddae0f09c15a7eaebe71a0ccfcb83ccdd629760b612fffaab46d9a4260e662
Gozi
eb44943385bba67eff81794d2f5667817a6761f13775149c615a543c0e78186c
Gozi
+ 428 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:4000
Link:
https://tria.ge/reports/220215-svrdeagdf6/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Malware Config
C2 Extraction:
config.edge.skype.com
192.236.147.253
Unpacked files
SH256 hash:
852f3d58b0bce11b1ab5017d215b9d805f02ac8e932a39558c75f2166dd7d488
MD5 hash:
b752e675e6a8f5608e3edf722e80978f
SHA1 hash:
26dafde0e91b71636b17510bc0534d6d6b353b77
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/7e6c2afc-4b05-48b9-b225-83091b73ed4d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/852f3d58b0bce11b1ab5017d215b9d805f02ac8e932a39558c75f2166dd7d488

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/241651/

Comments