MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85ef758468c89cd737e77ffafedf036944c74160c4e2200def30c4d9e1fb5108. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 12

SHA256 hash: 85ef758468c89cd737e77ffafedf036944c74160c4e2200def30c4d9e1fb5108
SHA3-384 hash: 056070ef7045b860fa56518035b67152df18891ea3a5c77af523848649922da3dede0a358e3bcb07570164d866907e84
SHA1 hash: 691d7d5badae9c2b494238605f7e816af875eabd
MD5 hash: fb5f2b972a05e32914371539fda3a583
humanhash: kentucky-california-oven-maine
File name: hhW7VpTx.bin
Signature: Gozi
File size: 335'872 bytes
First seen: 2022-04-05 09:56:10 UTC
Last seen: Never
File type: DLL
MIME type: application/x-dosexec
imphash: 5d905e148e3ad3a669a13a8ff8f479a1 (1 x Gozi)
ssdeep: 6144:rd0H0zG/VWnUyDqGAk2GJkR8YoAzoEGt6Hvsb5M8Y8P:S0q/VWnO8nA4+aP
Threatray: 481 similar samples on MalwareBazaar
TLSH: T1EC6423785CB17D52EB7339F5CE60AB26103D8A4C4A97548F1C9064FF0B5B8A60C36FA6
Reporter: JAMESWT_WT
Tags: agenziaentrate dll Gozi isfb Ursnif

Intelligence


File Origin
# of uploads: 1
# of downloads: 784
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Launching a process
Searching for synchronization primitives
Creating synchronization primitives
Creating a window
DNS request
Sending an HTTP GET request
Searching for the window
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed setupapi.dll
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Sigma detected: Suspicious Call by Ordinal
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph: (graph image not reproduced; the details recoverable from it are listed below)
Behavior Graph ID: 603226; Sample: hhW7VpTx.bin; Startdate: 05/04/2022; Architecture: WINDOWS; Score: 100
Process chain: loaddll32.exe -> cmd.exe -> rundll32.exe; several iexplore.exe processes with iexplore.exe child processes
Network contacts: linkspremium.ru; premiumlists.ru; portaline.top (62.173.149.135, SPACENET-ASInternetServiceProviderRU Russian Federation); 31.41.46.120 (ASRELINKRU Russian Federation)
Signatures shown in graph: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; Found evasive API chain (may stop execution after checking system information); Found API chain indicative of debugger detection; Writes or reads registry keys via WMI; Writes registry values via WMI; System process connects to network (likely due to code injection or exploit); 3 other signatures
Threat name: Win32.Trojan.Zenpak
Status: Malicious
First seen: 2022-04-05 09:57:07 UTC
File Type: PE (Dll)
AV detection: 16 of 26 (61.54%)
Threat level: 5/5
Result
Malware family: gozi_ifsb
Score: 10/10
Tags: family:gozi_ifsb botnet:7628 banker trojan
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
portaline.top
linkspremium.ru
premiumlists.ru
Unpacked files
SHA256 hash: 5f4d748472c2a23c9ce84fc5416c90009a0d8a790fc8830f92c39af544aefe4f
MD5 hash: 557a9393e9bd88f2864c1bb07c10939c
SHA1 hash: f8782cfb5de1501001fcaca4a1860f324b44ee69
Detections: win_isfb_auto

SHA256 hash: 8567154d3f687fdfcdf5a04c597e497c64037dd263d27422d82f3791e8dbde3e
MD5 hash: ba6f669a27e30c7466ee5dff954a2e4f
SHA1 hash: 0e2fb40bf5d66d47bdaa73a9a1e8bc874e79c6fb
Detections: win_isfb_auto

SHA256 hash: 85ef758468c89cd737e77ffafedf036944c74160c4e2200def30c4d9e1fb5108
MD5 hash: fb5f2b972a05e32914371539fda3a583
SHA1 hash: 691d7d5badae9c2b494238605f7e816af875eabd

Malware family: Ursnif.Dreambot.D
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: win_isfb_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.isfb.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments