MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8730706139c6431886ce5d5fe83079f063fa81f85c2827f7b34b4ecb30886871. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gozi

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	8730706139c6431886ce5d5fe83079f063fa81f85c2827f7b34b4ecb30886871
SHA3-384 hash:	2338db7f9e530ff93b051abfc00785375e7ca81defa907e7c126b7a1d808e4a2dbe69824734540b5dcb3e18c2c3b5e20
SHA1 hash:	4750d0d8938f871dd3d53ffa7f5d87643f653251
MD5 hash:	45609988c384183e113e6f827a859c8e
humanhash:	alanine-bulldog-fillet-tennis
File name:	45609988c384183e113e6f827a859c8e
Download:	download sample
Signature	Gozi Create hunting rule
File size:	364'544 bytes
First seen:	2022-07-20 10:03:47 UTC
Last seen:	2022-07-20 10:50:06 UTC
File type:	dll
MIME type:	application/x-dosexec
imphash	8b7c827e4e0899de3f6a2cc10e746acf (1 x Gozi)
ssdeep	6144:TLBXoCEewTYRHCf6zPSLErvJkcnDVqlWov0kOdL1trJ+Vw3mOO:TLt3RHCfYSLEDIWov0TdLrrz3m
Threatray	2'804 similar samples on MalwareBazaar
TLSH	T19174E0511A3318B3C9AFE53FE1D433A318D122DB5D9B5D679B3DE9A0A40F8BB25C2105
TrID	59.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 18.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.3% (.EXE) OS/2 Executable (generic) (2029/13) 7.2% (.EXE) Generic Win/DOS Executable (2002/3) 7.2% (.EXE) DOS Executable Generic (2000/1)
Reporter	pr0xylife
Tags:	agenziaentrate agenziariscossione dll Gozi ITA Ursnif

Intelligence

File Origin

# of uploads :

# of downloads :

673

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/292879/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.13358.27654.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

DNS request

Sending an HTTP GET request

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Creating a window

Searching for the window

Running batch commands

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62d7d3658fbcdde3605fbf18/reports/e8b943e4-3f4e-470d-93c4-a9eb265f6b6e/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Ursnif

Detection:

malicious

Classification:

bank.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1037353

Behaviour

Behavior Graph:

n/a

Detection:

isfb

Link:

https://mwdb.cert.pl/sample/8730706139c6431886ce5d5fe83079f063fa81f85c2827f7b34b4ecb30886871/

Threat name:

Win32.Trojan.Zenpak

Status:

Malicious

First seen:

2022-07-20 10:04:10 UTC

File Type:

PE (Dll)

AV detection:

19 of 25 (76.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=q4yhayjzyzbrrbwolvp6qmdz6br7vapylqucp55tjnhmwmeinbyq._file

Result

Malware family:

gozi_ifsb

Score:

10/10

Tags:

family:gozi_ifsb botnet:3000 banker trojan

Link:

https://tria.ge/reports/220720-l3xrtsebe9/

Behaviour

Suspicious use of WriteProcessMemory

Blocklisted process makes network request

Gozi, Gozi IFSB

Malware Config

C2 Extraction:

config.edge.skype.com
193.27.14.240
94.198.40.39
kimzooxl.at

Unpacked files

SH256 hash:

650e5ef59f5b775ec41895e429d842c22343e7aa92fa14a03c0554f043d043c5

MD5 hash:

a8e571786be0247ba582b94a5cdd9da1

SHA1 hash:

c6e150e950b7914e821942e847e4dc441656e14b

Detections:

win_isfb_auto

Link:

https://www.unpac.me/results/2bce4f8f-57e4-42a8-afac-dab989db7a51/

Parent samples :

ee53ac8909a116494439489590de99162e1e3ceb6bdf839b6e30bdc1686d2a11
8730706139c6431886ce5d5fe83079f063fa81f85c2827f7b34b4ecb30886871
4e199eda08279c7e758ee7a63e44a934866c4b66b99113de3ed095f696054793
da273d385123cc3a1b69a9127e6372305cebde9fcc3e2bc39145a1689b64d58b

SH256 hash:

9cfff914e2f3d07282d4a289665ec168910288b931dc31a884faf44294c6ab24

MD5 hash:

79fd26d1aaeac66bece65cabdd88825c

SHA1 hash:

b20f267d049e760d9b93268c12a62cfd57023264

Link:

https://www.unpac.me/results/2bce4f8f-57e4-42a8-afac-dab989db7a51/

SH256 hash:

8730706139c6431886ce5d5fe83079f063fa81f85c2827f7b34b4ecb30886871

MD5 hash:

45609988c384183e113e6f827a859c8e

SHA1 hash:

4750d0d8938f871dd3d53ffa7f5d87643f653251

Link:

https://www.unpac.me/results/2bce4f8f-57e4-42a8-afac-dab989db7a51/

Malware family:

Ursnif

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8730706139c6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/8730706139c6431886ce5d5fe83079f063fa81f85c2827f7b34b4ecb30886871

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	win_isfb_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/292879/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample