MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 894668791d06262dd16740235faa3b1672e2cb5cf171954f29abaca421c09265. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Gozi
Vendor detections: 11



SHA256 hash: 894668791d06262dd16740235faa3b1672e2cb5cf171954f29abaca421c09265
SHA3-384 hash: 84e69ff4265482c35ccf8421f86f3d6b89cff804941c1678a95c4cf42df8e8862e40ce07d10e27c5af19ecf8cfde99c1
SHA1 hash: 0f661ba97e702021988fa372fde43bd3165f1cfe
MD5 hash: b565aa423ca4ba6e8c6b208c22e5b056
humanhash: solar-august-high-nineteen
File name: b565aa423ca4ba6e8c6b208c22e5b056.dll
Signature: Gozi
File size: 599'040 bytes
First seen: 2023-07-04 12:50:01 UTC
Last seen: Never
File type: DLL
MIME type: application/x-dosexec
imphash: fef75c12870ae749ff204e9c29112359 (2 x Gozi)
ssdeep: 6144:2Qs4GPx2zWaTL8pxi5mLgNKz+ODzKaDtdjokutIC54VQQkPBRm2mZOkjnEsWKsGs:Y4sQiMjNa+ODmsWDOWrK1idIGd
Threatray: 204 similar samples on MalwareBazaar
TLSH: T114D44B47EC419FB7D65D42BACA9E4E4AC2264602FF03BBABF11E8150754325223E738D
TrID:
  48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
  10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
  7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: JAMESWT_WT
Tags: brt, dll, Gozi, isfb, ITA, Ursnif

Intelligence

File Origin
# of uploads: 1
# of downloads: 324
Origin country: IT
Vendor Threat Intelligence

Result
Verdict: Clean

Result
Maliciousness:
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware

Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: bank.troj.spyw.expl.evad
Score: 100 / 100
Signatures:
Allocates memory in foreign processes
Antivirus detection for URL or domain
Benign windows process drops PE files
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects code into the Windows Explorer (explorer.exe)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to steal Mail credentials (via file / registry access)
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph (rendered graph not preserved; recoverable node and edge data follows):
Behavior Graph ID: 1266597
Sample: Cb4h46UGl3.dll
Start date: 04/07/2023
Architecture: WINDOWS
Score: 100
Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 5 other signatures
Process tree and per-node observations:
  Sample start -> mshta.exe (two instances), loaddll32.exe, 2 other processes
  mshta.exe -> powershell.exe (several instances)
    powershell.exe: drops C:\Users\user\AppData\...\z3fufrxj.cmdline (Unicode); Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Found suspicious powershell code related to unpacking or dynamic code loading; 3 other processes
    powershell.exe: Maps a DLL or memory area into another process; Creates a thread in another existing process (thread injection); 3 other processes
    powershell.exe: contacts 192.168.2.1 (unknown); 3 other processes
    powershell.exe instances -> cvtres.exe (two instances) and 2 other processes each; dropped files (all PE32) under C:\Users\user\AppData\Local\...\: z3fufrxj.dll, bs2w4jve.dll, zxhfxsxp.dll, oon4suab.dll, yprgqah3.dll, oqoh5ngw.dll, vdq41qhu.dll, 3reu5emh.dll
  loaddll32.exe: contacts itwicenice.com, avas1ta.com; Writes to foreign memory regions; Writes or reads registry keys via WMI; Writes registry values via WMI; -> cmd.exe, regsvr32.exe, rundll32.exe, 2 other processes (including a further rundll32.exe)
    cmd.exe -> rundll32.exe: contacts itwicenice.com, avas1ta.com; Writes to foreign memory regions; Allocates memory in foreign processes; Modifies the context of a thread in another process (thread injection); Writes registry values via WMI; -> control.exe
    regsvr32.exe: contacts itwicenice.com (91.212.166.44, ports 49699, 49700, 49701, MOBILY-ASEtihadEtisalatCompanyMobilySA, United Kingdom), avas1ta.com; Writes or reads registry keys via WMI; Writes registry values via WMI; -> control.exe -> rundll32.exe
    rundll32.exe: contacts avas1ta.com; -> control.exe -> rundll32.exe
    control.exe: Writes to foreign memory regions; Allocates memory in foreign processes; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process
  explorer.exe (injected): contacts itwicenice.com, avas1t.de; drops C:\Users\user\AppData\...\UtilDiagram.dll (PE32); System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Tries to steal Mail credentials (via file / registry access); 4 other signatures; 3 other processes
Result
Threat name: Win32.Trojan.Ursnif
Status: Malicious
First seen: 2023-07-04 12:49:31 UTC
File Type: PE (Dll)
AV detection: 17 of 24 (70.83%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:gozi botnet:5050 banker isfb persistence trojan
Behaviour:
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Malware Config (Gozi)
C2 Extraction:
https://avas1ta.com/in/login/
itwicenice.com
https://avas1t.de/in/loginq/

Unpacked files
SHA256 hash: 4a905d05461fdf0b0c2523a2dfd334279d80fdb79633e1539d7f16dcb5a5218d
MD5 hash: 2f45c21efbffc3b5e2ddc61c3f94a475
SHA1 hash: d6474c8d16df4764a4a8756b2cc566c46439f348

SHA256 hash: 894668791d06262dd16740235faa3b1672e2cb5cf171954f29abaca421c09265
MD5 hash: b565aa423ca4ba6e8c6b208c22e5b056
SHA1 hash: 0f661ba97e702021988fa372fde43bd3165f1cfe
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: bumblebee_win_generic
Author: _kphi

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Gozi
File type: DLL
SHA256: 894668791d06262dd16740235faa3b1672e2cb5cf171954f29abaca421c09265 (this sample)

Comments