MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89c0ff2a9bcbc1e2f6054bfbc9f9325e3b02ee2547ed71fc5803d1889f0f642b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 89c0ff2a9bcbc1e2f6054bfbc9f9325e3b02ee2547ed71fc5803d1889f0f642b
SHA3-384 hash: 6d71dcc20b90e9d69bd2a160996bc515bb91443df9f06c50138022aa3ea837b9e5bf7d8e7908708b9da6989e04d690cf
SHA1 hash: 134b6e9b6fce06dc85b0123c6441c365ad7a93f0
MD5 hash: cec2f415c965ccca17864db799728b23
humanhash: violet-carbon-stream-texas
File name:xspcd9.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:476'672 bytes
First seen:2020-12-03 08:46:20 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash e4c110f7d46db84405aee6d183393378 (4 x Gozi)
ssdeep 12288:O889c25L/1y99ykpSm9Zu0KX1nfv9miQqXehwOq1:O88c2N/1c9im2X1tUqS/q1
TLSH 57A4F1257BA1D530C403D8754809DB61EB7D3D607F25608B7CEEAEBB2F706A16A3D10A
Reporter JAMESWT_WT
Tags:dll Gozi pw 5236721 Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
323
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ursnif3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/106552/
Detection(s):
SecuriteInfo.com.BScope.TrojanSpy.Zbot.14821.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Creating a window
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/554441
Signature
Creates a COM Internet Explorer object
Multi AV Scanner detection for submitted file
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 326319 Sample: xspcd9.dll Startdate: 03/12/2020 Architecture: WINDOWS Score: 68 20 prda.aadg.msidentity.com 2->20 22 cdn.onenote.net 2->22 24 Multi AV Scanner detection for submitted file 2->24 26 Yara detected  Ursnif 2->26 7 loaddll32.exe 1 2->7         started        10 iexplore.exe 2 83 2->10         started        signatures3 process4 signatures5 28 Writes or reads registry keys via WMI 7->28 30 Writes registry values via WMI 7->30 32 Creates a COM Internet Explorer object 7->32 12 rundll32.exe 7->12         started        14 rundll32.exe 7->14         started        16 rundll32.exe 7->16         started        18 iexplore.exe 36 10->18         started        process6
Detection:
isfb
Create hunting rule
Link:
https://mwdb.cert.pl/sample/89c0ff2a9bcbc1e2f6054bfbc9f9325e3b02ee2547ed71fc5803d1889f0f642b/
Threat name:
Win32.Trojan.Gozi
Create hunting rule
Status:
Malicious
First seen:
2020-12-03 08:45:27 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Verdict:
unknown
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb banker trojan
Link:
https://tria.ge/reports/201203-mjgyndf3n2/
Behaviour
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Gozi, Gozi IFSB
Unpacked files
SH256 hash:
bffcfbd88b3cd1ed38183a7e0aec63e1494a9bc6e421661aa3b5cfb786342d9d
MD5 hash:
56b9aaa2658efc88a620ebe2d7108762
SHA1 hash:
55ac5314dbc33dd0711c3a28198ba634a157d93d
Link:
https://www.unpac.me/results/80227475-bef3-4dd4-822d-32ccaa8f86a5/
SH256 hash:
565b18e17db98d9820dfd504ad5239806734c7e434fe605e5caaf2b4619036fd
MD5 hash:
32552af170552def743ad513a911babf
SHA1 hash:
18d330e627cc64dccec350d61581c6ddf3c07c6f
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/80227475-bef3-4dd4-822d-32ccaa8f86a5/
Parent samples :
89c0ff2a9bcbc1e2f6054bfbc9f9325e3b02ee2547ed71fc5803d1889f0f642b
af01b8ece8f568f76bee77c812b47a4c46c7a969a76c3b69b3ffdc86d58654f7
c317c52e7b95e14ae974df6fe99df3e5c976b2186897f19fbef68add5dcc28ea
7721248f6c524da20b6f51b54e486e5d58766b29dfc5664a3e7a692dd2eb6655
2cc1c3bd97262adacd9db09f5f42c0e7203a64f5dc9701bef0affaa75c444bd1
SH256 hash:
89c0ff2a9bcbc1e2f6054bfbc9f9325e3b02ee2547ed71fc5803d1889f0f642b
MD5 hash:
cec2f415c965ccca17864db799728b23
SHA1 hash:
134b6e9b6fce06dc85b0123c6441c365ad7a93f0
Link:
https://www.unpac.me/results/80227475-bef3-4dd4-822d-32ccaa8f86a5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Zbot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/89c0ff2a9bcbc1e2f6054bfbc9f9325e3b02ee2547ed71fc5803d1889f0f642b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/106552/

Comments