MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8baffba2ed672607e1535dcbfcc47a264e7b8941f63cf181814d7365e8627d05. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8baffba2ed672607e1535dcbfcc47a264e7b8941f63cf181814d7365e8627d05
SHA3-384 hash: 9c0b410dd081fae1aab18bf1323c1b9ccf7e76fd9cb3f013cd554581cb4470fc33403cd36ac0655d7e831fbf1ddbc3b1
SHA1 hash: 26c46504c293311f0403bf699f2ddc6cacb63c5b
MD5 hash: 86b877eeaf0482b5e1439ed80a82fffb
humanhash: summer-equal-five-cola
File name:pan0ramic0.jpg.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:225'648 bytes
First seen:2021-01-22 09:15:23 UTC
Last seen:2021-01-22 09:37:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 399658d2b8f7d22bc3143e49f6f9461c (1 x Gozi)
ssdeep 6144:zD8oRf4zevEkXAsWBlYu3J8FAhbOqhGipCN:n8oZ4CvEkQJxScOSGipo
TLSH 0D24AE14544864B2E6B384FDA9ACE7EBDBEFC2361F9B6D023F680DE18DC25011435EA5
Reporter Anonymous
Tags:dll enigaseluce Gozi Ursnif

Code Signing Certificate

Organisation:VeriSign Time Stamping Services Signer - G2
Issuer:VeriSign Time Stamping Services CA
Algorithm:sha1WithRSAEncryption
Valid from:Jun 15 00:00:00 2007 GMT
Valid to:Jun 14 23:59:59 2012 GMT
Serial number: 3825D7FAF861AF9EF490E726B5D65AD5
Intelligence: 44 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 8815DFF787F21FA8106760CB89C5B4493F4BD45E2CE801D2A4FE1F61DEE0C039
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
385
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
pan0ramic0.jpg.dll
Verdict:
No threats detected
Analysis date:
2021-01-22 09:18:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6bc2d443-ab50-4899-a208-ce76968da7c3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Ursnif3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/113476/
Detection(s):
SecuriteInfo.com.BScope.Malware-Cryptor.2622.27354.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Deleting a recently created file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/588135
Signature
Machine Learning detection for sample
PE file has a writeable .text section
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 343092 Sample: pan0ramic0.jpg.dll Startdate: 22/01/2021 Architecture: WINDOWS Score: 64 25 gstatuslog.com 2->25 35 Yara detected  Ursnif 2->35 37 Machine Learning detection for sample 2->37 39 PE file has a writeable .text section 2->39 9 loaddll32.exe 1 2->9         started        signatures3 process4 process5 11 regsvr32.exe 9->11         started        14 cmd.exe 1 9->14         started        signatures6 41 Writes or reads registry keys via WMI 11->41 43 Writes registry values via WMI 11->43 16 iexplore.exe 1 61 14->16         started        process7 process8 18 iexplore.exe 146 16->18         started        21 iexplore.exe 25 16->21         started        23 iexplore.exe 29 16->23         started        dnsIp9 27 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49744, 49745 FASTLYUS United States 18->27 29 www.msn.com 18->29 33 7 other IPs or domains 18->33 31 ocsp.sca1b.amazontrust.com 13.224.195.167, 49767, 49768, 80 AMAZON-02US United States 21->31
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8baffba2ed672607e1535dcbfcc47a264e7b8941f63cf181814d7365e8627d05/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-01-22 09:16:07 UTC
File Type:
PE (Dll)
AV detection:
8 of 46 (17.39%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rox7xixnm4tapyktlxf7zrd2ezhhxckb6y6pdambjvzwl2dcpucq._file
Verdict:
unknown
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb banker ransomware trojan
Link:
https://tria.ge/reports/210122-vtr8qktyhx/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Gozi, Gozi IFSB
Unpacked files
SH256 hash:
8baffba2ed672607e1535dcbfcc47a264e7b8941f63cf181814d7365e8627d05
MD5 hash:
86b877eeaf0482b5e1439ed80a82fffb
SHA1 hash:
26c46504c293311f0403bf699f2ddc6cacb63c5b
Link:
https://www.unpac.me/results/3199bfb1-cd9d-4223-8687-2d2d9c946bc2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
ursnif3
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8baffba2ed672607e1535dcbfcc47a264e7b8941f63cf181814d7365e8627d05

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe 8baffba2ed672607e1535dcbfcc47a264e7b8941f63cf181814d7365e8627d05

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/973670/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/113476/

Comments