MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d2f90927603c33947463dc9846dc1b7a220ea1f13dc1a0ccfe538d5f83bbfe2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8d2f90927603c33947463dc9846dc1b7a220ea1f13dc1a0ccfe538d5f83bbfe2
SHA3-384 hash: e83bb0caa96daf14aa400a2a98acc2fe1bf8f857979a2beb380376b5d08ceaecbf16bcdf0704161c7b241c6101479abc
SHA1 hash: 1d64f4610c6e0af8a3e3a9d8e8b794fc1bebeef5
MD5 hash: 8b52c277c63c5877c0e4ca32d1458957
humanhash: dakota-jig-pennsylvania-happy
File name:ursnif_IAT_corrected.exe
Download: download sample
Signature Gozi
Create hunting rule
File size:57'344 bytes
First seen:2022-10-20 22:23:19 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 3e85858f9f91b022a15a56437fb6f7c2 (4 x Gozi)
ssdeep 768:A2KGmsx3R69vSvjyRpq63goMWPXE2bE/JVMq2LATqeeAeOu2D2wqmLiu6:wGBx3R6iApqlaPGhVMq2LpeReOb2Pmp
Threatray 843 similar samples on MalwareBazaar
TLSH T1EB43E06A6F6008F7C1A3823636397795EA09132141356CD4E7970D381BDA95EEEBF313
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter Viuleeenz
Tags:dll Gozi Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
254
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/322145/
Detection(s):
SecuriteInfo.com.Trojan.Gozi.891.23869.11695.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
gozi overlay packed razy ursnif
Link:
https://www.filescan.io/uploads/6351ca832d8b9371cb337326/reports/47d4b46e-8ba9-460b-8bb3-aaec4220f95a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9b49aa9c-71a1-41fb-a3d8-7a2542c0f80f
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1094520
Signature
Antivirus / Scanner detection for submitted sample
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 727158 Sample: ursnif_IAT_corrected.exe.dll Startdate: 21/10/2022 Architecture: WINDOWS Score: 100 39 Snort IDS alert for network traffic 2->39 41 Multi AV Scanner detection for domain / URL 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 4 other signatures 2->45 7 loaddll32.exe 7 2->7         started        process3 dnsIp4 29 onlinetwork.top 7->29 31 linetwork.top 7->31 33 192.168.2.1 unknown unknown 7->33 49 Found evasive API chain (may stop execution after checking system information) 7->49 51 Found API chain indicative of debugger detection 7->51 53 Writes or reads registry keys via WMI 7->53 55 Writes registry values via WMI 7->55 11 regsvr32.exe 6 7->11         started        15 cmd.exe 1 7->15         started        17 rundll32.exe 6 7->17         started        19 conhost.exe 7->19         started        signatures5 process6 dnsIp7 57 System process connects to network (likely due to code injection or exploit) 11->57 59 Writes or reads registry keys via WMI 11->59 61 Writes registry values via WMI 11->61 21 rundll32.exe 6 15->21         started        35 linetwork.top 62.173.145.183, 49742, 49743, 49744 SPACENET-ASInternetServiceProviderRU Russian Federation 17->35 37 onlinetwork.top 31.41.44.194, 80 ASRELINKRU Russian Federation 17->37 signatures8 process9 dnsIp10 25 onlinetwork.top 21->25 27 linetwork.top 21->27 47 Writes registry values via WMI 21->47 signatures11
Detection:
gozi
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8d2f90927603c33947463dc9846dc1b7a220ea1f13dc1a0ccfe538d5f83bbfe2/
Threat name:
Win32.Infostealer.Gozi
Create hunting rule
Status:
Malicious
First seen:
2022-10-20 23:44:47 UTC
File Type:
PE (Dll)
AV detection:
31 of 41 (75.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ruxzbetwapbtsr2ghxeyi3obw6rcb2q7cpobudgp4u4nl6b3x7ra._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
2db38485abff68002fced62495b105cf98ca3eda7bbd30249ed3cf8be23ff2e0
Gozi
49c54e18e22e5c82d591ff5345a4c660f2c80e14fcbe4c3a7d1df43654e40e86
Gozi
4c0ccba038ff513555223a880da3760a974b0479fe6cf0e823f08774ecd0d9ba
Gozi
8e570e32acb99abfd0daf62cff13a09eb694ebfa633a365d224aefc6449f97de
Gozi
e192656ce9c73ac7bcb4cec136378c5843e128b76cd1c021aeec274edecbf869
Gozi
ee46bd47dbd009333a72bc752b3d38d5a87a25f90fef3d4d77515d4fd11f3c8d
Gozi
+ 833 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:5000 banker trojan
Link:
https://tria.ge/reports/221020-2bcwcahcb4/
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
config.edge.skype.com
onlinetwork.top
linetwork.top
Unpacked files
SH256 hash:
15f60ddcb36aa4c5d55050587109f3f252e1b61c92744718cd1562181bef97bf
MD5 hash:
a0f63bbf3b8e03bfc7c4941c0bb31075
SHA1 hash:
caeb32eb9399e89f166c7e07986c6beb99f3c240
Detections:
ISFB_Main
Create hunting rule
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/ab6faedd-3cc4-45c8-99f4-798d3eef407b/
SH256 hash:
8d2f90927603c33947463dc9846dc1b7a220ea1f13dc1a0ccfe538d5f83bbfe2
MD5 hash:
8b52c277c63c5877c0e4ca32d1458957
SHA1 hash:
1d64f4610c6e0af8a3e3a9d8e8b794fc1bebeef5
Link:
https://www.unpac.me/results/ab6faedd-3cc4-45c8-99f4-798d3eef407b/
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8d2f90927603/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/8d2f90927603c33947463dc9846dc1b7a220ea1f13dc1a0ccfe538d5f83bbfe2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Gozi

DLL dll 8d2f90927603c33947463dc9846dc1b7a220ea1f13dc1a0ccfe538d5f83bbfe2

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/322145/

Comments


Avatar
Al ツ commented on 2022-10-21 09:11:23 UTC

Check its configuration on https://tria.ge/221021-kyzvysceb8/behavioral2