MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 92df4c929fde89abd9aca880f6e942e432853e5e8db64ffe4c19929ff4e2342f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 92df4c929fde89abd9aca880f6e942e432853e5e8db64ffe4c19929ff4e2342f
SHA3-384 hash: d34a0708b82046bab5798f027761da166dc674b07f44cdf837d4672daa60778b687cd2f1d4dbe473cadc8ce11d11b443
SHA1 hash: e3bb8b1bad2f17bf48d7b3b5675e404f64b9e7cf
MD5 hash: bac6b7118aa1f9c9fe229393a7fcdb26
humanhash: virginia-two-high-golf
File name:bac6b7118aa1f9c9fe229393a7fcdb26.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:137'120 bytes
First seen:2021-05-05 13:19:23 UTC
Last seen:2021-05-05 13:28:02 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 3f728412058b62c418b1091768b74d7b (8 x Gozi)
ssdeep 1536:tm15JsYYm3GCVS7ZicTJzRVd620ZmB9RMli0msUdqZEACW4jySTLW:eLsacThRVd6pmBPM07vYZEA4/W
Threatray 255 similar samples on MalwareBazaar
TLSH F8D3BE0CF7E950C1C5DA3AB750B19E287228EE128DB4243616F62E797FF71A37C29485
Reporter abuse_ch
Tags:dll Gozi

Intelligence

File Origin
# of uploads :
2
# of downloads :
176
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/150621/
Detection(s):
Win.Packed.Crypterx-9850539-0
Create hunting rule

SecuriteInfo.com.Trojan.Gozi.796.15659.27384.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6d6a2478-c6f9-434a-be00-1df5e6480660
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/92df4c929fde89abd9aca880f6e942e432853e5e8db64ffe4c19929ff4e2342f/
Threat name:
Win32.Trojan.Phonzy
Create hunting rule
Status:
Malicious
First seen:
2021-05-05 10:21:00 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
01006cd1258047b9e2bd9f58b303bd22c39b7f3242db9e4111f88b9f78b9df8f
Gozi
1abd2ae7b4600681751fcd1d401a6ad35fbdd3e231790be49ef7b61333358802
Gozi
310ac7c48b536f71a16706f67fd4d2bed5d9f5708dd460cf3cbc0cd34f43a3ed
Gozi
4b8946f9fee32db6b42f7c0fdb70ca9ba7980c5932d3f959227cdfbef15e8c34
Gozi
6eb9c1a0a8c539ac78ef7413a78479dbf6a3270f48c1ae79b4595aab0b299c63
Gozi
85d535a2051a60c54a1f2f43ce8854f51a784e87a7a9a5a337567fe3296d81a6
Gozi
9f644696f60e80e65ba49dad63c828ba7eca8a3dd6a214bc5321cb7d3ed2c8e6
Gozi
bb5480c21a832b918bb504d84450129527c3e0c4c49924ecd874e880a6fb54c4
Gozi
cb73a2cf01aa499376231e1c5c14dbf0abfae7a2f2036c78bcfbc35b2284a5d5
Gozi
d8bcf8beebb5ab690b52094df6317f023f62f044e8107508d84d06d4700fe81a
Gozi
+ 245 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb banker trojan
Link:
https://tria.ge/reports/210505-tq1lflds7j/
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Unpacked files
SH256 hash:
026a934ae5a96fbb53fa1b81f69d5441d87c039951fb17639773bfb7f0a063ac
MD5 hash:
b8e4c4663cc6a6b33e7fe81e86b85e6d
SHA1 hash:
3a182a1d590af2cf073491c7c748ee16853e525f
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/84e44660-9f6e-4d37-b8c6-26c94fd19b53/
Parent samples :
cb73a2cf01aa499376231e1c5c14dbf0abfae7a2f2036c78bcfbc35b2284a5d5
01006cd1258047b9e2bd9f58b303bd22c39b7f3242db9e4111f88b9f78b9df8f
4b8946f9fee32db6b42f7c0fdb70ca9ba7980c5932d3f959227cdfbef15e8c34
9f644696f60e80e65ba49dad63c828ba7eca8a3dd6a214bc5321cb7d3ed2c8e6
d8bcf8beebb5ab690b52094df6317f023f62f044e8107508d84d06d4700fe81a
bb5480c21a832b918bb504d84450129527c3e0c4c49924ecd874e880a6fb54c4
92df4c929fde89abd9aca880f6e942e432853e5e8db64ffe4c19929ff4e2342f
9e28e8d663048328cf77a9c78fb97b5037510d07b737ca0ee10065bb8bab1fd8
SH256 hash:
92df4c929fde89abd9aca880f6e942e432853e5e8db64ffe4c19929ff4e2342f
MD5 hash:
bac6b7118aa1f9c9fe229393a7fcdb26
SHA1 hash:
e3bb8b1bad2f17bf48d7b3b5675e404f64b9e7cf
Link:
https://www.unpac.me/results/84e44660-9f6e-4d37-b8c6-26c94fd19b53/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
ursnif3
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/92df4c929fde89abd9aca880f6e942e432853e5e8db64ffe4c19929ff4e2342f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

DLL dll 92df4c929fde89abd9aca880f6e942e432853e5e8db64ffe4c19929ff4e2342f

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/150621/
  
URLhaus
https://urlhaus.abuse.ch/url/1100305/
  
Delivery method
Distributed via web download

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-05 14:56:15 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0026.002] Data Micro-objective::XOR::Encode Data