MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9314c01984c89151f6d4624acad638fe054b3036fcc5115271cb598954c20070. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9314c01984c89151f6d4624acad638fe054b3036fcc5115271cb598954c20070
SHA3-384 hash: 4f7c7459ada7bf2872398cc2be4cdd20379aff4ae71b212378613a5f70d429995a15a5a5b697568669fb588158021329
SHA1 hash: 269f90889d519741b79e52ea427fbc37e6a01868
MD5 hash: ae97252af977c7e64b2eeca6140e129e
humanhash: spring-spaghetti-delta-mirror
File name:610113e3e6859.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:556'032 bytes
First seen:2021-07-28 09:58:01 UTC
Last seen:2021-07-28 10:49:07 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 49c4814f9659cba3f787457752949e56 (2 x Gozi)
ssdeep 12288:KaME5j1f/QOwOSnV8Eh3doxeNZNN2lFzx3ycxXs4:Kafz3E4INX03ycxc4
Threatray 416 similar samples on MalwareBazaar
TLSH T171C48C087659AC32D2E362320B15E651232D74742B2186CF77EC7E9F2FB81D32639796
Reporter JAMESWT_WT
Tags:dll enel EnelEnergia Gozi isfb Ursnif

Intelligence

File Origin
# of uploads :
2
# of downloads :
801
Origin country :
n/a
Vendor Threat Intelligence
Detection:
UrsnifV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/174611/
Detection(s):
SecuriteInfo.com.Program.Win32.Wacapew.Cml.28345.14403.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/57be46ca-5247-4b97-b740-ffc2734d6ea3
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/822991
Signature
Found malware configuration
Machine Learning detection for sample
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-07-28 09:55:37 UTC
File Type:
PE (Dll)
AV detection:
4 of 46 (8.70%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=smkmagmezcivd5wumjfmvvry7ycuwmbw7tcrcutrznmysvgcabya._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
171c18f740641ffc0e1ce486feacabb367292d01627a7103cd614e9a746a9b9c
Gozi
4eedda82bcd9d7789aa060262cbcddb7dccc4661e70984ebf31f80954ffc90a7
Gozi
54ce5aedb7cc073c481eb8af96f89f3ab11e5decaccf942d033479fd0f04c8b3
Gozi
6c99703002ea5284f603d0041f3a72b3a9e26f8f7af45a1f5e34e4297be0efb8
Gozi
6e4568c87d8d2b5d6428ce46362b1ae29559047aafc275948cd4510573e460a8
Gozi
8328e3fd543f366d1625e37bf5b002b5d057b2d80aa2250326c174425886c1c0
Gozi
9c4088dfc53bb7b6d9887d200801a926b73c09458910460a2d6f4e2d67f13e6e
Gozi
aa56916f2b2343a71ffbb8e8e28350d2cdd54ece785712703de5a703d58bb4df
Gozi
+ 406 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:8877 banker trojan
Link:
https://tria.ge/reports/210728-eycfn2ylbx/
Behaviour
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
outlook.com
zaluoa.live
daskdjknefjkewfnkjwe.net
Unpacked files
SH256 hash:
cc35beb3f7b5fd6a38b1775f110f9ab527c90f3cf6e76b02e074dc2954955a4c
MD5 hash:
6b645497a72175e510164553e888443b
SHA1 hash:
55c6c5b81b35713fd833cc934b9be80d378d67b7
Detections:
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/5fe39821-5f75-4da6-bb01-8e9cdfc74800/
SH256 hash:
9314c01984c89151f6d4624acad638fe054b3036fcc5115271cb598954c20070
MD5 hash:
ae97252af977c7e64b2eeca6140e129e
SHA1 hash:
269f90889d519741b79e52ea427fbc37e6a01868
Link:
https://www.unpac.me/results/5fe39821-5f75-4da6-bb01-8e9cdfc74800/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9314c01984c89151f6d4624acad638fe054b3036fcc5115271cb598954c20070

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ursnif3
Create hunting rule
Author:kevoreilly
Description:Ursnif Payload
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/174611/

Comments