MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93d99d2cd1283d50475a5860cc3ea76438f51b4419792ce9bfc3fde3fd574ba4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 93d99d2cd1283d50475a5860cc3ea76438f51b4419792ce9bfc3fde3fd574ba4
SHA3-384 hash: e31470ff2e7ef5660a0e9dcdf26424143896ab908715d0cd8d087ae104afc6bafe7e3e1fac70da230225427de428815a
SHA1 hash: b453f5ffe50e506bde88ea77665859e040f182c6
MD5 hash: dc128b7f9c2b6926c426de8f0e249ad9
humanhash: kansas-berlin-earth-coffee
File name:93d99d2cd1283d50475a5860cc3ea76438f51b4419792ce9bfc3fde3fd574ba4
Download: download sample
Signature Gozi
Create hunting rule
File size:406'016 bytes
First seen:2020-11-15 22:50:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a47bf8d6ef13b3fef9e73edef2c18705 (4 x Gozi)
ssdeep 6144:JIsw+BGSKlWkpLc95mEOHV6cj/8GdKSy/bmVR2zuGnhhDiWUHBDs:JIvcClZg5W16cj/8tkMzxnh5+O
Threatray 6 similar samples on MalwareBazaar
TLSH 3584AD7367D717F2E6B108374D15C281EE66A2A634E218D9E7F31C82354F752FAA2390
Reporter seifreed
Tags:Gozi

Intelligence

File Origin
# of uploads :
1
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Ransomware.Ursnif-9792476-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Searching for the window
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Gozi Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/539233
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Contain functionality to detect virtual machines
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected Gozi e-Banking trojan
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables SPDY (HTTP compression, likely to perform web injects)
Found Tor onion address
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Writes to foreign memory regions
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 318713 Sample: FSvvTtQaTe Startdate: 17/11/2020 Architecture: WINDOWS Score: 100 70 Malicious sample detected (through community Yara rule) 2->70 72 Antivirus / Scanner detection for submitted sample 2->72 74 Multi AV Scanner detection for submitted file 2->74 76 4 other signatures 2->76 12 FSvvTtQaTe.exe 1 7 2->12         started        16 AJRovrcp.exe 2 2->16         started        process3 file4 48 C:\Users\user\AppData\...\AJRovrcp.exe, data 12->48 dropped 102 Detected Gozi e-Banking trojan 12->102 104 Detected unpacking (changes PE section rights) 12->104 106 Detected unpacking (overwrites its own PE header) 12->106 116 2 other signatures 12->116 18 cmd.exe 1 12->18         started        108 Writes to foreign memory regions 16->108 110 Allocates memory in foreign processes 16->110 112 Modifies the context of a thread in another process (thread injection) 16->112 114 Maps a DLL or memory area into another process 16->114 20 svchost.exe 1 6 16->20         started        signatures5 process6 dnsIp7 24 cmd.exe 1 18->24         started        26 conhost.exe 18->26         started        56 www.gnu.org 20->56 58 wildebeest.gnu.org 20->58 80 Modifies the context of a thread in another process (thread injection) 20->80 82 Maps a DLL or memory area into another process 20->82 84 Creates a thread in another existing process (thread injection) 20->84 signatures8 process9 process10 28 AJRovrcp.exe 2 24->28         started        signatures11 94 Detected Gozi e-Banking trojan 28->94 96 Detected unpacking (changes PE section rights) 28->96 98 Detected unpacking (overwrites its own PE header) 28->98 100 6 other signatures 28->100 31 svchost.exe 1 6 28->31         started        process12 dnsIp13 64 wildebeest.gnu.org 209.51.188.148, 49732, 49744, 49745 FREEASINFREEDOMUS United States 31->64 66 www.gnu.org 31->66 68 Detected Gozi e-Banking trojan 31->68 35 explorer.exe 2 31->35 injected signatures14 process15 dnsIp16 50 programuserandussource.ru 35->50 52 www.gnu.org 35->52 54 wildebeest.gnu.org 35->54 78 Disables SPDY (HTTP compression, likely to perform web injects) 35->78 39 AJRovrcp.exe 2 35->39         started        42 RuntimeBroker.exe 35->42 injected signatures17 process18 signatures19 86 Writes to foreign memory regions 39->86 88 Allocates memory in foreign processes 39->88 90 Modifies the context of a thread in another process (thread injection) 39->90 92 2 other signatures 39->92 44 svchost.exe 6 39->44         started        process20 dnsIp21 60 www.gnu.org 44->60 62 wildebeest.gnu.org 44->62 118 Modifies the context of a thread in another process (thread injection) 44->118 120 Maps a DLL or memory area into another process 44->120 122 Creates a thread in another existing process (thread injection) 44->122 signatures22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/93d99d2cd1283d50475a5860cc3ea76438f51b4419792ce9bfc3fde3fd574ba4/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2020-11-15 22:50:38 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=spmz2lgrfa6var22lbqmypvhmq4pkg2edf4sz2n7yp66h7kxjosa._file
Verdict:
malicious
Similar samples:
2a80deaa083bb554ccc57c0ffd467b4fd1a6e2f1ae6ab1a3de140aab849b19bf
Gozi
361fb6895164e8e130e6fc3f6dc984af355294173c5e385d0ac35d6df61aea60
Gozi
73a0eff4b25b824af4b6600db0f637f991b45b0945c9385fd6e7eca289b7e5ed
Gozi
77a9dd087ddaea28c24891d5422565a155d03a4e201e4c7ab014502c825968de
Gozi
b0d9f78957650a0bc42b0bf646e3d158f713de64ee5e6ab395cf777e93a7a240
Gozi
d0136345e5d9b60ead6b8eabdd9887f43f96a27bfc2c1812737da9858e32d6ba
Gozi
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201115-28v17q8ncx/
Unpacked files
SH256 hash:
93d99d2cd1283d50475a5860cc3ea76438f51b4419792ce9bfc3fde3fd574ba4
MD5 hash:
dc128b7f9c2b6926c426de8f0e249ad9
SHA1 hash:
b453f5ffe50e506bde88ea77665859e040f182c6
Link:
https://www.unpac.me/results/bb0587cd-5dd3-4e2e-9bca-9605a691cdf8/
SH256 hash:
c822cea917d121e2ff6bc41516ee629ba632624ed50938323e6804415af4f723
MD5 hash:
3cceba95093cb3980198c635a074d788
SHA1 hash:
e56fa1cd8445a399ec58b545f189c1a48d1f92d5
Detections:
win_dreambot_a0
Create hunting rule
win_isfb_a4
Create hunting rule
Link:
https://www.unpac.me/results/bb0587cd-5dd3-4e2e-9bca-9605a691cdf8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.84
Link:
https://yomi.yoroi.company/submissions/93d99d2cd1283d50475a5860cc3ea76438f51b4419792ce9bfc3fde3fd574ba4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:Ursnif
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory
Reference:internal research
Rule name:Ursnif3
Create hunting rule
Author:kevoreilly
Description:Ursnif Payload
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments