MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94bb5ce324e3dbf3b2f19b85d33b77b376539ef51dce95443803c9036ffb2be3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 94bb5ce324e3dbf3b2f19b85d33b77b376539ef51dce95443803c9036ffb2be3
SHA3-384 hash: a01c41385ffe1197dcbb4e8003599c2ab57e0557512fd8efb28e357c8fe039f980b6d4a1fe63da79148980545c80e48c
SHA1 hash: 54bd36675e88cc21dc125942c1474625a86cd83f
MD5 hash: cf960a758eaedcd2b6e110a3ab359d9e
humanhash: magazine-kilo-four-pasta
File name:94bb5ce324e3dbf3b2f19b85d33b77b376539ef51dce95443803c9036ffb2be3
Download: download sample
Signature Gozi
Create hunting rule
File size:1'451'408 bytes
First seen:2020-10-27 10:57:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1837f46d7e62de023bfe9705c8d34ba6 (1 x Gozi)
ssdeep 1536:2VSYFbN5Lc3ZjYWGbJnMitDbW0jobRWwD:105AZjYWOMitDbno9T
Threatray 607 similar samples on MalwareBazaar
TLSH 1C658C1F58098D32C4C31D3449DAC77B0EAF65F83B57B1A353B1C446714A37B6AA222E
Reporter JAMESWT_WT
Tags:Gozi Planeta TOV

Intelligence

File Origin
# of uploads :
1
# of downloads :
142
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/79829/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Sending a custom TCP request
Searching for the window
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/513378
Signature
Antivirus / Scanner detection for submitted sample
Binary contains a suspicious time stamp
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 305809 Sample: Wv353sHmdu Startdate: 27/10/2020 Architecture: WINDOWS Score: 96 31 Antivirus / Scanner detection for submitted sample 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 Yara detected  Ursnif 2->35 37 2 other signatures 2->37 6 Wv353sHmdu.exe 2->6         started        10 iexplore.exe 1 72 2->10         started        12 iexplore.exe 1 50 2->12         started        14 2 other processes 2->14 process3 dnsIp4 27 comocriarbebe.xyz 6->27 39 Detected unpacking (changes PE section rights) 6->39 41 Detected unpacking (overwrites its own PE header) 6->41 43 Writes or reads registry keys via WMI 6->43 45 Writes registry values via WMI 6->45 29 192.168.2.1 unknown unknown 10->29 16 iexplore.exe 32 10->16         started        19 iexplore.exe 32 12->19         started        21 iexplore.exe 32 14->21         started        23 iexplore.exe 22 14->23         started        signatures5 process6 dnsIp7 25 comocriarbebe.xyz 193.38.55.52, 443, 49719, 49720 SERVERIUS-ASNL Russian Federation 16->25
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/94bb5ce324e3dbf3b2f19b85d33b77b376539ef51dce95443803c9036ffb2be3/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2020-10-17 23:25:00 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
08d5f4fe0502c81a416b29b00cc91170da32daaf6d382ae11a713fd0cfa16e12
Gozi
42433b509118c66781f3fbc95e1ea506d71260171c9462a085ff515619f1ca81
Gozi
75d6fcb75c0b26f417f8843ae4b1d535222bd015f4aa5d2ca130e5acc6d49c3b
Gozi
76c8a9dbff9b571500729611595f1a1bce8dab543922d731c3bb42af5477f517
Gozi
8526b9d15efa3e793ac4b6f9fb429841f42db283d92c3f64a9f4c3945ccb8b81
Gozi
b6815b7c6bd39d114da295e839d472997b073db3d57429aadad20bb73c7b47c2
Gozi
bc6a7b0e544aade9fc2a48c08ad4aaebd3743396d120f86d9d81b3c8757d9888
Gozi
c3636268f6d8b411a2bea8a72d85229c2082d218f01a161031546a57b52b48b8
Gozi
cc20b331f9b2b1ab79cf8e3570ee00d39a22c2f6029097d3c78c4e8903a391b1
Gozi
cd4ea9f0add28de11dee831302cddfa2b0e4b42e3d65c8929e735ece2f94590e
Gozi
+ 597 additional samples on MalwareBazaar
Result
Malware family:
ursnif_rm3
Create hunting rule
Score:
  10/10
Tags:
banker trojan family:ursnif_rm3
Link:
https://tria.ge/reports/201027-vbs5h8majj/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Ursnif RM3
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/79829/

Comments