MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 978490e3799591398561e4229c3297da19873b05cb24b069419859e9dfe5785b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 978490e3799591398561e4229c3297da19873b05cb24b069419859e9dfe5785b
SHA3-384 hash: 0a7997941f8bef825ceead3e102a5c58c489d5dcdf722fd92733404b7045b1c4d5b3adc4ac262f0390acd76d6ba77e20
SHA1 hash: 593f16455abc03e35065fabfe8f3c4290cffe84f
MD5 hash: c61d037094dc36aef5942498d424b866
humanhash: ceiling-september-music-kentucky
File name:595989.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:498'176 bytes
First seen:2021-01-28 06:59:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0a12937d875eab5e83943a6c10ea768b (1 x Gozi)
ssdeep 12288:HrU+JT0SH9yQW3z6O098VLjRHlTGNTtzkqgXA/m:7T5RU5lTexztu
TLSH 6FB4AF42A896F0B5D4699578D1BEEFEA2A05FE26544CCD6F3B4C3ECAF8372405035278
Reporter JAMESWT_WT
Tags:dll Gozi ifsb mise Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
365
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dettagl_2244513.doc
Verdict:
Malicious activity
Analysis date:
2021-01-28 06:53:07 UTC
Tags:
macros macros-on-open loader
Link:
https://app.any.run/tasks/e1ef9e18-8d36-47d5-a283-267521ff1a3e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Ursnif3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/114205/
Detection(s):
SecuriteInfo.com.Malware.28064.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Searching for the window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/592644
Signature
Found malware configuration
Multi AV Scanner detection for submitted file
Writes or reads registry keys via WMI
Writes registry values via WMI
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 345365 Sample: 595989.dll Startdate: 28/01/2021 Architecture: WINDOWS Score: 72 32 Found malware configuration 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 Yara detected  Ursnif 2->36 8 loaddll32.exe 1 2->8         started        process3 process4 10 regsvr32.exe 8->10         started        13 cmd.exe 1 8->13         started        signatures5 38 Writes or reads registry keys via WMI 10->38 40 Writes registry values via WMI 10->40 15 iexplore.exe 1 61 13->15         started        process6 process7 17 iexplore.exe 155 15->17         started        20 iexplore.exe 25 15->20         started        22 iexplore.exe 29 15->22         started        dnsIp8 24 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49760, 49761 FASTLYUS United States 17->24 26 geolocation.onetrust.com 104.20.184.68, 443, 49745, 49746 CLOUDFLARENETUS United States 17->26 30 8 other IPs or domains 17->30 28 ocsp.sca1b.amazontrust.com 13.224.195.149, 49787, 49788, 80 AMAZON-02US United States 20->28
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/978490e3799591398561e4229c3297da19873b05cb24b069419859e9dfe5785b/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-01-28 06:56:38 UTC
File Type:
PE (Dll)
Extracted files:
45
AV detection:
5 of 46 (10.87%)
Threat level:
  5/5
Verdict:
unknown
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb banker trojan
Link:
https://tria.ge/reports/210128-46qjk4dr6j/
Behaviour
Modifies Internet Explorer Phishing Filter
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Unpacked files
SH256 hash:
978490e3799591398561e4229c3297da19873b05cb24b069419859e9dfe5785b
MD5 hash:
c61d037094dc36aef5942498d424b866
SHA1 hash:
593f16455abc03e35065fabfe8f3c4290cffe84f
Link:
https://www.unpac.me/results/4a7aa15c-f58e-4446-90c7-e3b4b8ce10d0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.56
Link:
https://yomi.yoroi.company/submissions/978490e3799591398561e4229c3297da19873b05cb24b069419859e9dfe5785b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe 978490e3799591398561e4229c3297da19873b05cb24b069419859e9dfe5785b

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/114205/
  
URLhaus
https://urlhaus.abuse.ch/url/922197/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/981402/
  
URLhaus
https://urlhaus.abuse.ch/url/981417/
  
URLhaus
https://urlhaus.abuse.ch/url/981418/
  
URLhaus
https://urlhaus.abuse.ch/url/981427/
  
URLhaus
https://urlhaus.abuse.ch/url/981428/
  
URLhaus
https://urlhaus.abuse.ch/url/981533/
  
URLhaus
https://urlhaus.abuse.ch/url/981582/
  
URLhaus
https://urlhaus.abuse.ch/url/981589/
  
URLhaus
https://urlhaus.abuse.ch/url/981587/
  
URLhaus
https://urlhaus.abuse.ch/url/981588/
  
URLhaus
https://urlhaus.abuse.ch/url/981586/
  
URLhaus
https://urlhaus.abuse.ch/url/981583/
  
URLhaus
https://urlhaus.abuse.ch/url/981585/
  
URLhaus
https://urlhaus.abuse.ch/url/981584/

Comments