MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b83ff3af3645baf703075ecce628742d87f3349f08516d5affb105962b4fd6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9b83ff3af3645baf703075ecce628742d87f3349f08516d5affb105962b4fd6b
SHA3-384 hash: 68ca544f1963f5192ac2e473a574c7ad7c79ec438d21390a788e64d1000af896f7140df953c373b7cb820edbd7318432
SHA1 hash: 9dfe540a1668c3227f9e1ee6e801ef7f2827e381
MD5 hash: 2ec1864a1be9b496a148d2e99a3e67c4
humanhash: sad-pizza-johnny-high
File name:2ec1864a_by_Libranalysis
Download: download sample
Signature Gozi
Create hunting rule
File size:315'392 bytes
First seen:2021-05-19 15:08:34 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash f8aabbe6a394cd22acb165d00a6c2abe (2 x Gozi)
ssdeep 6144:NwOFFl5Z7DI1arQ/hie3xJxHMuC6CvtOL0Sd2k:NtLlrDIwQ/LMuCvtyp4
Threatray 311 similar samples on MalwareBazaar
TLSH F164AD207AD2F171E0B116714E85EAF50728BC169F660A1737E01FDF9E7D6D21E22B22
Reporter Libranalysis
Tags:Gozi Ursnif


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
259
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ursnif
Create hunting rule
Link:
https://www.capesandbox.com/analysis/158660/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/785080
Signature
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 417476 Sample: 2ec1864a_by_Libranalysis Startdate: 19/05/2021 Architecture: WINDOWS Score: 64 19 Found malware configuration 2->19 21 Multi AV Scanner detection for submitted file 2->21 23 Yara detected  Ursnif 2->23 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 rundll32.exe 7->11         started        13 rundll32.exe 7->13         started        15 rundll32.exe 7->15         started        process5 17 rundll32.exe 9->17         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9b83ff3af3645baf703075ecce628742d87f3349f08516d5affb105962b4fd6b/
Threat name:
Win32.Trojan.Zusy
Create hunting rule
Status:
Malicious
First seen:
2021-05-19 15:09:09 UTC
AV detection:
16 of 47 (34.04%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tob76oxtmrn264bqoxwm4yuhilmh6m2j6ccrnvnp7mifsyvu7vvq._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
20c09f055323ec942cb40efc13c0ff06bb7c60f44087e9b8a4a4744bf80935ed
Gozi
2e5718f3104aa7083d05cf39485a89236aa452b8fdc10ecc3a01c1195a991ad4
Gozi
419e1f52d1dd72ef9e9d2af16124abcaa2cc889389bbb10bb8d1fa23276ba697
Gozi
532bc80351a659699d32d8f10760dca714cb395997cf0667e9631983d1b3a773
Gozi
70d9397fa81ec09be21e1bc235c6c9838612ba43cf238bcaf5525321a8ec3df0
Gozi
900a62f1d821af1da2b5235e651057b062a9fd3c74002ac38218038f7e6b4ea4
Gozi
9ed3ecdf0bb81781af7d2047a54103aa6eed022d1dd01b0477359558a28c6c06
Gozi
ea0f2536c5068f5a7b2c4776f40bf9eb8fbbb79f63c854991b4c57b8959fbf56
Gozi
f1abc2c7434df1d042774d3b48b1b609a576bb50a288802c646de4450a42345d
Gozi
f7d4b9acabc3f9a0425ed10c542838f0206b0ce8458b5b7b3b1f9211436d684a
Gozi
+ 301 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:3500 banker trojan
Link:
https://tria.ge/reports/210519-zr2mwv74qj/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
app.buboleinov.com
chat.veminiare.com
chat.billionady.com
app3.maintorna.com
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9b83ff3af3645baf703075ecce628742d87f3349f08516d5affb105962b4fd6b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/158660/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-19 16:02:51 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
1) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
2) [C0052] File System Micro-objective::Writes File
3) [C0007] Memory Micro-objective::Allocate Memory
4) [C0040] Process Micro-objective::Allocate Thread Local Storage
5) [C0043] Process Micro-objective::Check Mutex
6) [C0041] Process Micro-objective::Set Thread Local Storage Value
7) [C0018] Process Micro-objective::Terminate Process